Location Based Access Control - v0.1.0 Released

Many thanks @wyclif for all your support. I cannot thank you enough. We have more clarity now thanks to you.

To the great community also, cannot thank you all enough for all the great work as well.

Please we require urgent response to the following questions below

1. it is possible to have Bahmni with location based access control using data filter module as a walkaround for a multi - practice /multi-tenant setup ? With all workflow designed remaining as-is? ( I don’t think LBAC module is ready to be used with Bahmni? Please correct me if I am wrong and do provide links and pointers to achieve this If possible with the LBAC module if possible)

" datafilter 1.x.x releases require OpenMRS 2.3.1 and above while 2.x.x versions require OpenMRS 2.4.0 and above"

2. If 1 above is possible, how do we achieve Bahmni running on OpenMRS 2.3.1 or 2.4.0 ? Is it already done, tested and stable for production? If so , pointers and links to this would be of great help.

3. Or do we need to ( seems to be the case ) engage a Bahmni service provider to achieve this custom setup?

Looking forward to your soonest revert

Please note this is not a question for Wyclif per se but to the whole community.

Thanks again for all the great work.

With Regards.

OpenMRS 2.3.x versions have been around for a little while so they should be stable

Thanks so much Boss. Cant say how much i appreciate you.

Now i just have to figure out a way to setup Bahmni with OpenMRS 2.3.1 atleast.

Thanks

@banji note that upgrading Bahmni’s OpenMRS Core version will be necessary but not sufficient.

There’s a known issue with Bahmni. That is: a large part of its backend is not leveraging Hibernate ORM, and instead shortcuts it to perform direct SQL queries to access data. This defeats Data Filter in many places, making it overall unreliable with Bahmni

This is not an issue with other OpenMRS-based distributions, in particular this is not an issue with OpenMRS 3.

Many thanks for this @mksd

In this regard I might have to go with Ozone HIS

Please ive sent multiple requests to your ozone website regarding this please kindly get back on this asap please. Thanks alot

@banji thanks, we had an issue with our SMTP servers and long story short I had to unearth your email, but I found it. I’ll connect in private in the next few days.

Another thing, is it 100% clear to you that in the context of an HIS like Ozone, data filtering will only apply to EMR data. There is no such segregation within the other components of the HIS (eg. Odoo, SENAITE, etc)?

Yes I understand, that is absolutely clear

@suthagar23 et al,

Good day, trust you are great. please i need help

i set user location at ‘manage accounts’ but when i try to login as the user it gives the error below. Then i press ‘back’ and it logs in the user successfully. But when i try to access other EHR features i get the same error. Please kindly point which configuration i am missing . i have created locations and attached user to location using the "manage accounts’ app. Also is there any other way apart from the ‘manage accounts’ to tie a user to a location ? many thanks for your anticipated swift reply Please note this doesnt happen when i login as admin super user.

image|690x263](upload://gutPvfCaIYPdzkNaf8swcLHDAC3.png)

image1490×427 14 KB

please note there are two images attached, the first one didnt show but is there

i seem to have figured parts of it out. it has to do with assigning a location either as visit or login or both. Yes correct. i set referenceapplication.locationUserPropertyName to false. now i can select an assigned location done on ‘manage accounts’ as per login location

@banji is there any reason why you are using this instead of the data filter module?

Hello @dkayiwa . Great question!

Originally , we wanted to use Bahmni as it is close to the production architecture we envisioned but found out that data filter module on bahmni has issues with the Hibernate-ORM layer and makes it unstable so thought LBAC with OpenMRS for data segregation. But now that you mention it, i am thinking this might be better using datafilter module which i originally looked at but in the context of using Bahmni.

So i got advice that datafilter with Bahmni type architecture work best with O3 distro like Ozone HIS. So that was the solution marked for use with the data filter module

But now that you mention it, i am thinking data filter module with OpenMRS might be just the thing. I am just pressed for workable solution right now to production and the devs we working with seem to feel more comfortable using the LBAC module . Any of your thoughts for or against this would be much appreciated. LBAC module seems easier to implement and maintain

I would definitely still look at datafilter module with OpenMRS use case

But best use case scenario is having Bahmni with data segregation implementation. We are constrained in this regard

With Regards

Am sure you must have read this: Location based Access

@ggomez what is your experience using the location based access control module in Nigeria?

We did assess this module a long while back when we were exploring data segregation strategies for the ICRC implementation (so a large implementation), and we came to the conclusion that it wouldn’t scale well. And then Data Filter was born

Data Filter was also designed to enforce very strict segregation of data that is subject to stringent data protection rules, that may or may not be your use case. And importantly it was designed from the onset to cover any segregation use cases, not just location-based access control.

I understand that you are in a tricky spot with this decision, and that the outcome has ramifications that would drastically influence the entire choice of distribution (Bahmni vs O3/Ozone). You wouldn’t be the only one sitting in that spot, other orgs have the exact same problem. IMO this is pointing to something serious about Bahmni’s internal designs (i.e. the systematic use of non-standard/shortcut methods to implement its DAO layer). This kind of tech debt has been identified for a long time already, and nothing was ever being done. So this raises questions about governance, tech strategy and so on (and then, Ozone was born ).

Many thanks mksd. I too believe in Ozone’s future in this regard.

Will definitely look at the Datafilter module again as i did before with the ref app. Thanks all for all the great help and assistance. I sincerely appreciate

Yes Daniel. Thanks for the pointer. Very interesting read!

apologies for the delay, alot going on but i’m working on it now with Ozone . will revert. i want to master its implementation and use by testing it thoroughly. Thanks for all the great hard work @wyclif

Hello @wyclif @mksd hope you are great.

Reverting as promised. I am running Datafilter version 2.2.0-SNAPSHOT on Ozone docker install. Please find below my findings.

1. On installing the module, i could no longer edit a users password from the legacy UI page but when i disabled the module, i was able to do this.

2. When i installed the module, i could no longer select a location at login. it makes me login twice before successful without giving option to select location. I checked the dev console and found the following errors below

image775×587 24.2 KB

disabling the module did not fix this i.e reverting it back to being able to select location. Also deleting the module did not also revert it back to this. please help

Hi @banji

If this is happening in a non prod environment you probably want to share actual logs and not a screenshot.

You also need to say what version of OpenMRS you are running, am not so familiar with ozone, have you tried a released version rather than a snapshot version? Always try to use a released version if possible.

Hello @wyclif

Many thanks for your swift response! Always a pleasure hearing from you.

Will do as you suggested regarding the logs. It’s not a production environment though but a test environment.

It’s currently running on OpenMRS 2.5.9 Build 0

I’m using the docker version ( not sure it’s currently based on a released source ) I hope @mksd and team can confirm though I’ll also look through the source to confirm. ( If you referring to Ozone? ) Or datafilter release version? Looking through it now, I git clone from master and compiled source to omod.

Looking at the things your raised now and will revert asap. Again many thanks for your swift response

NB please try Ozone, its an amazing system!!

i got the datafilter 2.10 version ( no snapshot ) so gonna try that

@wyclif

This is the server log after the module was installed but before org.openmrs.module.datafilter:debug was set and when i access the "manage users’ admin legacy UI and selected a user - i could not see the normal form display ( change password etc )

This is the server log after i enabled org.openmrs.module.datafilter:debug and access the "manage users’ admin legacy UI and selected a user - i could not also see the normal form display and also after i logged out of Ozone and logged back in

One changed i noticed now is that with the datafilter 2.10 version , i no longer have the error reported earlier. I can successfully log in and select location now. I am going to go ahead and try creating patients to location as per the use case. The only issue i see now is that with the module enabled, i cannot see the normal form after i select a use under ‘manager users’.

I would have to disable the module to see it.

But not a show stopper as i can create a new user with all fields showing or edit an existing user.

@wyclif many thanks work is on-going now as per use case, will surely revert with results.

I just have a quick question with respect to creating or modifying a new user’s location from the legacy admin ui wrt to the location hierarchy and how that relates to the datafilter? Because when this is done and i login as the user, i am asked for a location and can select any location so i am thinking what the impact will be, if i select a location on the OpenMRS 3 front end, different from the config done on the legacy admin ui and try to create a patient there. which location will the datafilter module respect? its a mis-use case but will surely test this out pending any expert response.

Update

Just checked the openmrs db table now and its empty

datafilter.patientLocationLinkingInterceptor.enabled is set to ‘true’ ( i created a new patient from a new location and provider account ) also log.level has ‘openmrs.module.datafilter:debug’ included and this is the server log as of last operation datafilter.runInStrictMode is not set.

using datafilter module version 2.1.0 on OpenMRS 2.5.9

i think i should move this to a new forum thread?

Update* Datafilter table now populating after restart though have not created any patients. things seem to working somehow , further testing ongoing

image1596×290 4.35 KB

Update

Datafilter working successfully on Ozone. Further testing still on going. Learning about Ozone, OpenMRS 3 Frontend and Core.

Many thanks @wyclif , @mksd we very much appreciate you and the whole community. You will forever have my support.

Update

image1617×384 6.99 KB

datafilter module working perfectly for all applicable use case. will study it more to understand others. You can please ignore my question regarding user context location @wyclif , i’ve figured it out. Many many thanks @wyclif . You absolutely rock!! you too @mksd ( and the whole Ozone and OpenMRS team!)