I am just thinking out aloud
- I foresee a lot of complexity handling the storage of permissions both at user level and cohort level - IMO all permissions should be stored on the cohort definition
- I would suggest not having user permissions at all, rather do this through Roles, which will simplify management
- For the keys, I would not keep E+S, but rather bits for each permission, something like below
{
  "key": "org.openmrs.cohort.f4bca462-76d1-446b-8369-f8dab42e19b3",
  "role": "a3265110-b90b-474e-8f4b-c5a8fdf4e3d1",
  "permissions": {
    "E": "true",
    "V": "true",
    "D": "false",
    "S": "false"
  }
}
- Following the above, if not specified, then false is assumed (principle of least privilege)
- This will probably remove the need for the share permission - which requires managing users at the role level and abstracts that away
- I know this is for patient lists, but can this be extended to manage patient records too, Obs etc (I know it is a stretch), but why not
- Leveraging UNIX permissions can we have - owner + group + staff to map to Cohort creator, group (role), staff (everyone else) and by default all Cohorts are visible only to the owner (principle of least privilege)
- Using UNIX again with role based access we only need 3 sets of actions, read (View), write (Edit), execute (Delete) - though would be part of write
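
An added example, not part of the original post and not OpenMRS code: a default-deny check over records shaped like the one proposed above, where a missing or malformed flag never grants access. The `owner` field, the user and role ids other than the one in the post, and the rule that the owner holds every action are assumptions made for this sketch.

```python
ACTIONS = {"V", "E", "D", "S"}  # View, Edit, Delete, Share, as named in the post

COHORT = "org.openmrs.cohort.f4bca462-76d1-446b-8369-f8dab42e19b3"
CLINICIAN = "a3265110-b90b-474e-8f4b-c5a8fdf4e3d1"  # role id from the post

# Constructed sample records. "owner", "user-alice" and "role-auditor"
# are hypothetical and exist only for this example.
RECORDS = [
    {"key": COHORT, "owner": "user-alice", "role": CLINICIAN,
     "permissions": {"E": "true", "V": "true", "D": "false"}},  # "S" omitted
    {"key": COHORT, "owner": "user-alice", "role": "role-auditor",
     "permissions": {"V": "true", "E": "yes"}},  # "yes" is malformed
]


def granted(value):
    """Only a literal true (boolean or the string "true") grants access."""
    return value is True or value == "true"


def is_allowed(records, cohort_key, user, roles, action):
    """Return True only on an explicit grant; every other path denies."""
    if action not in ACTIONS:
        return False  # unknown actions are denied, even for the owner
    for rec in records:
        if rec.get("key") != cohort_key:
            continue
        if rec.get("owner") == user:
            return True  # assumption: the cohort creator holds every action
        flags = rec.get("permissions") or {}
        if rec.get("role") in roles and granted(flags.get(action)):
            return True
    return False  # nothing matched: least privilege


if __name__ == "__main__":
    for act in sorted(ACTIONS):
        print(act, is_allowed(RECORDS, COHORT, "user-bob", {CLINICIAN}, act))
```
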