Need Guidance in enabling DataFilter module + Location-Based Access Control (LBAC)

Hi everyone,

I’m requesting help on properly enabling Location-Based Access Control (LBAC) using the DataFilter module. I have followed the available documentation and older threads, but I am still unable to get patient filtering to work for normal users. Only the admin account can see patients, while all other users get zero results.

I’m trying to set up a basic scenario using the DataFilter module with LBAC where I have

Dr X who works at Location T. All of Dr X’s patients belong to Location T. Dr X also can have staff who should only see those same patients. At the same time, Dr Y works at Location W with his own patients. These two clinics should not see each other’s data.

The goal is when Dr X or any of his staff search for patients, the system should only return patients from Location T. When Dr Y or his staff search, they should only see patients from Location W. Admin can see everything, but normal users must only see patients from their assigned location.

One specific question

Do we need to manually configure datafilter.personAttributeTypeUuids, or does DataFilter automatically detect any Person Attribute whose datatype is “Location”? If manual configuration is required, what exactly should be set and where?

Any guidance on how to fully enable DataFilter’s location-based filtering for this scenario would be very helpful.

cc @jnsereko @wyclif @mksd @ibacher

2 Likes

@jonathan, could you please refer to the documentation on the Data Filter wiki page

The data model has been kept simple deliberately such that only two concepts matter: 1) which entity is being restricted by the filtering and 2) on what basis does this filtering restriction operate?

  1. The basis is the metadata on which the data access is based. Eg. Program for program-based access, Location for location-based access, … etc.

  2. The entity is what is authorised to access the data. Eg. Role or User.

This is all controlled and stored in a single table modelled by EntityBasisMap and can be configured through DataFilterService.

Initializer provides a convenient way to configure EntityBasisMap entries through its datafiltermappings domain. A configuration similar to the one below could serve as a useful starting point:

+-------------+----------------------+------------------------+----------------------+------------------------+
| Void/Retire |     Entity UUID      |      Entity class      |     Basis UUID       |      Basis class       |
+-------------+----------------------+------------------------+----------------------+------------------------+
|             | docker-x-user-uuid   | org.openmrs.User       | location-t-uuid      | org.openmrs.Location   |
|             | docker-y-user-uuid   | org.openmrs.User       | location-w-uuid      | org.openmrs.Location   |
+-------------+----------------------+------------------------+----------------------+------------------------+

1 Like

Thanks @ruhanga, meaning in this sense the datafilter module is not required since this functionality comes bundled within the Iniz module, if I am right?

You still need the datafilter module to enforce the rules. Iniz just helps you configure the datafilter module.

1 Like

Any input on this?

I guess that part of the documentation talking about datafilter.personAttributeTypeUuids is likely outdated. It should rather be the datafilter.patientLocationLinkingInterceptor.enabled GP to be set to true.

3 Likes

@jonathan I also came across this thread: UgandaEMR: Use cases for the Data Filter module - #51 by tendomart

though personal interest is in RBAC for certain frontend apps