Relationship-Based Access Control for OpenMRS

OpenMRS uses Role-Based Access Control (RBAC) as its access control mechanism. A limitation of this RBAC implementation is that, if a user can access a patient’s file then he/she can access every patient’s file. To overcome this limitation, I have been working on implementing Relationship-Based Access Control (ReBAC) into OpenMRS. Instead of static role assignments, ReBAC bases its authorization decisions on the relationship between the user and the resource he/she is trying to access.

Recently, my co-authors and I had a publication in the Symposium on Access Control Models and Technologies (SACMAT) regarding the implementation of ReBAC into OpenMRS. We are very eager to share this with the OpenMRS community. A version of this paper can be found at:

The project source code can be found at: This project is based on OpenMRS version 1.10, and includes core changes (instead of just an external module). The diff between the final project and the base code consists of 25,754 lines, 113 new files, 26 new database tables, and 15 new webpages.

Edit: A video demonstrating the basic capabilities of the project has been posted on YouTube.


Thanks Zain for the great work! Would you be available for any of our Developer/Design calls to take us through this and answer a few questions?

I think I will be available for Developer/Design calls. I am working on a video demo of this that I will post when it is completed. I can also answer any questions either on the Developer/Design calls and/or here.

A video demonstrating the basic capabilities of the project has been posted on YouTube.

Sounds very interesting!

@szrrizvi, since this is a very substantial change, could you point us to some highlights of the code? E.g. one particular example of the tables, and API for a particular piece of the data model?

Thank you @darius,

This is indeed a substantial change, and I would be more than happy to be part of discussions and explanations regarding this topic. The video demo discussed a component called Access Control Relationships. This is one of the simpler components, so we can focus on that for this example.

The Access Control Relationships are represented by two Java classes, “AccessRelationship” and “AccessRelationshipType” in the org.openmrs package. The “AccessRelationship” class represents the actual relationship, and the “AccessRelationshipType” class represents the type of the relationship. These classes are created similarly to the “Relationship” and “RelationshipType” classes that are already part of OpenMRS. An AccessRelationship object has 3 major components, “PersonA”, “PersonB”, and “AccessRelationshipType”. And an AccessRelationshipType object only has one major component, which is its label.

An API interface is generated to allow the webapp to interact with the Access Control Relationships. The API interface is called “AccessRelationshipService” and can be found in the org.openmrs.api package. This interface provides basic methods, such as “save”, “purge”, “get”, etc. The API interface is implemented by the “AccessRelationshipServiceImpl” class found in the org.openmrs.api.impl package. Following the OpenMRS architecture, the DAO interface is called “AccessRelationshipDAO” and can be found in org.openmrs.api.db. The DAO interface is implemented by the “HibernateAccessRelationshipDAO” class found in org.openmrs.api.db.hibernate.

On the database side, 2 tables have been created to save these objects, “access_relationship_type” and “access_relationship”. The schema for these tables can be found in the “liquibase-update-to-latest.xml” file (under the “resources” folder), between lines 7354 and 7423. The Hibernate mapping files for these objects can be found in the appropriate location (api/src/main/resources/org/openmrs/api/db/hibernate). These files are named “AccessRelationship.hbm.xml” and “AccessRelationshipType.hbm.xml”.

On the webapp side, 2 admin pages have been introduced for managing these objects directly. These pages can be found at /webapp/src/main/webapp/WEB-INF/view/admin/rebac. The first page, “accessRelationshipList.jsp”, allows admin users to search, add, and delete AccessRelationship objects. The second page, “accessRelationshipTypeList.jsp”, allows admin users to view, add, and delete AccessRelationshipType objects. Note: An AccessRelationshipType object cannot be deleted if it is part of an AccessRelationship object.

The controllers for the 2 admin pages can be found in the “web” module at the following location: /web/src/main/java/org/openmrs/web/controller/rebac. “” is the controller for “accessRelationshipList.jsp” and “” is the controller for “accessRelationshipTypeList.jsp”. The controllers allow interaction between the web application and the system backend.

The property editors for the AccessRelationship and AccessRelationshipType classes can be found in the org.openmrs.propertyeditor package, within the “api” module.
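The contrast drawn in this thread between a role check and a relationship check, using the AccessRelationship/AccessRelationshipType shape described in the post above, can be sketched as follows. This is an added example, not part of the original posts and not code from the fork: the class `RebacSketch`, its method names, the directional reading of PersonA and PersonB, and all sample users, roles and labels are assumptions made for illustration.

```java
import java.util.*;

// Added illustration: an in-memory model of the data shapes described in the thread.
// NOT the fork's code; every class and method name here is hypothetical.
public class RebacSketch {
    record RelType(String label) {}                              // like AccessRelationshipType: a label
    record Rel(String personA, String personB, RelType type) {}  // like AccessRelationship

    private final Set<RelType> types = new HashSet<>();
    private final Set<Rel> rels = new HashSet<>();

    RelType addType(String label) { RelType t = new RelType(label); types.add(t); return t; }

    void addRel(String a, String b, RelType t) {
        if (!types.contains(t)) throw new IllegalArgumentException("unknown type: " + t.label());
        rels.add(new Rel(a, b, t));
    }

    // A type that is still part of a relationship cannot be deleted (rule stated in the post).
    void purgeType(RelType t) {
        if (rels.stream().anyMatch(r -> r.type().equals(t)))
            throw new IllegalStateException("type in use: " + t.label());
        types.remove(t);
    }

    // RBAC-style decision: holding the role is enough, whoever the patient is.
    static boolean rbacAllows(Set<String> userRoles, String requiredRole) {
        return userRoles.contains(requiredRole);
    }

    // ReBAC-style decision: deny by default; allow only when a relationship of a permitted
    // type links this user (personA) to this patient (personB). Direction is an assumption.
    boolean rebacAllows(String user, String patient, Set<RelType> permitted) {
        return rels.stream().anyMatch(r -> r.personA().equals(user)
                && r.personB().equals(patient) && permitted.contains(r.type()));
    }

    public static void main(String[] args) {
        RebacSketch acl = new RebacSketch();
        RelType treating = acl.addType("treating-clinician");    // constructed sample data
        acl.addRel("dr_alice", "patient_1", treating);

        Set<String> roles = Set.of("Clinician");                 // constructed role name
        System.out.println("RBAC, any patient:  " + rbacAllows(roles, "Clinician"));
        System.out.println("ReBAC, patient_1:   " + acl.rebacAllows("dr_alice", "patient_1", Set.of(treating)));
        System.out.println("ReBAC, patient_2:   " + acl.rebacAllows("dr_alice", "patient_2", Set.of(treating)));
        try { acl.purgeType(treating); }
        catch (IllegalStateException e) { System.out.println("purge refused: " + e.getMessage()); }
    }
}
```

The role check returns the same answer for every patient, while the relationship check differs per patient and denies when no matching relationship exists.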



I had a few questions about this package:

  • Will this code be actively maintained for future releases?
  • Is this package compliant with the OpenMRS module install system?

Thank you, YK

He did this in a fork. The code was never integrated back because it would require some more effort to accomplish this, which the original author did not get. He made some changes in the core platform, and it would be great if these were instead moved to a module. Are you willing to take this up?

Hi. The code has not been maintained since the original post, since that research project was concluded and I had to move on. As Daniel mentioned, when I presented the project to the OpenMRS developers community, the response was that incorporating the changes back into the mainstream of OpenMRS would be a big task and redoing the project as a module would be a better approach. Unfortunately, my workload does not allow me to take on this project; however, I would be able to provide assistance as a consultant if someone wishes to develop the ReBAC module for OpenMRS.

Thank you, Zain Rizvi
