EMR Security and Access Control (OpenMRS)

Purpose and Benefits

Bahmni can control the visibility of its various applications (such as access to the Registration and Clinical modules) using OpenMRS privileges. In OpenMRS, a role is a group of privileges.

Creating a User in Bahmni

To create a user who can log in to Bahmni, you need to create a user in OpenMRS. Bahmni reuses the session and credentials of the underlying OpenMRS. Follow these steps to create a login user for Bahmni:

  1. Go to OpenMRS (http://<ip>/openmrs).

  2. Open the Administration section (you should have admin rights to access this section in OpenMRS).

  3. Create a user in OpenMRS by going to Users → Manage Users → Add User.

  4. Give the user appropriate Roles based on what you would like them to access. At minimum you should choose Bahmni-User role, plus more depending on what types of access you want to give. See the table Built-in Roles below, to get an idea of the possible roles you can assign. 

  5. Save and exit the Manage Users section.

  6. After adding the user, you also need to register the user as a Provider in OpenMRS. For that, you again go to the Administration section, and go to: Providers → Manage Providers → Add Provider. Add the above user, as a provider, by searching for the user by the "Name of the Person" in the Person field. You only need to enter a value in the Person field. You can leave others blank.

  7. Now, you can login using the above specified credentials, into OpenMRS, and into Bahmni. Depending on the Roles assigned to a user in OpenMRS, you will see only certain modules / icons on the Home Dashboard of Bahmni.

  8. When you change the roles assigned to a user, the user has to log out and log in again for the new roles to be applied.

Built-in Roles

The roles below are applicable until the 0.85 release. From the 0.86 release onwards these have been changed.

These are the built-in roles that come with Bahmni. The table below lists the roles and the access each role provides. Roles are additive in OpenMRS, which means you can give multiple roles to a user, and all the privileges in each role will be available to the user. For more details, read the OpenMRS documentation on Users/Roles/Privileges.

| Role Name | Access | Notes |
|---|---|---|
| Bahmni-User | Ability to login | |
| Clinical-Read-Only | Will have read only access to clinical app | |
| Clinical:FullAccess | Will have full access to clinical app | |
| Patient-Listing | Will have access to all patient queues | |
| Consultation-Save | Will have basic access to save consultation | |
| Consultation-Observation | Will have access to consultation observation and save in both normal and retrospective mode | |
| Consultation-Diagnosis | Will have access to consultation diagnosis and save in both normal and retrospective mode | |
| Consultation-Disposition | Will have access to consultation disposition and save in both normal and retrospective mode | |
| Consultation-Treatment | Will have access to consultation treatment and save in both normal and retrospective mode | |
| Consultation-Orders | Will have access to consultation orders and save in both normal and retrospective mode | |
| Registration | Will have access to all registration roles | |
| Registration-Write | Will have access to update patient information | |
| Registration-Visit-Action | Will have access to open and close visit | |
| Registration-Additional | Will have access to additional actions like encounter | |
| InPatient-Read | Ability to view the Inpatient dashboard | |
| Inpatient-Patient-Movement | Ability to admit, discharge and transfer the patient | |
| Registration-Read | Will have access to search patients | |
| Patient-Documents-Upload | Ability to upload patient documents and radiology uploads | |
| Admin-Role | Ability to upload and download csvs | |
| Orders-Role | Ability to view and fulfill orders | |
| Emr-Reports | Ability to run reports | |
| Privilege Level: Full | A role that has all API privileges | |
| Program-Enrollment | Ability to enroll a patient to a program and modify/end the program. | |

Roles Available from 0.86 Release Onwards

The table below shows the new roles created as part of the 0.86 release update. Some of the roles must not be assigned to a user directly because they are only for internal use. Please refer to the Notes column.

  1. If you are taking this or a newer release for a new implementation, then

    1. You will be using a new (fresh) db, and only these new roles will be available; the roles created in earlier releases won't be available.

    2. The privileges have changed for some of the clinical tabs. Please refer to this table. The new roles take care of this, so assign the applicable role(s) to the user and the user will have sufficient privileges to access the system.

  2. If you are migrating an existing implementation to this release or a newer one

    1. The new roles will be added alongside the existing roles; existing users will not be affected and can use the system without any problem.

    2. If you want to use the new roles after migrating to this release, note that the privileges have changed for some of the clinical tabs, and the new roles take care of this. Please refer to this table. Change the config accordingly and assign the new role(s) to the user. The user will then have sufficient privileges to access the system.

| Role | Description | Notes |
|---|---|---|
| SuperAdmin | Will give FULL access to Bahmni and OpenMRS | Remove this role for a user, if you wish to give access to only some modules. |
| Bahmni-App | Will have FULL access to all Bahmni apps | Remove this role for a user, if you wish to give access to only some modules. |
| Registration-App | Will have full access for Registration app | |
| Programs-App | Will have full access for Programs app | This will have full access to Clinical-App |
| Clinical-App | Will have full access to Clinical app | |
| InPatient-App | Will have full access for InPatient app | |
| Radiology-App | Will have full access for Radiology app | |
| PatientDocuments-App | Will have full access for Patient Documents app | |
| Admin-App | Will have full access for Admin app in EMR (including the Audit Log screen) | |
| Reports-App | Will have full access for Reports app | |
| OrderFulfillment-App | Will have full access for OrdersFulfillment app | |
| Implementer-Interface-App | Will have full access to Implementer Interface app | |
| Registration-App-Read-Only | Will have read-only access for Registration app | |
| Clinical-App-Read-Only | Will have read-only access to Clinical app | |
| Clinical-App-Observations | Will have full access for Observations tab in Clinical app | |
| Clinical-App-Diagnosis | Will have full access for Diagnosis tab in Clinical app | |
| Clinical-App-Disposition | Will have full access for Disposition tab in Clinical app | |
| Clinical-App-Orders | Will have full access for Orders tab in Clinical app | |
| Clinical-App-Treatment | Will have full access for Treatment tab in Clinical app | Treatment role represent for "Medication" tab in Bahmni |
| Clinical-App-Bacteriology | Will have full access for Bacteriology tab in Clinical app | |
| InPatient-App-Read-Only | Will have read-only access for InPatient app | |
| Bahmni-App-User-Login | Will give ability to login to the application and used internally, should not be assigned to user directly. | This internal role is used by other roles, should not be assigned to user directly. |
| Clinical-App-Save | Will have save privileges used by other Clinical roles and used internally, should not be assigned to user directly. | This internal role is used by other roles, should not be assigned to user directly. |
| Clinical-App-Common | Will have common privileges used by other Clinical roles and used internally, should not be assigned to user directly. | This internal role is used by other roles, should not be assigned to user directly. |
| bypass2FA | Role if assigned disables two factor authentication for that user and used internally, should not be assigned to user directly. | This is an internal role, should not be assigned to user directly. |
| Privilege Level: Full | A role that has all API privileges | Provided by emr-api omod |
| System Developer | Developers of the OpenMRS .. have additional access to change fundamental structure of the database model | Predefined by OpenMRS |
| Anonymous | Privileges for non-authenticated users. | Predefined by OpenMRS |
| Authenticated | Privileges gained once authentication has been established. | Predefined by OpenMRS |
| Provider | All users with the 'Provider' role will appear as options in the default Infopath | Predefined by OpenMRS |
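
The notes in the roles table above, together with the additive behaviour of OpenMRS roles, can be checked mechanically. The following Python audit is an added example (not part of the Bahmni documentation or code base): it flags internal roles assigned directly, broad roles held alongside module-scoped ones, and read-only roles cancelled out by a full-access role. The role names come from the table; the user names, the sample data, and the grouping of SuperAdmin, Bahmni-App and Privilege Level: Full as "broad" are assumptions made for illustration.

```python
# Added example: audit directly assigned roles against the 0.86+ role table.
# Role names are taken from the table above; the sample users are constructed.

# Roles the table marks as internal ("should not be assigned to user directly").
INTERNAL_ROLES = {"Bahmni-App-User-Login", "Clinical-App-Save",
                  "Clinical-App-Common", "bypass2FA"}
# Assumption: roles described as full access / all API privileges are "broad".
BROAD_ROLES = {"SuperAdmin", "Bahmni-App", "Privilege Level: Full"}
# Read-only role -> full-access role for the same app.
READ_ONLY_PAIRS = {
    "Registration-App-Read-Only": "Registration-App",
    "Clinical-App-Read-Only": "Clinical-App",
    "InPatient-App-Read-Only": "InPatient-App",
}


def audit_user(username, roles):
    """Return (username, finding) tuples for one user's direct roles."""
    roles = set(roles)
    findings = []
    for role in sorted(roles & INTERNAL_ROLES):
        label = "2FA disabled" if role == "bypass2FA" else "internal role"
        findings.append((username, f"{label}: {role} assigned directly"))
    broad = sorted(roles & BROAD_ROLES)
    if broad and roles - BROAD_ROLES - INTERNAL_ROLES:
        findings.append((username, f"{broad[0]} overrides module-scoped roles"))
    # Roles are additive, so a read-only role restricts nothing once a
    # full-access role for the same app (or a broad role) is also held.
    for read_only, full in sorted(READ_ONLY_PAIRS.items()):
        winner = full if full in roles else (broad[0] if broad else None)
        if read_only in roles and winner:
            findings.append((username, f"{read_only} overridden by {winner}"))
    return findings


def audit(assignments):
    """assignments: dict mapping username -> directly assigned role names."""
    return [f for user in sorted(assignments)
            for f in audit_user(user, assignments[user])]


# Constructed sample (hypothetical users, not real data).
SAMPLE = {
    "nurse1": ["Clinical-App-Read-Only", "Registration-App"],
    "doctor1": ["Clinical-App", "Clinical-App-Read-Only"],
    "tech1": ["Radiology-App", "bypass2FA"],
    "itadmin": ["SuperAdmin", "Reports-App"],
}

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```

In the sample, nurse1 produces no finding because the read-only and full-access roles belong to different apps.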

Built-in Privileges

Every user has an associated role. Every role comprises a set of privileges. You should preferably only assign roles to users. Roles are already set up with appropriate privileges when you install Bahmni, so that by reading the name of a role you understand what privileges have been assigned to it. Don't modify the privileges of a role; otherwise people will get confused, or they might assign an overly powerful role to a user.

| Privilege Name | Access | Notes |
|---|---|---|
| app:admin | Bahmni admin app access privilege | |
| app:adt | Bahmni adt access privilege | |
| app:clinical | Bahmni clinical app access privilege | |
| app:clinical:consultationTab | View Consultation tab | |
| app:clinical:deleteDiagnosis | Bahmni delete diagnosis privilege | |
| app:clinical:diagnosisTab | View and Edit Diagnosis tab | |
| app:clinical:dispositionTab | View Disposition tab | |
| app:clinical:grantProviderAccess | Bahmni clinical app grant access for other Provider | |
| app:clinical:history | Bahmni observation history view and edit | |
| app:clinical:locationPicker | View Location Picker option | |
| app:clinical:observationTab | View Observation tab | |
| app:clinical:onbehalf | View On behalf of option | |
| app:clinical:retrospective | Bahmni clinical app retrospective access privilege | |
| app:clinical:treatmentTab | Privilege for treatment tab | |
| app:common:closeVisit | Adding close visit privilege | |
| app:common_registration_consultation_link | Adding Registration to/from Consultation Link | |
| app:dhis | DHIS app access privilege | |
| app:document-upload | bahmni document upload access privilege | |
| app:emergency | bahmni emergency app access privilege | |
| app:orders | Bahmni Orders App Access Privilege | |
| app:radiologyOrders | Bahmni radiology orders access privilege | |
| app:reports | View Reports | |
| app:registration | Bahmni registration app access privilege | |
| Manage Order Frequencies | Able to add/edit/retire Order Frequencies | |
| Get Care Settings | Able to get Care Settings | |
| app:clinical:bacteriologyTab | View Bacteriology tab | available from 0.86 release |
| app:clinical:treatmentTab | View Treatment tab | available from 0.86 release |
| app:clinical:ordersTab | View Orders tab | available from 0.86 release |
| app:implementer-interface | Will give access to implementer interface app | available from 0.86 release |
| app:radiology-upload | Will give access to radiology app | available from 0.86 release |
| app:patient-documents | Will give access to patient documents app | available from 0.86 release |

Roles for Appointment Scheduling

Please see users and roles for appointment scheduling for details

Roles for Operation Theatre Scheduling

Please see users and roles for operation theatre scheduling for details 

The Bahmni documentation is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)