EMR Security and Access Control (OpenMRS)

Purpose and Benefits

Bahmni controls the visibility of its applications (such as access to the Registration and Clinical modules) using OpenMRS Privileges. In OpenMRS, a Role is a group of privileges.

Creating a User in Bahmni

To create a user that can log in to Bahmni, you need to create a user in OpenMRS. Bahmni reuses the session and credentials of the underlying OpenMRS. These are the steps for creating a login user for Bahmni:

  1. Go to OpenMRS (http://<ip>/openmrs).
  2. Open the Administration section (you should have admin rights to access this section in OpenMRS).
  3. Create a User in OpenMRS by going to Users → Manage Users → Add User.
  4. Give the user appropriate Roles based on what you would like them to access. At minimum you should choose the Bahmni-User role, plus more depending on what types of access you want to give. See the table Built-in Roles below to get an idea of the possible roles you can assign.
  5. Save and exit the Manage Users section.
  6. After adding the user, you also need to register the user as a Provider in OpenMRS. For that, you again go to the Administration section, and go to: Providers → Manage Providers → Add Provider. Add the above user, as a provider, by searching for the user by the "Name of the Person" in the Person field. You only need to enter a value in the Person field. You can leave others blank.
  7. Now you can log in to OpenMRS and to Bahmni using the credentials specified above. Depending on the Roles assigned to the user in OpenMRS, you will see only certain modules / icons on the Home Dashboard of Bahmni.
  8. When you change the roles assigned to a user, the user has to log out and log in again for the new roles to be applied.

Built-in Roles


The roles below are applicable until the 0.85 release. From the 0.86 release onwards they have been changed.


These are the built-in roles that come with Bahmni. The table below lists the roles and the access that each role provides. Roles are additive in OpenMRS, which means you can give multiple roles to a user, and all privileges in each of those roles will be available to the user. For more details, read the OpenMRS documentation on Users/Roles/Privileges.

| Role Name | Access | Notes |
|---|---|---|
| Bahmni-User | Ability to login | |
| Clinical-Read-Only | Will have read only access to clinical app | |
| Clinical:FullAccess | Will have full access to clinical app | |
| Patient-Listing | Will have access to all patient queues | |
| Consultation-Save | Will have basic access to save consultation | |
| Consultation-Observation | Will have access to consultation observation and save in both normal and retrospective mode | |
| Consultation-Diagnosis | Will have access to consultation diagnosis and save in both normal and retrospective mode | |
| Consultation-Disposition | Will have access to consultation disposition and save in both normal and retrospective mode | |
| Consultation-Treatment | Will have access to consultation treatment and save in both normal and retrospective mode | |
| Consultation-Orders | Will have access to consultation orders and save in both normal and retrospective mode | |
| Registration | Will have access to all registration roles | |
| Registration-Write | Will have access to update patient information | |
| Registration-Visit-Action | Will have access to open and close visit | |
| Registration-Additional | Will have access to additional actions like encounter | |
| InPatient-Read | Ability to view the Inpatient dashboard | |
| Inpatient-Patient-Movement | Ability to admit, discharge and transfer the patient | |
| Registration-Read | Will have access to search patients | |
| Patient-Documents-Upload | Ability to upload patient documents and radiology uploads | |
| Admin-Role | Ability to upload and download csvs | |
| Orders-Role | Ability to view and fulfill orders | |
| Emr-Reports | Ability to run reports | |
| Privilege Level: Full | A role that has all API privileges | |
| Program-Enrollment | Ability to enroll a patient to a program and modify/end the program. | |

Roles Available from 0.86 Release Onwards

The table below shows the new roles created as part of the 0.86 release update. Some of the roles must not be assigned to a user directly because they are for internal use only. Please refer to the Notes column.

  1. If you are taking this or a newer release for a new implementation:
    1. You will be using a new (fresh) db, and only these new roles will be available; the roles created in earlier releases won't be available.
    2. The privileges for some of the clinical tabs have changed, and the new roles take care of this. Please refer to this table. Assign the applicable role(s) to the user, and the user will have sufficient privileges to access the system.

  2. If you are migrating an existing implementation to this release or a newer one:
    1. The new roles will be added alongside the existing roles. Existing users will not be affected and can use the system without any problem.
    2. If you want to use the new roles after migrating to this release, note that the privileges for some of the clinical tabs have changed, and the new roles take care of this. Please refer to this table. Change the config accordingly and assign the new role(s) to the user. The user will then have sufficient privileges to access the system.

| Role | Description | Notes |
|---|---|---|
| SuperAdmin | Will give FULL access to Bahmni and OpenMRS | Remove this role for a user, if you wish to give access to only some modules. |
| Bahmni-App | Will have FULL access to all Bahmni apps | Remove this role for a user, if you wish to give access to only some modules. |
| Registration-App | Will have full access for Registration app | |
| Programs-App | Will have full access for Programs app | This will have full access to Clinical-App |
| Clinical-App | Will have full access to Clinical app | |
| InPatient-App | Will have full access for InPatient app | |
| Radiology-App | Will have full access for Radiology app | |
| PatientDocuments-App | Will have full access for Patient Documents app | |
| Admin-App | Will have full access for Admin app in EMR (including the Audit Log screen) | |
| Reports-App | Will have full access for Reports app | |
| OrderFulfillment-App | Will have full access for OrdersFulfillment app | |
| Implementer-Interface-App | Will have full access to Implementer Interface app | |
| Registration-App-Read-Only | Will have read-only access for Registration app | |
| Clinical-App-Read-Only | Will have read-only access to Clinical app | |
| Clinical-App-Observations | Will have full access for Observations tab in Clinical app | |
| Clinical-App-Diagnosis | Will have full access for Diagnosis tab in Clinical app | |
| Clinical-App-Disposition | Will have full access for Disposition tab in Clinical app | |
| Clinical-App-Orders | Will have full access for Orders tab in Clinical app | |
| Clinical-App-Treatment | Will have full access for Treatment tab in Clinical app | Treatment role represent for "Medication" tab in Bahmni |
| Clinical-App-Bacteriology | Will have full access for Bacteriology tab in Clinical app | |
| InPatient-App-Read-Only | Will have read-only access for InPatient app | |
| Bahmni-App-User-Login | Will give ability to login to the application and used internally, should not be assigned to user directly. | This internal role is used by other roles, should not be assigned to user directly. |
| Clinical-App-Save | Will have save privileges used by other Clinical roles and used internally, should not be assigned to user directly. | This internal role is used by other roles, should not be assigned to user directly. |
| Clinical-App-Common | Will have common privileges used by other Clinical roles and used internally, should not be assigned to user directly. | This internal role is used by other roles, should not be assigned to user directly. |
| bypass2FA | Role if assigned disables two factor authentication for that user and used internally, should not be assigned to user directly. | This is an internal role, should not be assigned to user directly. |
| Privilege Level: Full | A role that has all API privileges | Provided by emr-api omod |
| System Developer | Developers of the OpenMRS .. have additional access to change fundamental structure of the database model | Predefined by OpenMRS |
| Anonymous | Privileges for non-authenticated users. | Predefined by OpenMRS |
| Authenticated | Privileges gained once authentication has been established. | Predefined by OpenMRS |
| Provider | All users with the 'Provider' role will appear as options in the default Infopath | Predefined by OpenMRS |
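
An added example (not part of the Bahmni documentation or code base) that applies the Notes column above to a list of user-to-role assignments: it flags internal roles assigned directly and, because roles are additive, read-only roles that a full-access role on the same user cancels. The record fields (username, roles, is_provider) and the sample users are constructed assumptions; the role names are those in the table.

```python
# Added example: role names come from the 0.86+ table; record fields are assumed.
INTERNAL = {"Bahmni-App-User-Login", "Clinical-App-Save", "Clinical-App-Common", "bypass2FA"}
ALL_MODULES = {"SuperAdmin", "Bahmni-App"}  # FULL access per the table
# Read-only role -> full-access roles that cancel it when held together.
OVERRIDES = {
    "Registration-App-Read-Only": {"Registration-App"},
    "Clinical-App-Read-Only": {"Clinical-App", "Programs-App"},
    "InPatient-App-Read-Only": {"InPatient-App"},
}

def audit_user(user):
    """Return (severity, message) findings for one user record."""
    roles = set(user["roles"])
    findings = []
    for role in sorted(roles & INTERNAL):
        sev = "HIGH" if role == "bypass2FA" else "MEDIUM"
        findings.append((sev, f"internal role {role} assigned directly"))
    broad = sorted(roles & ALL_MODULES)
    if broad and roles - ALL_MODULES:
        findings.append(("MEDIUM", f"{broad[0]} grants full access; narrower roles do not restrict it"))
    # Roles are additive, so the union of privileges wins over a read-only role.
    for ro, full in sorted(OVERRIDES.items()):
        winners = sorted(roles & (full | ALL_MODULES))
        if ro in roles and winners:
            findings.append(("MEDIUM", f"{ro} is cancelled by {winners[0]}"))
    if not user.get("is_provider"):
        findings.append(("INFO", "no Provider record; see step 6 of user creation"))
    return findings

def audit_all(users):
    """Map username -> findings, omitting users with nothing to report."""
    report = {u["username"]: audit_user(u) for u in users}
    return {name: f for name, f in report.items() if f}

# Constructed sample export, not real accounts.
SAMPLE_USERS = [
    {"username": "reception1", "roles": ["Registration-App"], "is_provider": True},
    {"username": "nurse1", "roles": ["Clinical-App-Read-Only", "Programs-App"], "is_provider": True},
    {"username": "svc_sync", "roles": ["bypass2FA", "Reports-App"], "is_provider": False},
    {"username": "doc1", "roles": ["SuperAdmin", "Clinical-App-Diagnosis"], "is_provider": True},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_USERS).items():
        for sev, msg in findings:
            print(f"{name}: [{sev}] {msg}")
```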

Built-in Privileges


Every User has an associated Role. Every Role comprises a set of Privileges. You should preferably assign only Roles to Users. Roles are already set up with appropriate privileges when you install Bahmni, so that the name of a role tells you which Privileges have been assigned to it. Don't modify the privileges of a role; otherwise people will get confused, or they might add a role that is too powerful to a user.

Privileges in Bahmni

| Privilege Name | Access | Notes |
|---|---|---|
| app:admin | Bahmni admin app access privilege | |
| app:adt | Bahmni adt access privilege | |
| app:clinical | Bahmni clinical app access privilege | |
| app:clinical:consultationTab | View Consultation tab | |
| app:clinical:deleteDiagnosis | Bahmni delete diagnosis privilege | |
| app:clinical:diagnosisTab | View and Edit Diagnosis tab | |
| app:clinical:dispositionTab | View Disposition tab | |
| app:clinical:grantProviderAccess | Bahmni clinical app grant access for other Provider | |
| app:clinical:history | Bahmni observation history view and edit | |
| app:clinical:locationPicker | View Location Picker option | |
| app:clinical:observationTab | View Observation tab | |
| app:clinical:onbehalf | View On behalf of option | |
| app:clinical:retrospective | Bahmni clinical app retrospective access privilege | |
| app:clinical:treatmentTab | Privilege for treatment tab | |
| app:common:closeVisit | Adding close visit privilege | |
| app:common_registration_consultation_link | Adding Registration to/from Consultation Link | |
| app:dhis | DHIS app access privilege | |
| app:document-upload | bahmni document upload access privilege | |
| app:emergency | bahmni emergency app access privilege | |
| app:orders | Bahmni Orders App Access Privilege | |
| app:radiologyOrders | Bahmni radiology orders access privilege | |
| app:reports | View Reports | |
| app:registration | Bahmni registration app access privilege | |
| Manage Order Frequencies | Able to add/edit/retire Order Frequencies | |
| Get Care Settings | Able to get Care Settings | |
| app:clinical:bacteriologyTab | View Bacteriology tab | available from 0.86 release |
| app:clinical:treatmentTab | View Treatment tab | available from 0.86 release |
| app:clinical:ordersTab | View Orders tab | available from 0.86 release |
| app:implementer-interface | Will give access to implementer interface app | available from 0.86 release |
| app:radiology-upload | Will give access to radiology app | available from 0.86 release |
| app:patient-documents | Will give access to patient documents app | available from 0.86 release |

Roles for Appointment Scheduling

Please see "users and roles for appointment scheduling" for details.

Roles for Operation Theatre Scheduling

Please see "users and roles for operation theatre scheduling" for details.