EMR Security and Access Control (OpenMRS)

Purpose and Benefits

Bahmni has the ability to control the visibility of various applications within Bahmni (like access to Registration, Clinical modules, etc) using OpenMRS Privileges. In OpenMRS, a Role is a group of privileges

Creating a User in Bahmni

To create a user that can login into Bahmni, one needs to create a user in OpenMRS. Bahmni re-uses the same session / credentials as of the underlying OpenMRS. Here are the steps needed to be performed for creating a login user for Bahmni: 

  1. Go to OpenMRS (http://<ip>/openmrs).
  2. Open the Administration section (you should have admin rights to access this section in OpenMRS).
  3. Create a User in OpenMRS, by going to Users → Manage Users → Add User
  4. Give the user appropriate Roles based on what you would like them to access. At minimum you should choose Bahmni-User role, plus more depending on what types of access you want to give. See the table Built-in Roles below, to get an idea of the possible roles you can assign. 
  5. Save and exit the Manage Users section.
  6. After adding the user, you also need to register the user as a Provider in OpenMRS. For that, you again go to the Administration section, and go to: Providers → Manage Providers → Add Provider. Add the above user, as a provider, by searching for the user by the "Name of the Person" in the Person field. You only need to enter a value in the Person field. You can leave others blank.
  7. Now, you can login using the above specified credentials, into OpenMRS, and into Bahmni. Depending on the Roles assigned to a user in OpenMRS, you will see only certain modules / icons on the Home Dashboard of Bahmni.
  8. When you change roles assigned to user. User have to logout and login for roles to be applied.

Built-in Roles

 Roles until v0.85 release ...

Below roles are applicable until 0.85 release. From 0.86 release onwards these have been changed.

These are the built-in roles that come with Bahmni. The table below mentions the list of roles, and the access that the role provides. Roles are additive in OpenMRS. Which means, you can give multiple roles to a user, and all privileges mentioned in each role, will be available to the user. For more details you can read OpenMRS Documentation on Users/Roles/Privileges.

Role NameAccessNotes


Ability to login


Will have read only access to clinical app


Will have full access to clinical app


Will have access to all patient queues


Will have basic access to save consultation


Will have access to consultation observation and save in both normal and retrospective mode


Will have access to consultation diagnosis and save in both normal and retrospective mode


Will have access to consultation disposition and save in both normal and retrospective mode


Will have access to consultation treatment and save in both normal and retrospective mode


Will have access to consultation orders and save in both normal and retrospective mode


Will have access to all registration roles


Will have access to update patient information


Will have access to open and close visit


Will have access to additional actions like encounter


Ability to view the Inpatient dashboard


Ability to admit, discharge and transfer the patient


Will have access to search patients


Ability to upload patient documents and radiology uploads


Ability to upload and download csvs


Ability to view and fulfill orders


Ability to run reports

Privilege Level: Full

A role that has all API privileges


Ability to enroll a patient to a program and modify/end the program.

Roles Available from 0.86 Release Onwards

The below table shows new roles created as part of 0.86 release update. Some of the roles must not be assigned to the user directly because it is only for internal use. Please refer notes column.

  1. If you are taking this/newer release for new implementation, then
    1. You will be using new db (or fresh db) and only these new roles will be available, the roles which are created earlier releases won’t be available.
    2. There are privileges changed for some of the clinical tabs. Please refer this table and it is taken care by these new roles. So, assign the applicable role(s) to the user and the user will have sufficient privileges to access the system.

  2. If you are migrating any existing implementation to this release or newer
    1. New roles will be added apart from existing roles, the existing user will not affected and can use the system without any problem.
    2. If you want to use the new roles after migrate to this new release then there are privileges changed for some of the clinical tabs and it is taken care by new roles . Please refer this table. So, change the config accordingly and assign these new role(s) to user. Then, the user will have sufficient privileges to access the system.
SuperAdminWill give FULL access to Bahmni and OpenMRSRemove this role for a user, if you wish to give access to only some modules.
Bahmni-AppWill have FULL access to all Bahmni appsRemove this role for a user, if you wish to give access to only some modules.
Registration-AppWill have full access for Registration app
Programs-AppWill have full access for Programs appThis will have full access to Clinical-App
Clinical-AppWill have full access to Clinical app
InPatient-AppWill have full access for InPatient app
Radiology-AppWill have full access for Radiology app
PatientDocuments-AppWill have full access for Patient Documents app
Admin-AppWill have full access for Admin app in EMR (including the Audit Log screen)
Reports-AppWill have full access for Reports app
OrderFulfillment-AppWill have full access for OrdersFulfillment app
Implementer-Interface-AppWill have full access to Implementer Interface app
Registration-App-Read-OnlyWill have read-only access for Registration app
Clinical-App-Read-OnlyWill have read-only access to Clinical app
Clinical-App-ObservationsWill have full access for Observations tab in Clinical app
Clinical-App-DiagnosisWill have full access for Diagnosis tab in Clinical app
Clinical-App-DispositionWill have full access for Disposition tab in Clinical app
Clinical-App-OrdersWill have full access for Orders tab in Clinical app
Clinical-App-TreatmentWill have full access for Treatment tab in Clinical appTreatment role represent for "Medication" tab in Bahmni
Clinical-App-BacteriologyWill have full access for Bacteriology tab in Clinical app
InPatient-App-Read-OnlyWill have read-only access for InPatient app
Bahmni-App-User-LoginWill give ability to login to the application and used internally, should not be assigned to user directly.This internal role is used by other roles, should not be assigned to user directly.
Clinical-App-SaveWill have save privileges used by other Clinical roles and used internally, should not be assigned to user directly.This internal role is used by other roles, should not be assigned to user directly.
Clinical-App-CommonWill have common privileges used by other Clinical roles and used internally, should not be assigned to user directly.This internal role is used by other roles, should not be assigned to user directly.
bypass2FARole if assigned disables two factor authentication for that user and used internally, should not be assigned to user directly.This is an internal role, should not be assigned to user directly.
Privilege Level: FullA role that has all API privilegesProvided by emr-api omod
System DeveloperDevelopers of the OpenMRS .. have additional access to change fundamental structure of the database modelPredefined by OpenMRS
AnonymousPrivileges for non-authenticated users.Predefined by OpenMRS
AuthenticatedPrivileges gained once authentication has been established.Predefined by OpenMRS
ProviderAll users with the 'Provider' role will appear as options in the default InfopathPredefined by OpenMRS

Built-in Privileges

Every User has an associated Role. Every Role comprises of a SET of Privileges. You should preferably only assign Roles to Users. Roles are already setup with appropriate privileges when you install Bahmni, so that by reading the name of the role, you understand what Privileges have been assigned to the role. Don't modify privileges of a role, else people will get confused, or they might add a too powerful role to a user.

 Privileges in Bahmni. Click here to expand...
Privilege NameAccessNotes


Bahmni admin app access privilege


Bahmni adt access privilege


Bahmni clinical app access privilege


View Consultation tab


Bahmni delete diagnosis privilege
app:clinical:diagnosisTabView and Edit Diagnosis tab
app:clinical:dispositionTabView Disposition tab
app:clinical:grantProviderAccessBahmni clinical app grant access for other Provider
app:clinical:historyBahmni observation history view and edit
app:clinical:locationPickerView Location Picker option
app:clinical:observationTabView Observation tab
app:clinical:onbehalfView On behalf of option
app:clinical:retrospectiveBahmni clinical app retrospective access privilege
app:clinical:treatmentTabPrivilege for treatment tab
app:common:closeVisitAdding close visit privilege
app:common_registration_consultation_linkAdding Registration to/from Consultation Link
app:dhisDHIS app access privilege
app:document-uploadbahmni document upload access privilege
app:emergencybahmni emergency app access privilege
app:ordersBahmni Orders App Access Privilege
app:radiologyOrdersBahmni radiology orders access privilege
app:reportsView Reports
app:registrationBahmni registration app access privilege
Manage Order FrequenciesAble to add/edit/retire Order Frequencies
Get Care SettingsAble to get Care Settings
app:clinical:bacteriologyTabView Bacteriology tabavailable from 0.86 release
app:clinical:treatmentTabView Treatment tabavailable from 0.86 release
app:clinical:ordersTabView Orders tabavailable from 0.86 release
app:implementer-interfaceWill give access to implementer interface appavailable from 0.86 release
app:radiology-uploadWill give access to radiology appavailable from 0.86 release
app:patient-documentsWill give access to patient documents appavailable from 0.86 release

Roles for Appointment Scheduling

Please see users and roles for appointment scheduling for details

Roles for Operation Theatre Scheduling

Please see users and roles for operation theatre scheduling for details 

The Bahmni documentation is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)