EMR Security and Access Control (OpenMRS)
- Teresa Gracias
- Gurpreet Luthra
- Hanisha Potturi (Deactivated)
Purpose and Benefits
Bahmni has the ability to control the visibility of various applications within Bahmni (like access to Registration, Clinical modules, etc) using OpenMRS Privileges. In OpenMRS, a Role is a group of privileges.
Creating a User in Bahmni
To create a user who can log in to Bahmni, you need to create the user in OpenMRS. Bahmni reuses the session and credentials of the underlying OpenMRS. Follow these steps to create a login user for Bahmni:
- Go to OpenMRS (http://<ip>/openmrs).
- Open the Administration section (you should have admin rights to access this section in OpenMRS).
- Create a User in OpenMRS, by going to Users → Manage Users → Add User
- Give the user appropriate Roles based on what you would like them to access. At minimum you should choose Bahmni-User role, plus more depending on what types of access you want to give. See the table Built-in Roles below, to get an idea of the possible roles you can assign.
- Save and exit the Manage Users section.
- After adding the user, you also need to register the user as a Provider in OpenMRS. To do so, go to the Administration section again, then to: Providers → Manage Providers → Add Provider. Add the above user as a provider by searching for the user by the "Name of the Person" in the Person field. You only need to enter a value in the Person field. You can leave the others blank.
- You can now log in to OpenMRS and to Bahmni using the credentials specified above. Depending on the Roles assigned to a user in OpenMRS, you will see only certain modules / icons on the Home Dashboard of Bahmni.
- When you change the roles assigned to a user, the user has to log out and log in again for the roles to be applied.
Built-in Roles
The roles below are applicable until the 0.85 release. From the 0.86 release onwards, these have been changed.
These are the built-in roles that come with Bahmni. The table below lists the roles and the access that each role provides. Roles are additive in OpenMRS, which means you can give multiple roles to a user, and all privileges in each role will be available to the user. For more details you can read the OpenMRS Documentation on Users/Roles/Privileges.
Role Name | Access | Notes |
---|---|---|
Bahmni-User | Ability to login | |
Clinical-Read-Only | Will have read only access to clinical app | |
Clinical:FullAccess | Will have full access to clinical app | |
Patient-Listing | Will have access to all patient queues | |
Consultation-Save | Will have basic access to save consultation | |
Consultation-Observation | Will have access to consultation observation and save in both normal and retrospective mode | |
Consultation-Diagnosis | Will have access to consultation diagnosis and save in both normal and retrospective mode | |
Consultation-Disposition | Will have access to consultation disposition and save in both normal and retrospective mode | |
Consultation-Treatment | Will have access to consultation treatment and save in both normal and retrospective mode | |
Consultation-Orders | Will have access to consultation orders and save in both normal and retrospective mode | |
Registration | Will have access to all registration roles | |
Registration-Write | Will have access to update patient information | |
Registration-Visit-Action | Will have access to open and close visit | |
Registration-Additional | Will have access to additional actions like encounter | |
InPatient-Read | Ability to view the Inpatient dashboard | |
Inpatient-Patient-Movement | Ability to admit, discharge and transfer the patient | |
Registration-Read | Will have access to search patients | |
Patient-Documents-Upload | Ability to upload patient documents and radiology uploads | |
Admin-Role | Ability to upload and download csvs | |
Orders-Role | Ability to view and fulfill orders | |
Emr-Reports | Ability to run reports | |
Privilege Level: Full | A role that has all API privileges | |
Program-Enrollment | Ability to enroll a patient to a program and modify/end the program. | |
Roles Available from 0.86 Release Onwards
The table below shows the new roles created as part of the 0.86 release update. Some of the roles must not be assigned to a user directly because they are only for internal use. Please refer to the Notes column.
- If you are taking this or a newer release for a new implementation:
  - You will be using a new (fresh) database and only these new roles will be available; the roles created in earlier releases won't be available.
  - The privileges for some of the clinical tabs have changed. Please refer to this table; the change is taken care of by these new roles. So, assign the applicable role(s) to the user and the user will have sufficient privileges to access the system.
- If you are migrating an existing implementation to this release or a newer one:
  - The new roles will be added alongside the existing roles; existing users will not be affected and can use the system without any problem.
  - If you want to use the new roles after migrating to this release, note that the privileges for some of the clinical tabs have changed, and this is taken care of by the new roles. Please refer to this table. So, change the config accordingly and assign these new role(s) to the user. The user will then have sufficient privileges to access the system.
Role | Description | Notes |
---|---|---|
SuperAdmin | Will give FULL access to Bahmni and OpenMRS | Remove this role for a user, if you wish to give access to only some modules. |
Bahmni-App | Will have FULL access to all Bahmni apps | Remove this role for a user, if you wish to give access to only some modules. |
Registration-App | Will have full access for Registration app | |
Programs-App | Will have full access for Programs app | This will have full access to Clinical-App |
Clinical-App | Will have full access to Clinical app | |
InPatient-App | Will have full access for InPatient app | |
Radiology-App | Will have full access for Radiology app | |
PatientDocuments-App | Will have full access for Patient Documents app | |
Admin-App | Will have full access for Admin app in EMR (including the Audit Log screen) | |
Reports-App | Will have full access for Reports app | |
OrderFulfillment-App | Will have full access for OrdersFulfillment app | |
Implementer-Interface-App | Will have full access to Implementer Interface app | |
Registration-App-Read-Only | Will have read-only access for Registration app | |
Clinical-App-Read-Only | Will have read-only access to Clinical app | |
Clinical-App-Observations | Will have full access for Observations tab in Clinical app | |
Clinical-App-Diagnosis | Will have full access for Diagnosis tab in Clinical app | |
Clinical-App-Disposition | Will have full access for Disposition tab in Clinical app | |
Clinical-App-Orders | Will have full access for Orders tab in Clinical app | |
Clinical-App-Treatment | Will have full access for Treatment tab in Clinical app | The Treatment role corresponds to the "Medication" tab in Bahmni |
Clinical-App-Bacteriology | Will have full access for Bacteriology tab in Clinical app | |
InPatient-App-Read-Only | Will have read-only access for InPatient app | |
Bahmni-App-User-Login | Gives the ability to log in to the application. Used internally; should not be assigned to a user directly. | This internal role is used by other roles and should not be assigned to a user directly. |
Clinical-App-Save | Has the save privileges used by other Clinical roles. Used internally; should not be assigned to a user directly. | This internal role is used by other roles and should not be assigned to a user directly. |
Clinical-App-Common | Has the common privileges used by other Clinical roles. Used internally; should not be assigned to a user directly. | This internal role is used by other roles and should not be assigned to a user directly. |
bypass2FA | If assigned, this role disables two-factor authentication for that user. Used internally; should not be assigned to a user directly. | This is an internal role and should not be assigned to a user directly. |
Privilege Level: Full | A role that has all API privileges | Provided by emr-api omod |
System Developer | Developers of the OpenMRS .. have additional access to change fundamental structure of the database model | Predefined by OpenMRS |
Anonymous | Privileges for non-authenticated users. | Predefined by OpenMRS |
Authenticated | Privileges gained once authentication has been established. | Predefined by OpenMRS |
Provider | All users with the 'Provider' role will appear as options in the default Infopath | Predefined by OpenMRS |
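The notes in the table above translate into a simple audit of direct role assignments. The following Python sketch is an added example, not part of Bahmni or OpenMRS: the (username, role) input rows and the usernames are constructed, and treating any other role whose name contains "-App" as module-scoped is an assumption based on the role names in the table.

```python
from collections import defaultdict

# Roles the 0.86 table marks "should not be assigned to user directly".
INTERNAL_ROLES = {"Bahmni-App-User-Login", "Clinical-App-Save",
                  "Clinical-App-Common", "bypass2FA"}
# Roles the table says to remove when a user should see only some modules.
BROAD_ROLES = {"SuperAdmin", "Bahmni-App"}


def audit_assignments(pairs):
    """Return sorted (user, role, finding) tuples for direct role assignments.

    `pairs` is an iterable of (username, role) rows: one row per role that is
    assigned to the user directly, not inherited through another role.
    """
    roles_by_user = defaultdict(set)
    for user, role in pairs:
        roles_by_user[user].add(role.strip())

    findings = []
    for user, roles in roles_by_user.items():
        for role in roles & INTERNAL_ROLES:
            note = ("disables two-factor authentication" if role == "bypass2FA"
                    else "internal role assigned directly")
            findings.append((user, role, note))
        # Roles are additive, so a broad role grants every module no matter
        # which module-specific "-App" roles sit beside it (assumed naming).
        scoped = sorted(r for r in roles - BROAD_ROLES - INTERNAL_ROLES
                        if "-App" in r)
        if scoped:
            for role in roles & BROAD_ROLES:
                findings.append(
                    (user, role, "overrides scoped roles: " + ", ".join(scoped)))
    return sorted(findings)


# Constructed sample data (usernames are hypothetical).
SAMPLE = [
    ("reception1", "Registration-App"),
    ("reception1", "Provider"),
    ("nurse1", "Clinical-App-Read-Only"),
    ("nurse1", "Bahmni-App"),
    ("doctor1", "Clinical-App"),
    ("doctor1", "bypass2FA"),
    ("labtech1", "Clinical-App-Common"),
    ("admin1", "SuperAdmin"),
]

if __name__ == "__main__":
    for user, role, finding in audit_assignments(SAMPLE):
        print(f"{user}: {role}: {finding}")
```

A user holding only SuperAdmin is not reported, since the table describes that role as the intended way to give FULL access; the check flags it only when it sits beside narrower roles that it silently overrides.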
Built-in Privileges
Every User has an associated Role. Every Role comprises a set of Privileges. You should preferably assign only Roles to Users. Roles are already set up with appropriate privileges when you install Bahmni, so that by reading the name of the role, you understand what Privileges have been assigned to the role. Don't modify the privileges of a role; otherwise people will get confused, or they might add a too-powerful role to a user.
Privilege Name | Access | Notes |
---|---|---|
app:admin | Bahmni admin app access privilege | |
app:adt | Bahmni adt access privilege | |
app:clinical | Bahmni clinical app access privilege | |
app:clinical:consultationTab | View Consultation tab | |
app:clinical:deleteDiagnosis | Bahmni delete diagnosis privilege | |
app:clinical:diagnosisTab | View and Edit Diagnosis tab | |
app:clinical:dispositionTab | View Disposition tab | |
app:clinical:grantProviderAccess | Bahmni clinical app grant access for other Provider | |
app:clinical:history | Bahmni observation history view and edit | |
app:clinical:locationPicker | View Location Picker option | |
app:clinical:observationTab | View Observation tab | |
app:clinical:onbehalf | View On behalf of option | |
app:clinical:retrospective | Bahmni clinical app retrospective access privilege | |
app:clinical:treatmentTab | Privilege for treatment tab | |
app:common:closeVisit | Adding close visit privilege | |
app:common_registration_consultation_link | Adding Registration to/from Consultation Link | |
app:dhis | DHIS app access privilege | |
app:document-upload | bahmni document upload access privilege | |
app:emergency | bahmni emergency app access privilege | |
app:orders | Bahmni Orders App Access Privilege | |
app:radiologyOrders | Bahmni radiology orders access privilege | |
app:reports | View Reports | |
app:registration | Bahmni registration app access privilege | |
Manage Order Frequencies | Able to add/edit/retire Order Frequencies | |
Get Care Settings | Able to get Care Settings | |
app:clinical:bacteriologyTab | View Bacteriology tab | available from 0.86 release |
app:clinical:treatmentTab | View Treatment tab | available from 0.86 release |
app:clinical:ordersTab | View Orders tab | available from 0.86 release |
app:implementer-interface | Will give access to implementer interface app | available from 0.86 release |
app:radiology-upload | Will give access to radiology app | available from 0.86 release |
app:patient-documents | Will give access to patient documents app | available from 0.86 release |
Roles for Appointment Scheduling
Please see users and roles for appointment scheduling for details
Roles for Operation Theatre Scheduling
Please see users and roles for operation theatre scheduling for details
The Bahmni documentation is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)