Types of users

openIMIS has 3 categories of 'users':


Note:

Django also has, by default, a ‘staff’ user category. These users have access to the Django management console, but without the ‘grant all rights’ mechanism in place for the administrators (called superusers in Django).

We don’t use this user category in openIMIS: no ‘real’ user has access to the Django management console (i.e. no ‘real’ user is ‘staff’), and the administrators are Django superusers.


To support these 3 user types, we implemented the following model:

The InteractiveUser is the entity that implements the ‘real’ users. It is mapped to the tblUsers database table.

The TechnicalUser implements both application and administrator users. They are mapped to the dedicated core_TechnicalUser database table.

The User entity is a proxy to either an InteractiveUser or a TechnicalUser. In openIMIS the rights are granted to this ‘proxy’ entity, using the Django-provided auth.Permission (list of rights to be granted) and auth.Group (allowing users to be bound to permissions by ‘profiles’).


Note:

Permissions can be extended with the ‘predicates’ (coded expressions/functions) provided by rules, for object-level RBAC.
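
The proxy model and the permission check described above, as a plain-Python sketch added here for illustration (it is not openIMIS code and does not use Django). The field names i_user and t_user, the PREDICATES registry, the demo.edit_record permission and the choice to let a predicate narrow a group-granted right per object are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class InteractiveUser:            # 'real' user (tblUsers on the page)
    login: str

@dataclass
class TechnicalUser:              # application or administrator account
    username: str
    is_superuser: bool = False    # True only for administrators

@dataclass
class Group:                      # stand-in for auth.Group: a 'profile'
    name: str
    permissions: set = field(default_factory=set)

# Hypothetical registry of object-level predicates: permission -> f(user, obj)
PREDICATES = {
    # Constructed rule: an interactive user may edit only records they own.
    "demo.edit_record": lambda user, obj: (
        user.i_user is not None and obj.get("owner") == user.i_user.login
    ),
}

@dataclass
class User:                       # proxy to exactly one underlying account
    i_user: Optional[InteractiveUser] = None
    t_user: Optional[TechnicalUser] = None
    groups: list = field(default_factory=list)

    def __post_init__(self):
        if (self.i_user is None) == (self.t_user is None):
            raise ValueError("User must proxy exactly one account")

    @property
    def is_superuser(self):
        # In this sketch only a technical (administrator) account can be one.
        return self.t_user is not None and self.t_user.is_superuser

    def has_perm(self, perm, obj=None):
        if self.is_superuser:
            return True           # superusers are granted all rights
        if not any(perm in g.permissions for g in self.groups):
            return False          # no profile grants this right
        predicate = PREDICATES.get(perm)
        if obj is None or predicate is None:
            return True           # model-level grant is sufficient
        return bool(predicate(self, obj))   # object-level check
```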