Access management
Access management in openIMIS
Role management:
Only super admins (is_admin == True) are able to add all roles; any other user with the authority to create users can only add their own role(s)
Access management dimensions:
Authorities (Configuration Items, roles and Authorities)
Location (Configuration Items, User District, User Village)
External affiliation (organisation affiliation?)
HF user (Configuration Items, Claim Administrator)
PolicyHolder User (Configuration Items, PolicyHolder user)
Q: should we develop the organisation concept? Each organisation (ORG) would have:
0-N services (HistoryBusiness model), e.g. group policy, medical claim, catchment, etc.
a service is a module that defines additional tabs when the service is active (checkbox to deactivate a service), in addition to the general menu
the principle of services instead of org types is more flexible
0-N users
How access is checked
for general user:
the user's role must have the authorities required for the action, and the recipient of the action must belong to a location or service provider within the user's districts
for affiliated user
the user must have the External/affiliated user authority for the action and a registered relation with the external partner/affiliation attached to the recipient (e.g. a CA on the HF of a claim)
Change to be done:
add HF user specific authorities
PortalRead, which will require a link to the HF in addition to the right
create an HF user table (or make PH user more generic)
link to HF
link to user
Update the claim to take a user instead of a CA
CA table should become a view for compatibility
id = User ID
uuid = user UUID
code = user login
lastname = User Name
other_name = User other name
dob = user DOB (to be added if it does not exist)
email_id = user email
phone = user phone
HF = the HF of the HF user
support all kinds of location for the user location (not only district)
Partially done, multilevel parent to be supported
have a helper to check the right per level of location and adapt all queries to use it (could be a function that returns a filter)
Done: LocationManager.build_user_location_filter
drop the EO table (use a normal user + location = village or district)
create an EO view for compatibility
Question: Should we create a "contact" table to have CAs without a user (could be reused for practitioners), or have a user that cannot log in?
reuse individual + some kind of many-to-many relation
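The two rules under "How access is checked" (authority from the role plus a location match for general users; authority plus a registered affiliation for external users) and the location filter helper from the change list are illustrated below in one added example. This is not openIMIS code: the Location tree, the User fields, the authority names and the LocationManager implementation are constructed here; only the helper name build_user_location_filter comes from the page.

```python
# Added example, not openIMIS code: a location-aware permission check.
# Assumptions (constructed for this example): locations form a tree of ids
# with a parent pointer; a user carries role authorities, location
# assignments at any level, and registered external affiliations.
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Location:
    id: int
    parent_id: Optional[int]  # None for the top level


@dataclass(frozen=True)
class User:
    id: int
    authorities: frozenset[str]                             # from the user's roles
    location_ids: frozenset[int] = frozenset()              # region, district, village ...
    affiliations: frozenset[tuple[str, int]] = frozenset()  # e.g. ("HF", 7)


class LocationManager:
    """Stand-in for the page's LocationManager.build_user_location_filter
    (hypothetical implementation, not the project's)."""

    def __init__(self, locations: Iterable[Location]):
        self._children = {}
        for loc in locations:
            self._children.setdefault(loc.parent_id, []).append(loc.id)

    def descendants(self, root_id: int) -> set[int]:
        # A location plus everything below it, however many levels deep.
        seen, stack = {root_id}, [root_id]
        while stack:
            for child in self._children.get(stack.pop(), []):
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
        return seen

    def build_user_location_filter(self, user: User) -> Callable[[int], bool]:
        # Expand every assigned location to its subtree so a district or
        # region assignment also covers the villages under it (multilevel parent).
        allowed: set[int] = set()
        for loc_id in user.location_ids:
            allowed |= self.descendants(loc_id)
        return lambda location_id: location_id in allowed


def check_general_access(user, authority, recipient_location_id, manager):
    # Rule 1: the role must grant the authority.
    # Rule 2: the recipient must sit inside one of the user's locations.
    if authority not in user.authorities:
        return False
    return manager.build_user_location_filter(user)(recipient_location_id)


def check_affiliated_access(user, authority, partner):
    # An external user needs the affiliated-user authority AND a registered
    # relation with the partner attached to the recipient (e.g. a CA on the
    # HF of a claim); location is not consulted on this path.
    return authority in user.authorities and partner in user.affiliations


# Constructed sample tree: region 1 > districts 10, 11 > villages 100, 101, 110
SAMPLE_LOCATIONS = [
    Location(1, None), Location(10, 1), Location(11, 1),
    Location(100, 10), Location(101, 10), Location(110, 11),
]
MANAGER = LocationManager(SAMPLE_LOCATIONS)
DISTRICT_USER = User(2, frozenset({"CLAIM_REVIEW"}), location_ids=frozenset({10}))
REGION_USER = User(3, frozenset({"CLAIM_REVIEW"}), location_ids=frozenset({1}))
CLAIM_ADMIN = User(4, frozenset({"EXTERNAL_CLAIM_SUBMIT"}),
                   affiliations=frozenset({("HF", 7)}))

if __name__ == "__main__":
    print(check_general_access(DISTRICT_USER, "CLAIM_REVIEW", 101, MANAGER))  # True
    print(check_general_access(DISTRICT_USER, "CLAIM_REVIEW", 110, MANAGER))  # False
    print(check_affiliated_access(CLAIM_ADMIN, "EXTERNAL_CLAIM_SUBMIT", ("HF", 7)))  # True
```

Returning a predicate (or, in a Django code base, a Q object) from the helper is what lets every query reuse the same location logic instead of each module re-implementing the district check.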
Action upon deletion of an user
all related access CIs must be "deleted" too (flag deleted set to True)
Action upon deletion of an external partner
in all cases the relation between the users and the external partner must be "deleted" too
if the users are only related to that given external partner (have no relation to any other external partner) then the user must be "deactivated"
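The two deletion rules above, as an added example that is not part of the page or of openIMIS: the tables, the "deleted" and "active" flags and the sample data are constructed here to show the cascade (flag every related access CI and relation, then deactivate only users left with no other partner).

```python
# Added example, not openIMIS code: cascading soft-delete when a user or an
# external partner is deleted. Tables and names are constructed for the
# example; "deleted" and "active" flags stand in for the page's
# "flag deleted to True" and "deactivated".
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class User:
    id: int
    active: bool = True
    deleted: bool = False


@dataclass
class AccessCI:
    """Any access configuration item: role, district, village, HF link ..."""
    user_id: int
    kind: str
    ref_id: int
    deleted: bool = False


@dataclass
class Affiliation:
    """Relation between a user and an external partner (organisation, HF ...)."""
    user_id: int
    partner_id: int
    deleted: bool = False


class AccessStore:
    def __init__(self, users, access_cis, affiliations):
        self.users = {u.id: u for u in users}
        self.access_cis = list(access_cis)
        self.affiliations = list(affiliations)

    def delete_user(self, user_id: int) -> int:
        """Soft-delete the user and every access CI and affiliation that
        points at it. Returns the number of items flagged."""
        self.users[user_id].deleted = True
        flagged = 0
        for item in (*self.access_cis, *self.affiliations):
            if item.user_id == user_id and not item.deleted:
                item.deleted = True
                flagged += 1
        return flagged

    def delete_external_partner(self, partner_id: int) -> list[int]:
        """Soft-delete every relation to the partner; deactivate the users
        that have no remaining relation to any other partner. Returns their ids."""
        touched = set()
        for aff in self.affiliations:
            if aff.partner_id == partner_id and not aff.deleted:
                aff.deleted = True
                touched.add(aff.user_id)
        deactivated = []
        for uid in sorted(touched):
            still_linked = any(a.user_id == uid and not a.deleted
                               for a in self.affiliations)
            if not still_linked:
                self.users[uid].active = False
                deactivated.append(uid)
        return deactivated


def build_sample_store() -> AccessStore:
    # Constructed data: user 1 only at partner 7, user 2 at 7 and 8, user 3 at 8.
    return AccessStore(
        users=[User(1), User(2), User(3)],
        access_cis=[AccessCI(1, "ROLE", 5), AccessCI(2, "DISTRICT", 10),
                    AccessCI(3, "ROLE", 5), AccessCI(3, "VILLAGE", 100)],
        affiliations=[Affiliation(1, 7), Affiliation(2, 7),
                      Affiliation(2, 8), Affiliation(3, 8)],
    )


if __name__ == "__main__":
    store = build_sample_store()
    print(store.delete_external_partner(7))  # [1]: user 2 keeps partner 8
```

Deleting partner 7 in the sample deactivates user 1 only; user 2 stays active because its relation to partner 8 is still live, which is exactly the "no relation to another external partner" condition.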
Full admin
Every system needs a super admin to solve issues experienced by other users
changes required:
add an "is_admin" flag to the interactive user
if "is_admin" is true, all "check permission" calls must return True
only a super admin can make another user a super admin
block Technical user
Allow user with is_admin = True to connect to django admin
nice to have: impersonation of another user by a super admin, with all restrictions of the selected user applied
add an impersonator token + the possibility to generate another user's token to do the impersonation
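The super-admin rules (is_admin short-circuit, role assignment limited to the assigner's own roles, is_admin granted only by a super admin) and the impersonation token, as an added example that is neither the page's nor openIMIS code. The signing key, the claim names, the USER_CREATE authority and the "technical" flag (assumed here to mean a non-interactive account that cannot be made admin) are constructed for this example.

```python
# Added example, not openIMIS code: super-admin short-circuit, role
# assignment rules and an impersonation token. The signing key, claim names
# and the "technical" flag are constructed for the example.
from __future__ import annotations
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

SIGNING_KEY = b"constructed-example-key"  # hypothetical; load from config in practice


@dataclass
class User:
    id: int
    roles: frozenset[str]
    authorities: frozenset[str]
    is_admin: bool = False
    technical: bool = False  # non-interactive account (assumption: cannot be admin)


def check_permission(user: User, authority: str) -> bool:
    # is_admin bypasses every authority check, as the page requires.
    return user.is_admin or authority in user.authorities


def can_assign_role(actor: User, role: str) -> bool:
    # Super admin may assign any role; other users with the user-creation
    # authority may only hand out roles they hold themselves.
    if actor.is_admin:
        return True
    return "USER_CREATE" in actor.authorities and role in actor.roles


def set_is_admin(actor: User, target: User, value: bool = True) -> bool:
    # Only a super admin can make (or unmake) a super admin; technical
    # accounts are blocked. Returns whether the change was applied.
    if not actor.is_admin or target.technical:
        return False
    target.is_admin = value
    return True


def _sign(payload: str) -> str:
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_impersonation_token(admin: User, target: User, now: float, ttl: int = 300) -> str:
    # The token names the impersonated user (sub) and the impersonating
    # admin (act) so the audit trail keeps both identities.
    if not admin.is_admin:
        raise PermissionError("only a super admin may impersonate")
    claims = {"sub": target.id, "act": admin.id, "exp": now + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{payload}.{_sign(payload)}"


def resolve_impersonation(token: str, users: dict[int, User], now: float):
    """Return (effective_user, impersonator) or None if the token is invalid.
    Permission checks then run against effective_user, so all of that
    user's restrictions apply and the admin bypass is NOT inherited."""
    if "." not in token:
        return None
    payload, sig = token.rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["exp"] < now:
        return None
    return users[claims["sub"]], users[claims["act"]]


# Constructed users
ADMIN = User(1, frozenset({"ADMIN"}), frozenset(), is_admin=True)
CLERK = User(2, frozenset({"CLERK"}), frozenset({"USER_CREATE", "CLAIM_VIEW"}))
BATCH = User(3, frozenset(), frozenset(), technical=True)
USERS = {u.id: u for u in (ADMIN, CLERK, BATCH)}

if __name__ == "__main__":
    token = issue_impersonation_token(ADMIN, CLERK, now=1000.0)
    effective, actor = resolve_impersonation(token, USERS, now=1100.0)
    print(effective.id, actor.id, check_permission(effective, "CLAIM_EDIT"))  # 2 1 False
```

The point of resolving the token to the impersonated user rather than to the admin is that every subsequent check_permission call sees that user's is_admin == False and that user's authorities, which is the "all restrictions of the selected user should be applied" requirement; the impersonator id stays in the token only for logging.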
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-sa/4.0/