Access management

Owned by Patrick Delcroix
Last updated: Apr 06, 2023

Access management in openIMIS

 

Role manangement:

Only super admin (is_admin==True) are able to add all roles, any other user with the authority to create user can only add his own role

 

Access management dimensions:

  • Authorities (Configuration Items, roles and Authorities)

  • Location (Configuration Items, User District, User Village)

  • External affiliation

    • HF user (Configuration Items, Claim Administrator)

    • PolicyHolder User (Configuration Items, PolicyHolder user)

 

How access is checked

for Scheme user:

  • the user role must have the authorities required to the the action and the recipient of the action must belong to a location or service provider within the user districts

for External user

  • the user must have the External user authority in action to a register relation with the external partner attached the the recipient (ex. CA on HF for a claim )

 

Change to be done:

  • add HF user specific authorities

  • create an HF user table (or make PH user more generic)

    • link to HF

    • link to user

  • Update the claim to take a user instead of a CA

  • CA table should become a view for compatibility

    • id = User ID

    • uuid = user UUID

    • code = user login

    • lastname = User Name

    • other_name = User other name

    • dob = user DOB (to be added if not existing)

    • email_id = user email

    • phone = user phone

    • HF = HF user HF

  • support all kind of location for the user location (not only disctrict)

  • have an helper to check the right per level of location and adapt all queries to use it (could be a function that return a filter)

  • drop the EO table (or merged to Policyholder table into an External user table ? )

  • create a EO view for compatibility

 

  • Question : Should we create a “contact” table to have CA without user ? (could be reused for practitioner) or have a user that cannot login

Action upon deletion of an user

all related access CI must be “deleted“ too (flag deleted to True)

Action upon deletion of an external partner

in all case the relation between the users and the external partner must de “deleted“ too

if the users are only related to that given external partner (have no relation to other external partner) then the user must be “deactivated”

Full admin

Every system need super admin to solve issues experienced by other user

change required:

  • add a “is_admin“ to interactive user

  • if “is_admin“ is true all “check permission“ must return True

  • only a super admin can define a user a super admin

  • block Technical user

  • Allow user with is_admin = True to connect to django admin

  • nice to have: impersonisation of super admin as other user - all restriction of the selected user should be applied

 

Did you encounter a problem or do you have a suggestion?

Please contact our Service Desk


This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-sa/4.0/