OpenMRS uses basic RBAC <http://en.wikipedia.org/wiki/Rbac>. There's an overview on roles & privileges on this page <https://wiki.openmrs.org/x/uBEz> and this page <https://wiki.openmrs.org/x/WAA3AQ>. Within the code (for API & module service methods), we use @Authorize annotations <https://wiki.openmrs.org/x/CxIz#OpenMRSAnnotations-@Authorize> to specify which privileges are required. Web pages use JSTL tags like <openmrs:require> to require privileges to view that page and <openmrs:hasPrivilege> to restrict access to portions of a page. All uses of the API (whether from the web application or not) must be authenticated via org.openmrs.api.context.Context.authenticate(username,password) <http://resources.openmrs.org/doc/org/openmrs/api/context/Context.html#authenticate(java.lang.String, java.lang.String)> and pass the privilege checking on API methods.

The RBAC system provides a reasonably robust mechanism for restricting access to system behaviors; however, we do not yet have a mechanism for restricting access to specific data (e.g., you can see data for patient X, but not patient Y; or, you can see your patient's data except for specific lab results).

Hope this helps.

Cheers,

-Burke

On Tue, Jan 24, 2012 at 7:19 PM, Lasantha Ranraawee <[email protected]> wrote:

> Thanks for the lot of enthusiastic comments and suggestions.
>
> Can somebody point me to a document or Java code reference to understand
> the existing authorisation implementation of OpenMRS?
>
> Looking forward to working with this vibrant community :-) .
>
> Cheers,
> Lasantha
>
> On 01/24/2012 11:50 PM, Ben Wolfe wrote:
>
> This would be larger than just authentication though, more like
> overhauling the privileges/roles than just allowing for ldap. But we do
> need to get the LDAP fix in there, perhaps this is a way to sneak that in.
> :-)
>
> Ben
>
> On Tue, Jan 24, 2012 at 12:56 PM, Burke Mamlin <[email protected]> wrote:
>
>> We modeled an AuthenticationScheme a while ago, but it hasn't been coded
>> yet. There's probably a wiki page and/or ticket out there somewhere
>> related to this and LDAP support... if it helps.
>>
>> -Burke
>>
>> On Tue, Jan 24, 2012 at 12:40 PM, Ben Wolfe <[email protected]> wrote:
>>
>>> There were also some projects that we heard about after they were
>>> written doing finer based access control. Because of this we were unable
>>> to incorporate them into the code base. Google should turn those up.
>>>
>>> There was also a discussion over a year ago about this on the dev list
>>> with Jim Grace, that might give you some ideas too.
>>>
>>> Once you get some ideas, it'd be great to hear them on a design call
>>> https://wiki.openmrs.org/display/RES/Design+Forum
>>>
>>> Ben
>>>
>>> On Tue, Jan 24, 2012 at 11:18 AM, Friedman, Roger (CDC/CGH/DGHA) (CTR)
>>> <[email protected]> wrote:
>>>
>>>> Lasantha -- Jembi did an overhaul of the security mechanism for OpenMRS
>>>> for the South Africa sports organization, maybe Carl has some bandwidth to
>>>> give you a hand
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Lasantha
>>>> Ranraawee
>>>> Sent: Tuesday, January 24, 2012 10:08 AM
>>>> To: [email protected]
>>>> Subject: [OPENMRS-DEV] Policy based Access Control for OpenMRS
>>>>
>>>> Dear All,
>>>>
>>>> I am a student of Information Security Masters degree program in
>>>> University of Colombo. As my final year project I am planning to implement
>>>> Security policy based access control to OpenMRS.
>>>>
>>>> In this work we are planning to support XACML based security policies
>>>> in the system. This work includes integrating existing XACML engine with
>>>> OpenMRS code base and supporting various types of security policies with it
>>>> (including usage control policies).
>>>>
>>>> As I am a newcomer to the OpenMRS community would like to get your
>>>> feedback on this idea. Comments, suggestions and help are welcome and
>>>> expected !!!
>>>>
>>>> Kind regards,
>>>> Lasantha
>>>>
>>>> _________________________________________
>>>>
>>>> To unsubscribe from OpenMRS Developers' mailing list, send an e-mail to
>>>> [email protected] with "SIGNOFF openmrs-devel-l" in the
>>>> body (not the subject) of your e-mail.
>>>>
>>>> [mailto:[email protected]?body=SIGNOFF%20openmrs-devel-l]
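
An added sketch, not OpenMRS code and not part of the thread, of the pattern described in the reply at the top: service methods declare required privileges through an annotation, a wrapper checks them against the caller's roles, and the check says nothing about which patient is being read. All names here (`RequiresPrivilege`, `PatientService`, `ROLES`, `secured`) and the role data are hypothetical stand-ins.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class RbacSketch {
    // Hypothetical stand-in for an annotation naming the privileges a method needs.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresPrivilege { String[] value(); }

    interface PatientService {
        @RequiresPrivilege("View Patients") String getPatient(int patientId);
        @RequiresPrivilege("Delete Patients") void deletePatient(int patientId);
    }

    static class PatientServiceImpl implements PatientService {
        public String getPatient(int id) { return "patient-" + id; }
        public void deletePatient(int id) { }
    }

    // Role -> privileges (constructed sample data).
    static final Map<String, Set<String>> ROLES = Map.of(
        "Clinician", Set.of("View Patients"),
        "Admin", Set.of("View Patients", "Delete Patients"));

    // Wrap the service so every call is checked against the caller's roles first.
    static PatientService secured(PatientService target, Set<String> userRoles) {
        InvocationHandler handler = (proxy, method, args) -> {
            RequiresPrivilege req = method.getAnnotation(RequiresPrivilege.class);
            if (req != null) {
                for (String p : req.value()) {
                    boolean held = userRoles.stream()
                        .anyMatch(r -> ROLES.getOrDefault(r, Set.of()).contains(p));
                    if (!held) throw new SecurityException("Privilege required: " + p);
                }
            }
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (PatientService) Proxy.newProxyInstance(
            PatientService.class.getClassLoader(),
            new Class<?>[] { PatientService.class }, handler);
    }

    public static void main(String[] a) {
        PatientService svc = secured(new PatientServiceImpl(), Set.of("Clinician"));
        System.out.println(svc.getPatient(1));
        // Same privilege, different patient: the check is per behavior, not per record.
        System.out.println(svc.getPatient(2));
        try { svc.deletePatient(1); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

The second `getPatient` call succeeding is the gap the reply points out: a policy layer such as the proposed XACML integration would need the patient identifier, not only the privilege name, as input to its decision.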

