Hi Burke,
Thanks a lot, and this will definitely help my work.
Regards,
Lasantha
On 01/25/2012 09:06 AM, Burke Mamlin wrote:
OpenMRS uses basic RBAC <http://en.wikipedia.org/wiki/Rbac>. There's
an overview on roles & privileges on this page
<https://wiki.openmrs.org/x/uBEz> and this page
<https://wiki.openmrs.org/x/WAA3AQ>. Within the code (for API &
module service methods), we use @Authorize annotations
<https://wiki.openmrs.org/x/CxIz#OpenMRSAnnotations-@Authorize> to
specify which privileges are required. Web pages use JSTL tags like
<openmrs:require> to require privileges to view that page and
<openmrs:hasPrivilege> to restrict access to portions of a page. All
uses of the API (whether from the web application or not) must be
authenticated via
org.openmrs.api.context.Context.authenticate(username,password)
<http://resources.openmrs.org/doc/org/openmrs/api/context/Context.html#authenticate%28java.lang.String,%20java.lang.String%29>
and pass the privilege checking on API methods.
The RBAC system provides a reasonably robust mechanism for restricting
access to system behaviors; however, we do not yet have a mechanism
for restricting access to specific data (e.g., you can see data for
patient X, but not patient Y; or, you can see your patient's data
except for specific lab results).
Hope this helps.
Cheers,
-Burke
On Tue, Jan 24, 2012 at 7:19 PM, Lasantha Ranraawee
<[email protected] <mailto:[email protected]>> wrote:
Thanks for the many enthusiastic comments and suggestions.
Can somebody point me to a document or Java code reference to
understand the existing authorisation implementation of OpenMRS?
Looking forward to working with this vibrant community :-)
Cheers,
Lasantha
On 01/24/2012 11:50 PM, Ben Wolfe wrote:
This would be larger than just authentication though, more like
overhauling the privileges/roles than just allowing for ldap.
But we do need to get the LDAP fix in there, perhaps this is a
way to sneak that in. :-)
Ben
On Tue, Jan 24, 2012 at 12:56 PM, Burke Mamlin
<[email protected] <mailto:[email protected]>> wrote:
We modeled an AuthenticationScheme a while ago, but it hasn't
been coded yet. There's probably a wiki page and/or ticket
out there somewhere related to this and LDAP support... if it
helps.
-Burke
On Tue, Jan 24, 2012 at 12:40 PM, Ben Wolfe <[email protected]
<mailto:[email protected]>> wrote:
There were also some projects that we heard about after
they were written doing finer based access control.
Because of this we were unable to incorporate them into
the code base. Google should turn those up.
There was also a discussion over a year ago about this on
the dev list with Jim Grace, that might give you some
ideas too.
Once you get some ideas, it'd be great to hear them on a
design call https://wiki.openmrs.org/display/RES/Design+Forum
Ben
On Tue, Jan 24, 2012 at 11:18 AM, Friedman, Roger
(CDC/CGH/DGHA) (CTR) <[email protected] <mailto:[email protected]>>
wrote:
Lasantha -- Jembi did an overhaul of the security
mechanism for OpenMRS for the South Africa sports
organization, maybe Carl has some bandwidth to give
you a hand
-----Original Message-----
From: [email protected] <mailto:[email protected]>
[mailto:[email protected] <mailto:[email protected]>] On
Behalf Of Lasantha Ranraawee
Sent: Tuesday, January 24, 2012 10:08 AM
To: [email protected]
<mailto:[email protected]>
Subject: [OPENMRS-DEV] Policy based Access Control
for OpenMRS
Dear All,
I am a student in the Information Security Master's degree
program at the University of Colombo. As my final year
project I am planning to implement security policy
based access control for OpenMRS.
In this work we are planning to support XACML based
security policies in the system. This work includes
integrating an existing XACML engine with the OpenMRS code
base and supporting various types of security
policies with it (including usage control policies).
As I am a newcomer to the OpenMRS community, I would
like to get your feedback on this idea. Comments,
suggestions and help are welcome and expected !!!
Kind regards,
Lasantha
_________________________________________
To unsubscribe from OpenMRS Developers' mailing list,
send an e-mail to [email protected]
<mailto:[email protected]> with "SIGNOFF
openmrs-devel-l" in the body (not the subject) of
your e-mail.
[mailto:[email protected]
<mailto:[email protected]>?body=SIGNOFF%20openmrs-devel-l]