Authorities and regex
Hi all,
I did some digging today to figure out how to setup authorities. It looks like our authorities are scattered enough to warrant creation of quite a few authorities to make a meaningful role. It would be preferrable, to have fewer authorities to deal with.
For instance, I'd love to have authorities like: Nurse Create Auth, Nurse Read Auth, Nurse Save Auth.
The problem with this is that no single set of auths can be specified with a simple wildcard, and would need to be split out. So, I started digging into the code to see if regex is supported. Unfortunately, I'm not versed in the framework and got a little lost.
I guess question #1 is, are regular expressions supported here? I came across this, which would indicate support had been removed for this: https://openvpms.atlassian.net/browse/OBF-48. That's pretty old though.
If it's not supported, I'd suggest that this would greatly simplify, or perhaps enable, authority management.
Cheers, Paul
Re: Authorities and regex
Regular expressions aren't supported. I'd be reluctant to support them too, as they tend to be too complex for end users, and could end up granting more than expected.
In 1.5, Tony has put together sample roles which may simplify things.
Its located in <OPENVPMS_HOME>/import/data/roles.xml.
-Tim
Re: Authorities and regex
Thanks Tim,
I'll have a look.
Paul
Re: Authorities and regex
Hi Tim,
I've played around with the roles some. I haven't been able to accomplished what I'd hoped. In many instances, it appears that an act is created, and then saved all as a part of its initial creation. We'd hoped to prevent people from modifying things once they enter it the first time. This is particularly true of medical records. If the initial creation is both a create and a save internally, there's no way to distinguish between the two operations.
I also failed to figure out how to prevent users from doing account adjustments. I saw there was an authority in there for this, but some other authority must be granting this access. I have "Customer Charges" "Create and Save" authorities added, but still can't create an invoice.
Those were the two things I was after initially, as well as a way to prevent people from seeing the deposits reporting screen. It looks like either I'm very confused here, or it's not quite ready for my use case.
Cheers, Paul
Re: Authorities and regex
The existing authorities are not expressive enough to be able to restrict access to portions of the application, as they only cover archetypes. The way around this is to map those authorities to roles. At present, there is the Administration role, which provides access to the Administration workspace, amongst others.
With regards to adjustments, make sure you haven't assigned the Administration role to the user.
To enable a user to create and save charges but not adjustments, using the sample roles.xml, do the following:
1. Create a new role, "Create/Save/Remove Customer Charges"
2. Select the following authorities:
3. Edit a user and only select the following roles:
When you log in as the user, you should be able to create charges but not adjustments.
-Tim
Re: Authorities and regex
-
Re: Authorities and regex
Thanks Tim,
Who would have thought it would take me this long to get around to playing with this. I'm not sure if I'm doing something wrong here... but the attached screenshot shows a possible bug? This is v1.6-b3. I attempted to add all authorities to a role, and then delete the ones I don't want (thought it would be faster that way).
Cheers, Paul