Missing roles and authorities
Greetings all...
The clinic construction is just about over with a target opening date in earliest January. Woohoo! Finally! Next week we will be doing OpenVPMS training with the new staff. For that, we'll be using the practice version of OpenVPMS that I had set up some time ago, using the full sample database off of subversion. As best I can remember, however, in setting up our production version of OpenVPMS, I just did the installation as outlined in the 1.7 installation notes, so it is pretty pristine.
In trying to set up users in the production version, however, I noticed today that there is only one role exposed: administrator, and authorities are limited to Create.All, Save.All and Remove.All. In the demo version using the subversion database, there are like 7 pages of authorities from which roles can be created.
From what I have been able to find on the forums, I'm thinking that I should at least find Clinician as a role in the basic database.
I must be missing something. Where are all the authorities... and the clinician role?
Thanks,
Sam Longiaru
Kamloops, BC
Re: Missing roles and authorities
I think your getting ROLES and USER TYPES confused
currently there are 4 default user types
Found under Lookups - User Types
The default load out only includes the administration role which can create and do anything
You can load the ROLES.xml file which is in the zip which gives a few more custom role settings.
Roles are not well implemented in my opinion and it can be confusing to get them setup correctly...often you find you need to give roles to users that dont entirely make sense to allow basic functionality.
Re: Missing roles and authorities
OK... Thanks. I did find that I needed to look a couple of tabs over to CATEGORY in order to specify a new user as either an Administrator, Clinician, Nurse or Receptionist and that does have an effect as to whether they have access to the Adminstration menu or not. But beyond that, I don't see what's happening. Administration > Lookups > User Types shows the four "Categories" but nothing is specified there beyond their names. Using the Subversion sample database, Administration > Roles lists two, Administration and Base, and it is in clicking on those, that you arrive at the Edit Role window where you can assign any number of up to 117 authorities to the Role. In the basic installation database, only the type Administration is available under Administration > Roles, and editing the role only displays three authorities, all of which are selected: Create.All, Remove.All and Save.All. There are no other roles or authorities listed. It is strange that when I Alt-F1 while in the Edit Role window, what comes up is a help screen that appears far more like the Subversion sample database (listing numerous available authorities) and I only have three available. That's why I was wondering if I'm doing anything wrong... like skipping a step here... or did something wrong in the installation.
Perhaps the extended sample database in the Subversion source is a proof-of-concept DB, and the authorities granted to Adminisrator, Clinician, Nurse or Receptionist are hard-coded in the 1.7 release? That's all I can figure. I'll look into the roles.xml as you suggest though.
Thanks, again
Sam
Re: Missing roles and authorities
Basically
the User types dictate certain things
1. Clinician dictates a user who can fill that field in consults and invoices
2. Administrator dictates a person who can see the admin menus
Roles control stuff in a more fine grained way...but as I said they can be finicky
You must have the Admin usertype to edit products
user types are hardcoded
Re: Missing roles and authorities
Sam - I did a fair amount of work on this when I was doing our conversions from RxWorks, and I subsequently sent some emails to Tony & Tim A. Below is an extract from one on these, and I have attached the xml file. [I have changed the extension from.xml to .txt so that I can attach it. So change the extension back and load it with dataload - AFTER doing some edits. If you simply load it you will probably end up with some duplicate roles and authorities in your system. You may just want to look through the file and manually update your system.]
You will see that the attached file creates the following roles:
So when creating a user, assuming that they are not to be administrators, then you give them the Base Role, and their “job role”, ie one of Clinician, Nurse, Reception, and then if they have a logistics responsibility, then give then Logistics as well. [Note that seeing that in this setup, the Clinician, Nurse, and Reception roles have no extra authorities, giving these roles has no real effect. However, I think that it is a sensible thing to do as it allows for some authorities to be removed from the base role and added to one or more of these roles.] I suppose that one could also remove my concept of Base+”job role” by deleting the Base role after copying its authorities completely into the Clinician, Nurse and Reception roles. However I think that the Base+ approach makes the set up clearer.
Note that (as per http://www.openvpms.org/documentation/csh/1.7/concepts/users ) the Logistics staff must have Administrator as one of their categories, otherwise they will not be able to do product and price maintenance.
I hope this helps.
Regards, Tim G
Re: Missing roles and authorities
Hi Tim G,
Thanks very much for the additional information. I'm very slowly starting to get the picture here. My understanding now is that the subversion db I am using in our training version of OVPMS already had imported into it the included roles.xml or some incarnation of your attached setup-roles-auth.xml and that when doing a fresh install from the release zip, calling dataload with the "setup" option does not load the included roles.xml... at least I don't see it being loaded by the dataload script.
This expanded access to authorities does seem like a very useful way to go. Since roles.xml is included in the release, I suppose that OVPMS is moving in this direction. I'm sorry then that roles.xml is not included in the default "base" or "setup" options in dataload. It does seem like an "undocumented feature".
If you don't think that I will be boxing myself in down the road in any way on our production database by importing your set-up-roles-auths.xml, then I will do some editing (particularly the upper section duplicated from base.xml) and import it by modifying dataload to include a third option... "roles". If this seems like a reasonable, approach, then I'll try it out on my VBox test servers first. I think I need to go this way as I'm not clear at all has to how I would manually update the system... particularly in regards to the security.archetypeAuthorities.
Thanks again for your help. I see a small light.
Sam
edit: Oh I see that I may not have to modify dataload.sh. It looks like if you don't specify "base" or "setup" that it takes a filename as a command-line parameter and executes with that. Nice.
Re: Missing roles and authorities
Sam - I should have perhaps added more background as follows:
The history of this is as follows:
a) when I was doing the RxWorks conversion, I was rebuilding the database on a daily basis, so I had a reset.bat that did as follows:
cd \openvpms\current-release\HKG
mysql -u root --password=openvpms <dbdrop.sql
mysql -u root --password=openvpms <..\db\createdb.sql
mysql -u root --password=openvpms openvpms <db\db-nd.sql
[db-nd.sql is a clone of the standard db.sql frm the releaase package modified to remove the document templates so I could load my own versions]
cd ..\bin
call archload [ie load standard archetypes]
echo on
cd ..\HKG
call archload-tpre [ie load my modified archetypes ]
call dataload-t setup-hkg
call dataload-t lookups
call dataload-t hkg-postcodes
call dataload-t breeds-dogs
call dataload-t breeds-cats
call dataload-t breeds-other
call dataload-t macros
call dataload-t apptReason
The setup-hkg.xml file contained all the role and user setup stuff
b) I was asked by Adrian Simons to fix some of his role setup, so I carved out the role stuff from setup-hkg.xml and made a setup-eve.xml to add the necessary into his system. The renamed version of this is what I sent you - however I screwed up in not realising that I would add some duplicate authorities into his system and then I had to spend some time manually cleaning out the duplicates.
c) after doing the above setup, I then ran a large set of Kettle transforms to suck in 10 years worth of RxWorks data and build the equivalent dataset in OpenVPMS. With a bit of post processing and loading 26,000 attachments, the OpenVPMS system went live 5 hours after shutting down RxWorks.
I will try and get time to have a look at the setup.xml that will be part of the 1.8 release and see how it sets up the roles and authorities.
Regards, Tim G
Re: Missing roles and authorities
Hi Tim,
Thanks for the additional information. Much to ruminate on. You seem to have your archetype types much more separated into topics. I like that approach.
Anyway, I laid out your setup-roles-auth.xml against the release versions of base.xml, setup.xml and roles.xml and found the duplications, but decided in the end to load the release version of roles.xml. I thought that doing an edit and installation of setup-roles-auth.xml after base and setup had already been loaded was for me a potential source of error. It was going to rely on a very careful edit... not always an entirely error-proof process on my part!
So for the time being, I am where I need to be with the flexibility of having the base role present as well as having all the authorities exposed. That should give us the flexibility to set up what we need in terms of user functions.
I'm not sure how much of what we do with now in setting up user authorities will survive an upgrade however. I just looked into the upgrade instructions in the release notes for 1.7 and see that in an upgrade, the archetypes are loaded anew. Oh well... will cross that bridge when we get there with 1.8.
Yes, I think that a review of the installation xmls would be great. Right now, following the installation notes does not lead to having a base role and any of the authorities exposed... unlike what is shown in the help popup screens. And if your are looking, I believe that the four roles and three authorities that I had originally, came from base.xml. Setup.xml seems to hold mostly practice placeholder data, common lookups and breeds.
We're excited about starting the staff training next week. No one really has much experience with OVPMS and so it will turn into a bit of a group exploration party I think. But I'm sure that it will work out fine. Great software and great support.
Thank you Tim and Ben for your help on this.
Sam
Re: Missing roles and authorities
Sam - some comments on the above;
1. Upgrades: I have done a large number of these (as part of the 1.7 beta testing), and have done 3 on the production system (1.7beta to 1.7 to 1.7.1). With an approprate scrip to automate things, the actual upgrade takes under 10 minutes. All the work in is editing our modified archetypes (some 33 of them), and the messages, default, and help.properties files to apply any changes in the new version. I use Ultra Edit/Ultra Compare for this - and a *nix man you are probably happier with diff and vi.
If you have not found it, you may find the archdiff utility (in <OpenVPMS-Home>/bin) to be of use.
It is also worth noting that the sql migration script is re-runnable - if if you use it to upgrade the database from 1.7 to 1.8 beta, then you can happily run the 1.7 to 1.8 script again when you go from 1.8beta to 1.8 so as to include any 1.8 beta to 1.8 final changes.
2. Training: Trilby (my daugher-in-law who manages the practice) ran the training in Hong Kong. The biggest difficulty was to get the staff (and especially the vets) to play hard with the test/training system - and as a result problems surfaced post cut-over that could have been identified and addressed prior to cutover if the staff and vets has played more with the test/training system. However, to be fair, in a busy practice it is difficult to get time away from the standard work to play with a new system.
3. Preload: Remember that adding entries to the various lookup files is an admin function. Hence if a customer comes in with a pet whose breed is not in the system, some admin person needs to add it. Hence it pays to preload as much as possible prior to cutover.
Good luck with the training.
Regards, Tim G
Re: Missing roles and authorities
The upgrades sound fairly straightforward then, as long as one has kept track of their mods and customizations... as I have tried to do. So thanks for settling my mind on that score.
As for the training... truer words were never spoken... or written. I have had the practice/demo version of OVPMS up and available for several months now but as the system admin, it is frustrating to see how little time has ben spent on it by the staff. Granted, building a new hospital is pretty time consuming, but despite my encouragement and dire warnings about the chaos of opening day, all other jobs seem to have taken priority. Oh well, it will just be rougher start than it could have been. But at least I know that they will be using a piece of quality software with the best support I have ever seen.
Many, many thanks to all who have helped me along the way in setting this up.
Sam
Re: Missing roles and authorities
As you've noted, the roles.xml included in the release distribution isn't loaded by default. You need to load it explicitly using either:
or: