feature request: user access control (groups level access) for CRUX #28
Comments
|
@eric-jahn we are adding this on the to do list. Thank you for suggesting this |
|
@ashaban: The company I work for, hslynk.com, is open source, and we use OpenCR, so we would be happy to test this with you, as you develop it. We use OAuth2. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We can't use the CRUX UI equivalent, because users would be able to see patient records from outside their organization. So we will have to make a new, restricted UI for viewing matched clients which were added already by their organization, or which were shared from another organization. Some HIE implementations may allow the Client Registry participating member organizations to see all identifiers across all organizations, but we can't have that for our human services purposes.
I think this could be implemented by allowing an external ACL system (OAuth 2 implementation) to determine if the user requesting access to CRUX for a given person/patient id should be granted access, based on group "ownership" or sharing permissions, for that record. In our system, the ACL uses a combination of client consent, agency internal roles, and inter-agency sharing rules, to determine whether access should be granted. I imagine every system using Open CR will use a different ACL regime, so Open CR could just rely on that external ACL system's "accept" or "reject" response.
The text was updated successfully, but these errors were encountered: