
Overview

This module helps you figure out what privileges are required to perform a particular task, and then assists you with assigning those privileges to roles.

Release notes

1.0

  • Recording privilege checks while a given user performs a particular task
  • Assigning the recorded privileges to roles of a chosen user

Download

Installation

The module requires PrivilegeListener to be in core (currently available in 1.10 rev:27765, in 1.9.1 rev:27768 and in 1.8.4 rev:27769). You can also apply a simple patch to your version of OpenMRS to get this functionality. You can read more about PrivilegeListener here and in the related ticket TRUNK-3365.

If your version of OpenMRS supports PrivilegeListener you can download and install the module from our module repository.

User's guide

On the OpenMRS Administration screen, under "Privilege Helper Module", select the "Log privilege checks" link.

1. First, enter the user whose actions you want to observe. Typically you will choose a super user to perform the task, so that you are not denied access to any page. Later it will be possible to assign the recorded privileges to a user of your choice. We recommend using one account to operate the module and a different account to perform the task, so that privileges required by the module itself are not logged.

2. Before you start logging, make sure that the user you selected has opened the first page needed to perform the task. This way you will log only the privileges that are required for that particular task.

3. The moment you start logging, you will be taken to a page which displays recorded privilege checks. The page is not refreshed automatically so you should click Refresh to see the updated log.

The module tries to determine where a privilege was checked and gives you as much detail as possible, such as the class, method, line number or URL. It also determines whether the privilege was required or optional. Optional privileges are mostly used to hide parts of pages that you are not authorized to see. Unlike required privileges, a missing optional privilege usually does not stop you from performing your task by showing you the missing privilege page. This feature may not be 100% accurate.

4. When the task is done, click Stop logging. You will see the Assign privileges and Discard this recording buttons. Logs are stored in memory and will be gone when you restart OpenMRS or start/stop any module. They will also be overwritten if you decide to start logging for the same user again.

5. When you click Assign privileges, you will be taken to a page which lets you select the user you want to assign the recorded privileges to.

6. Next you will see a table with the logged privileges in rows and the user's roles in columns. From this page you can assign privileges to an existing role, or create a new role and assign it to the selected user. To assign a privilege to a role, select the checkbox in the proper row and column. When you are done, click Save changes.
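
The workflow in steps 1 to 6, modeled as an added Python example (not the module's own code): a per-user in-memory recording, the privilege-by-role table, and the privileges a target user still lacks. The class and function names, the sample privilege, role and location strings, and passing `required` in as an input are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    privilege: str
    required: bool  # False: optional check that only hides part of a page
    where: str      # class/method or URL where the check was made

class Recorder:
    """In-memory log of privilege checks, one recording per observed user."""
    def __init__(self):
        self._logs = {}       # username -> list of Check
        self._active = set()  # users currently being recorded
    def start(self, user):
        self._logs[user] = []  # starting again overwrites the old recording
        self._active.add(user)
    def stop(self, user):
        self._active.discard(user)
    def privilege_checked(self, user, privilege, required, where):
        if user in self._active:  # checks outside a recording are ignored
            self._logs[user].append(Check(privilege, required, where))
    def logged(self, user):
        """Unique privileges in first-seen order, mapped to 'required?'."""
        seen = {}
        for c in self._logs.get(user, []):
            seen[c.privilege] = seen.get(c.privilege, False) or c.required
        return seen

def matrix(logged, roles):
    """Rows are logged privileges, columns are roles (the step 6 table)."""
    return {p: {r: p in privs for r, privs in roles.items()} for p in logged}

def missing(logged, roles, required_only=True):
    """Logged privileges that none of the target user's roles grants."""
    granted = set().union(*roles.values())
    return [p for p, req in logged.items()
            if p not in granted and (req or not required_only)]

def sample_recording():
    """Constructed sample: a super user 'admin' performs one task."""
    rec = Recorder()
    rec.privilege_checked("admin", "Delete Patients", True, "before start")
    rec.start("admin")
    rec.privilege_checked("admin", "View Patients", False, "sample search page")
    rec.privilege_checked("admin", "View Encounters", False, "sample dashboard")
    rec.privilege_checked("admin", "Edit Patients", True, "sample save method")
    rec.privilege_checked("admin", "View Patients", True, "sample get method")
    rec.stop("admin")
    return rec.logged("admin")
```

Calling `missing(sample_recording(), roles)` with the target user's roles lists only the required privileges to grant, which keeps the resulting role close to least privilege; pass `required_only=False` to review the optional ones as well.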


1 Comment

  1. Some suggested enhancements:

    • Use the footer extension point used for in-page localization by the Custom Messages Module to display a toggle button in the footer that is displayed for someone with "Run Privilege Helper" privilege (or whatever you call the privilege to run this module) and lets them toggle between "Log privileges" and "Stop logging privileges".
    • Show simpler view by default
    • Allow logged privileges to be checked against any given user or role – i.e., let me see logged privileges as if they were checked for user Foo, so I can quickly find the one or two missing privileges for that user. Once this exists, an additional feature could be added to make it easy to assign any missing privileges to the user directly from this view (e.g., using a link or icon next to any missing privileges).
    • The privilege assignment page gets too complicated when you introduce assignment to users (that's the job of the user roles/privileges admin page and doesn't need to be here); rather, it could be simplified to show the unique list of privileges as you do and give the option for the admin to create a new role with those privileges. I can try to make you a mockup for this idea when I get a chance.

    Thanks for the module!

    Cheers,
    -Burke