- Our basic role-based security involves basic SQL CRUD permissions on each table. In addition, we have permissions for viewing/editing forms. We have encountered the same issues described in Dominic Duggan's presentation – many privileges to assign, many facilities avoiding problems by giving people more rights than they should have.
- Restrict by roles module: https://modules.openmrs.org/modules/view.jsp?module=restrictbyrole. This is currently unsupported and apparently did not work quite as desired. It can do both location and role limitation if each location is given its own role.
- In OpenMRS 1.10 it is possible to define a privilege required to view or edit an encounter (see TRUNK-3377).
- A prototype implementation of the British Medical Association (BMA) security model was created as part of a senior design project. See this wiki page.
- Lasantha Ranaweera created an XACML version of OpenMRS; see the discussion at https://groups.google.com/a/openmrs.org/forum/?fromgroups#!topic/dev/ZABGquZ8vdg and the Resources below.
- Philip Fong and Syed Zain Rizvi have implemented a Relationship-Based Access Control (ReBAC) system in OpenMRS. An important feature of ReBAC is the explicit tracking of relationships between individuals in the system, and making authorization decisions based on these relationships. Role-Based Access Control (RBAC), which OpenMRS implements, provides a reasonably robust mechanism for restricting access to information; however, OpenMRS does not yet have a mechanism for restricting access to specific data (e.g., a clinician is allowed to access the record of patient X, but not patient Y; or, a clinician is permitted to access a patient's data except for specific lab results). See Resources below.
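
The RBAC versus ReBAC distinction in the last item, as an added sketch (not code from OpenMRS or from the ReBAC implementation mentioned above). Every user, role, privilege and relation name here is a constructed assumption. The role check alone would let any clinician read any record; the relationship check narrows access to patients the clinician is actually connected to.

```python
from collections import defaultdict

# Constructed sample data; all names, roles and relation labels are hypothetical.
ROLE_PRIVILEGES = {"Clinician": {"View Patients"}, "Clerk": set()}
USER_ROLES = {"dr_a": {"Clinician"}, "dr_b": {"Clinician"}, "clerk_c": {"Clerk"}}

# Directed, labelled relationship edges: (subject, relation, object).
RELATIONSHIPS = [
    ("dr_a", "member_of", "team_1"),
    ("team_1", "treats", "patient_x"),
    ("dr_b", "treats", "patient_y"),
]

# Relation paths from requester to patient that justify viewing the record.
VIEW_RECORD_PATHS = [("treats",), ("member_of", "treats")]


def has_privilege(user, privilege):
    """RBAC check: does any of the user's roles grant the privilege?"""
    return any(privilege in ROLE_PRIVILEGES.get(role, set())
               for role in USER_ROLES.get(user, set()))


def build_graph(edges):
    """Index edges as (subject, relation) -> set of objects."""
    graph = defaultdict(set)
    for subject, relation, obj in edges:
        graph[(subject, relation)].add(obj)
    return graph


def path_exists(graph, start, labels, target):
    """Follow the relation labels in order from start; True if target is reached."""
    frontier = {start}
    for label in labels:
        frontier = {nxt for node in frontier for nxt in graph.get((node, label), ())}
        if not frontier:
            return False
    return target in frontier


def can_view_record(user, patient, edges=RELATIONSHIPS):
    """RBAC gate first, then the ReBAC relationship requirement (deny by default)."""
    if not has_privilege(user, "View Patients"):
        return False
    graph = build_graph(edges)
    return any(path_exists(graph, user, path, patient) for path in VIEW_RECORD_PATHS)
```
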