Roles and Privileges

See: Controlling User Access___Roles and Privileges

Privileges define what can or cannot be done in the system (view information, edit information, add information, etc).
Roles group Privileges into manageable sets.
Roles can inherit all the Privileges from another Role.

OpenMRS comes with special predefined Roles that can't be deleted.

The best practice for creating and managing Roles is to create Roles based on job function and have Roles inherit common Privileges from more restricted Roles.

For example, you set up the default Authenticated role to be able to view all patient information on the system. You create a new role called Data Entry Clerk that can edit patient information. You let the Data Entry Clerk role inherit the privileges from the Authenticated role. The Data Entry Clerk role can now view what information is available to the Authenticated role with the additional editing privileges assigned to the Data Entry Clerk role. If you change the privileges of the Authenticated role, you also change the privileges of the Data Entry Clerk role since the Data Entry clerk role has inherited privileges from the Authenticated role. You could then create a Data Entry Manager role that inherits privileges from the Data Entry Clerk and then assign additional privileges to the Data Entry Manager.


Inherited Roles

New Privileges

Inherited Privileges





Data Entry Clerk




Data Entry Manager

Data Entry Clerk

Create patients

Edit + View

Adding a User

01) To add a user, log into OpenMRS as an administrator and click on the "Administration" menu:

02) From there, you will see see a list of options. Click on "Manage Users"

03) Click on "Add User"

04) Click on the "Next" button under "Create a new person"

05) Type in the name of the person and the person's gender

06) Set up a username and password for the person
The password has to be at least 8 characters long
The password has to have uppercase, lowercase, and at least one number

07) Select a Role for the person

08) Click on "Save User" button to add the person

Resetting User Passwords

If a user is locked out, it is possible to reset their password using the "Edit User" administration site. However, if said user is actually the administrator, you may have to reset things manually.

Managing User Lockout

Starting with 1.5, authorization controls were added:

At least the second one is configurable as a global properties: security.loginAttemptsAllowedPerIP