...
| Info | ||
|---|---|---|
| ||
| The proposed solution sacrifices the possibility of having different Access Scopes for different Permissions in order to gain simplicity both in the implementation and in the configuration of the Roles. |
Proposed EM
.png?version=1&modificationDate=1413880285287&cacheVersion=1&api=v2)
Each organizational unit (Organization, Facility, Workspace and Role) now has a corresponding table that grants access to individual roles. In this way, we could have a granularity up to the Room level.
In this new approach, the table RolePermission doesn't have the column OrganizationId anymore. The scope where a permission is applied is given by the join of all the *Access tables where the Role is present.
| Info | ||
|---|---|---|
| ||
| A Role that has access to Organization 'A' also has access to any organizational unit below it. |
Permission Mappings
The application currently supports 31 different permissions. The new design will reduce the number of permissions to 14. Some of the old permissions had a 'list' and 'read' version (i.e. read_users and list_users) that were actually never used in reality. The new design will merge those 2 kind of permissions into a single 'read' one.
The current implementation also has some permissions of the form *_from_all_organizations (i.e. list_users_from_all_organizations) that are no longer needed given the new Access Scopes. Same thing happens to the permissions of the form *_from_current_organization and *_from_current_facility.
Some other permissions like list_organizations, list_facilities, list_workspaces and list_rooms are no longer explicit permissions. They can now be related to a particular Access Scope.
The mappings between the current permissions and the proposed ones are:
Current Permission | New Permission | Used In | Comment |
|---|---|---|---|
| list_organizations | This permissions has no counterpart in the new design. List Organizations operation will return all the Organizations that are in the Access Scope of the user that is invoking the operation. Read Organization operation will fail if the invoker doesn't has access to the requested Organization. | ||
| read_organization | |||
| list_facilities | This permissions has no counterpart in the new design. List Facilities operation will return all the Facilities that are in the Access Scope of the user that is invoking the operation. Read Facility operation will fail if the invoker doesn't has access to the requested Facility. | ||
| read_facility | |||
| list_workspaces | This permissions has no counterpart in the new design. List Workspaces operation will return all the Workspaces that are in the Access Scope of the user that is invoking the operation. Read Workspace operation will fail if the invoker doesn't has access to the requested Workspace. | ||
| read_workspace | |||
| list_rooms |
| This permissions has no counterpart in the new design. List Rooms operation will return all the Rooms that are in the Access Scope of the user that is invoking the operation. Read Room operation will fail if the invoker doesn't has access to the requested Room. | |
| read_room |
| ||
| list_roles | |||
| read_role |
| ||
| list_users | |||
| list_users_from_all_organizations |
| ||
| read_user | |||
| delete_user | |||
| modify_user | |||
| modify_own_user | |||
modify_user_nfc_tag | |||
| list_patients_from_all_organizations | |||
| list_patients_from_current_organization | |||
| list_patients_from_current_facility | |||
| modify_patients_from_all_organizations |
| ||
| modify_patients_from_current_organization |
| ||
| modify_patients_from_current_facility |
| ||
| list_discharged_patients | |||
| discharge_patients | |||
| final_discharge_patients | |||
| send_messages | |||
read_alerts_only_from_associated_patients | |||
read_alerts_from_entire_organization | |||
| re_schedule_alerts_from_all_organizations | |||
| re_schedule_alerts_from_organization |