gnumed-devel

Re: draft Re: [Gnumed-devel] Managing users: restricting access within G


From: James Busser
Subject: Re: draft Re: [Gnumed-devel] Managing users: restricting access within GNUmed
Date: Thu, 06 Aug 2009 11:46:02 -0700 (PDT)

-----Original Message-----

> Date: Thu Aug 06 07:14:39 PDT 2009
> From: "Karsten Hilbert" <address@hidden>
> Subject: Re: draft Re: [Gnumed-devel] Managing users: restricting access within GNUmed
> To: address@hidden
>
> On Wed, Aug 05, 2009 at 11:19:47AM -0700, Jim Busser wrote:
> 
> > >a) enable GNUmed to create clerical and clinical users
> > >   (currently all users are clinically enabled)
> > 
> > create/add?
> > 
> >     gm-clinical
> >     gm-clerical
> 
> Yes. gm-doctors can be used as gm-clinical

So...

1) are you suggesting that the *database* groups be

   gm-clerical
   gm-doctors
   gm-clinical

where 

- gm-clerical will obsolete gm-staff_office
- gm-doctors will obsolete gm-staff_medical
- gm-doctors will have more access rights than gm-clinical (who would 
eventually be defined as having some in-between grants)?

2) if each member of dem.staff might be able to have more than one 
dem.staff_role, do we need a link table to support this one-to-many?

3) in 0.6 shall we provide

dem.staff_role of "doctor" member of gm-doctors
dem.staff_role of "clerical" member of gm-clerical

I would be happy to test some of the restrictions that we intend to support 
using such a role. In order for this to work, will it need every schema and 
table (except those we wish to restrict) to be tagged accessible by 
gm-clerical, and all tagged accessible by gm-doctors? The alternative of 
specifying only those database groups which *cannot* access certain schemas and 
tables (if it exists) may be attractive, but maybe also not a sane policy.
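
The allow-list approach and the link table raised in the message above, sketched in PostgreSQL as an added example that is not part of the original post and not GNUmed's own schema or bootstrap code. The group names come from the thread; the `demo_dem` and `demo_clin` schemas, their tables and their columns are hypothetical stand-ins. It assumes a scratch database, a superuser session and PostgreSQL 9.0 or later (for `ALL TABLES IN SCHEMA`).

```sql
-- Added illustration: run in a scratch database; everything is rolled back.
BEGIN;

-- Group roles named in the thread (no login of their own).
CREATE ROLE "gm-clerical" NOLOGIN;
CREATE ROLE "gm-doctors"  NOLOGIN;

-- Hypothetical stand-ins: one schema open to both groups, one restricted.
CREATE SCHEMA demo_dem;
CREATE SCHEMA demo_clin;

CREATE TABLE demo_dem.staff      (pk serial PRIMARY KEY, db_user name UNIQUE NOT NULL);
CREATE TABLE demo_dem.staff_role (pk serial PRIMARY KEY, name text UNIQUE NOT NULL);

-- Question 2: a link table lets one staff member hold several roles.
CREATE TABLE demo_dem.lnk_staff2role (
    fk_staff integer NOT NULL REFERENCES demo_dem.staff(pk),
    fk_role  integer NOT NULL REFERENCES demo_dem.staff_role(pk),
    PRIMARY KEY (fk_staff, fk_role)
);

CREATE TABLE demo_clin.narrative (pk serial PRIMARY KEY, note text NOT NULL);

-- PostgreSQL privileges are additive and there is no DENY rule, so a
-- "cannot access" list can only be expressed as grants that were never made.
-- New schemas and tables grant nothing to PUBLIC by default; the REVOKEs
-- make that starting point explicit.
REVOKE ALL ON SCHEMA demo_dem, demo_clin FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA demo_dem, demo_clin FROM PUBLIC;

-- Allow-list: both groups get the demographic schema ...
GRANT USAGE ON SCHEMA demo_dem TO "gm-clerical", "gm-doctors";
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA demo_dem
    TO "gm-clerical", "gm-doctors";
GRANT USAGE ON ALL SEQUENCES IN SCHEMA demo_dem TO "gm-clerical", "gm-doctors";

-- ... and only gm-doctors gets the restricted one.
GRANT USAGE ON SCHEMA demo_clin TO "gm-doctors";
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA demo_clin TO "gm-doctors";
GRANT USAGE ON ALL SEQUENCES IN SCHEMA demo_clin TO "gm-doctors";

-- Audit the effective privileges of each group.
SELECT r.rolname,
       has_table_privilege(r.rolname, 'demo_dem.staff', 'SELECT')      AS dem_select,
       has_schema_privilege(r.rolname, 'demo_clin', 'USAGE')           AS clin_usage,
       has_table_privilege(r.rolname, 'demo_clin.narrative', 'SELECT') AS clin_select
FROM pg_roles r
WHERE r.rolname IN ('gm-clerical', 'gm-doctors')
ORDER BY r.rolname;

ROLLBACK;
```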




