SanteDB iCDR permits users to be grouped together into logical groups. Security groups are collections of users which have one or more policies associated with them.
Users which belong to multiple groups follow a most-restrictive policy enforcement scheme. This means that a user who is a member of
ADMINISTRATORS may effectively have no permissions, because a DENY carried by any other group the user belongs to takes precedence over the grants of ADMINISTRATORS. Consult the Most-Restrictive Policy Enforcement documentation for more information.
The summary screen for SanteDB groups shows a comprehensive list of all groups (roles) registered in the system. The group list provides controls to create, edit and delete groups in the iCDR system.
The controls available in the group list screen are:
- Create: Creates a new group
- Show Deleted: Shows the groups which have been previously deleted
- Edit: Edit the indicated group details
- Delete: Deletes the group.
You can use the Show Deleted button to list the groups which are not active (i.e. deleted) in the SanteDB system.
The Un-Delete button will re-activate a deleted group.
When a group is deleted, the users within that group no longer carry any policies, permissions or attributes from that group.
There are several groups in SanteDB which are system groups. You can edit and remove these groups, however doing so may cause system instability in SanteDB. These groups are:
Administrators may wish to create new groups for a variety of reasons. For example:
- To segregate users based on functional role (Data Reviewers, Approvers, Vaccine Managers, etc.)
- To isolate users based on class (Super Users, Power Users, etc.)
- To organize users by department (MRI Technicians, Emergency Room)
When creating a new group, the name and a brief description of the group are required.
When editing a group, or after creating a new group, the detail view of the group is shown.
This view shows the basic details of the group and permits editing of the group name and description, as well as access to the group's security identifier (SID).
By default a new group has no policies associated with it. Administrators should use the
Policies section to add or alter policies. Policies are added by first searching for the policy and then pressing the
By default a policy added to a group is assigned with the GRANT permission. You can alter this by clicking the permission.
The permission types in SanteDB are:
- Grant - Users in the group are granted access to any action or data carrying the policy.
- Deny - Users in the group are not permitted to access any action or data carrying the policy.
- Elevate - Users in the group are denied the request by default, and the server sends an authentication challenge back to the requestor. Users may be required to provide a reason for the override and must provide their password.
Policies can be removed from a group by clicking the
Remove button. When a policy is removed, the group no longer has any specific grant applied to that policy (i.e. if the user is in another group which carries the policy, that group's grant applies; otherwise the default of DENY is applied).
Users can be assigned to and removed from the group directly on the group detail page. Users are assigned and removed in the
Members section of the group panel.
Adding users to the group is similar to adding policies: the user account is searched for and then added to the group using the
Removing a user from a group does not immediately remove that group's policies from the user's current session. The user's new permission set applies only when the user logs out and logs back in to a new session; until then, the user continues to act with the permissions their session was issued with.
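The following is an added example, not SanteDB code, that models the policy rules described in the Policies section above (most-restrictive resolution across groups, policies removed from a group, deleted groups contributing nothing, default DENY) together with the session behaviour just described. The group names, the `policy:...` identifiers and the sample memberships are constructed for the illustration; the ordering DENY < ELEVATE < GRANT used for "most restrictive wins" is an assumption drawn from the description of Elevate as a deny-by-default that can be upgraded by answering a challenge.

```python
"""Effective-policy resolution for SanteDB-style security groups.

Added illustration, not SanteDB code. Group names, "policy:..." identifiers
and memberships are constructed sample data. The ranking
DENY < ELEVATE < GRANT ("most restrictive wins") is an assumption based on
the text's description of the three permission types.
"""
from enum import IntEnum


class Grant(IntEnum):
    DENY = 0      # request refused
    ELEVATE = 1   # refused unless the user answers an authentication challenge
    GRANT = 2     # request allowed


# Constructed sample data: group -> {policy: grant type}.
# A policy that has been removed from a group simply has no entry, so the
# group says nothing about it.
GROUPS = {
    "ADMINISTRATORS": {
        "policy:administer-system": Grant.GRANT,
        "policy:read-clinical-data": Grant.GRANT,
        "policy:override-disclosure": Grant.ELEVATE,
    },
    "DATA_REVIEWERS": {
        "policy:read-clinical-data": Grant.GRANT,
        "policy:administer-system": Grant.DENY,
    },
    "TRAINEES": {
        "policy:read-clinical-data": Grant.ELEVATE,
    },
    "LEGACY_ADMINS": {
        "policy:administer-system": Grant.GRANT,
    },
}

# A deleted group still exists (it can be un-deleted) but contributes no
# policies to its members.
DELETED_GROUPS = {"LEGACY_ADMINS"}

# Mutable membership table so the session example below can change it.
MEMBERSHIPS = {
    "alice": {"ADMINISTRATORS"},
    "bob": {"ADMINISTRATORS", "DATA_REVIEWERS"},
    "carol": {"ADMINISTRATORS", "TRAINEES"},
    "dave": {"LEGACY_ADMINS"},
}


def active_groups(user):
    """Memberships that actually carry policies: deleted groups are skipped."""
    return [g for g in MEMBERSHIPS.get(user, ()) if g not in DELETED_GROUPS]


def effective_grant(user, policy):
    """Most-restrictive resolution of one policy across the user's groups."""
    outcomes = [GROUPS[g][policy] for g in active_groups(user) if policy in GROUPS[g]]
    if not outcomes:
        return Grant.DENY          # no group mentions the policy: default DENY
    return min(outcomes)           # any DENY wins, then ELEVATE, then GRANT


def effective_policies(user):
    """Every policy named by an active membership, with its resolved grant."""
    named = set()
    for g in active_groups(user):
        named.update(GROUPS[g])
    return {p: effective_grant(user, p) for p in sorted(named)}


def decide(grant):
    """Map a resolved grant to what the server does with the request."""
    if grant is Grant.GRANT:
        return "allow"
    if grant is Grant.ELEVATE:
        return "challenge"         # re-authenticate, possibly with an override reason
    return "deny"


class Session:
    """Policies are snapshotted at login; later membership edits do not
    affect this session until the user logs out and logs back in."""

    def __init__(self, user):
        self.user = user
        self.policies = effective_policies(user)

    def check(self, policy):
        return decide(self.policies.get(policy, Grant.DENY))


if __name__ == "__main__":
    for user in MEMBERSHIPS:
        print(user, {p: decide(g) for p, g in effective_policies(user).items()})
    s = Session("bob")
    MEMBERSHIPS["bob"].discard("DATA_REVIEWERS")       # administrator edits the group
    print("bob, current session:", s.check("policy:administer-system"))
    print("bob, after re-login:", Session("bob").check("policy:administer-system"))
```

Note how `bob` is a member of ADMINISTRATORS yet is denied `policy:administer-system` while he also belongs to DATA_REVIEWERS: that is the most-restrictive rule from the top of the page. Removing him from DATA_REVIEWERS changes nothing for the session he already holds; only a fresh `Session` picks up the new permission set.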