[Role Based Access Control] Role definition for the Tunisia users and web platform #158

Open
dubdabasoduba opened this issue Dec 7, 2021 · 4 comments

dubdabasoduba commented Dec 7, 2021

Unicef Tunisia RBAC on web Requirements

Users

Supervisor

  • Can Manage users

    • EDIT_KEYCLOAK_USERS
    • VIEW_KEYCLOAK_USERS
  • Can manage teams

    • ORGANIZATION_VIEW
    • ORGANIZATION_CREATE
    • ORGANIZATION_UPDATE
    • ORGANIZATION_ASSIGN_LOCATION
    • ORGANIZATION_VIEW_LOCATIONS
  • Can Manage locations

    • LOCATIONTAG_VIEW
    • LOCATIONTAG_CREATE
    • LOCATIONTAG_UPDATE
    • LOCATIONTAG_DELETE
    • LOCATION_VIEW
    • LOCATION_CREATE
    • LOCATION_UPDATE
  • Can Manage the card support pieces

    • LOCATION_VIEW
    • ORGANIZATION_ASSIGN_LOCATION
    • ORGANIZATION_VIEW_LOCATIONS
  • Can collect data on the app. Do supervisors interact with patients? If not this is not required.

    • EVENT_VIEW
    • EVENT_CREATE
    • EVENT_UPDATE
    • EVENT_OUT_OF_CATCHMENT_VIEW
    • OPENMRS
    • CLIENT_VIEW
    • CLIENT_CREATE
    • CLIENT_UPDATE

Provider

  • Can collect data on the app

    • EVENT_VIEW
    • EVENT_CREATE
    • EVENT_UPDATE
    • EVENT_OUT_OF_CATCHMENT_VIEW
    • OPENMRS
    • CLIENT_VIEW
    • CLIENT_CREATE
    • CLIENT_UPDATE
  • They can log in to the web but cannot view any of the modules on the web. They can only update the profile.

Super admin

  • Has all the roles
@dubdabasoduba dubdabasoduba changed the title Role Based Access Control [Role Based Access Control] Role definition for the Tunisia users and web platform Dec 7, 2021
AnnieMungai commented Dec 8, 2021

@dubdabasoduba

  1. For the roles highlighted as supervisor - Let us call it Regional administrator. This team does not interact with patients.
  2. Super Admin - Change that role name to National administrator. This team does not interact with patients.
  3. Provider role - should not be able to edit any data on the web. They should not even be able to update their own profiles.

QQ: Dashboards are also managed via Keycloak. I do not see any dashboard roles. Can we set them up here too?

AnnieMungai commented Dec 23, 2021

@dubdabasoduba feedback from QA:
Web

  • User, locations and team management:
  • The superuser and the supervisors - can log in and conduct the administrative tasks - Looks fine
  • The provider - can log in but cannot perform any tasks on the web - Looks fine
  • Card support - superuser and supervisor are showing the option to select all locations - however, when you try to open up the other locations, only 1 location is shown on the drop-down and this is not the facility that users are assigned to.

Android

  • Provider - can log in, sync data and conduct all actions highlighted.
  • Supervisor - could log in and perform all the actions like a provider. There was no location at the top to show the location supervisor is assigned. Note! It is not necessary for supervisors to conduct all the provider actions.

@dubdabasoduba

@AnnieMungai
I have added the required roles to the prod Keycloak instance.
I have also added role mapping to the deployment script.

  • Once the deployment is done then we will be able to config the roles correctly and they will kick in for OpenSRP web
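
An added example, not part of the thread or of the project's deployment script: once the mapping is deployed, the roles a user's token actually carries can be diffed against the role matrix from the issue to catch missing or excess grants. It assumes the roles are Keycloak realm roles exposed in `realm_access.roles` of an already verified and decoded access token; the persona keys, function names and sample claims are constructed.

```python
# Added example: role names come from the issue; persona keys, function names
# and the sample claims are constructed for illustration.
USERS = {"EDIT_KEYCLOAK_USERS", "VIEW_KEYCLOAK_USERS"}
TEAMS = {"ORGANIZATION_VIEW", "ORGANIZATION_CREATE", "ORGANIZATION_UPDATE",
         "ORGANIZATION_ASSIGN_LOCATION", "ORGANIZATION_VIEW_LOCATIONS"}
LOCATIONS = {"LOCATIONTAG_VIEW", "LOCATIONTAG_CREATE", "LOCATIONTAG_UPDATE",
             "LOCATIONTAG_DELETE", "LOCATION_VIEW", "LOCATION_CREATE",
             "LOCATION_UPDATE"}
CARD_SUPPORT = {"LOCATION_VIEW", "ORGANIZATION_ASSIGN_LOCATION",
                "ORGANIZATION_VIEW_LOCATIONS"}
DATA_COLLECTION = {"EVENT_VIEW", "EVENT_CREATE", "EVENT_UPDATE",
                   "EVENT_OUT_OF_CATCHMENT_VIEW", "OPENMRS",
                   "CLIENT_VIEW", "CLIENT_CREATE", "CLIENT_UPDATE"}
ADMIN = USERS | TEAMS | LOCATIONS | CARD_SUPPORT
KNOWN = ADMIN | DATA_COLLECTION

PERSONAS = {
    # Supervisor without data collection: the thread says this team does not
    # interact with patients, so those roles are "not required".
    "supervisor": ADMIN,
    "provider": DATA_COLLECTION,
    "super_admin": KNOWN,  # "has all the roles", read as all roles listed here
}

def realm_roles(claims):
    """Realm roles from a decoded Keycloak access token payload."""
    return set(claims.get("realm_access", {}).get("roles", []))

def audit(claims, persona):
    """Diff the roles a token carries against the persona's expected set."""
    granted, expected = realm_roles(claims), PERSONAS[persona]
    return {
        "missing": sorted(expected - granted),
        "excess": sorted((granted & KNOWN) - expected),
        "unrecognised": sorted(granted - KNOWN),
    }

# Constructed sample: a supervisor token that lacks one location role and
# still carries two patient-data roles plus a Keycloak default role.
SAMPLE_SUPERVISOR = {"realm_access": {"roles": sorted(
    (ADMIN - {"LOCATIONTAG_DELETE"}) | {"EVENT_VIEW", "CLIENT_VIEW"}
    | {"offline_access"})}}

if __name__ == "__main__":
    for kind, roles in audit(SAMPLE_SUPERVISOR, "supervisor").items():
        print(f"{kind}: {', '.join(roles) or '-'}")
```

Roles reported as `unrecognised` are outside the matrix in this issue (for example Keycloak defaults or dashboard roles) and need their own review.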
