Don’t have time to dig into this too much right now, but wanted to start this topic to let people know.
I have a user account on one system that had membership in multiple groups (all of them in fact).
For this particular system: Administrators, Accounting, Clinicians, Data Clerk, Front Office, Physicians and Test.
However, the ACL check seems to incorrectly fail in some cases. (Expected behavior with membership in all groups ought to be access to anything/everything.) In this particular example, the Procedures/Labs module is unavailable.
Removing membership from all but Administrators provides the needed access.
I suspect that some of the ACL issues people have reported may be related to this same problem.
The issue I am describing is with existing levels of control.
To clarify further, this call in interface/orders/list_reports.php
$thisauth = acl_check('patients', 'med');
returns false if the user belongs to two groups: “Data Clerk” with permissions for Medical/History (write, addonly optional)
and
Administrator rights (which should cover everything…)
Administrator rights might sound almighty, but to review Procedures and finalize Procedures only the Physician can handle this in the Demos of OpenEMR. It was just by accident I found this solution. This happened about a month ago, so it might have been corrected.
ACL is full of mysteries, but the tutorial/manual seems to do a good job, but you need to understand the different options of what is allowed and what is denied.
Somewhere hidden in the deep there are the options to give WRITE, READ and VIEW options.
Have you confirmed this on a new install? Note that if users unknowingly mess around with the Advanced ACL screen, some odd things can happen (there is a lot of flexibility that allows turning on/off specific aco’s, even per user).
As an aside,
One way to avoid this is to never use the ACL to decline access and only use it to allow access (i.e. treat them like keys that open doors).
-brady
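
The "keys that open doors" advice above, as an added example that is not part of the thread and is not OpenEMR or phpGACL code: a simplified model of per-group ACL entries, comparing allow-only evaluation with one where a deny entry overrides, plus an audit helper that lists ACOs on which a user's groups disagree. The function names, the `$groupAcl` layout and the deny entry on Data Clerk are assumptions constructed for illustration; they do not reflect the configuration described in the posts.

```php
<?php
// Simplified model (assumption): each group holds explicit allow/deny entries
// per ACO. This is NOT how phpGACL or OpenEMR actually evaluates permissions.

// Constructed sample data: group => [ "section/aco" => "allow" | "deny" ].
// The deny entry is hypothetical, standing in for an Advanced ACL change.
$groupAcl = [
    'Administrators' => ['patients/med' => 'allow', 'patients/demo' => 'allow'],
    'Data Clerk'     => ['patients/med' => 'deny',  'patients/demo' => 'allow'],
    'Front Office'   => ['patients/demo' => 'allow'],
];

// Allow-only: any allow in any group grants access; deny entries are ignored.
function checkAllowOnly(array $groupAcl, array $groups, string $aco): bool
{
    foreach ($groups as $g) {
        if (($groupAcl[$g][$aco] ?? null) === 'allow') {
            return true;
        }
    }
    return false;
}

// Deny-overrides: a single deny in any group blocks access, so adding a
// group membership can reduce what the user is able to open.
function checkDenyOverrides(array $groupAcl, array $groups, string $aco): bool
{
    $allowed = false;
    foreach ($groups as $g) {
        $entry = $groupAcl[$g][$aco] ?? null;
        if ($entry === 'deny') {
            return false;
        }
        if ($entry === 'allow') {
            $allowed = true;
        }
    }
    return $allowed;
}

// Audit helper: ACOs where the user's groups carry both an allow and a deny.
function findConflicts(array $groupAcl, array $groups): array
{
    $seen = [];
    foreach ($groups as $g) {
        foreach ($groupAcl[$g] ?? [] as $aco => $entry) {
            $seen[$aco][$entry][] = $g;
        }
    }
    return array_filter($seen, function ($e) {
        return isset($e['allow'], $e['deny']);
    });
}

$groups = ['Administrators', 'Data Clerk'];
var_dump(checkAllowOnly($groupAcl, $groups, 'patients/med'));
var_dump(checkDenyOverrides($groupAcl, $groups, 'patients/med'));
print_r(findConflicts($groupAcl, $groups));
```

Running the conflict listing over each multi-group user is a quick way to see which ACOs to inspect in the ACL administration screens before removing group memberships.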