API:- /apis/default/api/practitioner
@brady.miller would it make sense to add to the practitioner api the ability to create login credentials? Or would this fit better in a /api/users endpoint?
- Stephen
Either way is a scary thought to me.
Agree bit scary. Is this a required function for MU stuff?
I don’t see any MU requirement for this. I understand the use case desire for personnel management. If you are treating OpenEMR as a pure backend and want to reproduce administrative functionality by adding / managing providers through the REST api you would need this functionality.
Of course the danger is that if any hacker got an access token to this api functionality it’s an easy way to compromise the system.
It seems like if this was added we’d need to have it turned off by default for security, we’d also probably want a global option to email administrators if a user is added. Just thinking out loud for this functionality. I’m not too excited to add it myself, but if someone wants to put up a PR I’d be willing to review it.
2 Likes
Good answer Stephen and I agree.
This is one of those features we have to be very careful with. Someone may be authorized with a valid client that could go rogue, so without an audit trail of some sort I don’t see this happening.
3 Likes