Access Control in Rhapsody

Rhapsody's User Manager enables an Administrator to manage user access to Rhapsody through Rhapsody IDE, the Management Console, or REST API.

Individual users who are to have access to Rhapsody IDE and the Management Console must be registered in Rhapsody with a unique username and password. Each user must also be assigned to at least one Access Group, which determines the functionality they can access.

The User Manager enables an administrator to:

• Assign different permissions for user access to, for example, Development, Test and Production servers.
• Restrict user access to PHI contained in messages in an engine. For example, you may not want someone who needs to view ADT messages to be able to see ORU messages.
• View and manage the entire configuration, while other users can only see the parts that they are allowed access to.
  
• Set up a user to have access to only components they are responsible for, without all the 'noise' that can be present on a large engine. The user can therefore quickly find what they are looking for.

Refer to LDAP Integration for details on how users are authenticated using an LDAP directory.

Access Control in Rhapsody

In Rhapsody versions 6.0 and earlier, access groups are used to accord global access rights to users. Users can belong to a single access group. If a user has permissions to view messages, they can see all the messages passing through the entire configuration. Access control in Rhapsody versions 6.1 and later handles situations where you want only specific users to have access to certain types of messages.

With the introduction of lockers in Rhapsody 6.1, access groups are used to accord global access rights and locker access rights to users. Global access rights apply to the whole engine or all lockers, whereas locker access rights are specific to each locker in that they refer only to the configuration and message data for that locker. Users can now belong to more than one access group.

User Manager

You can view a list of currently configured users, along with the access groups to which they are assigned, through the User Manager:

 

 The User Manager enables you to manage the following aspects of user access:

A typical workflow for managing user access is as follows:

Workflow Example

The following example illustrates how to use lockers to isolate your configuration and secure your PHI data from other users to satisfy legal requirements:

Create Lockers

1. Log onto Rhapsody IDE as the default Administrator user.
2. Create the following configuration including the lockers, All Msg_Process, Msg_ADT, and Msg_ORU:

ADT_Route

ORU_Route

Add Groups

Add two Groups: ADT Group and ORU Group.

Add the group ADT Group with the following access rights:

• All Lockers (Default Rights) - select all Presets (Development, Monitor Read and Monitor Write).
• All Msg_Process - use the default access rights.
• Msg_ADT - use the default access rights.
• Msg_ORU - deselect 'View locker'.

Add the group ORU Group with the following access rights:

• All Lockers (Default Rights) - select all Presets (Development, Monitor Read and Monitor Write).
• All Msg_Process - deselect 'Edit locker' and 'Start/Stop communication points and routes'.
• Msg_ADT - deselect 'View locker'.
• Msg_ORU - use the default access rights.

Add Users

Create a user for each group.

Add ADT_User to the ADT Group. The user has the following permissions:

• Has full access to the All Msg_Process locker.
• Has full access to the Msg_ADT locker.
• Cannot view the Msg_ORU locker.

Add ORU_User to the ORU Group. The user has the following permissions:

• Can view All Msg_Process locker but cannot modify components in it. 
• Has full access to the Msg_ORU locker.
• Cannot view Msg_ADT locker.

Viewing Messages

The users should be limited in their permissions as follows:

Log onto Rhapsody IDE as ADT_User. You can:

• Only view the All Msg_Process and Msg_ADT lockers and their components.
• Display the View Rights dialog for the Msg_ADT locker by right-clicking on the locker and selecting Properties.

Log onto the Management Console as ADT_User. You can:

• Only view the All Msg_Process and Msg_ADT lockers and its components on the Communication Points page.
• Only view the messages associated with the All Msg_Process and Msg_ADT lockers on the Hold Queue page.
• View only the messages associated with the All Msg_Process and Msg_ADT lockers when performing searches on the Input Search and Output Search pages.
• See a banner on message search results, warning you that you cannot see the full result set of messages on the engine.  

Log onto Rhapsody IDE as ORU_User. You can:

• Only view the All Msg_Process and Msg_ORU lockers and its components.
• Not modify (edit, start/stop) the components in All Msg_Process locker.

Log onto the Management Console as ORU_User. You can:

• Only view the All Msg_Process and Msg_ORU lockers and its components on the Communication Points page.
• Only view the messages associated with the  All Msg_Process and Msg_ORU lockers on the Hold Queue page.
• View a message across lockers:
  
  1. Click the View Input Archive link on the Communication Points page for the Input_ORUDynamic Router communication point to view its input message archive.
  2. Select one of the messages to view it in Message View. Any Messages Properties are transferred across lockers, whereas Message Events commence from Dynamic Router communication point and are intra-locker.
  3. Click the Message was redirected from another locker link under the Description column of the Message Events to display the Redirected Message and the Original Message.
  4. Click the View link for the Original Message under Message Properties or Message Body. The Original Message is displayed with a full set of message events, and the message path with all the components through which the message has traversed.