This page contains notes on Single Sign-On for OpenLMIS so Superset can leverage.

Single Sign-On is different from Roles and Rights that filter data.

Single Sign-On

• Superset depends on Flask App builder which supports OAuth2.
• OpenLMIS uses OAuth2
• We need to work to integrate these

Questions:

• Should we use JWT, or just get the username?
  • The username is returned from the token authorization response.

Filtering Data based on Rights and Roles

OpenLMIS has a concept called permission strings that is provided by the reference data service. Permission strings provides three types of rights and is constructed as RIGHT|FACILITY|PROGRAM.

Suggested Steps:

• Step 1: The first right that you have is, do you have the right to see a particular report.
• Step 2: Now you need to determine what data to see in the report
  • This right is going to be oriented around being able to see the topic area like view_requisition|FacilityUuid|ProgramUuid ← This is important because it filters
• Rights provide the claim to see the data. Once we get to this point, the query is run.

How do we handle this with the database?

• We want to be able to just pass in the User ID and have the view filtered by that based on a table join.

Questions:

• Do we take all of these permissions that we are interested in and ignore all the ones we don't want?
• Should we load the permission strings into the data warehouse from OpenLMIS?
  • We need to research if we can join based on permission strings.
  • How do we do intelligent indexes?
• Should we hit the permission strings endpoint?
  • We need to create an endpoint that returns all permission strings for all users in JSON format. This endpoint should have a "since" parameter
    • Nifi will have to query this every 30 seconds.