Access Control and Account Management

An outline of concepts and approaches that govern access to the server. Some (sudo) may be inapplicable to Windows systems.

There are four basic levels of access to consider in a GNUmed system:

Physical machine access

This is the level where anything goes. Even without knowing any passwords, one can boot the machine from a live CD and copy or change anything on it at will. If necessary the machine can be disassembled and reassembled in a way that permits access (for example by removing the hard drives and reading them elsewhere).

The only protection against this is encryption of the data on disk, with the key not stored on the machine itself.

This is why U.S. Customs desires the powers to apply torture when Grandma and her laptop enter the U.S. for Thanksgiving.

OS level access

Root account

The root account for a server affords total control of the machine, including the ability to permanently prevent any and all access by others. Accordingly, any sharing of the root account, particularly for a server that would hold clinical data, must be kept to an extreme minimum. No one who cannot be absolutely trusted, or whose loyalties and integrity could ever be questioned, should be given access to the root password, lest they change it and hijack the server, or sneak their way into dubious activity.

If it were ever necessary to grant root access to someone for whom sudo access would not be enough (see Sudo access below), then you must seriously consider changing the root password to a temporary one, witnessing the individual's work, and then changing it back.

At the same time, if many people would depend on this server, then the root password must exist somewhere other than just the memory of one person. At minimum, two trusted people must know it, and/or it must be recorded somewhere and kept safe. Alternatively, if only one person is to know the password, access can nearly always be regained through physical access to the machine (see above).

It goes without saying that the root password must be nontrivial. It must not be a person's name, a word found in any language's dictionary, or any date of birth, address or phone number that could be related to you; beyond that, it should be MINIMALLY 12 and preferably 20 characters in length and consist of a mix of upper and lower case letters, numbers, and symbols.

If your situation warrants a password that cannot be remembered, in other words if it needs to be so challenging that it can only really ever be copied and pasted, you could obtain a password from grc.com "Perfect Passwords" and save that to two or more USB keys or disks. Keeping those in a "safe place" also goes without saying.

Sudo access

Sudo access (SUper user DO) is the next most powerful access to a server. Armed with sudo access, a user can do nearly everything as root or as another system user, limited only by the entries in /etc/sudoers.

Sudo access should only ever be granted to the individual system user accounts of actual humans. Sudo should not be granted to a system user account whose use might pass among more than one person, such as a system account gmadm which may have been set up to allow people to administer the gnumed databases.

System administrator accounts

These are system user accounts which individuals may "assume" in the course of administering one or more aspects of the server. It may be possible to disallow these accounts from connecting from the outside world, requiring people to instead connect under their own account, and then "switching" by means of the "su" (Switch User) command into the administrative account.

gmadm is an example of an administrative account which may have been set up to allow people to administer the gnumed databases.

Anyone with sudo access would be able to switch into one of these administrative accounts without needing to know the administrative account's password. They could even alter, reset, or lock the administrative account's password. People without sudo access would need to know the password. (This outline does not consider the creation of a "group", which is another method of managing access.)
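The two rules above (sudo only for named humans, shared accounts such as gmadm reached by switching rather than by their own sudo rights) can be checked mechanically. The script below is an added example, not part of the GNUmed documentation: it reads a sudoers file (a constructed sample is embedded) and flags any rule whose principal is a shared or application account. The user names alice and bob are hypothetical.

```shell
#!/bin/sh
# Added example (not GNUmed's own code): audit sudoers rules so that only
# named people hold sudo, and shared accounts (gmadm, postgres, mirth) do not.

# Constructed sample sudoers content for the example; review your real file
# with: visudo -c (syntax) and the audit function below (policy).
SUDOERS_SAMPLE='# constructed sample sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
# good: a named person may run database tools as postgres, nothing else
alice   ALL=(postgres) /usr/bin/psql, /usr/bin/pg_dump
# good: a named person may switch into the shared admin account
bob     ALL=(gmadm) /bin/bash
# bad: the shared account itself is given full sudo
gmadm   ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
'

# Accounts that may pass among several people; a sudo rule for these is a finding.
SHARED_ACCOUNTS="gmadm postgres mirth"

# Print the principal (first field) of every user rule; comments, blank lines,
# Defaults lines and %group rules are skipped.
sudoers_principals() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/   { next }
        /^[ \t]*Defaults/ { next }
        /^[ \t]*%/        { next }
        { print $1 }'
}

# Return 0 when no shared account holds a sudo rule; otherwise print each
# offending principal and return 1.
audit_sudoers() {
    found=0
    for p in $(sudoers_principals "$1"); do
        for s in $SHARED_ACCOUNTS; do
            if [ "$p" = "$s" ]; then
                echo "shared account has its own sudo rule: $p"
                found=1
            fi
        done
    done
    return $found
}

if audit_sudoers "$SUDOERS_SAMPLE"; then
    echo "sudoers: only named accounts hold sudo"
else
    echo "sudoers: move these privileges to the individual people who need them"
fi
```

On a real server pair this with an sshd_config DenyUsers entry for the shared accounts, so that they can only be reached via su from a personal login.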

Application level access

Application (program)-specific system user accounts

Each program or application running on a server can be owned and operated by a non-human account which, when it is a system account, typically has no home directory or disk space assigned to it. Many of these accounts start and run automatically, or at intervals, in order to take care of regular or intermittent tasks. Humans can "become" these accounts (through su) in order to manually undertake certain tasks.

Postgres is one such system user account. Mirth, a system for managing HL7 messages and which can be used to import these into GNUmed, can be another such account.

Accounts like postgres are considered the super-user of the application, as opposed to root, which is the superuser of the server overall. As such, root would be able to alter or lock the postgres password, or even delete the postgres account. Not that you would want to do this, although it might rarely be necessary if you had to remove and reinstall the entire PostgreSQL system (after having backed up, of course!).

Database level access

GNUmed accounts

We have already noted the possibility of creating a system-level account gmadm to assist operations at the server level.

We also need at least one "postgres" account, that is, a role inside the PostgreSQL database server rather than an operating-system account, dedicated to the administration of GNUmed from the "inside". For this purpose, we have designated gm-dbo as the "owner" (within postgres) of the GNUmed database.

Beyond the gm-dbo account, we will need individual accounts for each of the people (doctors, other clinicians, support staff) who will be entering data into GNUmed and interacting with the data that is in the GNUmed EMR. This is covered in the topic GmManualManagingUsers.