Cloud Sentrics Docs

Access Policies

Define granular access control using policies, groups, and user assignments.

Access Policies follow the AWS IAM model with implicit deny. Users not assigned to any group have no access by default (when groups are configured).

How It Works

  1. Create a Policy — select which modules the policy grants access to (checkboxes)
  2. Create a Group — attach one or more policies to the group
  3. Add Users to Groups — users inherit combined permissions from all attached policies

Key Features

  • Multiple policies per group — attach several focused policies to one group (AWS-style)
  • Multiple groups per user — users can belong to multiple groups (permissions are merged)
  • Default-deny — sidebar tabs are hidden until explicitly granted
  • Discharge & Release Approval — special permission required for ward discharge/transfer/deceased actions

Available Permissions

Clinical: Emergency, Patient Queue, Appointments, Consultations, Prescriptions, Maternal & Child Health, Nursing Care, Theatre & Procedures, Ward Management, Discharge & Release Approval, Vaccination Records

Patients: Register Patient, View Patients, Medical Records, Patient Communications

Laboratory: Lab Orders, Lab Results

Finance: Front Desk Billing, Billing, Cashier, Financial Reports, HMO & Insurance

Operations: Pharmacy, Inventory, Analytics & Reports, Facility Settings, Calendar

Staff: Register Staff, Staff Directory, Staff Scheduling, Staff Attendance, Staff Docs, Staff Messages

Training: Training & Assessments

Enforcement

  • Frontend: Sidebar tabs hidden for unauthorized users (default-deny)
  • Backend: Every API endpoint checks permissions — returns 403 if denied
  • Admin bypass: Super Admin always sees everything

Zero-Trust Default

When access groups are configured in your facility:

  • No groups configured at all — all users have full role-based access (facility has not set up policies yet). Nobody gets locked out.
  • Groups exist, user NOT in any group — zero trust: all clinical tabs hidden.
  • Groups exist, user in a group — only assigned tabs shown.

What a zero-trust user sees

Someone not assigned to any group (when groups ARE configured):

  • Sidebar: Only Records and Secure Delivery remain visible
  • Dashboard home: Greeting, their own audit trail, upcoming events
  • Direct tab navigation: Access Denied screen (frontend enforcement)
  • Direct API call: 403 Forbidden (backend enforcement)

Important edge case

No groups configured yet = full access for everyone. This is intentional — if a school or hospital has not set up access policies yet, nobody gets locked out. Zero-trust only activates once you create at least one group.

Important Notes

  • Access Policies → Groups → Manage Members is the single source of truth for group assignment. Use this to add or remove users from groups.
  • Changes take effect on next login or page refresh
  • Deleting a group removes access for all members (implicit deny)
  • Access Policies work alongside Multi-Branch filtering — both enforced simultaneously
Last updated: May 2026