All Collections
Beta features
Role-based access control
Managing user roles (role-based access control)
Managing user roles (role-based access control)
Updated this week

⚠️ Important: This is currently a beta feature, available to a few CHR beta users in order to test and provide feedback. It will be available to more users once the beta period is complete.

You can use roles to apply default user permissions to groups of users based on their role in the clinic. For example, you can enable providers to prescribe medications and create encounters, while preventing front-end staff from performing these actions.

With role-based access control enabled, each user must have a role assigned. Resource sets that define the data that can be accessed (e.g. patient charts at a specific location) are applied to a user account when assigning a role to that user. You cannot apply user-specific permissions outside of a role.

You must have the Edit Roles and Edit Other Users permissions enabled to create new roles and modify role permissions.

📌 Note: When you modify a role's permissions, the permission changes are applied to all users assigned that role.

⚠️ Important: If you have restricted access to patient charts by location, if a user does not have access to that location, they will not see the patient in the CHR at all. If providers across locations cover for each other or need to access the chart of a patient from another location in case of emergency, create a resource set for patients and include all available locations in the filter. Create a corresponding "Patient Search" role that allows only List access to patients. Then assign that role and resource set to the appropriate users. These users will see all patients in the Patients window when they search for a patient (i.e. list access) but they will have to "break the glass" to gain access to a patient's chart in a location they do not have access to. This is also helpful to avoid creating duplicate patient charts in the CHR; if a user cannot view or search the entire list of patients in the CHR, a warning will not appear when adding a patient if the last name, first name, and identifier match an existing patient's.


1. From the main menu, click Settings > Account > Roles. The list of existing Roles is displayed.

📌 Note: a built-in role Breaking Glass Permissions is automatically included when role-based access control is enabled, and you cannot edit the permissions for this role. You do not need to assign this role to users as it is dynamically assigned to a user at the time of gaining access to a restricted chart.

2. Perform one of the following actions:

  • To add a role, click Add Role.

  • To modify an existing role, beside the role, click Edit.

The New Role or Edit Role window opens.

3. In the Role Name field, type a name for the role.

4. Optionally, in the Description field, type a description for the role. For example, you can describe the types of users who should have this role assigned.

5. Under Permissions, select the checkbox beside all permissions these users should have by default for that specific area of the CHR. For detailed information about each permission area, see Role permission options (using role-based access control).

If you select a permission that requires another to also be selected, a message appears. For example, selecting Read for Encounters also requires selecting List. If you click Okay in the message, the other required permissions are automatically selected for you.

💡 Tip: Selecting All will hide the other checkboxes in that section. To modify the permissions, clear the All checkbox.

6. Click Save when you finished selecting permissions.

7. Re-enter your password when prompted, and click Submit.

If you added a new role, it appears in the list of Roles. You can now assign that role to an individual user or group of users. For more information, see Assigning a role and resource set to a user or Assigning a role to a group of users.

Updated June 28, 2022

Did this answer your question?