Reporting Database User Permissions

From Galen Healthcare Solutions - Allscripts TouchWorks EHR Wiki
Jump to navigation Jump to search


Granting permissions for users directly accession the SQL Server where clinical data is stored should be done carefully. The primary concerns that we think of include: access to information, and ability to edit/delete information in the database. Carefully evaluate the need for a particular individual's need for information when reporting - do they need access to all data? Only user data? Also evaluate whether there are any reasons to grant anything by read (db_datareader) access to the user.


Here we share some recommended configurations for users reporting from the Allscripts Enterprise EHR.

Full report-only access

Create a new SQL Login with the following access, for each person who will be reporting from the database. Grant the user the db_datareader database role on all EHR-related databases, and any other permissions defined below:

  • AHSCharge
  • AHSDelta
  • AHSLibrary
  • AHSMessage
  • AHSOCD (if exists)
  • chInfoscan
  • chMedcinSearch
  • chMedispan
  • IDXwf
  • Impact (if exists)
  • Impact_AUDIT_* (if exists, any Impact Audit databases)
  • Winscribe (if exists)
  • Works
    • Execute on common functions:
      • dbo.fnPhone
      • dbo.fnGetIntListToTable
      • dbo.fnGetChrToTable