Build the hospital clinics

The hospital layer turns the directory into General Hospital: specialty clinics, back-office functions, and the shared folders each can reach. It builds on top of seeded users and is fully idempotent.

```sh
make clinics
```

That runs two scripts in order:

  1. scripts/seed-er-cast.sh seeds the ER (TV show) cast as clinical staff into OU=Clinical, each with a role (title) and a clinic (department).
  2. scripts/setup-clinics.sh creates one security group per clinic, the nested meta-groups, the back-office group membership for the 80s admin staff, and the group-gated shares.

Inspect the result:

```sh
make show-clinics # every group's members, the meta-groups, and the shares
```

Per-department groups (19): one per clinic and ancillary service (Cardiology, Pediatrics, Radiology, …) plus the four admin functions (Administration, Billing, Medical-Records, IT).

Nested meta-groups, the load-bearing trick:

  • Clinicians contains the 15 clinical and ancillary groups (not individual people). It gates patient data.
  • GH-Staff contains Clinicians plus the four admin groups. It gates the all-staff share.

Three share shapes under /srv/shares on the DC:

| Share | Gate | Behaviour |
| --- | --- | --- |
| [cardiology] … (19) | valid users = @AD\<Group>, read-write | Team folder, members collaborate |
| [all-staff] | valid users = @AD\GH-Staff, read only = Yes, write list = @AD\Administration | Everyone reads, only Administration writes |
| [phi] | valid users = @AD\Clinicians, read-write | Patient records, clinicians only |

```sh
make test-clinic-access
```

A clinician (john.carter) reaches cardiology and phi but not billing; an admin user (madonna) reaches billing but is denied phi, and can read but not write all-staff. The reason this works with nobody named on the phi share is group nesting.
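To see why nesting alone decides access, here is an added Python model (not the repository's scripts) of the meta-groups and the three share gates: it resolves a user's groups transitively, evaluates each share the way the smb.conf options above do, and prints the matching stanza. The roster slice, the user some.admin, and the per-share paths under /srv/shares are constructed assumptions.

```python
# Constructed sample: a slice of the roster and nesting, not the full tables.
DIRECT_MEMBERS = {  # group -> direct members (users or other groups)
    "Cardiology": {"john.carter"},
    "Billing": {"madonna"},
    "Administration": {"some.admin"},        # constructed placeholder user
    "Pediatrics": set(), "Medical-Records": set(), "IT": set(),
    "Clinicians": {"Cardiology", "Pediatrics"},  # groups only, nobody named
    "GH-Staff": {"Clinicians", "Administration", "Billing",
                 "Medical-Records", "IT"},
}

# share -> (valid users, read only, write list), mirroring the smb.conf gate
SHARES = {
    "cardiology": ({"Cardiology"}, False, set()),
    "billing": ({"Billing"}, False, set()),
    "all-staff": ({"GH-Staff"}, True, {"Administration"}),
    "phi": ({"Clinicians"}, False, set()),
}


def effective_groups(user: str) -> set[str]:
    """Every group the user lands in, following nesting upwards."""
    found, frontier = set(), {user}
    while frontier:
        # groups that directly contain anything in the current frontier
        frontier = {g for g, m in DIRECT_MEMBERS.items() if m & frontier} - found
        found |= frontier
    return found


def access(user: str, share: str) -> str:
    """'denied', 'read' or 'read-write', as Samba's valid users /
    read only / write list options combine."""
    valid, read_only, write_list = SHARES[share]
    groups = effective_groups(user)
    if not groups & valid:
        return "denied"
    if read_only and not groups & write_list:  # write list overrides read only
        return "read"
    return "read-write"


def smb_stanza(share: str) -> str:
    """Render the share as an smb.conf section (path is an assumed layout)."""
    valid, read_only, write_list = SHARES[share]
    ad = lambda gs: " ".join(f"@AD\\{g}" for g in sorted(gs))
    lines = [f"[{share}]", f"  path = /srv/shares/{share}",
             f"  valid users = {ad(valid)}"]
    if read_only:
        lines += ["  read only = Yes", f"  write list = {ad(write_list)}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for u in ("john.carter", "madonna"):
        print(u, {s: access(u, s) for s in SHARES})
    print(smb_stanza("all-staff"))
```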

Both scripts are driven by tables you can edit:

  • The clinical roster (who works in which clinic) is the ER_CAST table in scripts/seed-er-cast.sh.
  • The groups, their members, the nesting, and the shares are the CLINIC_ROWS, NESTED, and share tables in scripts/setup-clinics.sh.

Change a table, re-run make clinics, and the domain converges. The full group-and-share map is in the groups and shares reference.