From c71a8f72537322661ec6c08c90823eb91ca26637 Mon Sep 17 00:00:00 2001
From: bradymiller <bradymiller@users.sourceforge.net>
Date: Thu, 17 Dec 2015 02:20:34 -0800
Subject: [PATCH] Fix #5 for MU2 item a8.

Mechanism for granular access control incorporating into CDR engine to control
which rules are used per user.
---
 .../reminder/active_reminder_popup.php             |  9 +---
 .../patient_file/reminder/clinical_reminders.php   | 15 ++++--
 .../summary/clinical_reminders_fragment.php        |  4 +-
 interface/patient_file/summary/demographics.php    |  8 +--
 .../super/rules/controllers/alerts/controller.php  |  4 +-
 .../rules/controllers/alerts/view/list_actmgr.php  | 58 +++++++++++++++++++++-
 .../super/rules/library/CdrAlertManager.class.php  |  7 +--
 interface/super/rules/library/CdrHelper.class.php  | 18 ++++++-
 library/clinical_rules.php                         | 51 +++++++++++++------
 sql/4_2_0-to-4_2_1_upgrade.sql                     | 35 +++++++++++++
 sql/database.sql                                   | 19 +++++++
 version.php                                        |  2 +-
 12 files changed, 190 insertions(+), 40 deletions(-)

diff --git a/interface/patient_file/reminder/active_reminder_popup.php b/interface/patient_file/reminder/active_reminder_popup.php
index 311b1881a..6a94e1d36 100644
--- a/interface/patient_file/reminder/active_reminder_popup.php
+++ b/interface/patient_file/reminder/active_reminder_popup.php
@@ -47,13 +47,6 @@ $(document).ready(function(){
 // Set the session flag to show that notification was last done with this patient
 $_SESSION['alert_notify_pid'] = $pid;
 
-// Ensure user is authorized
-if (!acl_check('patients', 'med')) {
-  echo "<p>(" . htmlspecialchars( xl('Not authorized'), ENT_NOQUOTES) . ")</p>\n";
-  echo "</body>\n</html>\n";
-  exit();
-}
-
 ?>
 <table cellspacing='0' cellpadding='0' border='0'>
 <tr>
@@ -63,7 +56,7 @@ if (!acl_check('patients', 'med')) {
 </table>
 <br><br>
 
-<?php echo active_alert_summary($pid,"reminders-due"); ?>
+<?php echo active_alert_summary($pid,"reminders-due",'','default',$_SESSION['authUser']); ?>
 
 </body>
 </html>
diff --git a/interface/patient_file/reminder/clinical_reminders.php b/interface/patient_file/reminder/clinical_reminders.php
index e024244d9..5f2dd7036 100644
--- a/interface/patient_file/reminder/clinical_reminders.php
+++ b/interface/patient_file/reminder/clinical_reminders.php
@@ -62,7 +62,7 @@ $patient_id = ($_GET['patient_id']) ? $_GET['patient_id'] : "";
 <?php
   // collect the pertinent plans and rules
   $plans_default = resolve_plans_sql('','0',TRUE);
-  $rules_default = resolve_rules_sql('','0',TRUE);
+  $rules_default = resolve_rules_sql('','0',TRUE,'',$_SESSION['authUser']);
 ?>
 
 <ul class="tabNav">
@@ -74,13 +74,13 @@ $patient_id = ($_GET['patient_id']) ? $_GET['patient_id'] : "";
 <div class="tabContainer">
   <div class="tab current text" style="height:auto;width:97%;">
     <?php
-      clinical_summary_widget($pid,"reminders-all");
+      clinical_summary_widget($pid,"reminders-all",'','default',$_SESSION['authUser']);
     ?>
   </div>
 
   <div class="tab text" style="height:auto;width:97%;">
     <?php
-      clinical_summary_widget($pid,"reminders-all",'',"plans");
+      clinical_summary_widget($pid,"reminders-all",'',"plans",$_SESSION['authUser']);
     ?>
   </div>
 
@@ -96,11 +96,20 @@ $patient_id = ($_GET['patient_id']) ? $_GET['patient_id'] : "";
           <th style="left-margin:1em;"><?php echo htmlspecialchars( xl('Practice Default Setting'), ENT_NOQUOTES); ?></th>
         </tr>
         <?php foreach ($plans_default as $plan) { ?>
+          <?php
+          //only show the plan if there are any rules in it that the user has access to
+          $plan_check = resolve_rules_sql('','0',TRUE,$plan['id'],$_SESSION['authUser']);
+          if (empty($plan_check)) {
+            continue;
+          }
+          ?>
           <tr>
             <td style="border-right:1px solid black;"><?php echo generate_display_field(array('data_type'=>'1','list_id'=>'clinical_plans'), $plan['id']); ?></td>
             <td align="center">
               <?php
+
               $patient_plan = collect_plan($plan['id'],$patient_id);
+
               // Set the patient specific setting for gui
               if (empty($patient_plan)) {
                 $select = "default";
diff --git a/interface/patient_file/summary/clinical_reminders_fragment.php b/interface/patient_file/summary/clinical_reminders_fragment.php
index 55a555cc0..7226f28a3 100644
--- a/interface/patient_file/summary/clinical_reminders_fragment.php
+++ b/interface/patient_file/summary/clinical_reminders_fragment.php
@@ -27,7 +27,5 @@ require_once("$srcdir/clinical_rules.php");
 // session work in the future, then will need to remove this line.
 session_write_close();
 
-clinical_summary_widget($pid,"reminders-due");
-
+clinical_summary_widget($pid,"reminders-due",'','default',$_SESSION['authUser']);
 ?>
-
diff --git a/interface/patient_file/summary/demographics.php b/interface/patient_file/summary/demographics.php
index 9dd209933..623656587 100644
--- a/interface/patient_file/summary/demographics.php
+++ b/interface/patient_file/summary/demographics.php
@@ -48,9 +48,9 @@ $fake_register_globals=false;
  }
 
   $active_reminders = false;
-  if ((!isset($_SESSION['alert_notify_pid']) || ($_SESSION['alert_notify_pid'] != $pid)) && isset($_GET['set_pid']) && acl_check('patients', 'med') && $GLOBALS['enable_cdr'] && $GLOBALS['enable_cdr_crp']) {
+  if ((!isset($_SESSION['alert_notify_pid']) || ($_SESSION['alert_notify_pid'] != $pid)) && isset($_GET['set_pid']) && $GLOBALS['enable_cdr'] && $GLOBALS['enable_cdr_crp']) {
     // showing a new patient, so check for active reminders
-    $active_reminders = active_alert_summary($pid,"reminders-due");
+    $active_reminders = active_alert_summary($pid,"reminders-due",'','default',$_SESSION['authUser']);
   }
 
 function print_as_money($money) {
@@ -1341,7 +1341,9 @@ expand_collapse_widget($widgetTitle, $widgetLabel, $widgetButtonLabel,
         $events = sortAppointments($events);
         //////
 
-     if ( (acl_check('patients', 'med')) && ($GLOBALS['enable_cdr'] && $GLOBALS['enable_cdr_crw']) ) {
+     // Show Clinical Reminders for any user that has rules that are permitted.
+     $clin_rem_check = resolve_rules_sql('','0',TRUE,'',$_SESSION['authUser']); 
+     if ( (!empty($clin_rem_check)) && ($GLOBALS['enable_cdr'] && $GLOBALS['enable_cdr_crw']) ) {
         // clinical summary expand collapse widget
         $widgetTitle = xl("Clinical Reminders");
         $widgetLabel = "clinical_reminders";
diff --git a/interface/super/rules/controllers/alerts/controller.php b/interface/super/rules/controllers/alerts/controller.php
index b411f76ce..c866935ac 100644
--- a/interface/super/rules/controllers/alerts/controller.php
+++ b/interface/super/rules/controllers/alerts/controller.php
@@ -32,6 +32,7 @@ class Controller_alerts extends BaseController {
 		$actives = $_POST["active"];
 		$passives =  $_POST["passive"];
 		$reminders =  $_POST["reminder"];
+                $access_controls = $_POST["access_control"];
 		
 			
 		// The array of check-boxes we get from the POST are only those of the checked ones with value 'on'.
@@ -39,6 +40,7 @@ class Controller_alerts extends BaseController {
 		$actives_final = array();
 		$passives_final = array();
 		$reminders_final = array();
+
 			
 		$numrows = count($ids);
 		for ($i = 0; $i < $numrows; ++$i) {
@@ -69,7 +71,7 @@ class Controller_alerts extends BaseController {
 
 		// Reflect the changes to the database.
          $c = new CdrAlertManager();
-         $c->update($ids, $actives_final, $passives_final, $reminders_final);
+         $c->update($ids, $actives_final, $passives_final, $reminders_final, $access_controls);
          
          $this->forward("listactmgr");
     }
diff --git a/interface/super/rules/controllers/alerts/view/list_actmgr.php b/interface/super/rules/controllers/alerts/view/list_actmgr.php
index 6e2236fee..930838e9c 100644
--- a/interface/super/rules/controllers/alerts/view/list_actmgr.php
+++ b/interface/super/rules/controllers/alerts/view/list_actmgr.php
@@ -1,3 +1,31 @@
+<?php
+/**
+ * Script to configure the Rules.
+ *
+ * Copyright (C) 2015 Brady Miller <brady@sparmy.com>
+ *
+ * LICENSE: This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 3
+ * of the License, or (at your option) any later version.
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
+ *
+ * @package OpenEMR
+ * @author  Ensoftek
+ * @author  Brady Miller <brady@sparmy.com>
+ * @link    http://www.open-emr.org
+ */
+
+require_once(dirname(__FILE__)."/../../../../../../library/acl.inc"); 
+global $phpgacl_location;
+require_once("$phpgacl_location/gacl_api.class.php");
+?>
+
 <table class="header">
   <tr>
         <td class="title"><?php echo out( xl('Clinical Decision Rules Alert Manager') ); ?></td>
@@ -22,6 +50,8 @@
                 <th width="10px"><?php echo out( xl('Passive Alert') ); ?></th>
                 <th width="40px">&nbsp;</th>
                 <th width="10px"><?php echo out( xl('Patient Reminder') ); ?></th>
+                <th width="40px">&nbsp;</th>
+                <th width="100px"><?php echo out( xl('Access Control') ); ?> <span title='<?php echo out( xl('User is required to have this access control for Active Alerts and Passive Alerts') ); ?>'>?</span></th>
                 <th></th>
         </tr>
         <?php $index = -1; ?>
@@ -46,7 +76,33 @@
                 	<td><input type="checkbox" name="reminder[<?php echo $index ?>]]" checked="yes"></td>
                 <?php }else {?>
 	                <td><input type="checkbox" name="reminder[<?php echo $index ?>]]"></td>
-				<?php } ?>                
+				<?php } ?>               
+                 <td>&nbsp;</td>
+                 <td>
+                        <?php //Place the ACO selector here
+                        $gacl_temp = new gacl_api(); 
+                        $list_aco_objects = $gacl_temp->get_objects(NULL, 0, 'ACO');
+                        foreach ($list_aco_objects as $key => $value) {
+                          asort($list_aco_objects[$key]);
+                        }
+                        echo "<select name='access_control[" . $index . "]'>";
+                        foreach ($list_aco_objects as $section => $array_acos) {
+                          $aco_section_data = $gacl_temp->get_section_data($section, 'ACO');
+                          $aco_section_title = $aco_section_data[3];
+                          foreach ($array_acos as $aco) {
+                            $aco_id = $gacl_temp->get_object_id($section, $aco,'ACO');
+                            $aco_data = $gacl_temp->get_object_data($aco_id, 'ACO');
+                            $aco_title = $aco_data[0][3];
+                            $select = '';
+                            if ($rule->access_control() == $section.":".$aco) {
+                              $select = 'selected';
+                            }
+                            echo "<option value='" . attr($section) . ":" . attr($aco) . "' " . $select . ">" . xlt($aco_section_title) . ": " . xlt($aco_title)  . "</option>";
+                          }
+                        }
+                        echo "</select>";
+                        ?>
+                 </td> 
                 <td><input style="display:none" name="id[<?php echo $index ?>]]" value=<?php echo out($rule->get_id()); ?> /></td>								
         </tr>
 		<?php }?>
diff --git a/interface/super/rules/library/CdrAlertManager.class.php b/interface/super/rules/library/CdrAlertManager.class.php
index 6e088dc41..2332ee6af 100644
--- a/interface/super/rules/library/CdrAlertManager.class.php
+++ b/interface/super/rules/library/CdrAlertManager.class.php
@@ -41,20 +41,21 @@ class CdrAlertManager{
         	    
         	    foreach( $rules as $rowRule ) {
 		              $rule_id = $rowRule['id'];
-		              $cdra[] = new CdrResults($rule_id, $rowRule['active_alert_flag'], $rowRule['passive_alert_flag'], $rowRule['patient_reminder_flag']);
+		              $cdra[] = new CdrResults($rule_id, $rowRule['active_alert_flag'], $rowRule['passive_alert_flag'], $rowRule['patient_reminder_flag'], $rowRule['access_control']);
         	    }
         	    
 		        return $cdra;
         }
         
-        function update($rule_ids, $active_alert_flags, $passive_alert_flags, $patient_reminder_flags) {
+        function update($rule_ids, $active_alert_flags, $passive_alert_flags, $patient_reminder_flags, $access_controls) {
         	
         	    for($index=0; $index < count($rule_ids); $index++) { 
 		              $rule_id = $rule_ids[$index];
 		              $active_alert_flag = $active_alert_flags[$index];
 		              $passive_alert_flag = $passive_alert_flags[$index];
         	          $patient_reminder_flag = $patient_reminder_flags[$index];
-		              $cdra = new CdrResults($rule_id, $active_alert_flag, $passive_alert_flag, $patient_reminder_flag);
+                              $access_control = $access_controls[$index];
+		              $cdra = new CdrResults($rule_id, $active_alert_flag, $passive_alert_flag, $patient_reminder_flag, $access_control);
 		              $cdra->update_table();
         	    }  
         	    
diff --git a/interface/super/rules/library/CdrHelper.class.php b/interface/super/rules/library/CdrHelper.class.php
index 6df30255b..06053b70a 100644
--- a/interface/super/rules/library/CdrHelper.class.php
+++ b/interface/super/rules/library/CdrHelper.class.php
@@ -23,13 +23,15 @@ class CdrResults{
         var $passive_flag;
         var $active_flag;
         var $reminder_flag;
+        var $access_control;
         
-	  function CdrResults($rule_id = "", $active_alert_flag = "", $passive_alert_flag = "", $patient_reminder_flag = "") {
+	  function CdrResults($rule_id = "", $active_alert_flag = "", $passive_alert_flag = "", $patient_reminder_flag = "", $access_control = "") {
 	  	    $this->id = $rule_id;
                     $this->rule = getLabel($this->id,'clinical_rules');
 			$this->active_flag = $active_alert_flag;
 			$this->passive_flag = $passive_alert_flag;
 			$this->reminder_flag = $patient_reminder_flag;
+                        $this->access_control = $access_control;
       }
       
       function active_alert_flag() {
@@ -51,15 +53,27 @@ class CdrResults{
       function patient_reminder_flag() {
                 return $this->reminder_flag;
       }
+
+      function access_control() {
+                return $this->access_control;
+      }
       
       function update_table() {
-      	
+
+                        // Set the settings that only apply to the main rule (pid = 0)      	
     			$query = "UPDATE clinical_rules SET active_alert_flag = ?" .
     			                  ", passive_alert_flag = ?" .
     			                  ", patient_reminder_flag = ?" .
 					  		  " WHERE id = ? AND pid = 0";
     
 			   sqlStatement($query, array($this->active_flag,$this->passive_flag,$this->reminder_flag,$this->id) );
+                        
+                        // Set the settings that apply to all rules including the patient custom rules (pid is > 0)
+                        $query = "UPDATE clinical_rules SET access_control = ?" .
+                                                          " WHERE id = ?";
+
+                           sqlStatement($query, array($this->access_control,$this->id) );
+
     
       }
           
diff --git a/library/clinical_rules.php b/library/clinical_rules.php
index c3d8bd121..f18c40a6d 100644
--- a/library/clinical_rules.php
+++ b/library/clinical_rules.php
@@ -46,14 +46,15 @@ require_once(dirname(__FILE__) . "/jsonwrapper/jsonwrapper.php");
  * @param  string   $mode           choose either 'reminders-all' or 'reminders-due' (required)
  * @param  string   $dateTarget     target date (format Y-m-d H:i:s). If blank then will test with current date as target.
  * @param  string   $organize_mode  Way to organize the results (default or plans)
+ * @param  string   $user           If a user is set, then will only show rules that user has permission to see.
  */
-function clinical_summary_widget($patient_id,$mode,$dateTarget='',$organize_mode='default') {
+function clinical_summary_widget($patient_id,$mode,$dateTarget='',$organize_mode='default',$user='') {
   
   // Set date to current if not set
   $dateTarget = ($dateTarget) ? $dateTarget : date('Y-m-d H:i:s');
 
   // Collect active actions
-  $actions = test_rules_clinic('','passive_alert',$dateTarget,$mode,$patient_id,'',$organize_mode);
+  $actions = test_rules_clinic('','passive_alert',$dateTarget,$mode,$patient_id,'',$organize_mode, array(),'primary',NULL,NULL,$user);
 
   // Display the actions
   $current_targets = array();
@@ -236,15 +237,16 @@ function compare_clinical_summary_widget($patient_id,$current_targets,$userid=''
  * @param  string   $mode           choose either 'reminders-all' or 'reminders-due' (required)
  * @param  string   $dateTarget     target date (format Y-m-d H:i:s). If blank then will test with current date as target.
  * @param  string   $organize_mode  Way to organize the results (default or plans)
+ * @param  string   $user           If a user is set, then will only show rules that user has permission to see
  * @return string                   html display output.
  */
-function active_alert_summary($patient_id,$mode,$dateTarget='',$organize_mode='default') {
+function active_alert_summary($patient_id,$mode,$dateTarget='',$organize_mode='default',$user='') {
 
   // Set date to current if not set
   $dateTarget = ($dateTarget) ? $dateTarget : date('Y-m-d H:i:s');
 
   // Collect active actions
-  $actions = test_rules_clinic('','active_alert',$dateTarget,$mode,$patient_id,'',$organize_mode);
+  $actions = test_rules_clinic('','active_alert',$dateTarget,$mode,$patient_id,'',$organize_mode, array(),'primary',NULL,NULL,$user);
 
   if (empty($actions)) {
     return false;
@@ -450,9 +452,10 @@ function test_rules_clinic_batch_method($provider='',$type='',$dateTarget='',$mo
  * @param  string       $pat_prov_rel  How to choose patients that are related to a chosen provider. 'primary' selects patients that the provider is set as primary provider. 'encounter' selectes patients that the provider has seen. This parameter is only applicable if the $provider parameter is set to a provider or collation setting.
  * @param  integer      $start         applicable patient to start at (when batching process)
  * @param  integer      $batchSize     number of patients to batch (when batching process)
+ * @param  string       $user          If a user is set, then will only show rules that user has permission to see(only applicable for per patient and not when do reports).
  * @return array                       See above for organization structure of the results.
  */
-function test_rules_clinic($provider='',$type='',$dateTarget='',$mode='',$patient_id='',$plan='',$organize_mode='default',$options=array(),$pat_prov_rel='primary',$start=NULL,$batchSize=NULL) {
+function test_rules_clinic($provider='',$type='',$dateTarget='',$mode='',$patient_id='',$plan='',$organize_mode='default',$options=array(),$pat_prov_rel='primary',$start=NULL,$batchSize=NULL,$user='') {
 
   // If dateTarget is an array, then organize them.
   if (is_array($dateTarget)) {
@@ -474,7 +477,7 @@ function test_rules_clinic($provider='',$type='',$dateTarget='',$mode='',$patien
     $ures = sqlStatementCdrEngine($query);
     // Second, run through each provider recursively
     while ($urow = sqlFetchArray($ures)) {
-      $newResults = test_rules_clinic($urow['id'],$type,$dateTarget,$mode,$patient_id,$plan,$organize_mode,$options,$pat_prov_rel,$start,$batchSize);
+      $newResults = test_rules_clinic($urow['id'],$type,$dateTarget,$mode,$patient_id,$plan,$organize_mode,$options,$pat_prov_rel,$start,$batchSize,$user);
       if (!empty($newResults)) {
         $provider_item['is_provider'] = TRUE;
         $provider_item['prov_lname'] = $urow['lname'];
@@ -504,7 +507,7 @@ function test_rules_clinic($provider='',$type='',$dateTarget='',$mode='',$patien
         // Second, run through each provider recursively
         $provider_results = array();
         while ($urow = sqlFetchArray($ures)) {
-          $newResults = test_rules_clinic($urow['id'],$type,$dateTarget,$mode,$patient_id,$plan_item['id'],'default',$options,$pat_prov_rel,$start,$batchSize);
+          $newResults = test_rules_clinic($urow['id'],$type,$dateTarget,$mode,$patient_id,$plan_item['id'],'default',$options,$pat_prov_rel,$start,$batchSize,$user);
           if (!empty($newResults)) {
             $provider_item['is_provider'] = TRUE;
             $provider_item['prov_lname'] = $urow['lname'];
@@ -523,7 +526,7 @@ function test_rules_clinic($provider='',$type='',$dateTarget='',$mode='',$patien
       }
       else {
         // (not collate_inner, so do not nest providers within each plan)
-        $newResults = test_rules_clinic($provider,$type,$dateTarget,$mode,$patient_id,$plan_item['id'],'default',$options,$pat_prov_rel,$start,$batchSize);
+        $newResults = test_rules_clinic($provider,$type,$dateTarget,$mode,$patient_id,$plan_item['id'],'default',$options,$pat_prov_rel,$start,$batchSize,$user);
         if (!empty($newResults)) {
           $plan_item['is_plan'] = TRUE;
           array_push($results,$plan_item);
@@ -559,11 +562,11 @@ function test_rules_clinic($provider='',$type='',$dateTarget='',$mode='',$patien
   if ($mode != "report") {
     // Use per patient custom rules (if exist)
     // Note as discussed above, this only works for single patient instances.
-    $rules = resolve_rules_sql($type,$patient_id,FALSE,$plan);
+    $rules = resolve_rules_sql($type,$patient_id,FALSE,$plan,$user);
   }
   else { // $mode = "report"
     // Only use default rules (do not use patient custom rules)
-    $rules = resolve_rules_sql($type,$patient_id,FALSE,$plan);
+    $rules = resolve_rules_sql($type,$patient_id,FALSE,$plan,$user);
   }
 
   foreach( $rules as $rowRule ) {
@@ -1254,9 +1257,10 @@ function set_plan_activity_patient($plan,$type,$setting,$patient_id) {
  * @param  integer  $patient_id       pid of selected patient. (if custom rule does not exist then will use the default rule)
  * @param  boolean  $configurableOnly true if only want the configurable (per patient) rules (ie. ignore cqm and amc rules)
  * @param  string   $plan             collect rules for specific plan
+ * @param  string   $user             If a user is set, then will only show rules that user has permission to see
  * @return array                      rules
  */
-function resolve_rules_sql($type='',$patient_id='0',$configurableOnly=FALSE,$plan='') {
+function resolve_rules_sql($type='',$patient_id='0',$configurableOnly=FALSE,$plan='',$user='') {
 
   if ($configurableOnly) {
     // Collect all default, configurable (per patient) rules into an array
@@ -1290,6 +1294,19 @@ function resolve_rules_sql($type='',$patient_id='0',$configurableOnly=FALSE,$pla
 
   // Need to select rules (use custom if exist)
   foreach ($returnArray as $rule) {
+
+    // If user is set, then check if user has access to the rule
+    if (!empty($user)) {
+      $access_control = explode(':',$rule['access_control']);
+      if ( !empty($access_control[0]) && !empty($access_control[1]) ) {
+        // Section and ACO filters are not empty, so do the test for access.
+        if (!acl_check($access_control[0],$access_control[1],$user)) {
+          // User does not have access to this rule, so skip the rule.
+          continue;
+        }
+      }
+    }
+
     $customRule = sqlQueryCdrEngine("SELECT * FROM `clinical_rules` WHERE `id`=? AND `pid`=?", array($rule['id'],$patient_id) );
 
     // Decide if use default vs custom rule (preference given to custom rule)
@@ -1374,19 +1391,23 @@ function set_rule_activity_patient($rule,$type,$setting,$patient_id) {
     $setting = NULL;
   }
 
+  //Collect main rule to allow setting of the access_control
+  $original_query = "SELECT * FROM `clinical_rules` WHERE `id` = ? AND `pid` = 0";
+  $patient_rule_original = sqlQueryCdrEngine($original_query, array($rule) );
+
   // Collect patient specific rule, if already exists.
   $query = "SELECT * FROM `clinical_rules` WHERE `id` = ? AND `pid` = ?";
   $patient_rule = sqlQueryCdrEngine($query, array($rule,$patient_id) );
 
   if (empty($patient_rule)) {
     // Create a new patient specific rule with flags all set to default
-    $query = "INSERT into `clinical_rules` (`id`, `pid`) VALUES (?,?)";
-    sqlStatementCdrEngine($query, array($rule, $patient_id) ); 
+    $query = "INSERT into `clinical_rules` (`id`, `pid`, `access_control`) VALUES (?,?,?)";
+    sqlStatementCdrEngine($query, array($rule, $patient_id, $patient_rule_original['access_control']) ); 
   }
 
   // Update patient specific row
-  $query = "UPDATE `clinical_rules` SET `" . add_escape_custom($type) . "_flag`= ? WHERE id = ? AND pid = ?";
-  sqlStatementCdrEngine($query, array($setting,$rule,$patient_id) );
+  $query = "UPDATE `clinical_rules` SET `" . add_escape_custom($type) . "_flag`= ?, `access_control` = ? WHERE id = ? AND pid = ?";
+  sqlStatementCdrEngine($query, array($setting,$patient_rule_original['access_control'],$rule,$patient_id) );
 
 }
 
diff --git a/sql/4_2_0-to-4_2_1_upgrade.sql b/sql/4_2_0-to-4_2_1_upgrade.sql
index 3d2114342..c33eab091 100644
--- a/sql/4_2_0-to-4_2_1_upgrade.sql
+++ b/sql/4_2_0-to-4_2_1_upgrade.sql
@@ -12549,3 +12549,38 @@ CREATE TABLE `clinical_rules_log` (
 ) ENGINE=MyISAM AUTO_INCREMENT=1 ;
 #EndIf
 
+#IfMissingColumn clinical_rules access_control
+ALTER TABLE `clinical_rules` ADD `access_control` VARCHAR(255) NOT NULL DEFAULT 'patients:med' COMMENT 'ACO link for access control';
+#EndIf
+
+#IfNotRow clinical_rules id rule_socsec_entry
+INSERT INTO `clinical_rules` ( `id`, `pid`, `active_alert_flag`, `passive_alert_flag`, `cqm_flag`, `cqm_nqf_code`, `cqm_pqri_code`, `amc_flag`, `amc_code`, `patient_reminder_flag`, `access_control` ) VALUES ('rule_socsec_entry', 0, 0, 0, 0, '', '', 0, '', 0, 'admin:practice');
+#EndIf
+
+#IfNotRow2D list_options list_id clinical_rules option_id rule_socsec_entry
+INSERT INTO `list_options` ( `list_id`, `option_id`, `title`, `seq`, `is_default` ) VALUES ('clinical_rules', 'rule_socsec_entry', 'Data Entry - Social Security Number', 1500, 0);
+#EndIf
+
+#IfNotRow2D list_options list_id rule_action option_id act_soc_sec
+INSERT INTO `list_options` ( `list_id`, `option_id`, `title`, `seq`, `is_default` ) VALUES ('rule_action' ,'act_soc_sec', 'Social Security Number', 155, 0);
+#EndIf
+
+#IfNotRow rule_action id rule_socsec_entry
+INSERT INTO `rule_action` ( `id`, `group_id`, `category`, `item` ) VALUES ('rule_socsec_entry', 1, 'act_cat_assess', 'act_soc_sec');
+#EndIf
+
+#IfNotRow2D rule_action_item category act_cat_assess item act_soc_sec
+INSERT INTO `rule_action_item` ( `category`, `item`, `clin_rem_link`, `reminder_message`, `custom_flag` ) VALUES ('act_cat_assess', 'act_soc_sec', '', '', 0);
+#EndIf
+
+#IfNotRow rule_reminder id rule_socsec_entry
+INSERT INTO `rule_reminder` ( `id`, `method`, `method_detail`, `value` ) VALUES ('rule_socsec_entry', 'clinical_reminder_pre', 'week', '2');
+INSERT INTO `rule_reminder` ( `id`, `method`, `method_detail`, `value` ) VALUES ('rule_socsec_entry', 'clinical_reminder_post', 'month', '1');
+INSERT INTO `rule_reminder` ( `id`, `method`, `method_detail`, `value` ) VALUES ('rule_socsec_entry', 'patient_reminder_pre', 'week', '2');
+INSERT INTO `rule_reminder` ( `id`, `method`, `method_detail`, `value` ) VALUES ('rule_socsec_entry', 'patient_reminder_post', 'month', '1');
+#EndIf
+
+#IfNotRow rule_target id rule_socsec_entry
+INSERT INTO `rule_target` ( `id`, `group_id`, `include_flag`, `required_flag`, `method`, `value`, `interval` ) VALUES ('rule_socsec_entry', 1, 1, 1, 'target_database', '::patient_data::ss::::::ge::1', 0);
+#EndIf
+
diff --git a/sql/database.sql b/sql/database.sql
index 097470dae..7a05fb703 100644
--- a/sql/database.sql
+++ b/sql/database.sql
@@ -439,6 +439,7 @@ CREATE TABLE `clinical_rules` (
   `funding_source` VARCHAR(255) NOT NULL DEFAULT '' COMMENT 'Clinical Rule Funding Source',
   `release_version` VARCHAR(255) NOT NULL DEFAULT '' COMMENT 'Clinical Rule Release Version',
   `web_reference` VARCHAR(255) NOT NULL DEFAULT '' COMMENT 'Clinical Rule Web Reference',
+  `access_control` VARCHAR(255) NOT NULL DEFAULT 'patients:med' COMMENT 'ACO link for access control',
   PRIMARY KEY  (`id`,`pid`)
 ) ENGINE=MyISAM ;
 
@@ -573,6 +574,10 @@ INSERT INTO `clinical_rules` ( `id`, `pid`, `active_alert_flag`, `passive_alert_
 -- Coumadin Management - INR Monitoring
 INSERT INTO `clinical_rules` ( `id`, `pid`, `active_alert_flag`, `passive_alert_flag`, `cqm_flag`, `cqm_nqf_code`, `cqm_pqri_code`, `amc_flag`, `amc_code`, `patient_reminder_flag` ) VALUES ('rule_inr_monitor', 0, 0, 1, 0, '', '', 0, '', 0);
 --
+-- Rule to specifically demonstrate MU2 for CDR engine
+--
+INSERT INTO `clinical_rules` ( `id`, `pid`, `active_alert_flag`, `passive_alert_flag`, `cqm_flag`, `cqm_nqf_code`, `cqm_pqri_code`, `amc_flag`, `amc_code`, `patient_reminder_flag`, `access_control` ) VALUES ('rule_socsec_entry', 0, 0, 0, 0, '', '', 0, '', 0, 'admin:practice');
+--
 -- MU2 AMC rules
 --
 INSERT INTO `clinical_rules` 
@@ -3665,8 +3670,11 @@ INSERT INTO `list_options` ( `list_id`, `option_id`, `title`, `seq`, `is_default
 INSERT INTO `list_options` ( `list_id`, `option_id`, `title`, `seq`, `is_default` ) VALUES ('clinical_rules', 'rule_cs_colon', 'Cancer Screening: Colon Cancer Screening', 640, 0);
 INSERT INTO `list_options` ( `list_id`, `option_id`, `title`, `seq`, `is_default` ) VALUES ('clinical_rules', 'rule_cs_prostate', 'Cancer Screening: Prostate Cancer Screening', 650, 0);
 INSERT INTO `list_options` ( `list_id`, `option_id`, `title`, `seq`, `is_default` ) VALUES ('clinical_rules', 'rule_inr_monitor', 'Coumadin Management - INR Monitoring', 1000, 0);
+INSERT INTO `list_options` ( `list_id`, `option_id`, `title`, `seq`, `is_default` ) VALUES ('clinical_rules', 'rule_socsec_entry', 'Data Entry - Social Security Number', 1500, 0);
 INSERT INTO `list_options` ( `list_id`, `option_id`, `title`, `seq`, `is_default` ) VALUES ('clinical_rules', 'rule_appt_reminder', 'Appointment Reminder Rule', 2000, 0);
 
+
+
 INSERT INTO `list_options` (`list_id`, `option_id`, `title`, `seq`, `is_default`, `option_value`, `mapping`, `notes`, `codes`, `toggle_setting_1`, `toggle_setting_2`) VALUES
 ('clinical_rules', 'image_results_amc', 'Image Results', 3000, 0, 0, '', '', '', 0, 0);
 INSERT INTO `list_options` (`list_id`, `option_id`, `title`, `seq`, `is_default`, `option_value`, `mapping`, `notes`, `codes`, `toggle_setting_1`, `toggle_setting_2`) VALUES
@@ -3814,6 +3822,7 @@ INSERT INTO `list_options` ( `list_id`, `option_id`, `title`, `seq`, `is_default
 INSERT INTO `list_options` ( `list_id`, `option_id`, `title`, `seq`, `is_default` ) VALUES ('rule_action' ,'act_colon_cancer_screen', 'Colon Cancer Screening', 130, 0);
 INSERT INTO `list_options` ( `list_id`, `option_id`, `title`, `seq`, `is_default` ) VALUES ('rule_action' ,'act_prostate_cancer_screen', 'Prostate Cancer Screening', 140, 0);
 INSERT INTO `list_options` ( `list_id`, `option_id`, `title`, `seq`, `is_default` ) VALUES ('rule_action' ,'act_lab_inr', 'INR', 150, 0);
+INSERT INTO `list_options` ( `list_id`, `option_id`, `title`, `seq`, `is_default` ) VALUES ('rule_action' ,'act_soc_sec', 'Social Security Number', 155, 0);
 INSERT INTO `list_options` ( `list_id`, `option_id`, `title`, `seq`, `is_default` ) VALUES ('rule_action' ,'act_appointment', 'Appointment', 160, 0);
 
 -- Clinical Rule Reminder Intervals
@@ -5483,6 +5492,8 @@ INSERT INTO `rule_action` ( `id`, `group_id`, `category`, `item` ) VALUES ('rule
 INSERT INTO `rule_action` ( `id`, `group_id`, `category`, `item` ) VALUES ('rule_cs_colon', 1, 'act_cat_assess', 'act_colon_cancer_screen');
 INSERT INTO `rule_action` ( `id`, `group_id`, `category`, `item` ) VALUES ('rule_cs_prostate', 1, 'act_cat_assess', 'act_prostate_cancer_screen');
 INSERT INTO `rule_action` ( `id`, `group_id`, `category`, `item` ) VALUES ('rule_inr_monitor', 1, 'act_cat_measure', 'act_lab_inr');
+INSERT INTO `rule_action` ( `id`, `group_id`, `category`, `item` ) VALUES ('rule_socsec_entry', 1, 'act_cat_assess', 'act_soc_sec');
+
 
 -- --------------------------------------------------------
 
@@ -5519,6 +5530,7 @@ INSERT INTO `rule_action_item` ( `category`, `item`, `clin_rem_link`, `reminder_
 INSERT INTO `rule_action_item` ( `category`, `item`, `clin_rem_link`, `reminder_message`, `custom_flag` ) VALUES ('act_cat_assess', 'act_colon_cancer_screen', '', '', 1);
 INSERT INTO `rule_action_item` ( `category`, `item`, `clin_rem_link`, `reminder_message`, `custom_flag` ) VALUES ('act_cat_assess', 'act_prostate_cancer_screen', '', '', 1);
 INSERT INTO `rule_action_item` ( `category`, `item`, `clin_rem_link`, `reminder_message`, `custom_flag` ) VALUES ('act_cat_measure', 'act_lab_inr', '', '', 0);
+INSERT INTO `rule_action_item` ( `category`, `item`, `clin_rem_link`, `reminder_message`, `custom_flag` ) VALUES ('act_cat_assess', 'act_soc_sec', '', '', 0);
 
 -- --------------------------------------------------------
 
@@ -5963,6 +5975,11 @@ INSERT INTO `rule_reminder` ( `id`, `method`, `method_detail`, `value` ) VALUES
 INSERT INTO `rule_reminder` ( `id`, `method`, `method_detail`, `value` ) VALUES ('rule_inr_monitor', 'clinical_reminder_post', 'month', '1');
 INSERT INTO `rule_reminder` ( `id`, `method`, `method_detail`, `value` ) VALUES ('rule_inr_monitor', 'patient_reminder_pre', 'week', '2');
 INSERT INTO `rule_reminder` ( `id`, `method`, `method_detail`, `value` ) VALUES ('rule_inr_monitor', 'patient_reminder_post', 'month', '1');
+-- Data Entry - Social Security Number
+INSERT INTO `rule_reminder` ( `id`, `method`, `method_detail`, `value` ) VALUES ('rule_socsec_entry', 'clinical_reminder_pre', 'week', '2');
+INSERT INTO `rule_reminder` ( `id`, `method`, `method_detail`, `value` ) VALUES ('rule_socsec_entry', 'clinical_reminder_post', 'month', '1');
+INSERT INTO `rule_reminder` ( `id`, `method`, `method_detail`, `value` ) VALUES ('rule_socsec_entry', 'patient_reminder_pre', 'week', '2');
+INSERT INTO `rule_reminder` ( `id`, `method`, `method_detail`, `value` ) VALUES ('rule_socsec_entry', 'patient_reminder_post', 'month', '1');
 
 -- --------------------------------------------------------
 
@@ -6055,6 +6072,8 @@ INSERT INTO `rule_target` ( `id`, `group_id`, `include_flag`, `required_flag`, `
 INSERT INTO `rule_target` ( `id`, `group_id`, `include_flag`, `required_flag`, `method`, `value`, `interval` ) VALUES ('rule_inr_monitor', 1, 1, 1, 'target_interval', 'week', 3);
 INSERT INTO `rule_target` ( `id`, `group_id`, `include_flag`, `required_flag`, `method`, `value`, `interval` ) VALUES ('rule_inr_monitor', 1, 1, 1, 'target_proc', 'INR::CPT4:85610::::::ge::1', 0);
 
+INSERT INTO `rule_target` ( `id`, `group_id`, `include_flag`, `required_flag`, `method`, `value`, `interval` ) VALUES ('rule_socsec_entry', 1, 1, 1, 'target_database', '::patient_data::ss::::::ge::1', 0);
+
 -- --------------------------------------------------------
 
 -- 
diff --git a/version.php b/version.php
index 96102e7e8..942357aff 100644
--- a/version.php
+++ b/version.php
@@ -17,7 +17,7 @@ $v_realpatch = '0';
 // is a database change in the course of development.  It is used
 // internally to determine when a database upgrade is needed.
 //
-$v_database = 148;
+$v_database = 149;
 
 // Access control version identifier, this is to be incremented whenever there
 // is a access control change in the course of development.  It is used
-- 
2.11.4.GIT