dhis2-devs-core team mailing list archive

Re: Read only access to orgunits

 

On 23 April 2015 at 09:35, Rangarirai Matavire <matavirer@xxxxxxxxx> wrote:
> Thanks,
> Is it possible to create a user with no privileges?

Well as little as possible ...

Please check demo.dhis2.org.

I just created a role called "metadata client" and assigned no
authorities to it.

Then created a user called facility (password Facility1) with role
"metadata client".

You can see that with these credentials you can't do much with the
application, but you *can* browse the api at
https://apps.dhis2.org/demo/api/ including the orgunits at
https://apps.dhis2.org/demo/api/organisationUnits.

AFAIK that is the minimum level of access you can give an account, and
is sufficient to be able to export orgunits which is what you need.

Unfortunately the user also has access to all sorts of other metadata
like charts, reports, user details which is really not ideal if all we
want to expose is an interface for an orgunit synchronisation.  Would
be preferable to be able to tie it down to just orgunits,
orgunitgroups (and sets) and levels.

There are also other "standard" api like CSD and FRED, but for dhis2
synching you are best working with the native api.

Cheers
Bob

>
> On Thu, Apr 2, 2015 at 6:58 PM, Lars Helge Øverland <larshelge@xxxxxxxxx>
> wrote:
>>
>> Hi Bob,
>>
>> yes that is correct.
>>
>> You can read but of course not create org units without explicit
>> authority.
>>
>> For most objects we now have "sharing" applied, which means you could make
>> that meta-data private (hidden). We do not have sharing for org units due to
>> the nature of the hierarchy (would be problematic if some higher-level org
>> units were private/hidden).
>>
>> regards,
>>
>> Lars
>>
>>
>> On Thu, Apr 2, 2015 at 6:36 PM, Bob Jolliffe <bobjolliffe@xxxxxxxxx>
>> wrote:
>>>
>>> Hi
>>>
>>> I am struggling to find a required authority to create a user which
>>> has readonly access to the orgunits.
>>>
>>> Specifically I want to create an account for a facility registry type
>>> client who can read orgunits (+groups, levels, attributes) from the
>>> api - and no access to anything else.  Am I missing something silly?
>>> The default seems to be that if I create a user with no privileges
>>> whatsoever that user has access to the api metadata and resource
>>> endpoints.  Is that the way it is?
>>>
>>> Cheers
>>> Bob
>>>
>>> --
>>> Mailing list: https://launchpad.net/~dhis2-devs-core
>>> Post to     : dhis2-devs-core@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~dhis2-devs-core
>>> More help   : https://help.launchpad.net/ListHelp
>>
>>
>
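
An added example, not part of the thread or of DHIS2 itself: a small audit that checks which API collections a given account can read and flags anything readable beyond the orgunit set the client needs. The names `ALLOWED`, `http_status` and `audit` are hypothetical, the endpoint names other than `organisationUnits` are assumptions about the instance, and the sample status codes are constructed to mirror the behaviour described above.

```python
import base64
import urllib.error
import urllib.request

# Assumption: the only collections an orgunit sync client should be able to read.
ALLOWED = {"organisationUnits", "organisationUnitGroups",
           "organisationUnitGroupSets", "organisationUnitLevels"}

def http_status(base_url, endpoint, username, password):
    """GET <base_url>/<endpoint>.json with HTTP Basic auth; return the status code."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url.rstrip('/')}/{endpoint}.json",
                                 headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403/404 arrive as exceptions, not responses

def audit(endpoints, status_of, allowed=ALLOWED):
    """Sort endpoints into buckets by what the account can read vs. should read."""
    report = {"ok": [], "overexposed": [], "missing": [], "denied": []}
    for name in sorted(endpoints):
        readable = status_of(name) == 200
        if readable:
            bucket = "ok" if name in allowed else "overexposed"
        else:
            bucket = "missing" if name in allowed else "denied"
        report[bucket].append(name)
    return report

# Constructed sample: a role with no authorities can still read all metadata.
SAMPLE_STATUS = {"organisationUnits": 200, "organisationUnitGroups": 200,
                 "organisationUnitGroupSets": 200, "organisationUnitLevels": 200,
                 "charts": 200, "reports": 200, "users": 200}

def demo():
    """Run the audit offline against the constructed sample."""
    return audit(SAMPLE_STATUS, SAMPLE_STATUS.get)

if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

To run it against a live instance, pass `lambda name: http_status(base_url, name, username, password)` as `status_of`, using the account under review.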

