dhis2-devs team mailing list archive
data level sharing and access control in 2.29
In 2.29 we introduced a significant change in the access control solution
in DHIS 2.
In essence, two new levels within the sharing solution were introduced: *Can
capture data* and *Can view data*. These levels apply to capturing
data/events and viewing data/events in analytics, and complement the two
existing levels so that we now have:
1. Can edit and view metadata
2. Can view metadata
3. Can capture and view data
4. Can view data
This means that you can now control who can capture data for data sets,
programs and program stages through the sharing solution. Previous to 2.29
this was done through user roles, where data sets and programs were
associated with user roles.
You can also control who can see data in analytics for programs and
category options through the new "can view data" sharing level.
We have updated the sharing user *documentation* to reflect this:
We also have some excellent new *videos* which elaborate on this
topic - look for "Data level sharing":
The *motivation* behind this change in the access control model is:
- It provides a single place to control access to DHIS 2 objects. The user
role associations to data sets and programs have been removed and replaced
by the mentioned sharing levels.
- It opens up more flexibility in access control. Going forward we plan to
introduce more fine-grained data level sharing and include support for
entities like data elements and tracked entity attributes.
- It allows better control over who can view data in analytics, in
particular for program and tracker data.
The 2.29 *upgrade* script will create a user group per user role and share
those groups with the appropriate data sets and programs. You can of course
opt not to run this part of the script and instead do the upgrade manually.
PS. thanks Nick Dutta for excellent videos.
Lars Helge Øverland
Technical lead, DHIS 2
University of Oslo
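
A way to check a manual upgrade against what the upgrade paragraph describes (one user group per user role, shared with that role's data sets and programs), as an added example that is not part of the original message and is not DHIS 2 code. The role, user and object names are constructed, and sharing the groups at "Can capture and view data" is an assumption.

```python
from collections import defaultdict

CAPTURE = "Can capture and view data"  # sharing level name from the announcement

# Constructed pre-2.29 state: user roles carry the data set / program associations.
ROLE_OBJECTS = {
    "Data entry clerk": {"dataset:ANC", "program:Malaria case"},
    "District manager": {"dataset:ANC", "dataset:HIV"},
    "Analyst": set(),
}
USER_ROLES = {
    "alice": {"Data entry clerk"},
    "bob": {"District manager", "Analyst"},
    "carol": {"Analyst"},
}

def capture_before(user_roles, role_objects):
    """Pre-2.29 model: a user captures for every object tied to one of their roles."""
    return {u: set().union(*(role_objects[r] for r in roles))
            for u, roles in user_roles.items()}

def migrate(user_roles, role_objects):
    """One user group per role, shared with that role's former objects (assumed level: CAPTURE)."""
    groups = {role: {u for u, rs in user_roles.items() if role in rs}
              for role in role_objects}
    sharing = defaultdict(dict)  # object -> {group name: sharing level}
    for role, objects in role_objects.items():
        for obj in objects:
            sharing[obj][role] = CAPTURE
    return groups, dict(sharing)

def capture_after(groups, sharing):
    """2.29 model: a user captures for objects shared at CAPTURE with one of their groups."""
    rights = defaultdict(set)
    for obj, grants in sharing.items():
        for group, level in grants.items():
            if level == CAPTURE:
                for user in groups[group]:
                    rights[user].add(obj)
    return rights

def access_drift(before, after):
    """Users whose capture rights changed, as {user: (lost, gained)}."""
    return {u: (objs - after.get(u, set()), after.get(u, set()) - objs)
            for u, objs in before.items() if objs != after.get(u, set())}

if __name__ == "__main__":
    groups, sharing = migrate(USER_ROLES, ROLE_OBJECTS)
    print(access_drift(capture_before(USER_ROLES, ROLE_OBJECTS), capture_after(groups, sharing)))
```

An empty result means every user can capture for exactly the same objects as before; a non-empty `gained` set marks a group membership or share that widened access during the upgrade.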