dhis2-users team mailing list archive

Thread
Date

Re: User Authorities and Dashboards

To: Jason Pickering <jason.p.pickering@xxxxxxxxx>
From: Georgi Chakarov <georgi@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 4 May 2017 13:21:24 +0000
Accept-language: en-US
Authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=logicaloutcomes.net;
Cc: "dhis2-users@xxxxxxxxxxxxxxxxxxx" <dhis2-users@xxxxxxxxxxxxxxxxxxx>, "dhis2-devs@xxxxxxxxxxxxxxxxxxx" <dhis2-devs@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CADsNmhve2t2i9g0CuaAocjLDgxvMzQj44ymbfWbcFwr5SXoVPg@mail.gmail.com>
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:99
Thread-index: AQHSxMVs6Nm7UxMvTTanM4UY3mz6UKHkBeYAgAAHzLCAAATcAIAAAU5QgAAE5ICAABA2kA==
Thread-topic: [Dhis2-users] User Authorities and Dashboards

Thank you Jason! Your help is much appreciated!

From: Jason Pickering [mailto:jason.p.pickering@xxxxxxxxx]
Sent: Thursday, May 4, 2017 3:23 PM
To: Georgi Chakarov <georgi@xxxxxxxxxxxxxxxxxxx>
Cc: Antonia - Pro <antonia@xxxxxxxxxxx>; dhis2-users@xxxxxxxxxxxxxxxxxxx; dhis2-devs@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Dhis2-users] User Authorities and Dashboards

Hi Georgi,

Just go to the category option in question, choose set "Public access" to "None" and then add the appropriate user group.

From here

https://play.dhis2.org/demo/dhis-web-maintenance/#/list/dataElementSection/categoryOption

choose "Sharing settings" and then set it as appropriate.

[cid:image001.jpg@01D2C4F2.767E8AE0]

Again, depending on the complexity of your setup, you may need to script this directly with the API.

Regards,
Jason

On Thu, May 4, 2017 at 2:14 PM, Georgi Chakarov <georgi@xxxxxxxxxxxxxxxxxxx<mailto:georgi@xxxxxxxxxxxxxxxxxxx>> wrote:
Hi Jason,

Thanks again!
Last question, I promise: How do you share only one category option with one user/group of users? I mean option, not the entire category combination.

Regards,

Georgi

From: Jason Pickering [mailto:jason.p.pickering@xxxxxxxxx<mailto:jason.p.pickering@xxxxxxxxx>]
Sent: Thursday, May 4, 2017 3:01 PM
To: Georgi Chakarov <georgi@xxxxxxxxxxxxxxxxxxx<mailto:georgi@xxxxxxxxxxxxxxxxxxx>>
Cc: Antonia - Pro <antonia@xxxxxxxxxxx<mailto:antonia@xxxxxxxxxxx>>; dhis2-users@xxxxxxxxxxxxxxxxxxx<mailto:dhis2-users@xxxxxxxxxxxxxxxxxxx>; dhis2-devs@xxxxxxxxxxxxxxxxxxx<mailto:dhis2-devs@xxxxxxxxxxxxxxxxxxx>

Subject: Re: [Dhis2-users] User Authorities and Dashboards

Hi Georgi,
Good. You are on the  right track then.

From the user management app, each investor needs to be restricted by the dimension you mentioned.

[cid:image002.jpg@01D2C4F2.767E8AE0]

Like from the demo site, you might decide to restrict a user to the "Funding agency" dimension.

In order for you to obfuscate data from other users, the category option which is part of that dimension, should only be shared with a user group which the user actually belongs to and with no other users.

The category option should have "Public access" set to none and should be shared with a group with at least "Can view" which the user also belongs to. This will allow the user to see these analytics values, but will not allow other users to see them.

Even if you were able to restrict which pivots the users could see, savvy users could always use the API to extract data from the system, thus, it must be protected by proper configuration of sharing. With correct use of sharing between users and category options, you should be able to achieve this.

Regards,
Jason

On Thu, May 4, 2017 at 1:52 PM, Georgi Chakarov <georgi@xxxxxxxxxxxxxxxxxxx<mailto:georgi@xxxxxxxxxxxxxxxxxxx>> wrote:
Hi Jason,

Thank you for your response!

This is exactly how I have structured my data originally. I have organized each investor as an Attribute category options and have created Attribute option combos and assigned to selected data sets. Here are my questions:

1)      How do I share only one category option with one user?

2)      What do you mean by "Selected dimension restrictions for data analytics"? Unless I allow users to “See Pivot table module” they do not see the reports on the dashboard. And from within the Pivot they have access to other Attribute options (namely investors). I cannot assign authorities to only part of the Pivot table functions, regretfully.

Regards,

Georgi

From: Dhis2-users [mailto:dhis2-users-bounces+georgi<mailto:dhis2-users-bounces%2Bgeorgi>=logicaloutcomes.net@xxxxxxxxxxxxxxxxxxx<mailto:logicaloutcomes.net@xxxxxxxxxxxxxxxxxxx>] On Behalf Of Jason Pickering
Sent: Thursday, May 4, 2017 2:15 PM
To: Antonia - Pro <antonia@xxxxxxxxxxx<mailto:antonia@xxxxxxxxxxx>>
Cc: dhis2-users@xxxxxxxxxxxxxxxxxxx<mailto:dhis2-users@xxxxxxxxxxxxxxxxxxx>; dhis2-devs@xxxxxxxxxxxxxxxxxxx<mailto:dhis2-devs@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Dhis2-users] User Authorities and Dashboards

Hi Georgi,

To be most specific I think, you will need to use the "Attribute option combo" to control who can see what. This is basically a way to disaggregate data by a custom dimension, in this case, by an investor group. Its often used in situations where multiple partners are entering data for the same health facility, but you do not want one partner to be able to see another partners data.  Once you disaggregate your data set this way, you can then use sharing to control who can see what, by only sharing the category option which is applicable to a given user, with that user.  Each investor would need to be belong to a common group with "their" category option. You would then need to restrict users in their user role  with "Selected dimension restrictions for data analytics" as well.

This type of setup can get complex quickly, but has been used in larger implementations (i.e with the PEPFAR system) , but usually only when the groups are properly designed and the creation of users is done in a scripted way, to ensure that all of the permissions are set correctly.

Hope that helps!

Jason

On Thu, May 4, 2017 at 12:58 PM, Antonia - Pro <antonia@xxxxxxxxxxx<mailto:antonia@xxxxxxxxxxx>> wrote:
Exactly Morten.
For Dashboards, sharing also works at user level after the last update 2.26, but reports (data, event visualizer and reports and pivot tables) only work at group level currently (on the demo server).

[Image removed by sender.]
Eng. Antonia Bezenchek
CIO - ICT Engineer
InformaPRO S.r.l. via Guido Guinizelli, 98/100, Roma 00152, Italy

2017-05-04 12:29 GMT+02:00 Morten Olav Hansen <morten@xxxxxxxxx<mailto:morten@xxxxxxxxx>>:
Hm, I think maybe we support this only for the dashboards, so it might not help you (you can share dashboards directly to users, but reporting apps are not updated for that yet).

--
Morten Olav Hansen
Senior Engineer, DHIS 2
University of Oslo
http://www.dhis2.org

On Thu, May 4, 2017 at 5:28 PM, Antonia - Pro <antonia@xxxxxxxxxxx<mailto:antonia@xxxxxxxxxxx>> wrote:
Permissions for Dashboard and Favorites are managed at the group level, so if they are not groupable, you need to create a group for each user.

Regards,
Antonia

2017-05-04 9:47 GMT+02:00 Georgi Chakarov <georgi@xxxxxxxxxxxxxxxxxxx<mailto:georgi@xxxxxxxxxxxxxxxxxxx>>:
Hi Alex,

Thanks for the response!

I have 150 investors and none of them should be able to see the reports of the other investors.
Does this mean that I have to create 150 user groups with one investor each?

Regards,

Georgi

From: Alex Tumwesigye [mailto:atumwesigye@xxxxxxxxx<mailto:atumwesigye@xxxxxxxxx>]
Sent: Thursday, May 4, 2017 8:53 AM
To: Georgi Chakarov <georgi@xxxxxxxxxxxxxxxxxxx<mailto:georgi@xxxxxxxxxxxxxxxxxxx>>
Cc: dhis2-devs@xxxxxxxxxxxxxxxxxxx<mailto:dhis2-devs@xxxxxxxxxxxxxxxxxxx>; dhis2-users@xxxxxxxxxxxxxxxxxxx<mailto:dhis2-users@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Dhis2-users] User Authorities and Dashboards

Dear Georgi,

The solution is Sharing and User Groups

Implement the same sharing on each report/chart/gis map as you did on the dashboard.
That is Set Public to None and then add the Investor User Group (which is has access) and set sharing to View

Alex

On Wed, May 3, 2017 at 7:27 PM, Georgi Chakarov <georgi@xxxxxxxxxxxxxxxxxxx<mailto:georgi@xxxxxxxxxxxxxxxxxxx>> wrote:
Hello all,

I have a big problem setting up the correct authorities so that users see what I need them to.
In brief, I am reporting on financial data. I have a few investors for whom I have prepared personal dashboards with pivots on how much return they have earned. I DO NOT want investors to be able to see each other’s data.

This is what I have done:

1)      User Authorities:

-          See dashboards

-          See browser cache

-          See pivot table module
IMPORTANT: If I remove the “See pivot table module” the users are not able to see the saved pivot tables on their dashboard! So I need this authority.

2)      Dashboards

-          Created personal dashboard for each investor

-          Shared the dashboard only with the respective investor

Every investor is able to see only their dashboard. Here comes the BIG PROBLEM: When an investor clicks “Explore” pivot table from the dashboard it takes him to the Pivot table app. From there, they can go to Favorites and open a saved report for any of the other investors and see data.

Two questions here:

1)      Is there a way for user to see pivots on a dashboard without necessarily having access to the Pivot reporting module?

2)      If not, is there a way to restrict user of opening reports saved as favorites in the Pivot reporting module?

Your comments are highly appreciated!
Georgi

Georgi Chakarov, CIA | georgi@xxxxxxxxxxxxxxxxxxx<mailto:georgi@xxxxxxxxxxxxxxxxxxx> | +1-647-478-5634 x 104<tel:(647)%20478-5634> | LogicalOutcomes c/o Centre for Social Innovation, 720 Bathurst Street, Toronto Canada M5S 2R4 | You may unsubscribe from receiving commercial electronic messages from LogicalOutcomes by emailing info@xxxxxxxxxxxxxxxxxxx<mailto:info@xxxxxxxxxxxxxxxxxxx>

_______________________________________________
Mailing list: https://launchpad.net/~dhis2-users
Post to     : dhis2-users@xxxxxxxxxxxxxxxxxxx<mailto:dhis2-users@xxxxxxxxxxxxxxxxxxx>
Unsubscribe : https://launchpad.net/~dhis2-users
More help   : https://help.launchpad.net/ListHelp

--
Alex Tumwesigye

Technical Advisor - DHIS2 (Consultant),
Ministry of Health/AFENET  | HISP Uganda
Kampala
Uganda
+256 774149 775, + 256 759 800161<tel:+256%20759%20800161>
Skype ID: talexie

IT Consultant (Servers, Networks and Security, Health Information Systems - DHIS2, Disease Outbreak & Surveillance Systems) & Solar Consultant

"I don't want to be anything other than what I have been - one tree hill "

_______________________________________________
Mailing list: https://launchpad.net/~dhis2-users
Post to     : dhis2-users@xxxxxxxxxxxxxxxxxxx<mailto:dhis2-users@xxxxxxxxxxxxxxxxxxx>
Unsubscribe : https://launchpad.net/~dhis2-users
More help   : https://help.launchpad.net/ListHelp

_______________________________________________
Mailing list: https://launchpad.net/~dhis2-users
Post to     : dhis2-users@xxxxxxxxxxxxxxxxxxx<mailto:dhis2-users@xxxxxxxxxxxxxxxxxxx>
Unsubscribe : https://launchpad.net/~dhis2-users
More help   : https://help.launchpad.net/ListHelp

_______________________________________________
Mailing list: https://launchpad.net/~dhis2-users
Post to     : dhis2-users@xxxxxxxxxxxxxxxxxxx<mailto:dhis2-users@xxxxxxxxxxxxxxxxxxx>
Unsubscribe : https://launchpad.net/~dhis2-users
More help   : https://help.launchpad.net/ListHelp

--
Jason P. Pickering
email: jason.p.pickering@xxxxxxxxx<mailto:jason.p.pickering@xxxxxxxxx>
tel:+46764147049<tel:076-414%2070%2049>

--
Jason P. Pickering
email: jason.p.pickering@xxxxxxxxx<mailto:jason.p.pickering@xxxxxxxxx>
tel:+46764147049

--
Jason P. Pickering
email: jason.p.pickering@xxxxxxxxx<mailto:jason.p.pickering@xxxxxxxxx>
tel:+46764147049

References

Re: User Authorities and Dashboards
From: Antonia - Pro, 2017-05-04
Re: User Authorities and Dashboards
From: Jason Pickering, 2017-05-04
Re: User Authorities and Dashboards
From: Georgi Chakarov, 2017-05-04
Re: User Authorities and Dashboards
From: Jason Pickering, 2017-05-04
Re: User Authorities and Dashboards
From: Georgi Chakarov, 2017-05-04
Re: User Authorities and Dashboards
From: Jason Pickering, 2017-05-04