As a part of the GSoC project “Improving Functionalities of DHIS Connector Module”, we are going to add a Role/Privilege based access control system for the DHIS Connector module. I’ll use this new thread for the updates of this section of the GSoC project.
Basically my plan is to create the privileges first, so the roles can be created later according to the user requirements. We can secure the different pages and options in Module UI with these privileges.
So these are the privileges I suggest for the DHIS Connector module.
- View_Data
- Push_Data
- Manage_Metadata

Previously I thought to create a new privilege for Import/export options. But in a previous meeting @k.joseph suggested to include that too in the manage_metadata privilege.
This is how the module will work for the users with/without these privileges.
- Users without any privilege
  - Can’t access the module
- Users with View_Data privilege
  - Can access the module
  - Have read access to these pages
    - Configure DHIS Server (Read only)
    - Location Mapping (Read only)
    - Automation (Read only)
- Users with Push_Data privilege
  - Can access the module
  - Have access to these pages
    - Configure DHIS Server (Read only)
    - Location Mapping (Read only)
    - Automation
      - Can’t add/delete records
      - Can run/re-run automated mappings
    - Run Reports
      - Can push data or download ADX or JSON
    - Failed Data
      - Can push failed data
- Users with Manage_Metadata privilege
  - Can access the module
  - Have access to these pages
    - Configure DHIS Server
      - Can update the connection
    - Location Mapping
      - Can edit/add mappings
    - Automation
      - Can add/delete records
      - Can’t push data
    - Create Mappings
    - Manage Mappings
    - Import/Export mappings
    - Import/Export DHIS2 API
After creating the privileges, we have to update the pages and options to display according to the user privileges. Also the backend endpoints will be updated to work according to the privileges.
Then we can create roles with the combinations of these privileges.
This is the approach I thought to take. I would love to have your suggestions too. Is it ok to proceed with this or do I have to change anything?
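Added example, not part of the original post or the module's code: a deny-by-default, server-side check for the three proposed privileges, so that a hidden page or navbar link is never the only control. The class, enum and action names are hypothetical, and the rule table is one reading of the lists above.

```java
import java.util.*;

// Added illustration only: names here are hypothetical, not the DHIS Connector module's API.
public class DhisConnectorAccess {
    enum Privilege { VIEW_DATA, PUSH_DATA, MANAGE_METADATA }

    // "page:action" -> privileges that permit it, transcribed from the proposal above.
    static final Map<String, Set<Privilege>> RULES = new HashMap<>();

    static void allow(String action, Privilege... ps) {
        RULES.put(action, EnumSet.copyOf(Arrays.asList(ps)));
    }

    static {
        Privilege v = Privilege.VIEW_DATA, p = Privilege.PUSH_DATA, m = Privilege.MANAGE_METADATA;
        allow("server:view", v, p, m);
        allow("server:update", m);
        allow("location-mapping:view", v, p, m);
        allow("location-mapping:edit", m);
        allow("automation:view", v, p, m);
        // Assumption: "Can't push data" for Manage_Metadata is read as "no run/re-run".
        allow("automation:run", p);
        allow("automation:add-delete", m);
        allow("reports:push", p);
        allow("failed-data:push", p);
        allow("mappings:manage", m);
        allow("mappings:import-export", m);
        allow("dhis2-api:import-export", m);
    }

    // Decision made at the endpoint: an action missing from the table, or a user
    // holding none of the listed privileges, is refused.
    static boolean isAllowed(Set<Privilege> held, String action) {
        Set<Privilege> needed = RULES.get(action);
        return needed != null && !Collections.disjoint(needed, held);
    }

    public static void main(String[] args) {
        Set<Privilege> pushOnly = EnumSet.of(Privilege.PUSH_DATA);
        Set<Privilege> metaOnly = EnumSet.of(Privilege.MANAGE_METADATA);
        Set<Privilege> none = EnumSet.noneOf(Privilege.class);
        // The last probe is deliberately absent from RULES to show the default refusal.
        String[] probes = {"server:view", "automation:run", "automation:add-delete",
                           "reports:push", "server:update", "reports:unlisted-action"};
        for (String a : probes) {
            System.out.printf("%-24s push=%-5b meta=%-5b none=%b%n", a,
                isAllowed(pushOnly, a), isAllowed(metaOnly, a), isAllowed(none, a));
        }
    }
}
```

Calling the same check from both the page controller and the backend endpoint keeps the UI and the API from drifting apart as roles are built from these privileges.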
Users who don’t have any of these 2 privileges can’t see the page or the link in the navbar.
They will be redirected to the login page if they try to access it by using the URL.
Users with Run Automation privilege can see the mappings. And also can run or rerun the mappings. (But the user should have Manage Global Properties in order to run/rerun)
Users with Manage Automation privilege can see the mappings. And also can add new mappings to automation and toggle the automation. (But the user should have Manage Global Properties in order to run/rerun or toggle automation)
Users with the Run Reports privilege can run reports and push data.
(User may need Get Identifier Types, Get Locations, Get Users privileges to load the locations and reports)
Users who don’t have the privileges can’t access or see the link in the navbar.
Failed Data UI
There is 1 privilege related to Failed Data UI.
- Run Failed Data

Users with the Run Failed Data privilege can push failed data.
Users who don’t have the privileges can’t access or see the link in the navbar.
I have sent the draft Pull request for this feature.
I have also updated the Configure DHIS Connection UI. There are 2 privileges related to Configure DHIS Connection UI.
- View Connection
- Manage Connection
This is how the UI will work after adding the module privileges.
Users with View Connection privilege can only see the URL and the username of the connection. Also a button to test the connection status will be added later as a new feature.
Users with the Manage Connection privilege or both privileges can edit the connection details and save them.
(The user should have the Manage Global Properties privilege in order to save the connection details)
Also added privileges to the Create/Manage Mappings UI. It only has one privilege which is Manage Mappings. So only the users with the Manage Mappings privilege can access the Create Mappings and Manage Mappings UI.
Note: But users may require the privileges related to each period indicator report (Ex: Get Users privilege)
Other users can’t access these pages and can’t see the links on the navbar.