I have a user account with access restricted to only 3 organisation units. When I log in to this account, I can only see the assigned OUs in the interface.
However, when I access the end-point /api/29/organisationUnits.json, I am able to view all the OUs in the DHIS2 instance, even though the account does not have permission to see them.
Additionally, there are no sharing settings applied to the OUs. Is there a way to protect the organization units? @Gassim @dhis2-security
I think it’s the “expected” behavior: this will only prevent the user from encoding data for other orgunits or from seeing data or analytics of other orgunits.
By data, DHIS2 means:
datavalues of a dataset or
datavalues of data element group or
events (tracker or simple)
The metadata (data elements, datasets, orgunits…) will probably be visible to him,
except if you really configured the sharing settings to prevent that.
See on play: user limitdUse_123 (password limitdUse_123)
When I access the endpoint below using a user account that only has access to two organization units (OUs), they are still able to see all OUs, as shown in the attached screenshot. I want to restrict users from viewing all OUs.
@Gassim @Stephan_Mestach is there a way to restrict users from viewing all the OUs using the API?
@sami12111: This is by design. In order to be able to properly render an organisation unit tree with the appropriate hierarchy, the user needs to have access to metadata for organisation units for which they do not have view or write access.
Please let us know if you have specific concerns about the current read access to organisation unit metadata.
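To see how much organisation unit metadata falls outside what a restricted account needs, the following added example (not part of the original thread and not DHIS2 code) sorts the units returned by the API into the user's assigned subtrees, the ancestors needed to draw the tree, and everything else. The JSON samples are constructed, and the response shapes (`organisationUnits`, `id`, `path`) and query parameters in the comments are assumptions about what the instance returns.

```python
import json

# Constructed sample responses (not from a real instance). Assumed sources:
#   /api/29/me.json?fields=organisationUnits[id]
#   /api/29/organisationUnits.json?fields=id,path&paging=false
ME_JSON = '{"organisationUnits": [{"id": "FACA1000001"}, {"id": "DISTB000001"}]}'
OU_JSON = json.dumps({"organisationUnits": [
    {"id": "ROOT0000001", "path": "/ROOT0000001"},
    {"id": "DISTA000001", "path": "/ROOT0000001/DISTA000001"},
    {"id": "DISTB000001", "path": "/ROOT0000001/DISTB000001"},
    {"id": "FACA1000001", "path": "/ROOT0000001/DISTA000001/FACA1000001"},
    {"id": "FACA2000001", "path": "/ROOT0000001/DISTA000001/FACA2000001"},
    {"id": "FACB1000001", "path": "/ROOT0000001/DISTB000001/FACB1000001"},
]})


def classify_visible_units(me_json, ou_json):
    """Group every org unit the account can read by why it might be needed."""
    assigned = {u["id"] for u in json.loads(me_json)["organisationUnits"]}
    units = json.loads(ou_json)["organisationUnits"]
    # path is "/root/.../self"; split it into the chain of ids from the root down
    paths = {u["id"]: u["path"].strip("/").split("/") for u in units}

    # Ancestors of an assigned unit are required to render the hierarchy
    ancestors = set()
    for uid in assigned:
        ancestors.update(paths.get(uid, [])[:-1])

    report = {"assigned_subtree": [], "tree_ancestors": [], "outside_scope": []}
    for uid, chain in paths.items():
        if assigned.intersection(chain):      # the unit itself or a descendant
            report["assigned_subtree"].append(uid)
        elif uid in ancestors:                # only needed for tree rendering
            report["tree_ancestors"].append(uid)
        else:                                 # readable metadata beyond both
            report["outside_scope"].append(uid)
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    for bucket, ids in classify_visible_units(ME_JSON, OU_JSON).items():
        print(f"{bucket}: {len(ids)} {ids}")
```

The `outside_scope` bucket is the part worth reviewing: if unit names or attributes there are sensitive, that is the specific concern to raise about read access to organisation unit metadata.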