No Sharing Settings for Organisation Units

Hello,

I have a user account with access restricted to only 3 organisation units. When I log in to this account, I can only see the assigned OUs in the interface.
However, when I access the endpoint /api/29/organisationUnits.json, I am able to view all the OUs in the DHIS2 instance, even though the account does not have permission to see them.

Additionally, there are no sharing settings applied to the OUs. Is there a way to protect the organization units?
@Gassim @dhis2-security

Thanks

If you mean you configured the user to limit the read/write of data on only 2 orgunits like here

I think it’s the “expected” behavior: this will only prevent the user from encoding data for other orgunits or from seeing data or analytics of other orgunits.

By data, DHIS2 means:

  • datavalues of a dataset or
  • datavalues of data element group or
  • events (tracker or simple)

The metadata (data elements, datasets, orgunits…) will probably be visible to him, except if you really configured the sharing settings to prevent that.

See on play: user limitdUse_123 (password limitdUse_123)

Hi @Stephan_Mestach

Thank you for the response.

When I access the endpoint below using a user account that only has access to two organization units (OUs), they are still able to see all OUs, as shown in the attached screenshot. I want to restrict users from viewing all OUs.

@Gassim @Stephan_Mestach is there a way to restrict users from viewing all the OUs using the API?

/api/organisationUnits

@sami12111: This is by design. In order to be able to properly render an organisation unit tree with the appropriate hierarchy, the user needs to have access to metadata for organisation units for which they do not have view or write access.

Please let us know if you have specific concerns about the current read access to organisation unit metadata.

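To put a number on the metadata exposure discussed in this thread, the sketch below splits the organisation units returned to a restricted account into those inside its assigned subtrees, the ancestors needed to draw the tree above them, and everything else. It is an added example, not code from any poster or from the DHIS2 project; it assumes the `/api/me` and `/api/organisationUnits` responses were saved with the `id` and `path` fields, and the sample payloads and the three bucket names are constructed for illustration.

```python
import json

# Constructed sample responses (not captured from a real instance).
# Assumed requests: /api/me?fields=organisationUnits[id] and
# /api/organisationUnits?fields=id,displayName,path&paging=false
ME_JSON = '{"organisationUnits": [{"id": "ouDistA0001"}, {"id": "ouFacB00002"}]}'
LISTING_JSON = json.dumps({"organisationUnits": [
    {"id": "ouCountry01", "displayName": "Country", "path": "/ouCountry01"},
    {"id": "ouDistA0001", "displayName": "District A", "path": "/ouCountry01/ouDistA0001"},
    {"id": "ouFacA00001", "displayName": "Facility A1", "path": "/ouCountry01/ouDistA0001/ouFacA00001"},
    {"id": "ouDistB0001", "displayName": "District B", "path": "/ouCountry01/ouDistB0001"},
    {"id": "ouFacB00002", "displayName": "Facility B2", "path": "/ouCountry01/ouDistB0001/ouFacB00002"},
    {"id": "ouFacB00003", "displayName": "Facility B3", "path": "/ouCountry01/ouDistB0001/ouFacB00003"},
]})


def classify(me, listing):
    """Split listed org units into assigned subtree, ancestors, and the rest."""
    roots = {ou["id"] for ou in me.get("organisationUnits", [])}
    by_id = {ou["id"]: ou for ou in listing["organisationUnits"]}
    # Ancestors of assigned units: required to render the hierarchy above them.
    ancestors = set()
    for root in roots:
        segs = by_id[root]["path"].strip("/").split("/") if root in by_id else []
        ancestors.update(segs[:-1])
    result = {"assigned": [], "ancestor": [], "other": []}
    for ou in listing["organisationUnits"]:
        segs = ou["path"].strip("/").split("/")
        if roots.intersection(segs):      # the unit itself or a descendant
            result["assigned"].append(ou["id"])
        elif ou["id"] in ancestors:
            result["ancestor"].append(ou["id"])
        else:                             # visible metadata outside the user's branch
            result["other"].append(ou["id"])
    return result


def report(me_json=ME_JSON, listing_json=LISTING_JSON):
    return classify(json.loads(me_json), json.loads(listing_json))


if __name__ == "__main__":
    for bucket, ids in report().items():
        print(f"{bucket:9s} {len(ids):3d}  {', '.join(ids)}")
```

The size of the `other` bucket, together with what the unit names and hierarchy reveal, is the concrete detail to bring back when answering the request for specific concerns about read access to organisation unit metadata.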