We are configuring user management permissions within the DHIS2 User app and would like to achieve the following:
Allow province-level users to create user accounts at the district level.
Restrict these province-level users from viewing the complete list of existing users.
Prevent province-level users from creating users with admin-level permissions or any permissions equal to or higher than their own.
Could you please advise if this specific permissions setup is achievable within DHIS2? If yes, we would appreciate guidance on how to configure it correctly.
This is by default a security feature that a user can’t create a user with higher privileges than what the account itself has. For instance, a guest user can never create an admin user even if the guest user is granted access to the Users app.
Even if you give access to the Users app, you will need to select the authorities to the user for specific actions:
If you want the user to be able to create users only then give the role the Metadata authority (User) which means that the user will be able to create users but not view them.
However, if you give the user the System authority (View user) then the user will be able to view all the users in the system.
For your specific use-case, the best option seems to use managed groups. For details and explanation, please check out: Decentralize user management in the docs.
Please test the decentralize user management option and let us know how it goes. Thanks!
