user manager role

I’m trying to create a role that can manage users. I’ve added every ability that has ‘user’ in it to that role, but still none of the users show up. Is there something magic I’m missing?

Thanks,

Tom

···

This message was scanned for viruses with Trend Micro ScanMail, GFI MailSecurity and GFI MailEssentials by the World Health Organization Regional Office for the Western Pacific. However, the recipient is advised to scan this e-mail and any attached files for viruses.

Disclaimer:

This e-mail, together with any attachments, is intended for the named recipients only and is confidential. It may also be privileged or otherwise protected by law.

If you have received it in error, please notify the sender immediately by reply e-mail and delete it and any attachments from your system. You may not copy or disclose its contents to anyone.

My understanding is that the user manager ONLY sees the people he will add. If this is the case, then I am sure it is kind of a bug that needs to be looked at.

···

Sent from my BlackBerry® smartphone provided by Airtel Uganda.

-----Original Message-----
From: <hiattt@wpro.who.int>
Sender: dhis2-users-bounces+stephocay=gmail.com@lists.launchpad.net
Date: Tue, 26 Jun 2012 04:00:02
To: <dhis2-users@lists.launchpad.net>
Subject: [Dhis2-users] user manager role

_______________________________________________
Mailing list: https://launchpad.net/~dhis2-users
Post to : dhis2-users@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-users
More help : https://help.launchpad.net/ListHelp

Hi Tom,

The arrangement is that the current user must himself have all of the
authorities of the users visible to him. This was done to allow
decentralization of user management, e.g. a district user can create
and manage facility users for his district, but not create super-users
or other district users.

The problem with creating users who should only be allowed to create
and manage any type of users is that it gives a false sense of
security - they could easily create a new user account for themselves,
log in with it and perform whatever task they are allowed to give
others.

Lars

···

On Tue, Jun 26, 2012 at 6:00 AM, <hiattt@wpro.who.int> wrote:


On the other hand, I perfectly prefer that arrangement that a user manager simply sees the activities of those accounts he created as he has no business looking at views that should be visible from those with higher privileges than him.

@stephocay: what did you mean by 'ONLY see the people he will add' -- only the list of accounts or only the activities of these accounts?

···

Sent from my BlackBerry® wireless handheld

-----Original Message-----
From: stephocay@gmail.com
Sender: dhis2-users-bounces+alvin.marcelo=gmail.com@lists.launchpad.net
Date: Tue, 26 Jun 2012 04:57:40
To: <hiattt@wpro.who.int>; <dhis2-users-bounces+stephocay=gmail.com@lists.launchpad.net>; <dhis2-users@lists.launchpad.net>
Reply-To: stephocay@gmail.com
Subject: Re: [Dhis2-users] user manager role


Okay, thanks for your help. I think I’m getting this.

So,

· A user manager can only see the users who have privileges that are within his list of privileges.

· A user manager can only assign roles (see them listed) that are within his list of privileges.

· This actually doesn’t have to do with who added the user (as stephocay mentioned), so if a superuser adds a user with sufficiently limited privileges, then the user manager will be able to see that user.

Some odd behavior I noticed:

· A user manager can see users assigned to org units that he is not assigned to.

· If a user manager has the role of ‘editor’ and ‘user manager’ with associated privileges for each he cannot view other users even though he has all their privileges with his 2 roles combined. But if these privileges are combined into one role he can see them.

Tom

···

-----Original Message-----
From: Alvin B. Marcelo [mailto:alvin.marcelo@gmail.com]
Sent: 27 June 2012 05:33
To: stephocay@gmail.com; Hiatt, Mr Tom (WPRO); dhis2-users-bounces+stephocay=gmail.com@lists.launchpad.net; dhis2-users@lists.launchpad.net
Subject: Re: [Dhis2-users] user manager role


> Okay, thanks for your help. I think I'm getting this.
>
> So,
>
> · A user manager can only see the users who have privileges that are
> within his list of privileges.
>
> · A user manager can only assign roles (see them listed) that are
> within his list of privileges.
>
> · This actually doesn't have to do with who added the user (as
> stephocay mentioned), so if a superuser adds a user with sufficiently
> limited privileges, then the user manager will be able to see that user.

This is correct.

> Some odd behavior I noticed:
>
> · A user manager can see users assigned to org units that he is not
> assigned to.

Yes that is right. If you need to restrict this you can remove the
authority for viewing all users (through the "Users" menu item) and
only give those users the authority to view users within their org
unit sub-tree through the "User by Organisation Unit" menu item.

> · If a user manager has the role of 'editor' and 'user manager' with
> associated privileges for each he cannot view other users even though he has
> all their privileges with his 2 roles combined. But if these privileges are
> combined into one role he can see them.

OK. There is also a rule saying a user cannot view/modify other users
with the same user role as yourself - could this be the reason why you
get this?

Lars
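
A small model of the rules discussed in this thread, added here as an illustration and not taken from DHIS2's own code: a manager sees a user only if that user's authorities are a subset of his own, may assign only roles he fully holds, and (the rule Lars suggests as a possible cause) cannot see users who share a role with him. Role names, authority names and the sample accounts are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    authorities: frozenset

@dataclass(frozen=True)
class User:
    name: str
    roles: tuple  # tuple of Role objects

    @property
    def authorities(self):
        # Effective authorities: union over all assigned roles.
        return frozenset().union(*(r.authorities for r in self.roles))

def can_assign(manager, role):
    """A role may be handed out only if the manager holds every authority in it.
    Without this check a user manager could create a stronger account for himself."""
    return role.authorities <= manager.authorities

def can_see(manager, target):
    """Visible if the target's authorities are a subset of the manager's
    and the two accounts share no user role (assumed same-role rule)."""
    if target.authorities - manager.authorities:
        return False
    shared = {r.name for r in manager.roles} & {r.name for r in target.roles}
    return not shared

# Constructed sample data; authority names are placeholders, not DHIS2 identifiers.
EDIT = frozenset({"DATA_ENTRY", "REPORT_VIEW"})
MANAGE = frozenset({"USER_ADD", "USER_VIEW"})
editor = Role("editor", EDIT)
user_manager = Role("user manager", MANAGE)
combined = Role("editor + user manager", EDIT | MANAGE)
superuser = Role("superuser", EDIT | MANAGE | {"ALL"})

facility_user = User("facility", (editor,))           # ordinary account
two_roles = User("manager-a", (editor, user_manager))  # Tom's first setup
one_role = User("manager-b", (combined,))              # Tom's second setup
admin = User("admin", (superuser,))

if __name__ == "__main__":
    for m in (two_roles, one_role):
        print(m.name, "sees facility user:", can_see(m, facility_user),
              "| can assign superuser:", can_assign(m, superuser))
```

Under these assumptions the two-role manager is blocked by the shared 'editor' role while the single combined role is not, which matches the behaviour Tom reports; whether that is the actual cause in DHIS2 is left open in the thread.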

···

On Fri, Jun 29, 2012 at 6:26 AM, <hiattt@wpro.who.int> wrote: