User Role and User Management

I am interested in creating a User Role that allows users at the country-level of the organization to add/modify/delete users in their country. I have given this User Role the following permissions:

  • Metadata: User: Add/Update Public
  • Apps: Users app
  • System: Add/remove members in read-only user groups, Add/Update User Group Managing Relationships, Add/Update User within Managed Group, Replicate User, Send Email, View User, View User Group Managing Relationships.

When a user assigned to this role logs in, they can view users, and edit them, but there are no roles showing under Available Roles and Selected Roles. Without assigning a role, they cannot create a new user.

Thank you for your advice, and again I will put in a plug for some more detail in the documentation and some sample user roles or metadata templates that will make this process easier, with the minimum authorities that are needed for the basic roles that most organizations generally need.

1 Like

@Mike_Johnson
What version of DHIS2 are you using?
I tried to replicate this on 2.30, and it seems there is some sort of dependency or constraint.
Like the “user admin” cannot create a new user with higher authorities than the “user admin” has.
Also, can you make sure your user roles are shared accordingly or can be accessed by these new user admins?

Cheers,
Emma

1 Like

Hi Emma, Thanks for looking into this for me!
We are using Version: 2.30, Build revision: 17b47a2, Build date: 2019-02-05.
I checked the user roles and they are set to Public Access, anyone can find, edit, and view metadata for those roles.
I have tried to give access to the User Role metadata to this user admin role, and this did give the user permission to edit the role, but not permission to create a new user and assign them to any role.
Is this a use case that other organizations have, to give some users administration rights over other users, but not superuser authority?

1 Like

Does any other organization have experience creating a role that will allow users to create new users in their geography? I know that I could promote these individuals to superuser status, but I would not want to do this if it is not necessary. Thank you!

1 Like

Aside from the sharing of the roles and the rest of the settings you’ve done, there is one more thing you need to do.

  1. Go to System settings -> Access -> Allow users to grant own user roles.

Note that only users who can see the User App will be able to grant roles. So it’s still safe to use the setting.

5 Likes

I’m so disappointed that I deactivated my notifications and I only now am rediscovering my recent questions and answers in the community. Thank you for responding, I will see if this is still a need for our team and see if I can implement it soon.

I am still thinking about this setting: what does it actually mean? I hope it does not mean that a user can change their own role to promote themself to superuser.

1 Like

Hi @Mike_Johnson, hope you are well. You can easily set notifications for posts you would like to see from: How to set custom Notifications from the DHIS2 Community!

Best,
James.

Thank you @paleu256. I had a similar problem and your response helped me resolve the problem.

Thank you

1 Like

Hi @Mike_Johnson,

Hope you're doing well. Have you found or got any solution for the above problem? We are also facing the same issue: user roles are not loaded during user creation, in the same scenario where you were facing the issue. Thanks for your support.

@RameshReddy,
Thank you for the question and your patience! Happy New Year! Are you still facing this issue? What is the version of the DHIS2 instance that you are using, please?

Did you try the solution proposed by @paleu256 above to turn on the option in Access in the System Settings app? If it didn’t work, are you facing this issue even with a superuser account?

If all the above is true, please check the network log in your browser’s developer tools and see if there’s an error when you attempt to create a new user.

Thanks!

The solution by @paleu256 works such that the user is able to grant/assign their own roles.
That is, if the user is a manager, he is able to create another user and assign the manager role, but is not able to assign a lower level role, like CHW/Data collector.

How will a high level user be able to assign his own role and lower level roles?

Hi @Quoda

There might be two options to solve this issue. One option is to give the user the authority to ‘replicate user’ and create the ‘type’ of user that this manager will need to create and when the user is replicated the authorities/roles will be the same and all the information can be edited.

Another option is to make sure that the manager has the roles shared in the sharing settings; otherwise, they’ll probably not appear as in the first post.

Thanks! Please post back if you’re still facing a challenge.
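The conditions raised so far in this thread (the role must be shared with the user admin, a role carrying authorities the admin lacks cannot be granted, and the "Allow users to grant own user roles" setting covers the admin's own roles) can be combined into one check that explains why a role is missing from Available Roles. The Python model below is an added example, not DHIS2 code and not from any poster; the order of the checks, the role names and the authority sets are assumptions constructed for illustration.

```python
# Added example: models the role-granting rules described in this thread.
# Not DHIS2 code; role names and authority sets are constructed samples.
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    authorities: frozenset
    visible_to_admin: bool = True  # assumed: sharing lets the admin see the role

def effective_authorities(roles):
    """Union of the authorities of every role the admin holds."""
    return frozenset().union(*(r.authorities for r in roles))

def grant_decision(admin_roles, role, allow_grant_own):
    """Return (grantable, reason) for one candidate role."""
    held = effective_authorities(admin_roles)
    if not role.visible_to_admin:
        return False, "role is not shared with the admin"
    if "ALL" in held:
        return True, "admin holds ALL"
    if role in admin_roles and not allow_grant_own:
        return False, "own role and 'Allow users to grant own user roles' is off"
    missing = role.authorities - held
    if missing:
        return False, "admin lacks: " + ", ".join(sorted(missing))
    return True, "every authority in the role is held by the admin"

def grantable_roles(admin_roles, candidates, allow_grant_own):
    """Names of the candidate roles the admin could assign to a new user."""
    return [r.name for r in candidates
            if grant_decision(admin_roles, r, allow_grant_own)[0]]

# Constructed sample roles; authority labels follow the names used in the first post.
USER_ADMIN = Role("Country user admin", frozenset(
    {"View User", "Replicate User", "Add/Update User within Managed Group"}))
DATA_ENTRY = Role("Data collector", frozenset({"Add/Update Data Value"}))
VIEWER = Role("User viewer", frozenset({"View User"}))
SUPERUSER = Role("Superuser", frozenset({"ALL"}))
CANDIDATES = [USER_ADMIN, DATA_ENTRY, VIEWER, SUPERUSER]

if __name__ == "__main__":
    for setting in (False, True):
        print("Allow users to grant own user roles =", setting)
        for role in CANDIDATES:
            print("  ", role.name, grant_decision([USER_ADMIN], role, setting))
```

Under this model, a narrowly scoped user admin sees a lower-level role only when that role's authorities are all contained in the admin's own, which is why listing the missing authorities per role is the useful diagnostic.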

@Gassim Thanks for the quick response.
I gave permission to ‘replicate users’. I then created users with the desired roles as suggested and cloned/replicated the existing user(s). This solves the problem.

Thanks

1 Like

@Quoda, good to know! Thanks! (:

1 Like

Hi @Gassim
I have a similar case where I want to create a user who will be able to manage users in their Province or region (able to add/update a new user).

I created a user with similar permissions as below:

  • Metadata: User: Add/Update Public
  • Apps: Users app
  • System: Add/remove members in read-only user groups, Add/Update User Group Managing Relationships, Add/Update User within Managed Group, Replicate User, Send Email, View User, View User Group Managing Relationships.

This user belongs to a certain group X where they will be able to manage all users who are in that group.

To create a new user, I am replicating a user with similar permissions to the one I want to create, but my problem comes when I want to save: I am getting this error :slight_smile:

I am not sure what I need to do. The user has permission to create a new user, but I do not understand the second part, where it says the user should have the ability to manage at least one user group for the user.

How do I give this user permission to be able to manage the user group of the person being managed by the user I created?

Thank you.

Thanks! After clearing application app and reloading apps from the Data Administration app → Maintenance, please test again in Guest mode.

Thanks!

Thank you @Gassim

I am still facing the problem. I am not able to save.

You’re welcome!

What version of DHIS2 are you using? Could you please add the steps to reproduce this issue on any of the play.dhis2.org instances?

Thanks!

Thank you @Gassim

I am using version 2.39.1.2. I will test on play instance and provide feedback.

Thanks

Hi @Gassim

I have reproduced the steps on play 2.37.9.1 instance but still not able to save.
Below are the authorities I gave:
Meta data Authority:

Apps Authority:

System authorities



I CAN ONLY SAVE AFTER CHANGING SYSTEM AUTHORITY TO ALL(FULL AUTHORITY) AS DEPICTED BELOW:

But I don’t want the user to have full access, as they will be able to change their roles.

Thanks in advance.