In DHIS2 version 2.39.3, we have encountered an issue where users with a view only role are able to edit existing records on the tracker program profile.

Our understanding is that the view only role should strictly limit users to only viewing data, with no ability to edit or enter any information. As such, we wanted to check whether view only users being able to edit tracker program profiles is intended behavior or if it represents a bug where the view only permissions are not being properly enforced.

Could someone from the community please advise if editing tracker program profiles is an expected functionality for the view only role? Or is this a bug that should be reported?

Any insights would be greatly appreciated. Thank you!

Hi @mutali

While trying to reproduce the issue on play, I encountered issues accessing the instances so I needed to test on a local instance instead.

I’m wondering what tracker authorities the role provided for these users has. Does it have the authority to ‘update tracked entities’? If so, I think this is the reason why they’re able to update the profiles.

I’m still investigating the issue as well, but would love to hear from you about my question. Thanks!

I’m testing a couple of scenarios with different access rights, so let me put them here:

First scenario, user has the right “can capture and view” data in the tracker program but doesn’t have the ‘update tracked entities’ authority nor the edit TEI (can view only), result: user can’t view the program listed in the Capture app. However, in the Tracker Capture app, the user is able to view the TEIs as well as the program and is not able to edit the TEI attributes; additionally, the user is not able to register and enroll new TEIs.

Second scenario, same as first scenario but adding the ‘update tracked entities’ authority - no changes seem to take effect.

Third scenario, same as first scenario but changing the sharing setting of the program to ‘view only’ - no changes seem to take effect.

Fourth scenario, same as third scenario but changing the TEI sharing setting to ‘can capture and view’ so now the user is able to edit the TE attributes but not enroll TEI in the program (in Tracker Capture app and Capture app).

Fifth scenario, same as fourth but changed the TE attribute sharing setting for the user to view only; however, this didn’t change the result of the fourth scenario as the user is still able to edit the TE attribute but not enroll TEI in the program (Tracker Capture app and Capture app).

Sixth scenario, user given the ‘can capture and view’ to both the TEI type and the program, result: only when both sharing settings (TEI type and tracker program) are “capture and view” is the user able to enroll TEIs to the program, which means that there is no way to allow the user to enroll TEIs but be stopped from changing their attributes, but there is the option to allow the user to edit the attributes and not be able to enroll.

Thanks @mutali! I also would like to tell you that you’re not the only one asking about this, @maoengm
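
The six scenarios above reduce to a rule that can be checked across many users. The following is an added example, not part of any post in this thread and not DHIS2 code: it flags accounts that are meant to be view only but can still edit or enroll. The shape of the sharing block (`public`, `users`, `userGroups`), the 8-character access strings, and all ids are assumptions or constructed sample values.

```python
# Added example: models the outcomes reported in the thread; not DHIS2 source code.
# Assumption: access strings are 8 chars, chars 0-1 = metadata r/w, chars 2-3 = data r/w.

def data_write(access):
    """True when the access string grants data write ('can capture and view')."""
    return len(access) >= 4 and access[2:4] == "rw"

def user_has_data_write(sharing, user_id, group_ids):
    """Check public, per-user and per-group grants on one object's sharing block."""
    grants = [sharing.get("public", "--------")]
    grants += [g["access"] for uid, g in sharing.get("users", {}).items() if uid == user_id]
    grants += [g["access"] for gid, g in sharing.get("userGroups", {}).items() if gid in group_ids]
    return any(data_write(a) for a in grants)

def observed_capabilities(tet_sharing, program_sharing, user_id, group_ids):
    """Capabilities as observed in the six scenarios: editing attributes follows
    the TEI type sharing; enrolling needs data write on TEI type AND program."""
    tet_w = user_has_data_write(tet_sharing, user_id, group_ids)
    prog_w = user_has_data_write(program_sharing, user_id, group_ids)
    return {"edit_attributes": tet_w, "enroll": tet_w and prog_w}

def audit_view_only(users, tet_sharing, program_sharing):
    """Return ids of users meant to be view only who can still edit or enroll."""
    findings = []
    for u in users:
        caps = observed_capabilities(tet_sharing, program_sharing, u["id"], set(u["groups"]))
        if u["intended_view_only"] and (caps["edit_attributes"] or caps["enroll"]):
            findings.append(u["id"])
    return findings

# Constructed sample data (ids are placeholders, not real DHIS2 UIDs).
TET = {"public": "--------", "userGroups": {"grpViewers": {"access": "r-rw----"},
                                            "grpClerks": {"access": "r-rw----"}}}
PROGRAM = {"public": "--------", "userGroups": {"grpViewers": {"access": "r-r-----"},
                                                "grpClerks": {"access": "r-rw----"}}}
USERS = [
    {"id": "userA", "groups": ["grpViewers"], "intended_view_only": True},
    {"id": "userB", "groups": ["grpClerks"], "intended_view_only": False},
]

if __name__ == "__main__":
    print(audit_view_only(USERS, TET, PROGRAM))
```

Here `userA` matches the fourth scenario: the program is shared as view only, but data write on the TEI type still allows attribute edits.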