Create an "admin-like" user with limited scope

Is there a way to create an “admin-like” role (one we’ve taken to calling “support_admin”) that adheres to the following:

  • can view the “app management” portal
  • only view the “users” tab
  • restricted to a specific NPO (top level place) only being able to view all its users.
  • restricted to a subset or all of the following permissions: can_create_users, can_delete_users, and can_update_users.

The need is for a “support_admin” to manage switching auto-created SMS users to credential users, password resets, new additions, and user deletions - without seeing all users across the system and being unable to change system-wide configuration.

Hi @anro

Currently, I don’t believe there is a way to create an online user that is only restricted to a subset of data (be it a subset of users or docs). Any online user role will have access to all data. You can, however, use existing permissions to restrict their access to certain APIs or pages.

Is it necessary for your user to only see a subset of users? Is it necessary for your user to only view the users tab in app management?

I see the benefit of having a role specialized in user management and nothing else.
Tagging @mrjones for the Product Allies perspective on this.

Hi @diana

Just to confirm, online and also with the role of admin?
We have a custom DHO (district health officer) role that’s online, that is assigned to a specific NPO, so they will only be able to see that PLACE’s data, correct?
Am I correct in assuming that no user other than one with an admin role is able to access the “app management” portal at this time?
I believe I originally had a misunderstanding about how the permissions allow for certain actions/visibility when drafting our permission matrix back in the day.

Thank you for the clarity regarding the permissions affecting API access and viewable pages.

Yes. Since the “support_admin” will either be from a specific NPO, 1st or 2nd line support - they will be tasked with only managing the users from that relevant NPO.
Having a subset will reduce the availability/visibility of sensitive user data, and having a person outside of the dev team manage those users will allow the dev team to continue focusing on delivering fixes and features.
Updating the users from SMS to credentials users, while not difficult, is a long process when there are many users - and it’s easy to make mistakes, especially when there are names that are quite close to one another.

We believe so, as the system config should only ever be tweaked by the true admin (that’s also the couch admin user) - and ideally only via code.
There would also be no confusion as to what this support_admin role is intended to work on when they’re on the “app management” portal.

Thank you for your interest in this, and also getting more eyes on this topic.

Hi @Anro

Online roles have access to all data, and cannot be restricted to just one place (like offline roles).
You can restrict access to the app management page by removing the can_configure permission from your role.

Leaving the rest for product design feedback.

Hi @diana

Just want to make sure I’m understanding correctly. They’re able to access all data via the API?
When logging in with the DHO role, which is online and on the NPO level, we seemed to get the expected results on the UI:
[image]
Is that simply a display thing, is all the data still pulled in the background?

Thank you for the clarity regarding the can_configure!

Looking forward to the verdict regarding “having a role specialized in user management”.

Hi @Anro

For users with online roles, data is not stored locally, but all data is accessible in the app. If you go to the reports tab, you will see all reports for the whole instance. We have recently added a default facility filter specifically to reduce the data that is initially loaded on the reports tab (for example), but the users still have access to all data on the instance.
