Location-Based Data Access and User Editing Restrictions

Owned by Former user (Deleted)
Last updated: Apr 17, 2024 by Gillian Javetski
2 min read

IMPORTANT: This feature dramatically limits what pages and reports are available.  In particular, things like app-building, messaging, and admin configurations are disabled for restricted users.  Be sure to log in as a restricted user to see what's available before committing to using this feature.

Organizations allow you to partition your project and restrict which data different users are allowed to view and edit.  You can limit data exports so that a web user can only export data in their assigned location, or limit mobile worker and location editing.  When you have organization-based restrictions turned on, users are only allowed to access the following:

  • Mobile Workers:  The web user can view and edit mobile workers who are also assigned to their location, or assigned to any of their location's child locations.  

  • Cases:  The web user can view cases that are assigned to their location, their child locations or any mobile workers they also have access to

  • Forms: The web user can view forms submitted by mobile workers that they have access to

  • Some Reports: As of this writing, following reports are accessible:

    • Submit History (and associated child pages)

    • Case List (and associated child pages)

    • Aggregate User Status

    • Application Status

    • Submissions By Form

    • Daily Form Activity

    • Form Completion Time

    • Form Completion vs Submission Trends

Restricting Access for a Web User Role

Create or edit a web user role that defines what the web user will be allowed to access.  When configuring the role, make sure you set "Full Organization Access" to false.  For more information about configuring roles see https://dimagi.atlassian.net/wiki/x/BzXKfw.

Setting up a Web User

Once you've setting roles, you can assign a web user to that role and their accessible locations. This is done by clicking on the web user from the web user management page. 

Restrictions to Routines and Pages on CommCareHQ

Once a user is location restricted, they will be able to access only pages on CommCareHQ that can have their information restricted by location.  These pages include:

  • Data Exports: The user will be able to export form and case data, but they will only be able to filter the data to their assigned location or their child locations.   If no filters are specified, all data from their assigned location (and that location's child locations) will be downloaded. 

  • Mobile Workers: The mobile workers page will only list mobile workers that the user has access to.  When creating a mobile worker, they will need to be assigned to one of the user's available locations

  • Organization Structure: Only locations that the web user has access to will be listed here and editable.