User Permissions: Assigning fine-grained settings for user roles

Permissions are defined by the permissions object in the base_settings.json file. The list below shows the available system defined permissions. To use a permission, first add it as a property of the permissions object, and then associate it with one or more user roles.

Permissions can be assigned to user roles either directly in base_settings.json as an array of user role identifiers, or configured in the App Management app.

See Also: User roles

System defined permissions

can_edit: This is probably one of the most important permissions in CHT Framework. It allows creating, editing and deleting documents in CouchDB’s medic database. This permission overrides any other role in this list.
can_access_gateway_api: Allows access to gateway API
can_aggregate_targets: Allows access to Target Aggregates page
can_bulk_delete_reports: Allows users to select multiple reports and delete them
can_configure: Allows update of configuration parameters
can_upgrade: Allows upgrades of the CHT Core Framework version via the API or admin interface
can_create_people: Allows creation & editing of person contacts
can_create_places: Allows creation & editing of place contacts
can_create_records: Allows creation of reports
can_create_users: Allows creation of user logins
can_delete_contacts: Allows deletion of people and places
can_delete_messages: Allows deletion of messages
can_delete_reports: Allows deletion of reports
can_delete_users: Allows deletion of users
can_edit_profile: Allows editing of their own user profile
can_edit_verification: Allows setting and editing of report verification status. To block the user from updating the existing status, use can_verify_reports instead.
can_export_all: Allows export of data including data they do not have access to
can_export_contacts: Allows export of contacts
can_export_dhis: Allows export of DHIS2 metrics
can_export_feedback: Allows export of user feedback
can_export_messages: Allows export of reports and messages
can_log_out_on_android: Displays logout menu item in hamburger menu for Android users and can be used to log out from the application
can_update_places: Allows editing of place documents
can_update_reports: Allows editing of report documents
can_update_users: Allows editing of user documents
can_verify_reports: Allows setting report verification status if no status is currently set. To allow the user to update the existing status, use can_edit_verification instead.
can_view_analytics: Allows access to in-app analytics
can_view_analytics_tab: Displays analytics tab on the application
can_view_call_action: Displays a button to call the selected person
can_view_contacts: Allows viewing contacts
can_view_contacts_tab: Displays the contacts tab in the application
can_view_last_visited_date: Enables display of the date a family was last visited
can_view_message_action: Displays a button to send a message to the selected contact
can_view_messages: Allows viewing messages
can_view_messages_tab: Displays the messages tab in the application
can_view_outgoing_messages: Allows viewing outgoing messages when logged in as an administrator
can_view_reports: Allows viewing reports
can_view_reports_tab: Displays the reports tab in the application
can_view_tasks: Allows viewing tasks
can_view_tasks_tab: Displays tasks tab in the application
can_view_tasks_group: Displays all available tasks within same place after submitting
can_view_uhc_stats: Allows users to view UHC metrics
can_view_unallocated_data_records: Allows viewing reports that have no associated contact
can_view_users: Allows viewing all user accounts
can_write_wealth_quintiles: Allows updating contacts with wealth quintile information
can_view_old_filter_and_search: Allows users to see the old filter and search in Reports Tab and Contact Tab, which is considered deprecated and will be completely removed in a future release. Admin users will always see the new redesigned filter. See Feature Flags for more info.
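
Because each permission maps to an array of role identifiers, a least-privilege review is easier once the mapping is inverted to show what each role can do. The following is an added example, not part of the CHT project or the original page: the SENSITIVE set, the trusted_roles allow-list, the program_admin role and the sample settings are assumptions constructed for illustration.

```python
import json

# Assumption: a reviewer-chosen subset of the permissions listed above, treated as high impact.
SENSITIVE = {"can_edit", "can_configure", "can_upgrade", "can_create_users",
             "can_update_users", "can_delete_users", "can_export_all"}

# Constructed sample settings; program_admin is a hypothetical role name.
SAMPLE_SETTINGS = """
{
  "permissions": {
    "can_edit": ["supervisor_role", "chw_role"],
    "can_configure": ["program_admin"],
    "can_export_all": ["supervisor_role"],
    "can_verify_reports": ["supervisor_role", "chw_role"],
    "can_edit_verification": ["supervisor_role"],
    "can_view_reports": "chw_role"
  }
}
"""

def roles_to_permissions(permissions):
    """Invert permission -> [roles] into role -> {permissions}; collect malformed entries."""
    by_role, malformed = {}, []
    for perm, roles in permissions.items():
        if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
            malformed.append(perm)
            continue
        for role in roles:
            by_role.setdefault(role, set()).add(perm)
    return by_role, malformed

def audit(settings_text, trusted_roles):
    """Return sorted (role, finding) pairs for a least-privilege review."""
    permissions = json.loads(settings_text).get("permissions", {})
    by_role, malformed = roles_to_permissions(permissions)
    findings = [("-", f"{p}: value is not an array of role identifiers") for p in malformed]
    for role, perms in by_role.items():
        if role not in trusted_roles:
            for perm in sorted(perms & SENSITIVE):
                findings.append((role, f"holds sensitive permission {perm}"))
        # The list says to use can_verify_reports *instead of* can_edit_verification
        # to block edits of an existing status, so a role holding both is flagged.
        if {"can_verify_reports", "can_edit_verification"} <= perms:
            findings.append((role, "has can_edit_verification, so can_verify_reports does not block status edits"))
    return sorted(findings)

if __name__ == "__main__":
    for role, finding in audit(SAMPLE_SETTINGS, trusted_roles={"program_admin"}):
        print(f"{role}: {finding}")
```

Run against a real base_settings.json by passing the file's text to audit() with the roles your deployment actually treats as administrative.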

Code sample

This sample shows how to define the permissions object in the base_settings.json file. Observe how the can_edit permission is associated with the supervisor_role and chw_role user roles.

"permissions": {
  "can_edit": [ "supervisor_role", "chw_role" ],
  "can_access_gateway_api": [ "supervisor_role" ],
  "can_aggregate_targets": [ "supervisor_role", "chw_role" ],