How do I add role-based permission restrictions to a form?

How do I add role-based permission restrictions to a form?

Role-based permission restrictions levels allow the Admin of the project to set restrictions for the project’s collaborators. Unlike the normal project permissions, these restrictions are set for individual forms in the project and do not apply to all forms in the project.

By default, every project collaborator can have the following permission levels: Admin, Can view, Can view and download, Can submit and Can edit. With role-based permission restrictions, you can add more restrictions on the Can Submit and Can Edit roles. For example, you may use restrictions to hide sensitive data collected by other users or hide data collected by others if it is irrelevant to a user.

About the permission restriction levels

Above: Permission restriction options available in Ona

  1. Project collaborators with the Can Submit role can have any of the following access restrictions to a form:

    a) Allow access to all data - These users can view and download all the data submitted by all collaborators for that particular form. The collaborators will have access to the data, maps, charts, and dashboard.

    b) Block access to data submitted by other users - These users can view and download the data they have submitted. Data that has been been submitted by other collaborators is blocked. The users will only view the records they have submitted on table view.

    c) Block access to all data - These users cannot view or download any data, they will only be able to submit data. The table view, chart, and dashboard will be disabled.

  2. Project collaborators with Can Edit roles can have any of the below access restrictions to a form:

    a) Allow access to all data - The users can view, edit and download all the data submitted by all collaborators for that particular form.

    b) Block access to data submitted by other users - The collaborators can view and download only the data they have submitted. Data submitted by other collaborators is blocked.

How to change permission restrictions

Role-based permission restrictions are set under the form’s Settings page. Select the Permission Restrictions option as shown below.

The default permission restriction for the collaborators with Can Submit and Can Edit roles on every form allows them access to all data.

If you want to change the setting, select new permissions for each collaborator role (i.e Can Submit and Can Edit) you would like to modify, then click on the Update Permissions button to save the changes.

How changes are reflected when viewing data

Users with Can Edit and Can Submit permissions with Allow access to all data selected are able to view the map, table, charts and dashboard tab. These users can also download data. No data will be hidden as shown in the screenshot below.

Users with Can Edit and Can Submit permissions with Block access to data submitted by other users selected can only export data and view the data they submitted on the Table tab. The Charts and Dashboard tabs will be disabled, as shown below.

The table below shows users with Can Submit permission but are blocked from accessing data submitted by other users. They can only access data submitted the them.

Users with Can Edit permission but have been blocked to access data submitted by other users can only edit data submitted by them as shown below.

Blocking access to all data is not an option for users with Can Edit permission level, since you have to have access to data in order to edit data. For users with Can submit permission and have been blocked from accessing all data, they will not have access to any data as shown in the table below.

What non-admin users see on the permission restriction options

Only the Admin of a project can set these restrictions in both personal and organisation accounts. A user with a lesser permission will not be able to change the restriction and will see a notification when they select the Permission Restriction settings, as shown below.

Note:

  • When using Enketo, users will need to set require_auth true on the form to ensure the user authenticates when submitting. This will allow the ‘submitted by’ field to be populated with the user name. Please note that require authentication can only be turned on for the entire account and not just for one form. You can set this by following the below steps:
    • Go to https://classic.ona.io
    • Log in using your Ona account credentials.
    • Select the Settings Option under your profile.
    • Check the Require Phone Authentication option.
    • Select Update to save the changes.
  • If a project or form is public, the permissions restrictions will be overridden, and the forms will be accessible by anyone. These permissions only apply to private forms.