admin:managing_users

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
admin:managing_users [2024/09/03 10:52] – [Adding a group] Gary Willettsadmin:managing_users [2025/11/04 05:14] (current) – [Sync user across all login stores] Mark Glover
Line 2: Line 2:
 ====== 25.15. Managing users ====== ====== 25.15. Managing users ======
 ===== About users and groups ===== ===== About users and groups =====
 +mSupply has a comprehensive system of controlling user access, allowing you to manage in fine detail what each user can do and see in the system. You can manage users individually, in groups or a mixture of both - whichever is most suitable for your situation. 
 +
 User permissions are per-store, so a user can have different permissions when logged into different stores. User permissions are per-store, so a user can have different permissions when logged into different stores.
  
-If you have many users that need to have the same permissions (because they carry out the same role, for example), you can create a group and assign the users to the group. Once a group is set up and permissions for the group assigned, any users that are assigned to the group will inherit the group's permissions, rather than having to set permissions for each user individually. When you change a group's permissions, you change the permissions for all users who belong to that group.+If you have many users that need to have the same permissions (because they carry out the same role, for example), [[admin:managing_users#user_groups|User groups]] is for you.
  
-<WRAP center round tip 95%> +==== Users and sync ==== 
-If you want to change user's permissions and find out that all their permissions are greyed out and uneditable then it means they are a member of a group. To edit their permissions separately from the group, they must first be removed from the group: +A few points to remember if you are working with users on [[synchronisation:introduction|synced system]] and with newer versions of mSupply: 
-  * Edit the userchange the **Is member of** drop down list to ''None''click **OK** (see below for details). +  * Users are //normally// created and configured on the Legacy mSupply Central server.  These settings are then copied to remote sites when the store is transferred to the remote site. 
-  * Open the user again and their permissions will be editable+  * //Normally//when these configuration settings are altered on the Legacy mSupply Central server after store has been migrated, the settings do not get synced to the remote site.  It is now possible to sync user permission settings across all stores that they have permission to log in to, regardless of which site the store is on (on the Edit user > Login rights tab).  As mSupply is currently configured, this setting defaults to ‘off’, and needs to be turned on every time a user is edited
-Refer to [[admin:managing_users#using_groups|Using groups]] below for more detailsIf the user is to remain part of the group then you must change the group'permissions (see [[admin:managing_users#editing_a_group|Editing a group]] below) but beware, this will change the permissions for all users who belong to the group, not just the user you're interested in. +  * Users can be created and edited on a Legacy mSupply remote site.  Name details of any newly created user on a remote site will sync back to the Legacy mSupply Central server.  This is primarily for the sake of reporting transactions Any permission edits made on the remote site will //not// sync back to the Legacy mSupply Central server. 
-</WRAP>+  * As of 2025-07-28, users can not be created or permissions edited on [[https://docs.msupply.foundation/mobile/introduction/introduction/|mSupply Mobile (Deprecated)]] or [[https://docs.msupply.foundation/docs/introduction/introduction/|Open mSupply]] sites.
  
-<WRAP center round important 95%> 
-If you want to disable a user, perhaps because the staff member has left the organisation, then they must be made 'inactive': 
-  * Edit the user, uncheck the **Active** checkbox, click **OK**. 
- 
-If the **Active** checkbox is greyed out, it is because they are a member of a group. You will need to first remove them from the group before you can make them 'inactive': 
-  * Edit the user, change the **Is a member of** to ''None'' 
-  * Edit the user, uncheck the **Active** checkbox, click **OK**. 
- 
-Of course, if the whole group of users needs to be made inactive then you can just uncheck the **Active** checkbox for the group. 
-</WRAP> 
  
  
 ===== Adding and editing users and groups ===== ===== Adding and editing users and groups =====
-mSupply has a comprehensive system of controlling user access, allowing you to manage in fine detail what each user can do and see in the system. You can manage users individually, in groups or a mixture of both - whichever is most suitable for your situation. 
  
 User access is managed by choosing **File > Edit users** from the menus, or by choosing **Admin > Edit users** in the Navigator. When clicking on this option you are presented with a list of current users: User access is managed by choosing **File > Edit users** from the menus, or by choosing **Admin > Edit users** in the Navigator. When clicking on this option you are presented with a list of current users:
Line 52: Line 43:
  
 ===== User details window ===== ===== User details window =====
 +<WRAP center round tip 95%>
 +If you want to change a user's permissions and find out that all their permissions are greyed out and uneditable then it means they are a member of a group. To edit their permissions separately from the group, they must first be removed from the group:
 +  * Edit the user, change the **Is a member of** drop down list to ''None'', click **OK** (see below for details).
 +  * Open the user again and their permissions will be editable.
 +Refer to [[admin:managing_users#using_groups|User groups]] below for more details. If the user is to remain part of the group then you must change the group's permissions (see [[admin:managing_users#editing_a_group|Editing a group]] below) but beware, this will change the permissions for all users who belong to the group, not just the user you're interested in.
 +</WRAP>
 {{ :admin:edit_user_general.png?600 |}} {{ :admin:edit_user_general.png?600 |}}
  
Line 68: Line 65:
 === Active === === Active ===
 If this checkbox is checked, then that user has permission to use the system, and their name will appear in the login window. If this checkbox is unchecked the user will not be allowed to login to the system and their name will not appear in the login window. If this checkbox is checked, then that user has permission to use the system, and their name will appear in the login window. If this checkbox is unchecked the user will not be allowed to login to the system and their name will not appear in the login window.
 +<WRAP center round important 95%>
 +If you want to disable a user, perhaps because the staff member has left the organisation, then they must be made 'inactive':
 +  * Edit the user, uncheck the **Active** checkbox, click **OK**.
 +
 +If the **Active** checkbox is greyed out, it is because they are a member of a group. You will need to first remove them from the group before you can make them 'inactive':
 +  * Edit the user, change the **Is a member of** to ''None''
 +  * Edit the user, uncheck the **Active** checkbox, click **OK**.
 +
 +Of course, if the whole group of users needs to be made inactive then you can just uncheck the **Active** checkbox for the group.
 +</WRAP>
  
 === Can be responsible officer === === Can be responsible officer ===
Line 123: Line 130:
  
 === Buttons on the Permissions tabs === === Buttons on the Permissions tabs ===
-  * The //Store// drop down list: Selects the store for which permissions are being displayed and set on the current tab. Select the store you want to see or set permissions for in this drop down list.   +== Store ==
-  * The **All on** button: Checks all the permissions on the current tab i.e. turns them all on. There are exceptions to this for safety reasons; the //Update pack size, cost and sell price//, //Add/edit users// and //Access server administration// permissions on the **Permissions** tab are not turned on with the **All on** button. +
-  * The **Copy** button: Copies the state of all the checkboxes on the tab for this store to an internal clipboard for that tab. From version 5.03 onwards, the button opens this window:{{ :admin:pasted:20230509-121327.png?300 }} +
-    * In the //Permission tabs// section, select which tabs you want to copy the permissions from by checking their checkboxes. +
-    * In the table, select the stores you want to copy the permissions of the current store to by checking them in the //Selected// column. +
-    * Click the **OK** button to copy the selected permissions tabs of the current store to the selected stores. Click the **Cancel** button to close the window without doing anything.+
  
-  * The **Paste** button: Only exists for versions before 5.03Pastes the checkbox settings saved to the clipboard for the current tab to the same tab for another storeIn this way, the Copy and Paste buttons are a great way of copying permission settings for tabs between stores really handy when users have similar permissions in different stores.+The **Store** drop down list allows you to select the store for which permissions are being displayed and set on the current tab.<WRAP tip center round 90%> 
 +You can type in the drop down listIf you do this, when you click on the down arrow to open it, you will only be shown stores in the list which start with what you typed. Or, if you prefix it with the mSupply wildcard character, "@", you only see stores which contain what you typed. Very helpful if you have many, many stores and want to find a specific one or group of stores. 
 +</WRAP> 
 + 
 +== All on == 
 +The **All on** button turns on all the permissions on the current tab. There are exceptions to this for safety reasons; the //Update pack size, cost and sell price//, //Add/edit users// and //Access server administration// permissions on the **Permissions** tab are not turned on with the **All on** button. 
 + 
 +== Copy == 
 + 
 +The **Copy** button copies the permission for this store to an internal clipboard.  The following window opens:{{ :admin:pasted:20230509-121327.png?300 }} 
 +  - In the //Permission tabs// section, select which tabs you want to copy the permissions **//from//** by checking their checkboxes. 
 +  In the table, select the stores you want to paste the permissions of the current store **//to//** by checking them in the //Selected// column. 
 +  - Click the **OK** button to copy the selected permissions tabs of the current store to the selected stores. Click the **Cancel** button to close the window without doing anything.
  
 +=== Permissions ===
  
 Most of the permissions are self explanatory. Those that need more explanation are given below: Most of the permissions are self explanatory. Those that need more explanation are given below:
Line 141: Line 156:
 | Access server administration | If this is checked the user will be able to access the server administration windows, as described on the [[admin:server_administration#when_running_the_server_as_a_service|25.13. mSupply server administration]] page. Only assign this permission to users who really know what they are doing! | | Access server administration | If this is checked the user will be able to access the server administration windows, as described on the [[admin:server_administration#when_running_the_server_as_a_service|25.13. mSupply server administration]] page. Only assign this permission to users who really know what they are doing! |
 | Add/edit sync sites | If checked the user is able to edit site settings in a synchronisation system (see the [[synchronisation:sync_sites]] page for details). This includes being able to use the sync site wizard ([[synchronisation:site_wizard|]]). | | Add/edit sync sites | If checked the user is able to edit site settings in a synchronisation system (see the [[synchronisation:sync_sites]] page for details). This includes being able to use the sync site wizard ([[synchronisation:site_wizard|]]). |
-| Disallow adding an unordered item to a Goods Received note | If checked the user is **not** able to add items to a goods received note that are not included on a purchase order (see the [[receiving_goods:goods_receipts|]] page for details)|+| Disallow adding an unordered item to a Goods Received note | If checked the user is **not** able to add items to a goods received note that are not included on a purchase order (see the [[receiving_goods:goods_receipts|]] page for details) |
 | **Permissions (2) Tab** || | **Permissions (2) Tab** ||
 +| Add patients | If checked, the user can add new patients into the system |
 +| Edit patient details | If checked, the user can edit the details of patients already entered into the system. Of course, this means they can also view the details of patients in the system |
 +| View patients | If checked, the user can view patients' details in the system. If not checked then the user will not be able to see any patient details. |
 | Change transportation dates on finalised invoice | If checked, the user can edit the **Order written date**, **Order received date**, **Expected arrival date**, **Actual arrival date** and **Ship date** fields on the //Transport details// tab of finalised customer invoices | | Change transportation dates on finalised invoice | If checked, the user can edit the **Order written date**, **Order received date**, **Expected arrival date**, **Actual arrival date** and **Ship date** fields on the //Transport details// tab of finalised customer invoices |
 | Edit user fields on finalised invoices | The user fields are the 4 custom transaction fields that can be enabled in the preferences - see [[preferences:invoices#show_custom_transaction_fields|Invoices Preferences]] for details. If this is enabled the user can edit the contents of these fields on transactions that have already been finalised | | Edit user fields on finalised invoices | The user fields are the 4 custom transaction fields that can be enabled in the preferences - see [[preferences:invoices#show_custom_transaction_fields|Invoices Preferences]] for details. If this is enabled the user can edit the contents of these fields on transactions that have already been finalised |
Line 172: Line 190:
 {{ :admin:screenshot_2021-10-11_at_15.24.49.png?600 |}} {{ :admin:screenshot_2021-10-11_at_15.24.49.png?600 |}}
  
-To enable a partuclar alert type for a user simply check the checkbox in the //Is enabled// column. Any alert type that has its //Is enabled// checkbox unchecked will not be displayed for a user. +To enable a particular alert type for a user simply check the checkbox in the //Is enabled// column. Any alert type that has its //Is enabled// checkbox unchecked will not be displayed for a user.
- +
-**Show notifications window on login**: If this is checked, as soon as a user logs in, the notifications window (displaying all the notifications they have selected in the table above), will be displayed for them. If this is unchecked, the notifications window will only be shown when the user click on the notifications icon on the Navigator:+
  
 +**Show notifications window on login**: If this is checked, as soon as a user logs in, the notifications window (displaying all the notifications they have selected in the table above), will be displayed for them. If this is unchecked, the notifications window will only be shown when the user clicks on the notifications icon on the Navigator:
 {{ :admin:screenshot_2021-10-11_at_15.36.59.png?400 |}} {{ :admin:screenshot_2021-10-11_at_15.36.59.png?400 |}}
-<WRAP center round important 60%> 
  
-The notifications displayed in the desktop interface will only be for the store that the user has logged in to. +Please note that the notifications displayed realte only to the store that the user is logged in to.
-</WRAP>+
  
 +**Show cold chain breach alerts**: If this is checked the user will see temperature breach alerts (in the store in the **Store** drop down list above the table - this is a per store permission) passed to mSupply by the cold chain app (see [[https://docs.msupply.foundation/coldchain/introduction/]] for details). If this is not checked then a user will not see temperature breach alerts that occur in this store. Please note that a user must have login rights to a store to be able to see breach alerts, whether this permission is turned on or not.
  
  
-==== omSupply permissions tab ==== +==== Open mSupply permissions tab ==== 
-{{ :admin:pasted:20230509-120914.png?600 |}}+{{ :admin:pasted:20240903-112614.png?600 |}}
  
 This tab contains permissions that only affect Open mSupply users. Currently Open mSupply must connect to an existing mSupply server, which takes care of the authentication and synchronisation. Soon, when we've re-written the central synchronisation server in Open mSupply, there will be no need for this tab. Until then, permissions that only apply to users of Open mSupply will appear on this tab. This tab contains permissions that only affect Open mSupply users. Currently Open mSupply must connect to an existing mSupply server, which takes care of the authentication and synchronisation. Soon, when we've re-written the central synchronisation server in Open mSupply, there will be no need for this tab. Until then, permissions that only apply to users of Open mSupply will appear on this tab.
Line 193: Line 209:
 ^ Permission ^ Details ^ ^ Permission ^ Details ^
 | Can confirm internal order as sent | If checked then the user can //Finalise// an internal order in mSupply terms or //Send// it in Open mSupply terminology. | | Can confirm internal order as sent | If checked then the user can //Finalise// an internal order in mSupply terms or //Send// it in Open mSupply terminology. |
 +| Cold chain API access | If checked then the username and password of this user can be used to access the cold chain REST API built into Open mSupply. |
 +| Can modify central data | If checked then the user can edit settings that are counted as central data in Open mSupply e.g. demographics indicators. |
 +| Program permissions | This section is used to define which programs this user is allowed to view or edit data for. The table will contain a list of all the Open mSupply programs that have been setup in the datafile and there will be checkboxes for each in the //View// and //Edit// columns.\\ \\ Click on the appropriate checkboxes to check them and give the user the appropriate permissions.\\ The **Toggle view** and **Toggle edit** buttons check or uncheck all the checkboxes in the //View// and //Edit// columns respectively.\\ \\ If the list of programs is long you can type something in the //Search programs// box to make the list display programs that contain what you typed only. |
 ==== Login rights tab ==== ==== Login rights tab ====
 On this tab you set which stores the user can login to: On this tab you set which stores the user can login to:
Line 216: Line 235:
   * The "Hospital Info System" is another special store used for mSupply's built-in Hospital Information system. See [[his:introduction|here]] for more details. Checking this box will allow the user to login to the HIS module.   * The "Hospital Info System" is another special store used for mSupply's built-in Hospital Information system. See [[his:introduction|here]] for more details. Checking this box will allow the user to login to the HIS module.
   * "Supervisor - All stores" stores is a special mode to allow users to view information in and run reports over multiple stores. See [[other_stuff:misc_topics#supervisor_mode_-_all_stores|here]] for more information.   * "Supervisor - All stores" stores is a special mode to allow users to view information in and run reports over multiple stores. See [[other_stuff:misc_topics#supervisor_mode_-_all_stores|here]] for more information.
 +
 +=== Sync user across all login stores ===
 +
 +The **Sync user across all login stores** checkbox is only displayed if the currently logged in user is designated as a '**special user**' and they are logged into the primary server in a synchronisation system.  If this checkbox is checked, when the **OK** button is clicked the user's details are synchronised to all the stores that the user is allowed to login to, whichever sites those stores are Active on.  In this way, an administrator in a synchronisation system is able to edit user permissions and settings and have them automatically synchronised to all relevant sites, rather than having to log in remotely to those sites and configure permissions locally.  <WRAP center round tip 60%>
 +As you can imagine, **Sync user across all login stores** is a powerful feature, and can have unintended consequences.  Therefore as of 2025-11-04, there are restrictions on who can be configured as a '**special user**' Contact [[support@msupply.foundation]] for assistance.
 +</WRAP>
 +
 +
 +<WRAP center round important 60%>
 +**Sync user across all login stores** will propagate:
 +  * Group permissions
 +  * User group membership (which group the user is a member of) 
 +  * User permissions, if the user is not a member of a group
 +  * User store login permissions
 +
 +**Sync user across all login stores** will <wrap em>NOT</wrap> propagate:
 +  * User deletion
 +  * Group deletion
 +
 +Deleting the user or group on remote sites must be carried out by either of:
 +  * Manually logging in to those sites and editing users, or
 +  * Development and execution of custom 'footrunner' code on the Central server that will propagate these changes.  Contact [[support@msupply.foundation]] for assistance. 
 +</WRAP>
  
 ==== Details tab ==== ==== Details tab ====
Line 253: Line 295:
 Note that you won't be able to delete a group that has users belonging to it. If you really want to delete the group, remove all users from the group first by editing their //Is a member of// fields. Note that you won't be able to delete a group that has users belonging to it. If you really want to delete the group, remove all users from the group first by editing their //Is a member of// fields.
  
-===== Managing and using groups =====+===== User groups =====
  
 mSupply allows for a high granularity of user permission configuration.  There are literally hundreds of user permissions possible for each store in an mSupply system.  User groups assist with management of these user permissions. mSupply allows for a high granularity of user permission configuration.  There are literally hundreds of user permissions possible for each store in an mSupply system.  User groups assist with management of these user permissions.
Line 264: Line 306:
  
 <WRAP center round important 60%> <WRAP center round important 60%>
-A user can have permission to view or edit data while logged in to a particular store, either directly or through membership of a group.  If you want the user to //exercise// these permissions then they will also need to have permission to //log in// to the store ;-).+A user can have permission to view or edit data while logged in to a particular store, either directly or through membership of a group.  If you want the user to //exercise// these permissions then they will also need to have permission to //log in// to the store ;-).\\ 
 +This can be very helpful if you have a common set of permissions that you want a class of users to have, and this class of user exists in hundreds of stores.  For example, the position and duties of the Officer in Charge (OIC) will often be common to all stores.  However, you don't want the OIC of one store being able to exercise those same permissions in the 'wrong' store.  To achieve this, you can: 
 +  - Log in to one store and configure an **OIC** group with all the necessary OIC permissions 
 +  - [[admin:managing_users#copy|Copy and paste]] these permissions to //every// relevant store 
 +  - Create an OIC user for each store, make them a member of the **OIC** group 
 +  - Configure them to be able to have [[admin:managing_users#login_rights_tab|login rights]] to only the store in which you want them to exercise these permissions
 </WRAP> </WRAP>
  
Line 284: Line 331:
  
 ==== Editing a group ==== ==== Editing a group ====
-First, show the list of groups by opening the "Edit user" window and then choosing "Groups" from the "Show" Drop-down menu+First, show the list of groups by opening the "Edit user" window and then choosing "Groups" from the "Show" Drop-down menu:
  
-{{ :admin:grouplst.png |}}+{{ :admin:grouplst.png?400 |}}
  
 Then double click on a group in the list. The same window as for adding a group opens but it is populated with the group's current settings. Change these settings as described for a new group above and click on the **OK** button to save them. Then double click on a group in the list. The same window as for adding a group opens but it is populated with the group's current settings. Change these settings as described for a new group above and click on the **OK** button to save them.
 +
 +=== Active users and groups ===
 +All permissions and most checkbox settings in a user settings are controlled by the group. One exception is login rights to different stores (managed for each user individually). Another exception is whether a user is active or not (active means that they are allowed to login to mSupply). By default, the active status of a group does not set the active status of all users in the group to match. However, you can make all users in a group inactive by editing the group and clicking on the **Update status for all members** button:
 +
 +{{ :admin:screenshot_2024-09-03_at_11.59.25.png?600 |}}
 +
 +When you click on the **Active** checkbox for a group it does nothing except changee the state of the checkbox. However, when you click on the **Update status for all members** button, all members of the group have their //Active// status set to that of the checkbox in this group.
  
 ==== Using groups ==== ==== Using groups ====
  • Last modified: 2024/09/03 10:52
  • by Gary Willetts