Roles and Permissions

Default Roles

By default, every project in CommcareHQ begins with six default roles with varying degrees of access. This section briefly summarizes these roles. For a detailed description of what each role can and cannot do, please look at the permission descriptions below.

  • Admin: Admins have complete access to your project space on CommCareHQ. They can add, edit and delete data, along with creating and editing applications.

  • App Editor: App editors have partially restricted access to CommCareHQ. They cannot access users, groups or locations but can access App Builder and Form Builder. Additionally, they can access reports and exports.

  • Billing Admin: Billing admins can largely only access subscription information.

  • Field Implementer: Field implementers can edit data that relates to mobile workers, including locations and groups

  • Read Only: Users with the Read Only role will be able to access reports and exports, but little else.

  • Mobile Worker Default: This is the default role for all mobile workers who do not have a role assigned.

Configure User Roles

This feature (Advanced Role-Based Access to CommCareHQ) will only be available to CommCare users with a Standard Plan or higher. The default roles, however, will be available to everyone. For more details, see the CommCare Software Plan page.

You can create custom project roles and give these roles the desired permissions for accessing parts of your project space. To do this, select the Users tab, then Roles and Permissions. Once on this page, you can choose to add a new role, or to edit any existing role, other than Admin. Either action will trigger the modal seen below:

Most Area Access permissions come with multiple layers of access:

Can Edit: With Edit access enabled for a permission, users can create, edit and delete corresponding data. For example, if a role had Can Edit enabled for mobile workers, users assigned to that role could create, edit and delete mobile workers.

Can View: If Can Edit is disabled, the Can View checkbox becomes editable. Enabling Can View allows users with this permission to see all corresponding data, but not edit it. For example, if a role had only Can View enabled for Web Users, they could see all Web Users but not invite new users nor edit or remove existing users.

No Access: (both Edit and View deselected): If both Can Edit and Can View are disabled for a permission, users will have no access to the corresponding data. This setup removes references to that data from the top and sidebar navigations in CommCareHQ for all associated users. For example, if a role had Can Edit and Can View disabled for Groups, a user with that role would see no links to Groups under the Users tab. If that user navigated directly to groups, say by typing in the URL line, they would receive a 403 error.

 

Descriptions of these roles can be found here:

Area Access Permissions

Web Users

Invite new web users, manage account settings, remove membership.

This permission will be hidden if Full Organization Access is disabled.

Mobile Workers

Create new accounts, manage account settings, deactivate or delete mobile workers

Groups

Manage groups of mobile workers

This permission will be hidden if Full Organization Access is disabled.

Groups
(Sub-permission)

Allow changing group membership

This permission allows you to assign mobile workers to a group. This is typically controlled by the "Edit Mobile Workers" permission, but this option may be useful if you need users who can edit group membership, but not otherwise edit mobile worker data.

Locations

Manage locations in the Organization's Hierarchy

Locations
(Sub-permission)

Allow changing workers at a location

This permission allows you to assign mobile workers to a location. This is typically controlled by the "Edit Mobile Workers" permission, but this option may be useful if you need users who can edit location membership, but not otherwise edit mobile worker data.

Data

View, download and edit form and case data, reassign cases.

This also controls access to lookup tables.

Web Apps

Allow users to enter data using Web Apps.

Messaging

Configure and send conditional alerts via SMS or email messaging.

Access APIs

General access to CommCare HQ APIs. Individual APIs require additional specific permissions - for example, the bulk upload users API requires permission to edit mobile workers. Unchecking this permission allows you to completely revoke access to all APIs.

Important Security Consideration

This permission grants access to ALL data through the API, even if the web user is Location restricted, thus not having the ability to access all data from CommCareHQ's data tools.

Applications

Modify or view the structure and configuration of all applications.

This permission will be hidden if Full Organization Access is disabled.

Roles & Permissions

View web user and mobile worker roles & permissions (only Admins can edit roles)

This permission is ‘View Only’ for all roles except Admins. View access can be deselected to prevent users from viewing Roles & Permissions entirely. This permission will be hidden if Full organization Access is disabled.

Manage Shared Exports

Allows users to edit exports whose sharing setting is configured to Edit and Export
This permission (Manage Shared exports) will only be available to CommCare users with a Pro Plan or higher. For more details, see the CommCare Software Plan page.

Reports Permissions

Create and Edit Reports

Allow role to create, edit and delete reports using the Report Builder.

This permission will be hidden if Full Organization Access is disabled.

Access All Reports

Allow role to access all reports.

If this permission is disabled, you have the option to grant access to individual reports.

Access Specific Reports

If Access All Reports is disabled, a list of specific reports will appear. You can grant or deny the role access to each report individually.

Other Report Permissions Not Handled Here

Note that there is a separate permission handled elsewhere that provides access to scheduled reports created by other people. That feature is independent of these permission checkboxes, and instead requires for the user be assigned to the Admin role within the domain.

Also, see Download and Email Reports below under Other Settings Permissions. 

Other Settings Permissions

Manage Subscription Info

Allow role to manage subscription information.

Subscription info can be found under your project settings. This permission will be hidden if Full Organization Access is disabled.

Full Organization Access

Allow role to access data from all locations.

If disabled, your users must be assigned locations in order to access CommCareHQ. Disabling this permission renders obsolete Web Users, Groups, Applications, Roles & Permissions, Create and Edit Reports and the Manage Subscription Info permissions and hides them from view. For further information, please see the Full Organization Access sub-section.

Mobile App Access

Allow mobile users access to offline mobile applications.

Mobile App Access enables permissions to access CommCare's Mobile Endpoint API and is essential for enabling offline work from a mobile device.

Default Landing Page

Upon login, the permission decides where the user begins; on the Dashboard, Web Apps or Reports. If Use Default is selected, mobile workers will be directed to Web Apps and Web Users will go to the dashboard.

Allow Reporting Issues

Allow this role to report issues. This permission is enabled by default.

Non-Admin Editable

Allow non-admins to assign this role to other users. Users can assign roles on the Web Users page

Download and Email Reports

Allow role to download and email report data.

If this permission is disabled, the user will not be able to access the My Scheduled Reports tab, export the data to Excel or email it.


Full Organization Access

The Full Organization Access permission is very powerful and if disabled, can severely limit what a user can see on CommCareHQ.We highly recommend that you test the implications of disabling this permission before rolling it out to your project.

Creating a locations-restricted user by disabling Full Organization Access may be helpful to your workflow if you have a role similar to a ‘District Manager,’ for example. A District Manager may need to access reports and exports, but may only need data restricted to specific locations. This role would not be able to edit apps but could view all data in reports/exports from their assigned location and those locations under it.

Deleting Roles

The Delete Role button is only accessible when no users are assigned to a role. In the below screenshot, users are assigned to the Field Implementer role and therefore, we cannot delete it.