[DEA] Restriction on save based on sync strategies #1298

Closed
Tracked by #767
mahalakshme opened this issue Jul 29, 2024 · 2 comments

mahalakshme commented Jul 29, 2024

As is:

So far, only in the mobile app can users see data based on the sync strategies. In the web app, a logged-in user is able to see/edit/register all the data, independent of sync strategies, except for some permissions configured for the user groups to which the user belongs.

Need:

  • Currently, as Avni is getting scaled across different states (for an org), a supervisor allotted to a state monitors via DEA the activities happening in their state. In such cases, the org doesn't want the supervisors of a particular state to be able to edit data belonging to other states.
  • Users have iOS app and hence wish to use the web app, since Avni is not supported on iOS.

AC:

On save, check if the saved info of the entity is in line with the sync strategy configured for the logged-in user.

  1. Should be able to register (newly save) only data that is in line with the sync strategy (address, attributes and assignment) of the logged-in user. If a user does so, show a red toast message at bottom, stating 'You do not have permission to save this entity. Please contact administrator to update your settings if you want to proceed.'
  2. Should be able to update (edit and save) only data that is in line with the sync strategy (address, attributes and assignment) of the logged-in user. If a user does so, show a red toast message at bottom, stating 'You do not have permission to register this subject. Please contact administrator to update your settings if you want to proceed.'
  3. The above error message should appear by default in the language configured by the user, if it is one of Avni's default supported platform languages (English, Gujarati, Hindi, Kannada, Marathi, Tamil).
  4. The sync strategy should be determined based on the configuration of the subject type to which the subject belongs.
  5. When saving an enrolment, general encounter or program encounter as well, the above error message needs to be shown if the entity's subject data is not in line with the user's sync configuration.
  6. When a user doesn't have the sync settings (catchment or attributes or assignment) configured, do not restrict the save (this is to avoid integration services from getting affected for now). Also, the sync attributes of the org in focus would be lengthy if this restriction is enforced.

Technical details:

  • The 2nd point in the AC can be done by checking the old existing data of the subject.
  • Handle at a lower level so that CSV, API updates and the case of update of sync attributes on updating an encounter need not be handled separately or will involve less effort.

Out of scope

  • Looks like the name 'Sync settings' is becoming irrelevant since it is becoming applicable to DEA as well. Modifying this is not within the scope of this card.
  • Showing the Edit button and viewing details based on sync strategy.
  • Search results rendering in line with the sync strategies of the user.
  • Restricting the user from saving when a user doesn't have sync settings (catchment or sync settings) configured.

Analyst notes:

To communicate: update the sync strategy of API users

Old: Ignore:

Option 1: On search results itself, show results only based on sync strategy (address, attributes, assignment). Also restrict on Save.
Option 2: Restrict on Edit and Save.
Option 3: On search results itself, show results only based on sync strategy (address, attributes, assignment). Show only relevant locations and support sync attributes on DEA.

Technical details:

When the restriction is implemented on Search (/web/searchAPI/v2), it should automatically work for search of subjects from the subject concept type since the same API is used, with an additional payload of what is typed in Search. So option 1 or 3 seems to be better unless it impacts performance.

Analysis notes:

An attempt was made to achieve the above via rules, but for the below reasons it was decided to make it a product feature:

  • To make it more scalable so that it applies to all orgs by default, and by reducing implementation overload
  • Execution of rules on DEA has issues when there is a need to execute associated entities
  • Reduced complexity

mahalakshme changed the title from "[DEA] Restriction based on sync strategies" to "[DEA] Restriction on save based on sync strategies" on Jul 31, 2024
petmongrels self-assigned this on Aug 2, 2024

petmongrels commented Aug 2, 2024

AC related notes

  1. Also check in void.
  2. If direct assignment is configured then subject creation cannot be access controlled. Enrolment, Encounter creation can be access controlled.
  3. Not implemented for individual relationships
  4. Added translations

Technical Notes

  1. Changes are applied to web endpoints. External API and Mobile app endpoints will not perform this check.
  2. We require location to be a mandatory sync strategy. Observation-based sync can be added on top of it.

petmongrels added a commit to avniproject/avni-server that referenced this issue Aug 2, 2024
…e user can save a subject in a org partition.
petmongrels added a commit to avniproject/avni-server that referenced this issue Aug 5, 2024
petmongrels added a commit to avniproject/avni-server that referenced this issue Aug 6, 2024
petmongrels added a commit to avniproject/avni-server that referenced this issue Aug 6, 2024
petmongrels added a commit that referenced this issue Aug 6, 2024
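
The save-time check described in the acceptance criteria and in petmongrels' notes above, modelled as an added example (not code from avni-server or from the issue's authors). All class, field and function names are hypothetical, and treating a user with no catchment, sync values or assignments as "not configured" is an assumption of this sketch.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SubjectType:
    sync_concept: Optional[str] = None   # observation-based sync attribute (optional)
    direct_assignment: bool = False

@dataclass
class Subject:
    id: Optional[int]                    # None until first saved
    address_id: int
    type: SubjectType
    observations: dict = field(default_factory=dict)

@dataclass
class User:
    catchment: frozenset = frozenset()               # address ids; empty = not configured
    sync_values: dict = field(default_factory=dict)  # concept -> set of allowed values
    assigned: frozenset = frozenset()                # directly assigned subject ids

def in_scope(user: User, s: Subject) -> bool:
    """True when subject state `s` matches the user's sync settings."""
    if not (user.catchment or user.sync_values or user.assigned):
        return True    # AC 6: nothing configured (e.g. integration user), no restriction
    if s.type.direct_assignment:
        # Creation (no id yet) cannot be access controlled under direct assignment.
        return s.id is None or s.id in user.assigned
    if s.address_id not in user.catchment:   # location is the mandatory strategy
        return False
    concept = s.type.sync_concept
    if concept and concept in user.sync_values:
        return s.observations.get(concept) in user.sync_values[concept]
    return True

def can_save(user: User, new: Subject, old: Optional[Subject] = None) -> bool:
    """Register (old is None), edit or void. The stored state is checked as the
    issue suggests; the incoming state is checked too (this sketch's choice) so
    an edit cannot move a record across partitions in either direction."""
    return in_scope(user, new) and (old is None or in_scope(user, old))

def can_save_child(user: User, subject: Subject) -> bool:
    """Enrolment / general encounter / program encounter: decided by the subject (AC 5)."""
    return in_scope(user, subject)

if __name__ == "__main__":
    person = SubjectType(sync_concept="Programme")           # constructed sample data
    supervisor = User(frozenset({10, 11}), {"Programme": {"TB"}})
    print(can_save(supervisor, Subject(None, 99, person, {"Programme": "TB"})))  # other state
```

Placing one such function beneath every web write path (form save, CSV upload, void) is what the issue's "handle at a lower level" note is asking for, so that no entry point skips the check.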

AchalaBelokar commented Aug 13, 2024

  • I am logged in with AchalaB@rwbniti which is having the catchment @ but it is showing all the locations while saving app is crashing
Screen.Recording.2024-08-13.at.2.27.56.PM.mov
  • search is working fine there.

petmongrels added a commit to avniproject/avni-server that referenced this issue Aug 14, 2024
petmongrels added a commit that referenced this issue Aug 14, 2024