Restrict forms visible to user

Hi, we would like to add a restriction so that only forms uploaded or created by a given user in Aggregate are visible to that user in ODK Collect. How can one achieve that? Every way I've tried it, it seems that all forms are visible to everyone. We are going to have hundreds of forms created by multiple users in Aggregate and definitely don't want everyone to see everyone's forms.

Thanks,

Guillaume

Constraints on user access to specific forms are not implemented in ODK
Aggregate.

If segmented user groups are required, we expect organizations to set up a
different ODK Aggregate for each user group. That also ensures full data
isolation for administrators and analysts; if you want data isolation, you
probably also want to restrict which servers specific data analysts and
administrators can access.

Note that for the 1.x tools, filled-in forms are not shared back out to the
devices. The filled-in forms are like filled-in paper forms. They go to the
server and are viewed by data analysts. The 1.x tools expect all users to
use the same set of blank forms to collect a uniform set of reports
about the same thing (e.g., wildlife, health status, etc.). Having each
data collector have their own unique form simply does not fit with this
design.

Note also that the system is not designed for 100's of forms. It holds all
form definitions in memory for performance and cost reasons. This will
generally require increasing the Tomcat JVM size, or the AppEngine
"Frontend Instance" class. While the system can handle 100's of forms, it
won't do that as efficiently as would a system designed for that type of
usage.

--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com

Ok, thanks for the clarifications. Unfortunately, we work in a context where we want to provide free form design and data hosting to our members. Each member or group of members would only have access to their own forms and ultimately to their own data since they are working on entirely different projects. Different Aggregate installs for different users is out of the question.

This sentence in the OpenRosa API docs made me think this was possible:

"If a server will filter the set of forms based upon the user's identity, then the server should require that the user be authenticated through either the AuthenticationAPI or through an alternative authentication mechanism. The server can then make use of the user's authenticated identity through those mechanisms to filter the set of forms to be returned." https://bitbucket.org/javarosa/javarosa/wiki/OpenRosaAPI

But I assume this hasn't been implemented in Aggregate.

Thanks again,

Guillaume


Correct. Possible for a compliant server, but not implemented in ODK
Aggregate.

--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com
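
An added example, not part of the thread and not ODK Aggregate code (which, per the replies above, does not implement this): a sketch of the per-user form-list filtering that the quoted OpenRosa text allows a compliant server to do. It assumes `user` is the identity already established by the server's authentication layer; the form store, owners, and `forms.example.org` URL are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespace of the OpenRosa form-list response document.
NS = "http://openrosa.org/xforms/xformsList"

# Constructed sample store: form_id -> (owner, display name, blank form bytes).
FORMS = {
    "wildlife_v1": ("alice", "Wildlife survey", b"<h:html>wildlife</h:html>"),
    "clinic_v2": ("bob", "Clinic intake", b"<h:html>clinic</h:html>"),
    "water_v1": ("alice", "Water points", b"<h:html>water</h:html>"),
}


def visible_forms(user):
    """Form ids owned by the authenticated user; no identity means no forms."""
    if not user:
        return []
    return sorted(fid for fid, (owner, _, _) in FORMS.items() if owner == user)


def form_list_xml(user, base_url="https://forms.example.org"):
    """Build the <xforms> listing restricted to the caller's own forms."""
    ET.register_namespace("", NS)
    root = ET.Element(f"{{{NS}}}xforms")
    for fid in visible_forms(user):
        _, name, body = FORMS[fid]
        xform = ET.SubElement(root, f"{{{NS}}}xform")
        ET.SubElement(xform, f"{{{NS}}}formID").text = fid
        ET.SubElement(xform, f"{{{NS}}}name").text = name
        ET.SubElement(xform, f"{{{NS}}}hash").text = (
            "md5:" + hashlib.md5(body).hexdigest()
        )
        ET.SubElement(xform, f"{{{NS}}}downloadUrl").text = (
            f"{base_url}/forms/{fid}.xml"
        )
    return ET.tostring(root, encoding="unicode")


def download_form(user, form_id):
    """Apply the same ownership check on download as on listing.

    Leaving a form out of the list does not protect it if the download
    URL can still be fetched by anyone who knows or guesses the form id.
    """
    if form_id not in visible_forms(user):
        return None  # caller maps this to a 403/404 response
    return FORMS[form_id][2]
```

Submission and data-export endpoints would need the same ownership check for the data isolation discussed in the thread to hold.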