Hey everybody,
we're new to the Lime Survey CE and are currently evalutiong if this could be our future solution for internal Survey or elections.

I just want to know if it is possible to implement something like RBA(C) so we're able to prevent "normal" Users from creating Surveys with Features like "Log IP-Address" enabled?!

We're using LimeSurvey just for internal purposes but we do not want People to be able to deanonymize Survey participants by having IP-adresses, which can be easily run against the Domain DNS to get the ComputerName.

Is there something possible like this (or maybe something planned?) Or are we (IT Staff Members) forced to create the Surveys for all the People so we can Control that there are no such Features enabled?

(Little Background: We're a german governmental Organization so Data Protection Commissioner and work council want These Things not to be logged..)

If there's already a thread or Feature request for stuff like that, just let me know! But I wasn't able to find something related here or in the Bug/Feature Tracker section..

Thanks for your answers.

Kind Regards
Florian

Hi, Florian,
well, first thing.
Your "normal" users all are created by admins.
So all of them should be aware of your data protection rules.
If they do not keep to it, "Abmahnung", "Personalakte",...

Second:
There is an access control, I think you saw it already.


But what you desire is not available in LS, but as IT staff, you could create a trigger in the database to do something like that.

In the table "[prefix]_surveys" you find all interesting fields:
"anonymized"
"ipaddr"
and so on.

And the "owner_id", which shows, who created the survey.

IMO a trigger "before insert" could set all fields to your desired value.

Joffm

florianmoos wrote: I just want to know if it is possible to implement something like RBA(C)

What is RBA? RBA(C)?

You might open a feature request about missing settings. To me it looks like a more granular permission system (e.g. block settings which would allow saving IP-adresses) would be the most important improvement. There are some signals that a overhaul of the permission system is on the watchlist of the developers.

There a some feature requests around improving permission system and further limits for users.
Currently you have more or less a admin-focused LimeSurvey. In a bigger organization you will end up with more than one LimeSurvey-installation. LimeSurvey.org is offering hosting to customers and they have a dedicated installation for each customer. So no multi-tenancy capability implemented at the moment.

bugs.limesurvey.org/view.php?id=12651
bugs.limesurvey.org/view.php?id=8751
bugs.limesurvey.org/view.php?id=7397

RBAC = Role Based Access Control see en.wikipedia.org/wiki/Role-based_access_control .

It is implemented in Yii2 yii2-cookbook.readthedocs.io/security-rbac/ and a heavy meal

Thanks. LimeSurvey is currently based on Yii1. Moving to Yii2 is on the roadmap. www.limesurvey.org/manual/LimeSurvey_roadmap#Planned_features

Hey,

first of all: Thanks for all the quick responses! Didn't actually expected that


Second:
@joffm Where do I find the Access Control? Unfortunately I did not found the view you have..
The Hint with the Database Monitoring and the trigger if some fields are set is good. Thanks.
So I think we will implement something between technical Monitoring and Rules how to set up a correct internal Survey.

Regards
Florian

Hi,
very quick:

[hr]

[hr]

[hr]
Best regards
Joffm

for now the homemade LS permission system is based on users.
We planed to integrate a real RBAC permission system for ls4.