New HIFIS 4 Feature: Report Categories

One of the privacy issues in HIFIS 4 has been reporting. You could set up your user rights templates to be as limited as you wanted, but when it came to reports, it was all or nothing.

If you gave a user permission to run reports, they could run all reports, and the reports could be designed to pull data from anywhere. So reports acted as a bit of a loophole. Maybe I want to share some case management information but not other information, so I'll make a report, and now even users that don't have access to the case management module can access case management data through the report.

Confused?  You're not alone.

It was exhausting for many communities to think about what reports they wanted.  Maybe front line staff at shelters had the need for a report that gave them a list of wake-up times, or food allergies.  And maybe housing-based case managers had the need for a report that gave an output of a single client's full SPDAT assessment.  But in order to give shelter staff access to the food allergies report, they'd also gain access to the SPDAT report. And the case managers didn't need a list of wake-up times, so it was hard for them to find the few reports that were useful for them.

With HIFIS version 4.0.54, communities have a lot more control over who can access what reports.

Add Custom Report Screen 

The Add Report screen now includes two additional fields: Report Categories and Service Providers.

Service Providers

When you add a report, you can specify which Service Providers will be able to access and run this report.

This is a great starting point that already helps clarify things. You have some reports that are useful for shelters; other reports that are useful for case managers. Maybe some of your service providers are drop-in centres or eviction prevention service providers that have different needs yet again.  And perhaps some of the reports only make sense at a system level.

Report Categories

The second level of customization you can build in is through the use of the Report Categories field.  You can define your own categories through Look-Up Tables.

You can define your own Report Categories – unfortunately there isn’t a built-in list you can use. There are lots of different ways you might conceptualize your Report Categories. Here’s an example list of Report Categories:

• Operational reports (used by front-line staff on a day-to-day basis, like a list of food allergies, a sign-in sheet, or a chores list)
• Supervisory reports (should only be used by supervisors or managers and review things like caseloads and shelter occupancy)
• System reports (used by system administrators and program managers, to study things like your client inflow and outflow)
• Auditing reports (used by designated auditors, which might be supervisors or administrators, to do things like data quality checks and so on)

You can define lots of different Report Categories, and each report can even have multiple categories associated with it.

So let's say you had a report. You could assign it to the Report Category Supervisory Reports and say that it's available to the Munchkinland Shelter and Wonderland Shelter Service Providers. That means that anyone logged in at the Drop-In Centre Service Provider would be unable to view the report or run it, even if they had access to Supervisory Reports. In addition, anyone that doesn't have access to the Supervisory Reports Report Category wouldn't be able to run it either, even if they did work at Munchkinland Shelter or Wonderland Shelter.

User Rights

Okay, so now you've defined your categories and you've put every report into at least one category.  Now what? The second half of Report Categories is defining who can access that category. This is done through User Rights Templates.

Add (Rights) Template

Now, when you add a User Rights Template, you can specify which Report Categories users with this template will have access to.  This helps you define access by saying things like "front line staff only have access to the reports they need to do their jobs".

From the HIFIS Development Team:

If a User is using a Rights Template at the organization where they are logged in, when accessing the Reports module HIFIS looks a combination of the template’s Report Categories and the template’s Rights. If a User is not using a Rights Template, HIFIS looks at the Report Categories directly on the User’s profile and the Rights for the user where they are logged in.

The combination of Rights, Report Categories, and the Service Provider, is compared against the Report Categories and Report Service Providers of each Report to determine if the User should be authorized for access. 

When a report has been selected and the User is prompted to select Service Providers to run the report on, the User’s Rights and Report Categories are evaluated for every organization.

Putting it All Together

There are a few different elements that you need to configure before users can simply run reports. It's easy to miss one or two steps, so here is a simple checklist for you to follow, to make reports work for you:

1. Modify the Report Categories look-up table. Define your report categories and add those custom values to the look-up table.
2. For each report, edit it and and assign one or more Report Categories and also choose which Service Providers can run it. Note that you need to do this both for your custom reports but also the standard HIFIS reports.
3. For each rights template, choose which Report Categories users with that rights template can access.

FAQ

How do I add or change my Report Categories?

Modify the Report Categories look-up table in Administration > Look-up tables

What does the Report Categories field on the User Profile screen do?

Nothing, if the user has a rights template. If the user has a rights template assigned, they can use reports in categories defined by their rights template, and the ones on their user profile are ignored. However, if the user doesn't have a rights template, and instead has individual rights selected, the HIFIS grants them access to the report categories listed on their user profile. The rights template supercedes the user profile, they do not add together.

What does the Service Providers screen on the Report Categories look-up table values do?

This is a good example of how the subscription model for look-up values doesn't make sense. Like any other look-up table, you can customize which service providers are subscribed to each value. Which is to say, which values users at that service provider can choose from when they're selecting an option from that look-up table. That only occurs when adding or editing a report, or adding or editing rights templates (or adding or editing users, but see above). But given that in the majority of communities, both reports and rights templates are only added or edited by a central administrator, this will never come up. So, in the vast majority of communities, the answer about what this field does is "nothing."

Are Report Categories hierarchical? For example, I have a category called "Front Line" and one called "Supervisory." If I add a report to the "Front Line" category then does it automatically provide access to anyone with access to "Supervisory" reports?

Nope, there is absolutely no hierarchical relationship between the different Report Categories. However, keep in mind that Report Categories is a multiple-select field. So it is quite likely that, say, a supervisor could have the ability to run both "Front Line" and "Supervisory" reports. What you should probably do is put each report into one Report Category (i.e. either it's "Front Line" or "Supervisory") and then grant rights templates access to one or more Report Categories as befits their role.

What happens if a report is in more than one Report Category, and I grant a user access to one of those Report Categories?

The user can run the report if at least one Report Category matches. They don't need to match all of the Report Categories.