diff --git a/care/emr/api/viewsets/questionnaire.py b/care/emr/api/viewsets/questionnaire.py
index c9aa52fabe..b256d338fc 100644
--- a/care/emr/api/viewsets/questionnaire.py
+++ b/care/emr/api/viewsets/questionnaire.py
@@ -3,7 +3,7 @@
 from django_filters import rest_framework as filters
 from pydantic import UUID4, BaseModel
 from rest_framework.decorators import action
-from rest_framework.exceptions import PermissionDenied
+from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.response import Response
 from care.emr.api.viewsets.base import EMRModelViewSet
@@ -13,6 +13,7 @@
 Patient,
 Questionnaire,
 QuestionnaireOrganization,
+ QuestionnaireResponse,
 )
 from care.emr.resources.organization.spec import OrganizationReadSpec
 from care.emr.resources.questionnaire.spec import (
@@ -59,6 +60,15 @@ def perform_create(self, instance):
 questionnaire=instance, organization=organization_obj
 )
+ def validate_data(self, instance, model_obj=None):
+ if (
+ model_obj
+ and not QuestionnaireResponse.objects.filter(
+ questionnaire=model_obj
+ ).exists()
+ ):
+ raise ValidationError("Cannot edit an active questionnaire")
+
 def authorize_create(self, instance):
 for org in instance.organizations:
 # Validate if the user has write permission in the organization
diff --git a/care/emr/resources/user/spec.py b/care/emr/resources/user/spec.py
index b3c2cdb1df..0a54152f13 100644
--- a/care/emr/resources/user/spec.py
+++ b/care/emr/resources/user/spec.py
@@ -3,7 +3,7 @@
 from django.contrib.auth.password_validation import validate_password
 from django.core.exceptions import ValidationError
 from django.core.validators import validate_email
-from pydantic import UUID4, field_validator
+from pydantic import UUID4, Field, field_validator
 from rest_framework.generics import get_object_or_404
 from care.emr.models import Organization
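Review bot: In `validate_data` (care/emr/api/viewsets/questionnaire.py, third hunk) the existence test looks inverted: as written the `ValidationError` is raised when the questionnaire has no `QuestionnaireResponse` rows, and an update goes through once responses exist. Judging by the message "Cannot edit an active questionnaire", the intent is presumably the opposite, so that recorded responses cannot be reinterpreted by editing the questions they answered; the condition would then read `if model_obj and QuestionnaireResponse.objects.filter(questionnaire=model_obj).exists():`. No test in this commit exercises either branch, so an update case with and without existing responses would pin the behaviour down.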
@@ -35,7 +35,7 @@ class UserBaseSpec(EMRResource):
 first_name: str
 last_name: str
- phone_number: str
+ phone_number: str = Field(max_length=14)
 class UserUpdateSpec(UserBaseSpec):
diff --git a/care/users/tests/test_user_create.py b/care/users/tests/test_user_create.py
index ccdb73df06..033d8e9b71 100644
--- a/care/users/tests/test_user_create.py
+++ b/care/users/tests/test_user_create.py
@@ -1,8 +1,11 @@
+import logging
+
 from django.urls import reverse
 from polyfactory.factories.pydantic_factory import ModelFactory
 from rest_framework import status
-from care.emr.resources.user.spec import UserCreateSpec
+from care.emr.resources.user.spec import UserCreateSpec, UserTypeRoleMapping
+from care.security.permissions.user import UserPermissions
 from care.utils.tests.base import CareAPITestBase
@@ -34,9 +37,20 @@ def test_create_empty_user_validation(self):
 self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
 def test_create_user_authorization(self):
+ # Create user and assign to organization with user create role
 user = self.create_user()
 organization = self.create_organization(org_type="govt")
+ role = self.create_role_with_permissions(
+ permissions=[UserPermissions.can_create_user.name]
+ )
+ self.attach_role_organization_user(organization, user, role)
 new_user = self.generate_user_data(geo_organization=organization.external_id)
+ # Create or
+ self.create_role(
+ name=UserTypeRoleMapping[new_user.user_type.value].value.name,
+ is_system=True,
+ )
+ logging.info(UserTypeRoleMapping[new_user.user_type.value].value.name)
 self.client.force_authenticate(user=user)
 response = self.client.post(self.base_url, new_user.dict(), format="json")
- self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
diff --git a/care/utils/tests/base.py b/care/utils/tests/base.py
index 3b573ecd7c..4ea8667a8b 100644
--- a/care/utils/tests/base.py
+++ b/care/utils/tests/base.py
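Review bot: `Field(max_length=14)` on `phone_number` in `UserBaseSpec` (care/emr/resources/user/spec.py) bounds the length but still accepts an empty string or arbitrary characters, and the 14 is unexplained. A short comment saying where the limit comes from would help, for example `# must not exceed the phone_number column length on the user model (confirm)`. If the field is meant to hold a dialable number, a `min_length` or `pattern` on the same `Field` would reject the rest. The class body continues outside the hunk.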
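Review bot: `test_create_user_authorization` in care/users/tests/test_user_create.py now covers only the allowed path, so nothing in the visible hunks still asserts that a caller without `can_create_user` is refused. The previous body (create user and organization, authenticate, post, expect `status.HTTP_403_FORBIDDEN`) is worth keeping as a separate test next to this one, since that denial is the access-control property the endpoint depends on. The added `logging.info(...)` call and the truncated `# Create or` comment look like debugging leftovers; dropping the call also removes the need for `import logging` in the first hunk of this file.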
@@ -2,6 +2,8 @@
 from model_bakery import baker
 from rest_framework.test import APITestCase
+from care.emr.models.organization import OrganizationUser
+
 class CareAPITestBase(APITestCase):
 fake = Faker()
@@ -19,11 +21,26 @@ def create_organization(self, **kwargs):
 return baker.make(Organization, **kwargs)
+ def create_role(self, **kwargs):
+ from care.security.models import RoleModel
+
+ if RoleModel.objects.filter(**kwargs).exists():
+ return RoleModel.objects.get(**kwargs)
+ return baker.make(RoleModel, **kwargs)
+
 def create_role_with_permissions(self, permissions):
- pass
+ from care.security.models import PermissionModel, RoleModel, RolePermission
- def attach_role_organization_user(self):
- pass
+ role = baker.make(RoleModel)
+
+ for permission in permissions:
+ RolePermission.objects.create(
+ role=role, permission=baker.make(PermissionModel, slug=permission)
+ )
+ return role
+
+ def attach_role_organization_user(self, organization, user, role):
+ OrganizationUser.objects.create(organization=organization, user=user, role=role)
 def attach_role_facility_organization_user(self):
 pass
diff --git a/config/settings/base.py b/config/settings/base.py
index 581a451704..7da541c30f 100644
--- a/config/settings/base.py
+++ b/config/settings/base.py
@@ -3,6 +3,7 @@
 """
 import logging
+import warnings
 from datetime import datetime, timedelta
 from pathlib import Path
@@ -17,6 +18,8 @@
 from care.utils.csp import config as csp_config
 from plug_config import manager
+warnings.filterwarnings("ignore", category=UserWarning)
+
 logger = logging.getLogger(__name__)
 BASE_DIR = Path(__file__).resolve(strict=True).parent.parent.parent
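Review bot: `create_role` in the second hunk of care/utils/tests/base.py runs the same filter twice, and `get(**kwargs)` raises `MultipleObjectsReturned` when more than one role matches; `return RoleModel.objects.filter(**kwargs).first() or baker.make(RoleModel, **kwargs)` does it in one query. In `create_role_with_permissions`, `baker.make(PermissionModel, slug=permission)` inserts a fresh permission row on every call, which would collide or duplicate if the slug is unique or the permissions are already seeded in the test database (not visible here). The three new helpers have no docstrings; one line each stating what is created and returned would be enough.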
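Review bot: `warnings.filterwarnings("ignore", category=UserWarning)` in config/settings/base.py silences every `UserWarning` process-wide in each environment that loads the base settings, including warnings libraries emit about unsafe or deprecated configuration. If the goal is to quiet one noisy dependency, narrow the filter, for example `warnings.filterwarnings("ignore", category=UserWarning, module=r"<noisy_package>")` with the actual package name filled in, or move the line to the test settings. A comment naming the warning being suppressed would let a later reader remove the filter safely.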