How do I give users access to only de-identified data?

You can limit a user's access to de-identified data through the role you assign. The default "Technician" role does not have PHI access. You can also create additional custom roles and assign them only "Participant (de-id)" access; see the image below for an example. Users with such a role will see only de-identified data in the query interface and other screens (i.e., ## instead of a name, MRN, etc.).