admin/raven
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
95c2abe4490d4d173fc6e730a028e720bc4cea1e
raven/devdocs/specs/core-roles.txt
John Cardinal 95b2ddf51c
2020-12-07 20:34:45 +00:00

326 lines
13 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Roles specifications
From case https://rockfish.ayanova.com/default.htm#!/rfcaseEdit/1809
RAVEN will replace security rights system of v7 with a role based system instead
I'm using an int flags enum which means a maximum of 32 possible roles unless I bump it up to a long but don't really want to as this number will be thrown around the api a lot
ROLES set general accessibility to change or delete or read objects, however Business rules may further restrict on top of that.
**DELETE RIGHTS***
If you can modify an object you can delete an object unless business rules say otherwise
**SEE NAME / PICKLISTS ***
- Not sure if correct but for now assuming anyone can read the name of any object and that the UI will exclude them by biz rule if they aren't supposed to see something
- this does mean a subcontractor could use the api to fetch a list of customers outside of the client though...hmmm..
**LIMITED ROLES / BUSINESS RULES LIMITATIONS **
(formerly self owned)
In some cases business rules may further restrict what a user can do.
For example a SubContractorLimited has the change right to a workorder, but in fact the workorder itself has business rules that limit that drastically down to almost nothing but a single area entry in labor
=-=-=-=- HOW TO HANDLE EDIT OWN PLANNING =-=-=-=-=-
- EditOwn IS DEPRECATED FROM ORIGINAL PLAN is really not about editown it's about supporting a user who is not supposed to see any data other than the bare minimum in order to fill out workorders
- Make it a business rule(s) instead in the areas of workorders and anything specific
- Get rid of edit own rights code entirely
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
** LIMITED ROLES ACCESS RIGHTS PLANNING **
As of jan 2020 just trying to determine what the limited roles do as they are the least clear, here is some thinking on that:
- Do I need all the limited roles or are some redundant
- My thinking currently is it could be too complex for people to understand unless it's very clear what the dividing line is and in many cases people probably won't care about the limited roles / overthinking it
- some people want to set every last little thing but are we selling to those people or to people who just want to get shit done
- Many people just want the ability to not show private info and I have pretty good handle on that like hiding costs, client lists etc
- How many of oru customers will have a junior dispatcher or junior inventory person?
- Even if this isn't perfect I need to start with something and can build on it later, so keep in mind TTM and simpler is better up to a point
- No need to figure everythign otu at this point, it's easier to work with actual features down the road and restrict more then
- Issues is mainly to do with what the limited roles are all about and where the dividing line for features will be
- MAYBE the way to think of this is that the limited roles are all basically READ ONLY versions of the full roles
- This satisfies the need for office people to be able to look shit up but not break it by changing it
- CURRENT RESOLUTION TO THIS: just go ahead and code it now
- I have a pretty clear understanding of the full roles
- Work out the Limited roles later when I have actual features to limit and can see it in action
- Code it so that this is kept in mind so it's not a bitch to go back in limit later
==================================================
LISTS UNDER LIMITED ROLES
If a user *can* potentially view or edit an object type then that object's list will display, if certain fields should be restricted then they will be via business rules when the record is opened.
So in theory lists should not show stuff that a user has no rights to see, so some columns need to be restricted for those users when the list is delivered by the server
Case by case issue.
**********
Theoretical company entitities concerned with AyaNova:
Upper Management
- KPI
- View schedule
- View read only workorders full view though
Service manager
- Create users set roles
- Access everything except OPS (and possibly some accounting functionality restriction?)
I.T.
- OPS, setup, backup etc
- No access to biz data at all
Accounting
- Invoicing
- Clients
- View any biz related data
- No ability to modify workorders unless accounting related like invoice number or something
HR
- Create users
- Disable users
Sales
- Quotes
- View clients / ho
- Create clients?
Service
- Workorders
- view quotes
- Turn wo into quotes
- CSR
- Create modify clients headoffices
Shipping receiving
- Receive PO
- Outside service receiving
Inventory
- Create parts
- Create warehouses
- all inventory related like make po's, receive them
Customers
- View their shit
************************************************************************************************************************************************************
## ROLES
### None
No rights, not settable, just for internal usage in code
### BizAdminLimited
Intended for a business administrator / supervisor who wants to monitor the business, kpi, reporting etc, but doesn't actually get to change anything.
Suitable for the "big boss" who isn't trusted to make actual day to day decisions but can review anything.
NOT FULLY FLESHED OUT THIS CAN ALL CHANGE
**RIGHTS**
- Read only access to everything (except OPS stuff)
- Full access to management reporting, KPI etc, but can't change them substantially, just sort, filter etc.
### BizAdminFull
Basically the v7 manager account stuff with full rights to everything other than OpsAdmin stuff.
**RIGHTS**
- Full access to all AyaNova objects with the sole exception of OPS related stuff
- ONLY role that can make a user or change a user's roles
- Grants roles to other users
- Licensing
- Business related configuration settings
- Form customization
- Localized text customization
- All management and KPI stuff
- NO Operations rights at all so no setup, or troubleshooting logs or technical details
### DispatchLimited
see roles.odt for more info
NOT FULLY FLESHED OUT THIS CAN ALL CHANGE
- Intended as the junior dispatcher account, where they can help with day to day but not change anything big or see any private data
- Can create workorder
- Can add users to workorder / schedule
- view other dispatch full objects as readonly like clients, vendors, headoffices etc
- No areas of workorder that are not directly related to scheduling
### DispatchFull
see roles.odt for more info
- Intended as the role for the person managing a group of techs and scheduling, pre-filling in workorders etc
- Create workorder
- Create clients
- Create vendors
- Can see anything related to scheduling and conveying service
- Not necessarily the service manager who would have multiple roles like InventoryFull and DispatchFull
- Schedule anyone
- View and edit any area of any workorder with possible exception of profit and loss stuff or any strictly BIZ functionality
- Does not have inventory rights to make inventory changes like creating parts
### InventoryLimited
see roles.odt for more info
NOT FULLY FLESHED OUT THIS CAN ALL CHANGE
NO PO functionality except maybe able to receive?? To be determined
View inventory, adjust inventory
creat parts, assign vendors etc (dispatcher comes to them for new parts to be created)
NO dangerous or biz affecting rights
REad only rights to all other objects that InventoryFull can edit
### InventoryFull
see roles.odt for more info
Same as inventory limited but with all the PO related stuff
Also can fully change and create warehouses
Create vendors
### Accounting
see roles.odt for more info
- Create vendors
- Create / edit clients (ho)
- Integrate with QB external accounting software etc
- No access to inventory, if that's needed they can give the user inventory role as well
### TechFull
see roles.odt for more info
- consumes a license
- Can create their own workorders and schedule themselves on them but can't schedule others, that's dispatch job
- Some areas of workorder are still not availble if they are related to other roles such as accounting etc
- Not able to see part costs or % markup or any data not absolutely essential to doing their job
- Can create unit
- Can create client
### TechLimited
see roles.odt for more info
- CONSUMES A LICENSE
NOT FULLY FLESHED OUT THIS CAN ALL CHANGE
- Isnt this basically a subcontractor though?
- More rights than a subcontrator but less than a full tech, cannot see sensitive data
- Can't schedule themselves only add labor
- Can make entries into existing workorders, add rows to existing areas in the workorder but can't add a new area or create a new workorder
- Can only see their own workorders, no one elses
- No access to any costs or business data of any kind
- Can't make clients or vendors or units
### SubContractorLimited
NOTE 2020-04-14 13:19:17: There is a case for this that I haven't read to update this block of text yet
https://rockfish.ayanova.com/default.htm#!/rfcaseEdit/1465
For filling out labor on workorders but not seeing any details of the workorder
Like a tech limited but more limited.
NOT FULLY FLESHED OUT THIS CAN ALL CHANGE
** Essentially the only purpose of this is to allow them to enter labor on a pre-existing workorder but really see almost nothing on the workorder except the bare minimum to enter labor
They can see only where they are scheduled in the schedule form, no client name, nothing of any detail at all, just work and enter it.
see roles.odt for more info
can only add themselves as a labor entry, not much else unless it proves necessary.
For a tech/subcontractor that is not trusted with company information including even client name i.e. just given the work to perform and enter details about that work, but doesn't need access to anything else
Can't select new parts only uses existing ones
ONLY ACCESS TO DASHBOARD TO SEE *THEIR* SHIT, SERVICE NAV ITEMS NOT VISIBLE
### SubContractorFull
See case 1465 mentioned above
Same as limited except can also see the client name and address and can select parts and other things to add to workorder but not see any details about those things outside the wo view
see roles.odt for more info
### ClientLimited
### ClientFull
### OpsAdminLimited
Like ops full but for read only and simle maintenance or watching / observing when issues
A role you'd give an office person with no tech background but who is tasked with backup or looking at logs when things go wrong
backup but can't restore
view logs, call ops full (I.T.) when issue arises
### OpsAdminFull
Any major db change like restore, importing etc.
backup, troubleshoot, dashboard of throughput, db administration, all the stuff needed to keep RAVEN up and running and monitor any issues in operations of it,
nothing to do with business stuff or actual business data
### SALESFULL
Makes QUOTES
View and create clients?
Turn quote into workorder? (that implies scheduling rights, sb dispatcher job)
Maybe they approve the quote for service then a service manager does the actual booking!
### SALESLIMITED
(basically a read only sales full)
Views quotes, can't change them?
View customers can't change them
************************************************************************************************************************************************************
BizAdminLimited | BizAdminFull | DispatchLimited | DispatchFull | InventoryLimited |
InventoryFull | AccountingFull | TechLimited | TechFull | SubContractorLimited |
SubContractorFull | ClientLimited | ClientFull | OpsAdminLimited | OpsAdminFull | SalesFull | SalesLimited
# CLIENT UI AREAS AND ROLES THAT CAN SEE THEM
(there are other restrictions individually but this is just that they are visible to those users in the main UI)
## HOME
- [ALL ROLES EXCEPT CLIENT ONES, RESTRICTIONS BY BIZ RULES AND EXCEPTIONS ONLY]
- Dashboard
- Search
- Schedule
- Memos
- Reminders
- Translation settings for User
- Set login and password
- Notification subscriptions
## CUSTOMERS
[FULL - BAF, DF, ACC, TF ]
[READ ONLY - BAL, DL, TL ]
- Customers
- Head offices
## SERVICE
- Schedule (all)
- [FULL - BAF, DF, DL ]
- [READ ONLY - BAL ]
- Workorders
- [FULL - ACC, DF, DL ]
- [READ ONLY - TF, BAL ]
- [SPECIAL - TF can see all and create their own wo and put themselves on it but no other techs can be selected by them]
- Quotes
- [FULL - SF, SL]
- Preventive Maintenance
- Customer Units
- Unit Models
- Loan Items
- Contracts
- Customer Service Requests
## INVENTORY
- Parts
- Part inventory
- Part Requests
- Purchase orders
- Purchase Order Receipts
- Adjustments
## VENDORS
## ACCOUNTING
- Accounting
## ADMINISTRATION
- Global settings
- license
- Users
- Localized Text Design
- Report Templates
- Attached Files
- History (change log for all objects)
- Statistics (KPI SHIT)
## SERVER OPERATIONS
- Backup
- Job Queue
- Server log
- Server metrics
- Notifciation Settings
## TEST WIDGETS
Reference in New Issue View Git Blame Copy Permalink