raven/devdocs/specs/core-roles.txt
2019-06-05 00:02:45 +00:00

# Roles specifications
From case https://rockfish.ayanova.com/default.htm#!/rfcaseEdit/1809
RAVEN will replace the security rights system of v7 with a role-based system.
I'm using an int flags enum, which means a maximum of 32 possible roles unless I bump it up to a long, but I don't really want to as this number will be thrown around the API a lot.
ROLES set general accessibility to change, delete or read objects; however, business rules may further restrict on top of that.
**DELETE RIGHTS**
If you can modify an object you can delete an object unless business rules say otherwise.
**LIMITED ROLES / BUSINESS RULES LIMITATIONS**
(formerly self owned)
In some cases business rules may further restrict what a user can do.
For example a SubContractorLimited has the change right to a workorder, but in fact the workorder itself has business rules that limit that drastically down to almost nothing but a single area entry in labor
LISTS UNDER LIMITED ROLES
If a user *can* potentially view or edit an object type then that object's list will display, if certain fields should be restricted then they will be via business rules when the record is opened.
So in theory lists should not show stuff that a user has no rights to see, so some columns need to be restricted for those users when the list is delivered by the server
Case by case issue.
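
A sketch of the model described above, as an added example (not AyaNova's code): a C# `[Flags]` enum using the role names from the ROLES section below, with unknown object types denied and delete following change unless a business rule vetoes it. The bit positions, the `RoleCheck` class, its rights table and the workorder rule are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Bit positions are assumed; the spec only fixes "int flags enum" (max 32 roles).
[Flags]
public enum Roles : int
{
    None = 0,
    BizAdminLimited = 1 << 0, BizAdminFull = 1 << 1,
    DispatchLimited = 1 << 2, DispatchFull = 1 << 3,
    InventoryLimited = 1 << 4, InventoryFull = 1 << 5,
    Accounting = 1 << 6, TechFull = 1 << 7, TechLimited = 1 << 8,
    SubContractorLimited = 1 << 9, SubContractorFull = 1 << 10,
    ClientLimited = 1 << 11, ClientFull = 1 << 12,
    OpsAdminLimited = 1 << 13, OpsAdminFull = 1 << 14
}

public static class RoleCheck
{
    // Hypothetical rights table: object type -> (roles that may change, roles that may only read).
    static readonly Dictionary<string, (Roles Change, Roles Read)> Rights = new()
    {
        ["User"] = (Roles.BizAdminFull, Roles.BizAdminLimited),
        ["Workorder"] = (Roles.BizAdminFull | Roles.DispatchFull | Roles.TechFull
                         | Roles.SubContractorLimited, Roles.BizAdminLimited),
    };

    // An object type missing from the table is denied, never allowed by default.
    public static bool CanRead(Roles user, string type) =>
        Rights.TryGetValue(type, out var r) && (user & (r.Change | r.Read)) != 0;
    public static bool CanChange(Roles user, string type) =>
        Rights.TryGetValue(type, out var r) && (user & r.Change) != 0;

    // Delete follows change; the object's business rule can only narrow that, never widen it.
    public static bool CanDelete(Roles user, string type, Func<Roles, bool> bizRule = null) =>
        CanChange(user, type) && (bizRule?.Invoke(user) ?? true);

    public static void Main()
    {
        var manager = Roles.InventoryFull | Roles.DispatchFull; // one user, several roles
        var sub = Roles.SubContractorLimited;
        // Hypothetical workorder rule: only these roles may delete a workorder.
        Func<Roles, bool> woRule = u => (u & (Roles.BizAdminFull | Roles.DispatchFull)) != 0;
        Console.WriteLine($"manager change Workorder: {CanChange(manager, "Workorder")}");
        Console.WriteLine($"manager change User:      {CanChange(manager, "User")}");
        Console.WriteLine($"sub change Workorder:     {CanChange(sub, "Workorder")}");
        Console.WriteLine($"sub delete Workorder:     {CanDelete(sub, "Workorder", woRule)}");
        Console.WriteLine($"ops read Workorder:       {CanRead(Roles.OpsAdminFull, "Workorder")}");
    }
}
```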
## ROLES
### None
No rights, not settable, just for internal usage in code
### BizAdminLimited
Intended for a business administrator / supervisor who wants to monitor the business, kpi, reporting etc, but doesn't actually get to change anything.
Suitable for the "big boss" who isn't trusted to make actual day to day decisions but can review anything.
**RIGHTS**
- Read only access to everything (except OPS stuff)
- Full access to management reporting, KPI etc, but can't change them substantially, just sort, filter etc.
### BizAdminFull
Basically the v7 manager account stuff with full rights to everything other than OpsAdmin stuff.
**RIGHTS**
- Full access to all AyaNova objects with the sole exception of OPS related stuff
- ONLY role that can make a user or change a user's roles
- Grants roles to other users
- Licensing
- Business related configuration settings
- Form customization
- Localized text customization
- All management and KPI stuff
- NO Operations rights at all so no setup, or troubleshooting logs or technical details
### DispatchLimited
see roles.odt for more info
- Intended as the junior dispatcher account, where they can help with day to day but not change anything big or see any private data
- Can create workorder
- Can add users to workorder / schedule
- NO create clients
- No areas of workorder that are not directly related to scheduling
### DispatchFull
see roles.odt for more info
- Intended as the role for the person managing a group of techs and scheduling, pre-filling in workorders etc
- Create workorder
- Create clients
- Create vendors
- Can see anything related to scheduling and conveying service
- Not necessarily the service manager who would have multiple roles like InventoryFull and DispatchFull
- Schedule anyone
- View and edit any area of any workorder with possible exception of profit and loss stuff or any strictly BIZ functionality
- Does not have inventory rights to make inventory changes like creating parts
### InventoryLimited
see roles.odt for more info
NO PO functionality except maybe able to receive?? To be determined
View inventory, adjust inventory
Create parts, assign vendors etc (dispatcher comes to them for new parts to be created)
NO dangerous or biz affecting rights
### InventoryFull
see roles.odt for more info
Same as inventory limited but with all the PO related stuff
Also can fully change and create warehouses
Create vendors
### Accounting
see roles.odt for more info
- Create vendors
### TechFull
see roles.odt for more info
- consumes a license
- Can create their own workorders and schedule themselves on them but can't schedule others; that's dispatch's job
- Some areas of workorder are still not available if they are related to other roles such as accounting etc
- Not able to see part costs or % markup or any data not absolutely essential to doing their job
- Can create unit
- Can create client
### TechLimited
see roles.odt for more info
- CONSUMES A LICENSE
- Can make entries into existing workorders, add rows to existing areas in the workorder but can't add a new area or create a new workorder
- Can only see their own workorders, no one else's
- No access to any costs or business data of any kind
### SubContractorLimited
For filling out labor on workorders but not seeing any details of the workorder
Like a tech limited but more limited.
Essentially the only purpose of this is to allow them to enter labor on a pre-existing workorder but really see almost nothing on the workorder except the bare minimum to enter labor
They can see only where they are scheduled in the schedule form, no client name, nothing of any detail at all, just work and enter it.
see roles.odt for more info
can only add themselves as a labor entry, not much else unless it proves necessary.
For a tech/subcontractor that is not trusted with company information including even client name i.e. just given the work to perform and enter details about that work, but doesn't need access to anything else
Can't select new parts only uses existing ones
### SubContractorFull
Same as limited except can also see the client name and address and can select parts and other things to add to workorder but not see any details about those things outside the wo view
see roles.odt for more info
### ClientLimited
### ClientFull
### OpsAdminLimited
Like ops full but read only and for simple maintenance or watching / observing when issues occur
A role you'd give an office person with no tech background but who is tasked with backup or looking at logs when things go wrong
### OpsAdminFull
Any major db change like restore, importing etc.
backup, troubleshoot, dashboard of throughput, db administration, all the stuff needed to keep RAVEN up and running and monitor any issues in operations of it,
nothing to do with business stuff or actual business data
************************************************************************************************************************************************************
=-=-=-=- HOW TO HANDLE EDIT OWN PLANNING =-=-=-=-=-
- EditOwn is really not about edit own; it's about supporting a user who is not supposed to see any data other than the bare minimum in order to fill out workorders
- Make it a business rule(s) instead in the areas of workorders and anything specific
- Get rid of edit own rights code entirely