Difference between revisions of "Setup new role"
(→Give Access to A) (Tag: visualeditor) |
(→Folder structure) (Tag: visualeditor) |
||
| Line 56: | Line 56: | ||
**Send GDPR data download | **Send GDPR data download | ||
**Anonymize user | **Anonymize user | ||
| − | ** | + | **Access expiration |
Under a Company there is the following structure: | Under a Company there is the following structure: | ||
| Line 82: | Line 82: | ||
*** Reset user [Impersonated] | *** Reset user [Impersonated] | ||
*** Give Access to A [Impersonated] | *** Give Access to A [Impersonated] | ||
| + | *** A Status [Impersonated] | ||
=== Script documentation === | === Script documentation === | ||
| Line 95: | Line 96: | ||
* PermissionRequired: 2 | * PermissionRequired: 2 | ||
* Parameters | * Parameters | ||
| − | |||
** Name: string, Required: true | ** Name: string, Required: true | ||
** Admin User first name: string, Required: false | ** Admin User first name: string, Required: false | ||
| Line 115: | Line 115: | ||
===== Reset Password ===== | ===== Reset Password ===== | ||
RoleExtensionUserDocumentation | RoleExtensionUserDocumentation | ||
| − | |||
* InformsUsers: true | * InformsUsers: true | ||
* PermissionRequired: 6 | * PermissionRequired: 6 | ||
| Line 122: | Line 121: | ||
===== Send GDPR data download ===== | ===== Send GDPR data download ===== | ||
RoleExtensionUserDocumentation | RoleExtensionUserDocumentation | ||
| − | |||
* InformsUsers: true | * InformsUsers: true | ||
* PermissionRequired: 2 | * PermissionRequired: 2 | ||
| Line 129: | Line 127: | ||
===== Anonymize user ===== | ===== Anonymize user ===== | ||
RoleExtensionUserDocumentation | RoleExtensionUserDocumentation | ||
| − | |||
| − | |||
| − | |||
* LimitToPath: empty | * LimitToPath: empty | ||
| − | ===== | + | ===== Access expiration ===== |
RoleExtensionUserDocumentation | RoleExtensionUserDocumentation | ||
| − | * | + | * ShowResultInGrid: true |
| − | + | * Result | |
| − | * | + | ** When: date. Required: false. Writeable: true |
| − | |||
| − | ** When: date. Required: false | ||
===== Reset user ===== | ===== Reset user ===== | ||
RoleExtensionUserDocumentation | RoleExtensionUserDocumentation | ||
| − | |||
* InformsUsers: false | * InformsUsers: false | ||
* PermissionRequired: 4 | * PermissionRequired: 4 | ||
| Line 151: | Line 143: | ||
* PathIsRelevative: true | * PathIsRelevative: true | ||
| − | ===== | + | ===== Access to A ===== |
RoleExtensionRoleDocumentation | RoleExtensionRoleDocumentation | ||
* OnParent: true | * OnParent: true | ||
| Line 157: | Line 149: | ||
* IncludeChildrenInPath: true | * IncludeChildrenInPath: true | ||
* PathIsRelative: false | * PathIsRelative: false | ||
| − | |||
* RoleRequired: true | * RoleRequired: true | ||
* PermissionRequired: 2 | * PermissionRequired: 2 | ||
| + | * ShowResultInGrid: true | ||
| + | * Result | ||
| + | ** HasAccess: bool, Writeable: true, Required: true | ||
| + | ===== A Status ===== | ||
| + | RoleExtensionUserDocumentation | ||
| + | * InformsUsers: false | ||
| + | * PermissionRequired: 2 | ||
| + | * LimitToPath: "Participants" | ||
| + | * IncludeChildrenInPath: false | ||
| + | * PathIsRelevative: true | ||
| + | * ShowQueryInGrid: true | ||
| + | * Result | ||
| + | ** Progress: int, Writeable: false | ||
| + | ** ... | ||
[[Category:Roles]] | [[Category:Roles]] | ||
Revision as of 10:16, 18 December 2019
A role is very simply a Group with the sub-type Role.
This allows you to use all of the CGScript functions on groups, imports, export, and the many other system features there are on groups.
Minimum requirements
In order for a role to function, it must defined a minimum of two Role extensions.
- "Added" - is called AFTER a user has been added to the role
- "Removed" - is called AFTER a user has been removed from the role.
Suggested folder structure
The roles does not have a required folder structure beyond defining where the role extensions themselves are located. How the access to the resources that membership of the role itself is not actually part of the role structure, but in order to facilitate an easy way to get an overview of any role, here is a suggestion for how to setup a new product that utilizes roles to ensure the proper access to all resources.
In our example, that we will call RRR, we have the following requirements:
Requirements
- RRR is fundamentally a product that consist of a series of sub-products A, B and C where each consists of a number of resources:
- A series of questionnaires.
- A reporting portal for individuals.
- A reporting portal for department leaders.
- Sales to RRR is through multiple channels
- The owners, which we shall call SuperAdmins, may sell either to individuals, companies or resellers.
- Companies may "sell" to their departments.
- Resellers can sell to other companies.
- Companies and individuals may buy access online.
- The seller may restrict access to a limited set of sub-products.
- Administration of user (HR admins) in a reseller, company or department should be possible without having to pay for the account to do so.
- Payment is based on price per user that has access to a sub-product, so access to A may cost 10 per user and B may cost 20.
Access
Since the questionnaires in RRR ask sensitive information, access to each users answers is restricted:
- A user only has access to view their own data.
- A HR admin has access to the user, not the collected data of the user.
- A department leader has same access to the user as the HR admin, but also has access to aggregated data for the departments members.
- Sellers should have same access as HR admins to the companies they sell to.
- The seller may restrict access to a limited set of sub-products. I.e. it should be possible for a department to only be able to give their members access to A. Similarly, an individual buying access to A should only have access to A.
Folder structure
Name in parentheses means a role, otherwise it is a folder or questionnaire or other resource.
In brackets are access, if not specified default is [Inherit: true;], System access is not shown.
- Products
- RRR [Inherit: false]
- (SuperAdmins) [SuperAdmins: Write]
- Companies [SuperAdmins: Full]
- Company X
- Role Exts [Inherit: false; SuperAdmins: Read; HR Admins (All Companies): Read]
- Create Company [Impersonated]
- Delete Company
- Products
- A
- B
- C
- RRR [Inherit: false]
- Role Exts [SuperAdmins: Read; HR Admins (All Companies): Read]
- Reset Password
- Send GDPR data download
- Anonymize user
- Access expiration
Under a Company there is the following structure:
- Company X [HR Admins (This company): Full]
- (HR Admins)
- (Leaders)
- (Members)
- Data [Inherit: false; Leaders: Read]
- ...dcs...
- Users
- ...user...
- Dept X ← which itself is a Company folder
Individuals are stored under a "not-so-special" company named "Individuals" in their own private Company folder.
Resellers are "not-so-special" companies that simply create new companies like others would create new departments.
Under the Products, the organization is as follows:
- A
- (Participants) [HR Admins (For those companies that have access): Write; SuperAdmins: Write]
- Qnaire A1
- Qnaire A2
- Reporting Individual [Participants: Read]
- Reporting Leader [Leaders (For those companies that have access): Read]
- Role Exts [HR Admins (For those companies that have access): Read; SuperAdmins: Read]
- Reset user [Impersonated]
- Give Access to A [Impersonated]
- A Status [Impersonated]
Script documentation
In this section we discuss what each script should return as documentation to function correctly
Create Company
RoleExtensionRoleDocumentation
- OnParent: true
- LimitToPath: "Companies"
- IncludeChildrenInPath: true
- PathIsRelative: true
- RoleRequired: false
- PermissionRequired: 2
- Parameters
- Name: string, Required: true
- Admin User first name: string, Required: false
- Admin User last name: string, Required: false
- Admin User email: string, Required: false
- Inform Admin user: bool, Required: true
Delete Company
RoleExtensionRoleDocumentation
- OnParent: true
- LimitToPath: "Companies"
- IncludeChildrenInPath: true
- PathIsRelative: true
- RoleRequired: true
- PermissionRequired: 6
- Parameters
- Are you sure: bool, Required: true
Reset Password
RoleExtensionUserDocumentation
- InformsUsers: true
- PermissionRequired: 6
- LimitToPath: empty
Send GDPR data download
RoleExtensionUserDocumentation
- InformsUsers: true
- PermissionRequired: 2
- LimitToPath: empty
Anonymize user
RoleExtensionUserDocumentation
- LimitToPath: empty
Access expiration
RoleExtensionUserDocumentation
- ShowResultInGrid: true
- Result
- When: date. Required: false. Writeable: true
Reset user
RoleExtensionUserDocumentation
- InformsUsers: false
- PermissionRequired: 4
- LimitToPath: "Participants"
- IncludeChildrenInPath: false
- PathIsRelevative: true
Access to A
RoleExtensionRoleDocumentation
- OnParent: true
- LimitToPath: "Products\RRR\Companies"
- IncludeChildrenInPath: true
- PathIsRelative: false
- RoleRequired: true
- PermissionRequired: 2
- ShowResultInGrid: true
- Result
- HasAccess: bool, Writeable: true, Required: true
A Status
RoleExtensionUserDocumentation
- InformsUsers: false
- PermissionRequired: 2
- LimitToPath: "Participants"
- IncludeChildrenInPath: false
- PathIsRelevative: true
- ShowQueryInGrid: true
- Result
- Progress: int, Writeable: false
- ...
