Difference between revisions of "Setup new role"
(Created page with "A role is very simply a Group with the sub-type Role. This allows you to use all of the CGScript functions on groups, imports, export, and the many other system features ther...") (Tag: visualeditor) |
(Tag: visualeditor) |
||
| (14 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
This allows you to use all of the CGScript functions on groups, imports, export, and the many other system features there are on groups. | This allows you to use all of the CGScript functions on groups, imports, export, and the many other system features there are on groups. | ||
| − | + | [[Role Overview|Read more about Roles]] | |
| − | |||
| − | |||
| − | |||
| − | == | + | == Example folder structure == |
| − | + | The roles does not have a required folder structure beyond defining where the role extensions themselves are located. How the access to the resources that membership of the role itself is not actually part of the role structure, but in order to facilitate an easy way to get an overview of any role, here is a suggestion for how to setup a new product that utilizes roles to ensure the proper access to all resources. | |
| − | + | ||
| − | + | In our example, that we will call RRR, we have the following requirements: | |
| − | + | ||
| − | + | === Requirements === | |
| − | + | * RRR is fundamentally a product that consist of a series of sub-products A, B and C where each consists of a number of resources: | |
| − | + | ** A series of questionnaires. | |
| − | + | ** A reporting portal for individuals. | |
| − | + | ** A reporting portal for department leaders. | |
| − | + | * Sales to RRR is through multiple channels | |
| − | + | ** The owners, which we shall call SuperAdmins, may sell either to individuals, companies or resellers. | |
| − | + | ** Companies may "sell" to their departments. | |
| − | + | ** Resellers can sell to other companies. | |
| − | + | ** Companies and individuals may buy access online. | |
| + | ** The seller may restrict access to a limited set of sub-products. | ||
| + | * Administration of user (HR admins) in a reseller, company or department should be possible without having to pay for the account to do so. | ||
| + | * Payment is based on price per user that has access to a sub-product, so access to A may cost 10 per user and B may cost 20. | ||
| + | |||
| + | === Access === | ||
| + | Since the questionnaires in RRR ask sensitive information, access to each users answers is restricted: | ||
| + | * A user only has access to view their own data. | ||
| + | * A HR admin has access to the user, not the collected data of the user. | ||
| + | |||
| + | * A department leader has same access to the user as the HR admin, but also has access to aggregated data for the departments members. | ||
| + | * Sellers should have same access as HR admins to the companies they sell to. | ||
| + | * The seller may restrict access to a limited set of sub-products. I.e. it should be possible for a department to only be able to give their members access to A. Similarly, an individual buying access to A should only have access to A. | ||
| + | |||
| + | === Folder structure === | ||
| + | Name in parentheses means a role, otherwise it is a folder or questionnaire or other resource. | ||
| + | |||
| + | In brackets are access, if not specified default is [Inherit: true;], System access is not shown. | ||
| + | * Products | ||
| + | ** RRR [Inherit: false] | ||
| + | *** (SuperAdmins) [SuperAdmins: Write] | ||
| + | *** Companies [SuperAdmins: Full] | ||
| + | **** Company X | ||
| + | *** Role Exts [Inherit: false; SuperAdmins: Read; HR Admins (All Companies): Read] | ||
| + | **** Create Company [Impersonated] | ||
| + | **** Delete Company | ||
| + | *** Products | ||
| + | **** A | ||
| + | **** B | ||
| + | **** C | ||
| + | * Role Exts [SuperAdmins: Read; HR Admins (All Companies): Read] | ||
| + | **Reset Password | ||
| + | **Send GDPR data download | ||
| + | **Anonymize user | ||
| + | **Access expiration | ||
| + | |||
| + | Under a Company there is the following structure: | ||
| + | * Company X [HR Admins (This company): Full] | ||
| + | ** (HR Admins) | ||
| + | ** (Leaders) | ||
| + | ** (Members) | ||
| + | ** Data [Inherit: false; Leaders: Read] | ||
| + | *** ...dcs... | ||
| + | ** Users | ||
| + | *** ...user... | ||
| + | ** Dept X ← which itself is a Company folder | ||
| + | Individuals are stored under a "not-so-special" company named "Individuals" in their own private Company folder. | ||
| + | |||
| + | Resellers are "not-so-special" companies that simply create new companies like others would create new departments. | ||
| + | |||
| + | Under the Products, the organization is as follows: | ||
| + | * A | ||
| + | ** (Participants) [HR Admins (For those companies that have access): Write; SuperAdmins: Write] | ||
| + | ** Qnaire A1 | ||
| + | ** Qnaire A2 | ||
| + | ** Reporting Individual [Participants: Read] | ||
| + | ** Reporting Leader [Leaders (For those companies that have access): Read] | ||
| + | ** Role Exts [HR Admins (For those companies that have access): Read; SuperAdmins: Read] | ||
| + | *** Reset user [Impersonated] | ||
| + | *** Give Access to A [Impersonated] | ||
| + | *** A Status [Impersonated] | ||
| + | *** Participants OnAdded [Impersonated] | ||
| + | |||
| + | === Script documentation === | ||
| + | In this section we discuss what each script should return as documentation to function correctly | ||
| + | |||
| + | ===== Create Company ===== | ||
| + | [[RoleExtensionRoleDocumentation class|RoleExtensionRoleDocumentation]] | ||
| + | * OnParent: true | ||
| + | * LimitToPath: "Companies" | ||
| + | * IncludeChildrenInPath: true | ||
| + | * PathIsRelative: true | ||
| + | * RoleRequired: false | ||
| + | * PermissionRequired: 2 | ||
| + | * Parameters | ||
| + | ** Name: string, Required: true | ||
| + | ** Admin User first name: string, Required: false | ||
| + | ** Admin User last name: string, Required: false | ||
| + | ** Admin User email: string, Required: false | ||
| + | ** Inform Admin user: bool, Required: true | ||
| + | |||
| + | ===== Delete Company ===== | ||
| + | [[RoleExtensionRoleDocumentation class|RoleExtensionRoleDocumentation]] | ||
| + | * OnParent: true | ||
| + | * LimitToPath: "Companies" | ||
| + | * IncludeChildrenInPath: true | ||
| + | * PathIsRelative: true | ||
| + | * RoleRequired: true | ||
| + | * PermissionRequired: 6 | ||
| + | * Parameters | ||
| + | ** Are you sure: bool, Required: true | ||
| + | |||
| + | ===== Reset Password ===== | ||
| + | [[RoleExtensionUserDocumentation class|RoleExtensionUserDocumentation]] | ||
| + | * InformsUsers: true | ||
| + | * PermissionRequired: 6 | ||
| + | * LimitToPath: empty | ||
| + | |||
| + | ===== Send GDPR data download ===== | ||
| + | [[RoleExtensionUserDocumentation class|RoleExtensionUserDocumentation]] | ||
| + | * InformsUsers: true | ||
| + | * PermissionRequired: 2 | ||
| + | * LimitToPath: empty | ||
| + | |||
| + | ===== Anonymize user ===== | ||
| + | [[RoleExtensionUserDocumentation class|RoleExtensionUserDocumentation]] | ||
| + | * LimitToPath: empty | ||
| + | |||
| + | ===== Access expiration ===== | ||
| + | [[RoleExtensionUserDocumentation class|RoleExtensionUserDocumentation]] | ||
| + | * ShowResultInGrid: true | ||
| + | * Result | ||
| + | ** When: date. Required: false. Writeable: true | ||
| + | |||
| + | ===== Reset user ===== | ||
| + | [[RoleExtensionUserDocumentation class|RoleExtensionUserDocumentation]] | ||
| + | * InformsUsers: false | ||
| + | * PermissionRequired: 4 | ||
| + | * LimitToPath: "Participants" | ||
| + | * IncludeChildrenInPath: false | ||
| + | * PathIsRelevative: true | ||
| + | |||
| + | ===== Access to A ===== | ||
| + | [[RoleExtensionRoleDocumentation class|RoleExtensionRoleDocumentation]] | ||
| + | * OnParent: true | ||
| + | * LimitToPath: "Products\RRR\Companies" | ||
| + | * IncludeChildrenInPath: true | ||
| + | * PathIsRelative: false | ||
| + | * RoleRequired: true | ||
| + | * PermissionRequired: 2 | ||
| + | * ShowResultInGrid: true | ||
| + | * Result | ||
| + | ** HasAccess: bool, Writeable: true, Required: true | ||
| + | ===== Participants OnAdded ===== | ||
| + | [[RoleExtensionEventDocumentation class|RoleExtensionEventDocumentation]] - This is an event | ||
| + | ===== A Status ===== | ||
| + | [[RoleExtensionUserDocumentation class|RoleExtensionUserDocumentation]] | ||
| + | * InformsUsers: false | ||
| + | * PermissionRequired: 2 | ||
| + | * LimitToPath: "Participants" | ||
| + | * IncludeChildrenInPath: false | ||
| + | * PathIsRelevative: true | ||
| + | * ShowQueryInGrid: true | ||
| + | * Result | ||
| + | ** Started: bool, Writeable: false | ||
| + | ** Progress: int, Writeable: false | ||
| + | ** ... | ||
[[Category:Roles]] | [[Category:Roles]] | ||
Latest revision as of 08:44, 19 December 2019
A role is very simply a Group with the sub-type Role.
This allows you to use all of the CGScript functions on groups, imports, export, and the many other system features there are on groups.
Contents
Example folder structure
The roles does not have a required folder structure beyond defining where the role extensions themselves are located. How the access to the resources that membership of the role itself is not actually part of the role structure, but in order to facilitate an easy way to get an overview of any role, here is a suggestion for how to setup a new product that utilizes roles to ensure the proper access to all resources.
In our example, that we will call RRR, we have the following requirements:
Requirements
- RRR is fundamentally a product that consist of a series of sub-products A, B and C where each consists of a number of resources:
- A series of questionnaires.
- A reporting portal for individuals.
- A reporting portal for department leaders.
- Sales to RRR is through multiple channels
- The owners, which we shall call SuperAdmins, may sell either to individuals, companies or resellers.
- Companies may "sell" to their departments.
- Resellers can sell to other companies.
- Companies and individuals may buy access online.
- The seller may restrict access to a limited set of sub-products.
- Administration of user (HR admins) in a reseller, company or department should be possible without having to pay for the account to do so.
- Payment is based on price per user that has access to a sub-product, so access to A may cost 10 per user and B may cost 20.
Access
Since the questionnaires in RRR ask sensitive information, access to each users answers is restricted:
- A user only has access to view their own data.
- A HR admin has access to the user, not the collected data of the user.
- A department leader has same access to the user as the HR admin, but also has access to aggregated data for the departments members.
- Sellers should have same access as HR admins to the companies they sell to.
- The seller may restrict access to a limited set of sub-products. I.e. it should be possible for a department to only be able to give their members access to A. Similarly, an individual buying access to A should only have access to A.
Folder structure
Name in parentheses means a role, otherwise it is a folder or questionnaire or other resource.
In brackets are access, if not specified default is [Inherit: true;], System access is not shown.
- Products
- RRR [Inherit: false]
- (SuperAdmins) [SuperAdmins: Write]
- Companies [SuperAdmins: Full]
- Company X
- Role Exts [Inherit: false; SuperAdmins: Read; HR Admins (All Companies): Read]
- Create Company [Impersonated]
- Delete Company
- Products
- A
- B
- C
- RRR [Inherit: false]
- Role Exts [SuperAdmins: Read; HR Admins (All Companies): Read]
- Reset Password
- Send GDPR data download
- Anonymize user
- Access expiration
Under a Company there is the following structure:
- Company X [HR Admins (This company): Full]
- (HR Admins)
- (Leaders)
- (Members)
- Data [Inherit: false; Leaders: Read]
- ...dcs...
- Users
- ...user...
- Dept X ← which itself is a Company folder
Individuals are stored under a "not-so-special" company named "Individuals" in their own private Company folder.
Resellers are "not-so-special" companies that simply create new companies like others would create new departments.
Under the Products, the organization is as follows:
- A
- (Participants) [HR Admins (For those companies that have access): Write; SuperAdmins: Write]
- Qnaire A1
- Qnaire A2
- Reporting Individual [Participants: Read]
- Reporting Leader [Leaders (For those companies that have access): Read]
- Role Exts [HR Admins (For those companies that have access): Read; SuperAdmins: Read]
- Reset user [Impersonated]
- Give Access to A [Impersonated]
- A Status [Impersonated]
- Participants OnAdded [Impersonated]
Script documentation
In this section we discuss what each script should return as documentation to function correctly
Create Company
RoleExtensionRoleDocumentation
- OnParent: true
- LimitToPath: "Companies"
- IncludeChildrenInPath: true
- PathIsRelative: true
- RoleRequired: false
- PermissionRequired: 2
- Parameters
- Name: string, Required: true
- Admin User first name: string, Required: false
- Admin User last name: string, Required: false
- Admin User email: string, Required: false
- Inform Admin user: bool, Required: true
Delete Company
RoleExtensionRoleDocumentation
- OnParent: true
- LimitToPath: "Companies"
- IncludeChildrenInPath: true
- PathIsRelative: true
- RoleRequired: true
- PermissionRequired: 6
- Parameters
- Are you sure: bool, Required: true
Reset Password
RoleExtensionUserDocumentation
- InformsUsers: true
- PermissionRequired: 6
- LimitToPath: empty
Send GDPR data download
RoleExtensionUserDocumentation
- InformsUsers: true
- PermissionRequired: 2
- LimitToPath: empty
Anonymize user
RoleExtensionUserDocumentation
- LimitToPath: empty
Access expiration
RoleExtensionUserDocumentation
- ShowResultInGrid: true
- Result
- When: date. Required: false. Writeable: true
Reset user
RoleExtensionUserDocumentation
- InformsUsers: false
- PermissionRequired: 4
- LimitToPath: "Participants"
- IncludeChildrenInPath: false
- PathIsRelevative: true
Access to A
RoleExtensionRoleDocumentation
- OnParent: true
- LimitToPath: "Products\RRR\Companies"
- IncludeChildrenInPath: true
- PathIsRelative: false
- RoleRequired: true
- PermissionRequired: 2
- ShowResultInGrid: true
- Result
- HasAccess: bool, Writeable: true, Required: true
Participants OnAdded
RoleExtensionEventDocumentation - This is an event
A Status
RoleExtensionUserDocumentation
- InformsUsers: false
- PermissionRequired: 2
- LimitToPath: "Participants"
- IncludeChildrenInPath: false
- PathIsRelevative: true
- ShowQueryInGrid: true
- Result
- Started: bool, Writeable: false
- Progress: int, Writeable: false
- ...
