
AnA20S01PermissionsEnhancements

Story summary Permissions Enhancements
Iteration AnA20Permissions
FEA AnA20S01PermissionsEnhancements
Story Lead  
Next Story  
Passed acceptance test No

Tasks

Currently there are two problems related to permissions in LibrePlan:

  • Few permissions have been created.
  • Many pages and operations are not protected by any permission.

Together, these two points make LibrePlan poorly suited to deployment in a company with role segmentation, where operations are distributed and access to information needs to be limited depending on the user.

This is what the set of tasks in this analysis story is going to fix.

Fix issues in web services permissions

The web service writer and reader permissions allow reading and writing ALL the communications that go through the web services.

Proposal:

  • Create a specific permission for all the subcontracting operations.
  • Keep, for web service reader and writer, the capacity to read or write all the services except the subcontracting operations.

Create new architecture of permissions

| Role name | UserRole value | Description | New | Action |
|---|---|---|---|---|
| Administration | ROLE_ADMINISTRATION | Current permission for administrative operations | NOT | Remove this permission |
| Read all projects | ROLE_READ_ALL_ORDERS | Permission to access all the projects in read-only mode | NOT | Keep |
| Edit all projects | ROLE_EDIT_ALL_ORDERS | Permission to access all the projects in write mode | NOT | Keep |
| Create projects | ROLE_CREATE_ORDER | Permission to create new projects | NOT | Keep |
| Web service reader | ROLE_WS_READER | Permission to read all web services | NOT | Modify to exclude subcontractor communications |
| Web service writer | ROLE_WS_WRITER | Permission to write all web services | NOT | Modify to exclude subcontractor communications |
| Web service subcontractor operations | ROLE_WS_SUBCONTRACTING | Permission to send subcontractor operations (to the customer or to the subcontractor) | YES | Implement |
| Bound users | ROLE_BOUND_USER | It will be assigned to the bound users, and it will not be possible to administer it through the user permissions pages. It will allow saving expenses for the resource bound to the user. It will allow access to the my account page. | YES | Implement |
| Superuser | ROLE_SUPERUSER | It grants access to all the pages of the application | YES | Implement |
| Planning | ROLE_PLANNING | It will allow access to the company view perspectives (all of them) | YES | Implement |
| Templates | ROLE_TEMPLATES | It allows access to the templates page | YES | Implement |
| Workers | ROLE_WORKERS | Access to the worker page | YES | Implement. To go to the user page of a user bound to a resource you additionally need the User page permission |
| Machines | ROLE_MACHINES | Access to the machines page | YES | Implement |
| Virtual workers | ROLE_VIRTUAL_WORKERS | Access to the virtual worker page | YES | Implement |
| Calendars | ROLE_CALENDARS | Access to the calendars page | YES | Implement |
| Calendars exception days | ROLE_CALENDAR_EXCEPTION_DAYS | Access to the exception days page | YES | Implement |
| Criteria | ROLE_CRITERIA | Access to the criteria page | YES | Implement |
| Progress Types | ROLE_PROGRESS_TYPES | Access to the progress page | YES | Implement |
| Labels | ROLE_LABELS | Access to the labels page | YES | Implement |
| Materials | ROLE_MATERIALS | Access to the materials page | YES | Implement |
| Material Units | ROLE_MATERIAL_UNITS | Access to the unit measures page | YES | Implement |
| Quality forms | ROLE_QUALITY_FORMS | Access to the quality forms page | YES | Implement |
| Timesheets | ROLE_TIMESHEETS | Permission to access time tracking | YES | Implement. Warning: it allows access to monthly timesheets too |
| Timesheets templates | ROLE_TIMESHEETS_TEMPLATES | Access to the work report models page | YES | Implement |
| Expenses | ROLE_EXPENSES | Permission to save expenses | NOT | Keep |
| Cost categories | ROLE_COST_CATEGORIES | Access to the cost categories page | YES | Implement |
| Hours types | ROLE_HOURS_TYPES | Access to the work hours page | YES | Implement |
| Main settings | ROLE_MAIN_SETTINGS | Access to the LibrePlan configuration page | YES | Implement |
| User accounts | ROLE_USER_ACCOUNTS | Access to the user accounts page | YES | Implement. To go to the worker page of a bound worker you additionally need the Workers page permission |
| Profiles | ROLE_PROFILES | Access to the user profiles page | YES | Implement |
| Companies | ROLE_COMPANIES | Access to the companies page | YES | Implement |
| Send to subcontractors | ROLE_SEND_TO_SUBCONTRACTORS | Access to the send to subcontractors page | YES | Implement |
| Received from subcontractors | ROLE_RECEIVED_FROM_SUBCONTRACTORS | Access to the progress report page | YES | Implement |
| Send to customers | ROLE_SEND_TO_CUSTOMERS | Access to the send to customers page | YES | Implement |
| Received from customers | ROLE_RECEIVED_FROM_CUSTOMERS | Access to the received from customers page | YES | Implement |
| Timesheet lines list report | ROLE_TIMESHEET_LINES_LIST_REPORT | Access to timesheet lines list report page | YES | Implement |
| Hours worked per resource report page | ROLE_HOURS_WORKED_PER_RESOURCE_REPORT | Access to hours worked by resource report page | YES | Implement |
| Total worked hours by resource in a month report page | ROLE_TOTAL_WORKED_HOURS_BY_RESOURCE_IN_A_MONTH_REPORT | Access to total worked hours by resource in a month report page | YES | Implement |
| Work and progress per project report page | ROLE_WORK_AND_PROGRESS_PER_PROJECT_REPORT | Access to work and progress per project report page | YES | Implement |
| Work and progress per task report page | ROLE_WORK_AND_PROGRESS_PER_TASK_REPORT | Access to work and progress per task report page | YES | Implement |
| Estimated/planned hours per task report page | ROLE_ESTIMATED_PLANNED_HOURS_PER_TASK_REPORT | Access to estimated/planned hours per task report page | YES | Implement |
| Project cost report page | ROLE_PROJECT_COST_REPORT | Access to project cost report page | YES | Implement |
| Task scheduling status in project report page | ROLE_TASK_SCHEDULING_STATUS_IN_PROJECT_REPORT | Access to task scheduling status report page | YES | Implement |
| Materials need at date report page | ROLE_MATERIALS_NEED_AT_DATE_REPORT | Access to materials need at date report page | YES | Implement |

Profiles

A set of predefined profiles will be created in LibrePlan, representing typical roles that can be present in companies. A typical role is defined as a set of areas of responsibility that can be grouped in a single person.

  • There are feasible scenarios where a single user gathers the responsibilities of several profiles. This is not a problem: the solution is to assign to the user all the roles performed.
  • There are other organizations where a user matches one and only one profile. There is no problem here.

The set of profiles to create, with the roles assigned to each one, is specified in the following table:

| Profile Name | Roles associated | Implementation notes |
|---|---|---|
| System administrator | Configuration page, User accounts page, Profiles page | --- |
| Project manager | All projects read allowed, All projects edition allowed, Project creation allowed, Project planning, Project templates page, Worker page, Machine page, Virtual workers page, Received from subcontractors page, Received from customers page, Calendars page, Materials page, Quality forms page, Progress page, Criteria page, Exception days page, Labels page, Unit measures page, Work and Progress per project report page, Work and progress per task report page, Estimated/planned hours per task report page, Task scheduling status in project report page, Materials need at date report page | --- |
| Human resource & Accounting manager | Worker page, Machine page, Virtual work groups page, Companies page, Cost categories page, Work hours page, Exception days page, Calendars page, Expenses tracking page, Project cost report page | --- |
| Time tracking and expenses responsible | Time tracking, Expenses tracking, Work hours, Work report models, Total hours worked by resource report page, Hours worked by resource report page, Work report lines report page | --- |
| Outsourcing manager | Companies page, Send to subcontractors page, Received from subcontractors page, Send to customers, Received from customers page | --- |
| Reports responsible | All projects read allowed, Work report lines report page, Hours worked by resource report page, Total hours worked by resource report page, Total worked hours by resource in a month report page, Work and progress per project report page, Work and progress per task report page, Estimated/planned hours per task report page, Project cost report page, Materials need at date report page | --- |

Default users

There will be a set of predefined users in LibrePlan. A set of users was already created by default. The changes to make are specified in the following table:

| Username | Permissions | Profiles | New | Implementation |
|---|---|---|---|---|
| user | | | NOT | Warning: remove this user |
| admin | Superuser, Read all projects, Edit all projects, Create projects | | NOT | Modify this user to have this configuration. It must be forbidden both to remove this user and to remove the All pages permission, because it is dangerous: the application can be put in an unusable state. |
| wsreader | Web service reader | | NOT | It is necessary to check that with this permission you cannot read subcontracting information |
| wswriter | Web services writer | | NOT | It is necessary to check that with this permission you cannot write any information related to subcontracting |
| wssubcontracting | Web subcontractor operations | | NOT | It is necessary to check that with this permission you cannot read or write any information related to other web services |
| manager | | Project manager | YES | It has to be created |
| hresources | | Human resource & Accounting manager | YES | It has to be created |
| outsourcing | | Outsourcing manager | YES | It has to be created |
| reports | | Reports manager | YES | It has to be created |
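
The three web-service checks in the table above can be written as a deny matrix and run against an authorization policy. The following is an added example, not LibrePlan code: the role strings are the UserRole values from this page, while the function names, the read/write operation labels, and the assumption that ROLE_WS_SUBCONTRACTING covers both reading and writing subcontracting services are illustrative.

```python
# UserRole values taken from the permissions table on this page.
WS_READER = "ROLE_WS_READER"
WS_WRITER = "ROLE_WS_WRITER"
WS_SUBCONTRACTING = "ROLE_WS_SUBCONTRACTING"

# Default web-service users and the one permission each holds.
DEFAULT_WS_USERS = {
    "wsreader": {WS_READER},
    "wswriter": {WS_WRITER},
    "wssubcontracting": {WS_SUBCONTRACTING},
}

# Cells the default-users table says must be denied:
# (username, operation, is_subcontracting_service)
MUST_DENY = [
    ("wsreader", "read", True),
    ("wswriter", "write", True),
    ("wssubcontracting", "read", False),
    ("wssubcontracting", "write", False),
]


def current_policy(roles, operation, subcontracting):
    """Behaviour reported as the problem: reader/writer cover ALL services."""
    if operation not in ("read", "write"):
        raise ValueError(f"unknown operation: {operation!r}")
    return (WS_READER if operation == "read" else WS_WRITER) in roles


def proposed_policy(roles, operation, subcontracting):
    """Proposal: subcontracting services need their own permission."""
    general = current_policy(roles, operation, subcontracting)  # validates operation
    if subcontracting:
        # Assumption: the dedicated role covers both read and write here.
        return WS_SUBCONTRACTING in roles
    return general


def failed_checks(policy, users=DEFAULT_WS_USERS):
    """List the MUST_DENY cells that `policy` wrongly grants."""
    return [(user, op, sub) for user, op, sub in MUST_DENY
            if policy(users[user], op, sub)]
```

Running `failed_checks` against the real authorization layer after each change to the web-service roles turns the table's "it is necessary to check" notes into a regression test.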

Menu refactoring

This task proposes refactoring the top menu to group the menu options according to the module or area of functionality they are linked to or belong to.

The new menu structure is the following:

Planning

  • Company view
  • Projects
  • Resource load
  • Limiting resources
  • Templates

Resources

  • Workers
  • Machines
  • Virtual Workers
  • Calendars
  • Calendar exception days
  • Criteria
  • Progress Types
  • Labels
  • Materials
  • Material Units
  • Quality forms

Cost

  • Timesheets
  • Timesheets templates
  • Expenses
  • Cost categories
  • Hours types

Configuration

  • Main settings
  • User accounts
  • Profiles

Communications

  • Companies
  • Send to subcontractors
  • Received from subcontractors
  • Send to customers
  • Received from customers

Personal area

  • Home
  • Preferences
  • Change password

Fix reports

Currently the reports share the following general problem: many of them receive as an input parameter the project or projects from which the report is produced, and all users can get the data from all the reports. It is more coherent to allow extracting data only from the projects the user has permission over.

The specific modifications are the following:

Work and progress per project

  • If no filter is specified, the report will extract the information for all the projects the user has permissions over (read or write permissions).
  • In the filter it is only possible to choose the projects the user has permissions over (read or write permissions).

Work and progress per task

In this report a project must be specified as input data. Currently, the user can select any project to get the report. The new situation will be:

  • To access the report page the user has to have the page permission granted.
  • The project filter must be modified to allow selecting only the projects over which the user has read or write permission.

Estimated/Planned hours per task

In the estimated/planned hours per task report a project must be specified. Currently, the user can select any of the projects in LibrePlan. Changes:

  • To access this report the user must have the page permission granted.
  • In the project combo, only the projects over which the user has read or write permission can be selected.

Project Costs Per Resource

In this report it is optional to specify the project or projects for which the cost by resource is wanted. The modifications needed are the following:

  • To access this page the user must have the specific permission for this page.
  • If the user does not fill in any project, the report is produced for all the projects the user has permissions over.
  • The project selection combo will show only the projects over which the user has permission.

Task scheduling status in project

In this report a project must be specified in a combo. So, the modifications are:

  • Allow access to this page to the users with the specific page permission.
  • A project must be specified to get the report. The combo has to be modified to allow selecting only the projects the user has permission over.

Materials needs at date

In this report it is optional to select one or more projects to get the materials need. The modifications to carry out are the following:

  • Access to this report is granted to the users with this specific report permission.
  • If no project is included in the filter, the report is extracted for all the projects the user has permission over.
  • The filter combo will include only the projects the user can access according to his permissions.

Review entry points

Review and fix the entry points in the following places:

Link from the report Work report Lines => Work report.

  • If the line belongs to a BOUND_USER, you are that user, and the work report is a monthly timesheet => you can edit the monthly timesheet.
  • If the line does not belong to a BOUND_USER, the link to the work report only works if the user has the permission "Page work report".

Link from the Assignment log tab of the templates to the projects

The button that goes from the template's assignment log to the project where the template has been applied must be disabled when the user does not have permission over the project. A user has permission over a project when:

  • It has permission to read all the projects.
  • It has permission to write all the projects.
  • It has direct permission using the authorization system in the projects.
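
The three conditions above, combined with the report rules in "Fix reports" (page permission required, empty filter means every permitted project, only permitted projects selectable), can be enforced in one server-side function so the rule does not depend on the combo contents alone. This is an added example, not LibrePlan code: the role strings come from this page, while `User`, `direct_projects`, the function names and the `required` flag are hypothetical.

```python
from dataclasses import dataclass

READ_ALL = "ROLE_READ_ALL_ORDERS"
EDIT_ALL = "ROLE_EDIT_ALL_ORDERS"
SUPERUSER = "ROLE_SUPERUSER"  # grants access to all pages


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    # Hypothetical field: projects granted through per-project authorization.
    direct_projects: frozenset = frozenset()


def has_project_permission(user, project):
    """Read-all, write-all, or a direct grant on this project."""
    return (READ_ALL in user.roles or EDIT_ALL in user.roles
            or project in user.direct_projects)


def selectable_projects(user, all_projects):
    """Projects that may be offered in the report's filter combo."""
    return [p for p in all_projects if has_project_permission(user, p)]


def report_scope(user, page_role, requested, all_projects, required=False):
    """Resolve the projects one report run may cover, checked server-side.

    Raises PermissionError if the page permission is missing or the request
    names a project the user has no permission over, so the rule holds even
    when the request did not come from the filtered combo.
    """
    if page_role not in user.roles and SUPERUSER not in user.roles:
        raise PermissionError(f"{user.name} lacks {page_role}")
    allowed = selectable_projects(user, all_projects)
    if not requested:
        if required:
            raise ValueError("this report needs a project")
        return allowed  # no filter: all projects the user has permission over
    denied = [p for p in requested if p not in allowed]
    if denied:
        raise PermissionError(f"no permission over: {', '.join(denied)}")
    return list(requested)
```

Pass `required=True` for the reports that need a project as input (work and progress per task, estimated/planned hours per task, task scheduling status in project).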

User edition and bound resources

Two pages have to be taken into account:

  • To create bound resources or edit the bound user of a resource from the worker administration window, the user has to have the "User Page" permission.
  • To go to the worker edition window from the user administration page:
    • If permission over Worker Page => Button Go to worker edition enabled.
    • If NOT permission over Worker Page => Button Go to worker edition disabled.

Access from resource load to the pop-up allocation of a task

In this case the entry point is already protected, but it has to be reviewed to make sure everything is fine.

User stories

Tasks in this story

Topic revision: r14 - 21 Jun 2012 - mrego