AnA20S01PermissionsEnhancements
LibrePlan Web (21 Jun 2012, ManuelRego)
Field | Value |
---|---|
Story summary | Permissions Enhancements |
Iteration | AnA20Permissions |
FEA | AnA20S01PermissionsEnhancements |
Story Lead | |
Next Story | |
Passed acceptance test | No |
Currently in LibrePlan there are two problems related to permissions:
- Few permissions exist.
- Many pages and operations are not protected by any permission.
These two points make LibrePlan poorly suited to deployment in a company with role segmentation, where operations are distributed among people and access to information has to be limited depending on the user.
This is what the set of tasks in this analysis story is going to fix.
The web service writer and reader permissions currently allow reading and writing ALL the communications exchanged through the web services.
Proposal:
- Create a specific permission for all the subcontracting operations.
- Keep for web service reader and writer the capacity to read or write all the services except the subcontracting operations.
Role name | UserRole value | Description | New | Action |
---|---|---|---|---|
Administration | ROLE_ADMINISTRATION | Current permission for administrative operations | NOT | Remove this permission |
Read all projects | ROLE_READ_ALL_ORDERS | Permission to access all the projects in read-only mode | NOT | Keep |
Edit all projects | ROLE_EDIT_ALL_ORDERS | Permission to access all the projects in write mode | NOT | Keep |
Create projects | ROLE_CREATE_ORDER | Permission to create new projects | NOT | Keep |
Web service reader | ROLE_WS_READER | Permission to read all web services | NOT | Modify to exclude subcontractor communications |
Web service writer | ROLE_WS_WRITER | Permission to write all web services | NOT | Modify to exclude subcontractor communications |
Web service subcontractor operations | ROLE_WS_SUBCONTRACTING | Permission to send subcontractor operations (to the customer or to the subcontractor) | YES | Implement |
Bound users | ROLE_BOUND_USER | Included automatically for bound users; it cannot be administered through the user permissions pages. It allows saving expenses for the resource bound to the user and accessing the "My account" page. | YES | Implement |
Superuser | ROLE_SUPERUSER | Grants access to all the pages of the application | YES | Implement |
Planning | ROLE_PLANNING | Allows access to all the company view perspectives | YES | Implement |
Templates | ROLE_TEMPLATES | Access to the templates page | YES | Implement |
Workers | ROLE_WORKERS | Access to the workers page | YES | Implement. To go to the user accounts page of a user bound to a resource, the User accounts page permission is additionally needed |
Machines | ROLE_MACHINES | Access to the machines page | YES | Implement |
Virtual workers | ROLE_VIRTUAL_WORKERS | Access to the virtual workers page | YES | Implement |
Calendars | ROLE_CALENDARS | Access to the calendars page | YES | Implement |
Calendars exception days | ROLE_CALENDAR_EXCEPTION_DAYS | Access to the exception days page | YES | Implement |
Criteria | ROLE_CRITERIA | Access to the criteria page | YES | Implement |
Progress Types | ROLE_PROGRESS_TYPES | Access to the progress page | YES | Implement |
Labels | ROLE_LABELS | Access to the labels page | YES | Implement |
Materials | ROLE_MATERIALS | Access to the materials page | YES | Implement |
Material Units | ROLE_MATERIAL_UNITS | Access to the unit measures page | YES | Implement |
Quality forms | ROLE_QUALITY_FORMS | Access to the quality forms page | YES | Implement |
Timesheets | ROLE_TIMESHEETS | Permission to access time tracking | YES | Implement |
Timesheets templates | ROLE_TIMESHEETS_TEMPLATES | Access to the work report models page | YES | Implement |
Expenses | ROLE_EXPENSES | Permission to save expenses | NOT | Keep |
Cost categories | ROLE_COST_CATEGORIES | Access to the cost categories page | YES | Implement |
Hours types | ROLE_HOURS_TYPES | Access to the work hours page | YES | Implement |
Main settings | ROLE_MAIN_SETTINGS | Access to the LibrePlan configuration page | YES | Implement |
User accounts | ROLE_USER_ACCOUNTS | Access to the user accounts page | YES | Implement. To go to the worker page of a bound worker, the Workers page permission is additionally needed |
Profiles | ROLE_PROFILES | Access to the user profiles page | YES | Implement |
Companies | ROLE_COMPANIES | Access to the companies page | YES | Implement |
Send to subcontractors | ROLE_SEND_TO_SUBCONTRACTORS | Access to the send to subcontractors page | YES | Implement |
Received from subcontractors | ROLE_RECEIVED_FROM_SUBCONTRACTORS | Access to the progress report page | YES | Implement |
Send to customers | ROLE_SEND_TO_CUSTOMERS | Access to the send to customers page | YES | Implement |
Received from customers | ROLE_RECEIVED_FROM_CUSTOMERS | Access to the received from customers page | YES | Implement |
Timesheet lines list report | ROLE_TIMESHEET_LINES_LIST_REPORT | Access to the timesheet lines list report page | YES | Implement |
Hours worked per resource report page | ROLE_HOURS_WORKED_PER_RESOURCE_REPORT | Access to the hours worked by resource report page | YES | Implement |
Total worked hours by resource in a month report page | ROLE_TOTAL_WORKED_HOURS_BY_RESOURCE_IN_A_MONTH_REPORT | Access to the total worked hours by resource in a month report page | YES | Implement |
Work and progress per project report page | ROLE_WORK_AND_PROGRESS_PER_PROJECT_REPORT | Access to the work and progress per project report page | YES | Implement |
Work and progress per task report page | ROLE_WORK_AND_PROGRESS_PER_TASK_REPORT | Access to the work and progress per task report page | YES | Implement |
Estimated/planned hours per task report page | ROLE_ESTIMATED_PLANNED_HOURS_PER_TASK_REPORT | Access to the estimated/planned hours per task report page | YES | Implement |
Project cost report page | ROLE_PROJECT_COST_REPORT | Access to the project cost report page | YES | Implement |
Task scheduling status in project report page | ROLE_TASK_SCHEDULING_STATUS_IN_PROJECT_REPORT | Access to the task scheduling status report page | YES | Implement |
Materials need at date report page | ROLE_MATERIALS_NEED_AT_DATE_REPORT | Access to the materials need at date report page | YES | Implement |
In LibrePlan a set of predefined profiles will be created that represent typical roles present in companies. A typical role is defined as a set of areas of responsibility that can be grouped in a single person.
- There are feasible scenarios where a single user gathers the responsibilities of several profiles. This is not a problem: the solution is to assign all the roles performed to the user.
- There are other organizations where a user matches one and only one profile. There is no problem here either.
The set of profiles to create, with the roles assigned to each one, is specified in the next table:
Profile Name | Roles associated | Implementation notes |
---|---|---|
System administrator | Configuration page, User accounts page, Profiles page | --- |
Project manager | All projects read allowed, All projects edition allowed, Project creation allowed, Project planning, Project templates page, Worker page, Machine page, Virtual workers page, Received from subcontractors page, Received from customers page, Calendars page, Materials page, Quality forms page, Progress page, Criteria page, Exception days page, Labels page, Unit measures page, Work and progress per project report page, Work and progress per task report page, Estimated/planned hours per task report page, Task scheduling status in project report page, Materials need at date report page | --- |
Human resource & Accounting manager | Worker page, Machine page, Virtual work groups page, Companies page, Cost categories page, Work hours page, Exception days page, Calendars page, Expenses tracking page, Project cost report page | --- |
Time tracking and expenses responsible | Time tracking, Expenses tracking, Work hours, Work report models, Total hours worked by resource report page, Hours worked by resource report page, Work report lines report page | --- |
Outsourcing manager | Companies page, Send to subcontractors page, Received from subcontractors page, Send to customers, Received from customers page | --- |
Reports responsible | All projects read allowed, Work report lines report page, Hours worked by resource report page, Total hours worked by resource report page, Total worked hours by resource in a month report page, Work and progress per project report page, Work and progress per task report page, Estimated/planned hours per task report page, Project cost report page, Materials need at date report page | --- |
In LibrePlan there will be a set of predefined users. A set of users was already created by default. The changes to make are specified in the next table:
Username | Permissions | Profiles | New | Implementation |
---|---|---|---|---|
user | | | NOT | |
admin | Superuser, Read all projects, Edit all projects, Create projects | | NOT | Modify this user to have this configuration. It must be forbidden both to remove this user and to remove the Superuser (all pages) permission, because the application could be left in an unusable state. |
wsreader | Web service reader | | NOT | Check that with this permission subcontracting information cannot be read |
wswriter | Web service writer | | NOT | Check that with this permission no information related to subcontracting can be written |
wssubcontracting | Web service subcontractor operations | | NOT | Check that with this permission no information related to the other web services can be read or written |
manager | | Project manager | YES | It has to be created |
hresources | | Human resource & Accounting manager | YES | It has to be created |
outsourcing | | Outsourcing manager | YES | It has to be created |
reports | | Reports manager | YES | It has to be created |
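The three checks the table asks for on wsreader, wswriter and wssubcontracting, together with the earlier proposal to carve subcontracting out of the reader and writer roles, can be modelled as one decision function. This is an added example, not LibrePlan code: the service names and the mapping of HTTP methods to read and write are constructed, and reader and writer are assumed to grant read-only and write-only access respectively.

```python
# Added model of the proposed web-service role split (not LibrePlan code).
# Service names and the method-to-read/write mapping are constructed here.
from dataclasses import dataclass, field

# Constructed sample endpoints; ROLE_WS_SUBCONTRACTING keys on this split.
SUBCONTRACTING_SERVICES = {"subcontract", "subcontract_progress"}
OTHER_SERVICES = {"orders", "resources", "calendars"}

READ_METHODS = {"GET"}
WRITE_METHODS = {"POST", "PUT", "DELETE"}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def ws_allowed(user: User, service: str, method: str) -> bool:
    """Decide one web-service call. Unknown services or methods are denied."""
    if service not in SUBCONTRACTING_SERVICES | OTHER_SERVICES:
        return False
    if method in READ_METHODS:
        needed = "ROLE_WS_READER"
    elif method in WRITE_METHODS:
        needed = "ROLE_WS_WRITER"
    else:
        return False
    if service in SUBCONTRACTING_SERVICES:
        # Only the dedicated role reaches subcontracting communications;
        # reader and writer are excluded regardless of method.
        return "ROLE_WS_SUBCONTRACTING" in user.roles
    # Every other service: reader reads, writer writes, nothing else.
    return needed in user.roles


def audit_default_users() -> dict:
    """The three checks the users table asks for, as expected outcomes."""
    wsreader = User("wsreader", {"ROLE_WS_READER"})
    wswriter = User("wswriter", {"ROLE_WS_WRITER"})
    wssub = User("wssubcontracting", {"ROLE_WS_SUBCONTRACTING"})
    return {
        "reader_reads_orders": ws_allowed(wsreader, "orders", "GET"),
        "reader_reads_subcontract": ws_allowed(wsreader, "subcontract", "GET"),
        "writer_writes_orders": ws_allowed(wswriter, "orders", "POST"),
        "writer_writes_subcontract": ws_allowed(wswriter, "subcontract", "POST"),
        "sub_writes_subcontract": ws_allowed(wssub, "subcontract", "PUT"),
        "sub_reads_orders": ws_allowed(wssub, "orders", "GET"),
    }
```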
In this task it is proposed to refactor the top menu to group the menu options according to the module or area of functionality they belong to.
The new menu structure is the following:
Planning
- Company view
- Projects
- Resource load
- Limiting resources
- Templates
Resources
- Workers
- Machines
- Virtual Workers
- Calendars
- Calendar exception days
- Criteria
- Progress Types
- Labels
- Materials
- Material Units
- Quality forms
Cost
- Timesheets
- Timesheets templates
- Expenses
- Cost categories
- Hours types
Configuration
- Main settings
- User accounts
- Profiles
Communications
- Companies
- Send to subcontractors
- Received from subcontractors
- Send to customers
- Received from customers
Personal area
- Home
- Preferences
- Change password
Currently the reports have the following general problem: many of them receive as input parameter the project or projects the report is built from, and all users can get data from all the reports. It is more coherent to allow extracting data only from the projects the user has permission over.
The specific modifications are the following:
Work and progress per project
- If no filter is specified, the report extracts the information for all the projects the user has permission over (read or write permissions).
- In the filter it is only possible to choose the projects the user has permission over (read or write permissions).
Work and progress per task
In this report a project has to be specified as input data. Currently the user can select any project to get the report. The new situation will be:
- To access the report page the user has to have the page permission granted.
- The project filter has to be modified to allow selecting only the projects the user has read or write permission over.
Estimated/Planned hours per task
In the estimated/planned hours per task report a project has to be specified. Currently the user can select any of the projects in LibrePlan. Changes:
- To access this report the user has to have the page permission granted.
- In the project combo, only the projects the user has read or write permission over can be selected.
Project Costs Per Resource
In this report specifying the project or projects for which the cost per resource is wanted is optional. The modifications needed are the following:
- To access this page the user has to have the specific permission for this page.
- If the user does not select any project, the report is built for all the projects the user has permission over.
- The project selection combo shows only the projects the user has permission over.
Task scheduling status in project
In this report a project has to be specified in a combo. So the modifications are:
- Allow access to this page only to users with the specific page permission.
- A project has to be specified to get the report. The combo has to be modified to allow selecting only the projects the user has permission over.
Materials needs at date
In this report selecting one or more projects to get the materials need is optional. The modifications to accomplish are the following:
- Access to this report is granted to users with the specific report permission.
- If no project is included in the filter, the report is extracted for all the projects the user has permission over.
- The filter combo includes only the projects the user can access according to their permissions.
Review and fix the entry points in the following places:
Link from the Work report lines report => Work report
- If the line belongs to a BOUND_USER, you are that user and the work report is a monthly timesheet => you can edit the monthly timesheet.
- If the line does not belong to a BOUND_USER, the link to the work report only works if the user has the "Page work report" permission.
Link from the Assignment log tab of the templates to the projects
The button to go from the assignment log of a template to the project where the template has been applied has to be disabled when the user has no permission over the project. A user has permission over a project when:
- They have permission to read all the projects.
- They have permission to write all the projects.
- They have direct permission through the authorization system of the projects.
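The three conditions above are the same rule the report fixes rely on, so one predicate can serve both the contents of a report's project combo and the server-side check of a submitted filter. This is an added illustration, not LibrePlan code; the per-project direct_read/direct_write sets stand in for LibrePlan's project authorization system, and the project codes and usernames are constructed.

```python
# Added model of the project-level rule used by the report fixes above
# (not LibrePlan code); the direct-authorization sets are constructed stand-ins.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Project:
    code: str
    direct_read: frozenset = frozenset()   # usernames with direct read access
    direct_write: frozenset = frozenset()  # usernames with direct write access


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def has_project_permission(user: User, project: Project) -> bool:
    """The three conditions: read all, write all, or direct authorization."""
    if {"ROLE_READ_ALL_ORDERS", "ROLE_EDIT_ALL_ORDERS"} & user.roles:
        return True
    return user.name in project.direct_read or user.name in project.direct_write


def selectable_projects(user: User, projects: list) -> list:
    """What the report's project combo offers: only permitted projects."""
    return [p for p in projects if has_project_permission(user, p)]


def projects_for_report(user: User, projects: list, selected: list) -> list:
    """Empty filter: every project the user may see. Explicit selection:
    re-checked server side instead of trusting what the combo offered."""
    allowed = selectable_projects(user, projects)
    if not selected:
        return allowed
    denied = sorted(set(selected) - {p.code for p in allowed})
    if denied:
        raise PermissionError(f"{user.name} has no permission over {denied}")
    return [p for p in allowed if p.code in selected]


# Constructed sample data: P1 is visible only through the read/write-all roles.
PROJECTS = [
    Project("P1"),
    Project("P2", direct_read=frozenset({"alice"})),
    Project("P3", direct_write=frozenset({"bob"})),
]
```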
User edition and bound resources
Two pages have to be taken into account:
- To create bound resources or edit the bound user of a resource from the worker administration window, the user has to have the "User Page" permission.
- To go to the worker edition window from the user administration page:
- If the user has permission over the Worker Page => the "Go to worker edition" button is enabled.
- If the user has NOT permission over the Worker Page => the "Go to worker edition" button is disabled.
Access from resource load to the pop-up allocation of a task
In this case the entry point is already protected, but it has to be reviewed to make sure everything is fine.
Tasks | Est | Spent | To do | Risk | Reviewer | Developer | Task Name | Start Date | Est End Date | End Date |
---|---|---|---|---|---|---|---|---|---|---|
Task | 4 | 4 | 0 | Low | JavierMoran | ManuelRego | Fix issues in web services permissions | | | |
Task | 4 | 4 | 0 | Low | JavierMoran | ManuelRego | Create new architecture of permissions | | | |
Task | 3 | 3 | 0 | Low | JavierMoran | ManuelRego | Profiles | | | |
Task | 3 | 3 | 0 | Low | JavierMoran | ManuelRego | Default users | | | |
Task | 3 | 3 | 0 | Low | JavierMoran | ManuelRego | Menu refactoring | | | |
Task | 7 | 7 | 0 | Low | JavierMoran | ManuelRego | Fix reports | | | |
Task | 4 | 4 | 0 | Low | JavierMoran | ManuelRego | Review entry points | | | |
Copyright (c) by the contributing authors. All material on this collaboration platform is the property of the contributing authors.