| ... | @@ -2,7 +2,7 @@ |
... | @@ -2,7 +2,7 @@ |
|
|
|
|
|
|
|
# Permissons
|
|
# Permissons
|
|
|
|
|
|
|
|
To explain basic permissioning, we will use
|
|
To explain basic permissioning (ignoring worklows), we will use
|
|
|
a helpdesk example. This is the basic table structure of our example:
|
|
a helpdesk example. This is the basic table structure of our example:
|
|
|
|
|
|
|
|
|
|
|
| ... | @@ -18,18 +18,53 @@ The setup designed to make sure customers only see their own tickets, |
... | @@ -18,18 +18,53 @@ The setup designed to make sure customers only see their own tickets, |
|
|
empoyees to have private comments and the accountants to have a set of departments
|
|
empoyees to have private comments and the accountants to have a set of departments
|
|
|
(which are a tree) they are able to do actions for.
|
|
(which are a tree) they are able to do actions for.
|
|
|
|
|
|
|
|
|
In the following text, we will distinguish between "list" and "join" rights. Both
|
|
|
|
are basically "read" rights, but if a user does not have any transitions defined
|
|
|
|
on an entity, a listing of that entity will always return an empty list.
|
|
|
|
|
|
|
|
Nevertheless, it may be permitted to be joined to another table which references
|
|
|
|
it, so that an instance can always be retrieved with all it's dependencies. Here,
|
|
|
|
the permission on the main entry basically gets inherited by instances it
|
|
|
|
references.
|
|
|
|
|
|
|
|
See [Category] for an example.
|
|
|
|
|
|
|
## Tickets
|
|
## Tickets
|
|
|
|
|
|
|
|
Apart from read, write and delete actions, there is an additional "pay" action which
|
|
Apart from read, write and delete actions, there is an additional "set_department" action which
|
|
|
will change the state of a ticket. Here is a quick overview of who can do which
|
|
will set the value of the cost_bearing_department of a ticket. Here is a quick overview of who can do which
|
|
|
action:
|
|
action:
|
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
```
|
|
|
read write delete pay
|
|
list join on write delete set_department
|
|
|
------------------------------------------
|
|
------------------------------------------------------------
|
|
|
employee all all all -
|
|
employee all [private,public] all all -
|
|
|
customer own own own -
|
|
customer own [public] own own -
|
|
|
accounting all - - -
|
|
accounting all - - - only own departments
|
|
|
------------------------------------------
|
|
------------------------------------------------------------
|
|
|
``` |
|
```
|
|
\ No newline at end of file |
|
|
|
|
|
## Category
|
|
|
|
|
|
|
|
The category table has no explicit permission set at all. But, to enable
|
|
|
|
the creating of a ticket, where it is a required field, full read
|
|
|
|
access is granted to anyone who can create tickets:
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
list join on write delete
|
|
|
|
-----------------------------------
|
|
|
|
employee all [ticket] - -
|
|
|
|
customer all [ticket] - -
|
|
|
|
accounting - [ticket] - -
|
|
|
|
------------------------------------
|
|
|
|
```
|
|
|
|
|
|
|
|
Accounting has no direct read access but can still join any category which is being
|
|
|
|
referenced in the ticket table by tickets. This is restricted to those tickets
|
|
|
|
a role has list rights on.
|
|
|
|
|
|
|
|
## Public Comments
|
|
|
|
|
|
|
|
## Private Comments |
|
|
|
\ No newline at end of file |
