Managing Privileges & Roles
The most secure way to manage privileges for users and roles is to confine use of privilege to commands in a rights profile. The rights profile is then included in a role. The role is assigned to a user. When the user assumes the assigned role, the privileged commands are available to be run in a profile shell. The following procedures show how to assign privileges, remove privileges, and debug privilege use.
This application has a built-in permission system based on an ACL architecture, so you can set permissions for a role (group) or for an individual user on separate modules.
In Eicra's Application there are three privilege levels, as well as an extra 'Administrator' privilege. The three privileges take effect per user per table, i.e. a user can have certain privileges on one table and different ones on another. By default the software has three roles: Developer, Administrator and Registered Member. A role is an encapsulated set of permissions across the various modules.
The levels are:
- VIEW: ability to read data only
- EDIT: ability to read and edit data
- MANAGE: ability to modify the database structure, i.e. create/delete tables, fields, reports etc., basically to build up and tear down databases. MANAGE also allows a user to unlock an individual record for editing if it has been locked.
For users with fewer privileges, the user interface is simplified.
Super Admin Privileges:
In our application model, the Super Admin retains unrestricted access to the application. The Super Admin acts as "root", sitting at the top of the privilege hierarchy. Unlike in other applications, the "Administrator" privilege sits just under "Super Admin": it lets the admin perform all administrative tasks, but with somewhat limited access.
The core idea is that "Super Admin" is reserved for the web developer's technical staff, who configure the system/website according to the client's requirements. The site owner or team head can perform his/her daily administrative jobs using "Administrator" access, but the admin cannot take over the system because of the limited privilege.
Assigning Privileges
As a super administrator, to assign privileges, use the Administrator module at the bottom of the pane.
The administrator privilege doesn't apply to a particular table but is a global option that allows setting up of users, roles, assigning privileges and creating modules. If the number of users you manage starts to become large, you may want to assign them roles, which allows privileges to be managed on a mass basis. If a user has a certain role, he/she has all the privileges assigned to that role. Users can have more than one role.
To assign privileges, click on the 'Administration' module then 'users' or 'roles'. This will allow you to select a user/role and assign table privileges. When setting user privileges, Eicra's Application will show any privileges that the user already has due to being a member of a role. In this example, the user has been given MANAGE privileges specifically on timesheets and performance criteria and is a member of a role that has MANAGE privileges on price list and roles.
Once groups exist, you can create new users for each group. To create a new user, go to manage users (User/User in the back-end); there you can create, edit, delete or activate any user. A user gets default permissions according to the group it belongs to (a user cannot belong to more than one group). However, you can still set special permissions for an individual user within a group from the User Management modules.
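The privilege model described above (ordered VIEW/EDIT/MANAGE levels per user per table, roles that bundle table privileges, per-user grants on top of role grants, and a global administrator right that is not tied to any table) can be resolved with a small amount of code. The following is an added example and not Eicra's own code; the role names, table names, users and grants are constructed sample data, and the rule that the highest level from any source wins is an assumption about how the application combines role and user grants.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered table privilege levels; a higher level includes the lower ones."""
    NONE = 0
    VIEW = 1
    EDIT = 2
    MANAGE = 3


# What each level lets a user do on a table (the UI is reduced accordingly).
ACTIONS_BY_LEVEL = {
    Level.NONE:   [],
    Level.VIEW:   ["read"],
    Level.EDIT:   ["read", "edit"],
    Level.MANAGE: ["read", "edit", "create_table", "delete_table", "unlock_record"],
}

# Role -> {table: level}. Constructed sample data: the role and table names
# are illustrative, not an inventory of a real installation.
ROLE_PRIVILEGES = {
    "Registered Member": {"price_list": Level.VIEW, "timesheets": Level.VIEW},
    "Administrator":     {"price_list": Level.MANAGE, "roles": Level.MANAGE},
}

# User -> roles held (a user may hold more than one).
USER_ROLES = {
    "alice": ["Registered Member", "Administrator"],
    "bob":   ["Registered Member"],
}

# Privileges set directly on a user, on top of whatever the roles grant.
USER_PRIVILEGES = {
    "alice": {"timesheets": Level.MANAGE, "criteria": Level.MANAGE},
}

# The administrator privilege is global (users, roles, privileges, modules),
# not a per-table level, so it is tracked separately.
GLOBAL_ADMINISTRATORS = {"alice"}


def privilege_sources(user, table):
    """All (source, level) pairs granting `user` something on `table`.

    Listing role-derived grants next to direct grants is what lets an admin
    see why a user has a privilege before changing it.
    """
    sources = []
    for role in USER_ROLES.get(user, []):
        level = ROLE_PRIVILEGES.get(role, {}).get(table, Level.NONE)
        if level > Level.NONE:
            sources.append((f"role:{role}", level))
    direct = USER_PRIVILEGES.get(user, {}).get(table, Level.NONE)
    if direct > Level.NONE:
        sources.append(("user", direct))
    return sources


def effective_privilege(user, table):
    """Highest level from any source; NONE when nothing grants access (assumption)."""
    return max((level for _, level in privilege_sources(user, table)), default=Level.NONE)


def is_allowed(user, table, required):
    """Server-side check to run before any read/edit/manage operation on `table`."""
    return effective_privilege(user, table) >= required


def available_actions(user, table):
    """Actions the UI should expose to `user` on `table`."""
    return ACTIONS_BY_LEVEL[effective_privilege(user, table)]


def can_administer(user):
    """Global administration right: not derived from any table privilege."""
    return user in GLOBAL_ADMINISTRATORS


def all_tables():
    tables = set()
    for grants in list(ROLE_PRIVILEGES.values()) + list(USER_PRIVILEGES.values()):
        tables.update(grants)
    return tables


def revoke_role(user, role):
    """Drop a role and return the tables where the user's effective level went down.

    That list is what to review when removing someone from a role: privileges
    that survive the revocation come from another role or a direct grant.
    """
    before = {t: effective_privilege(user, t) for t in all_tables()}
    USER_ROLES[user] = [r for r in USER_ROLES.get(user, []) if r != role]
    return sorted(t for t in before if effective_privilege(user, t) < before[t])
```

The check that matters for security is `is_allowed` being called on the server for every table operation; `available_actions` only trims the UI and must not be the sole gate. `privilege_sources` mirrors what the admin screen should show, so that a MANAGE grant inherited from a role is not mistaken for one set directly on the user.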
Global Roles
(could be created via acl_users):
Member
has his/her own space under Members/membername where he/she can create/modify/submit his/her own documents. Members can't create new keywords; they are forced to use existing ones. In addition, a manager can promote a Member to Owner or Reviewer for specified folders (or the whole site).
Manager
The "Manager" can do anything: add/modify users, add keywords, publish/revoke/modify content. The manager assigns local roles to users (promotes them to specific levels). The manager is also the only one responsible for, and able to, change page templates. Nobody else has this ability.
Local roles
(never try to create them in acl_users):
MANAGER'S NOTE: don't create users with local roles in acl_users; things can go badly wrong. Assign roles for folders using the local_role mechanism:
Owner
This role is defined on a per-folder basis (acquisition works here just fine: make somebody the owner of a page, image or module and, through acquisition, he will automatically own /a/b/c beneath it, unless you manually specify that /a/b/c is owned by somebody else). An owner can also create a co-owner via local_roles and remove a reviewer (but can't assign one). This means one folder can have more than one owner, and they all have the same rights in that folder. Owners can't assign roles beyond "Authenticated" and "Owner".
Reviewer
This role is defined on a per-folder basis (acquisition works here just fine: make somebody the reviewer of a page, image or module and he automatically becomes a reviewer for plone/a/b, unless you manually specify plone/a/b to be reviewed by somebody else). A reviewer can edit/publish content/metadata but cannot _create_ new content or change local roles.
Workflow
From all of the above, the current publishing workflow looks like:
Admin -> Member (Owner) -> (submit) -> Reviewer -> (approve / publish) -> everybody has view access
Other options like retract, reject, visible and private are still available.
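The local-role rules (per-folder Owner and Reviewer roles acquired down the folder tree, an explicit assignment lower down overriding the acquired one, Owners limited to granting "Authenticated" and "Owner" and to removing a Reviewer) together with the submit/publish workflow above can be checked by code like the following. This is an added example, not the application's or Plone's own implementation; the users, folder paths and role assignments are constructed sample data, and the rule that the nearest folder explicitly assigning a role stops acquisition of that role from above is an assumption made to model the "unless you specify manually /a/b/c" behaviour.

```python
# Global roles (constructed sample data: users and paths are illustrative).
GLOBAL_ROLES = {
    "mgr":   {"Manager"},
    "alice": {"Member"},
    "rita":  {"Member"},
    "carol": {"Member"},
    "dave":  {"Member"},
}

# Local roles per folder path: path -> {user: set of roles}.
# Assumption: a role assigned explicitly on a folder stops acquisition of that
# role from folders above it (carol owning /a/b/c replaces alice's acquired
# ownership there, while alice still owns /a/b).
LOCAL_ROLES = {
    "/":      {},
    "/a":     {"alice": {"Owner"}, "rita": {"Reviewer"}},
    "/a/b/c": {"carol": {"Owner"}},
}

LOCAL_ROLE_NAMES = ("Owner", "Reviewer", "Authenticated")
ASSIGNABLE_BY_OWNER = {"Authenticated", "Owner"}   # what an Owner may grant
REMOVABLE_BY_OWNER = ASSIGNABLE_BY_OWNER | {"Reviewer"}  # an Owner may also remove a Reviewer

# Publishing workflow: action -> (from state, to state, roles allowed to run it).
TRANSITIONS = {
    "submit":  ("private", "pending",   {"Owner", "Manager"}),
    "publish": ("pending", "published", {"Reviewer", "Manager"}),
    "reject":  ("pending", "private",   {"Reviewer", "Manager"}),
    "retract": ("pending", "private",   {"Owner", "Manager"}),
}


def ancestors(path):
    """'/a/b/c' -> ['/a/b/c', '/a/b', '/a', '/'] (nearest folder first)."""
    parts = [p for p in path.split("/") if p]
    chain = ["/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)]
    return chain + ["/"]


def holders_of(role, path):
    """Users holding `role` at `path`: the nearest folder that explicitly assigns it wins."""
    for folder in ancestors(path):
        users = {u for u, roles in LOCAL_ROLES.get(folder, {}).items() if role in roles}
        if users:
            return users
    return set()


def roles_at(user, path):
    """Global roles plus the local roles `user` acquires at `path`."""
    roles = set(GLOBAL_ROLES.get(user, set()))
    for role in LOCAL_ROLE_NAMES:
        if user in holders_of(role, path):
            roles.add(role)
    return roles


def transition(user, path, state, action):
    """Run a workflow action on content at `path`; return the new state or raise."""
    source, target, allowed_roles = TRANSITIONS[action]
    if state != source:
        raise ValueError(f"{action!r} is not available from state {state!r}")
    if not roles_at(user, path) & allowed_roles:
        raise PermissionError(f"{user} may not {action} at {path}")
    return target


def assign_local_role(actor, path, target_user, role):
    """Managers grant any local role; Owners only 'Authenticated' or 'Owner' (co-owners)."""
    actor_roles = roles_at(actor, path)
    if "Manager" not in actor_roles and not (
        "Owner" in actor_roles and role in ASSIGNABLE_BY_OWNER
    ):
        raise PermissionError(f"{actor} may not grant {role} at {path}")
    LOCAL_ROLES.setdefault(path, {}).setdefault(target_user, set()).add(role)


def remove_local_role(actor, path, target_user, role):
    """Managers remove any local role; Owners may remove a co-owner or a Reviewer."""
    actor_roles = roles_at(actor, path)
    if "Manager" not in actor_roles and not (
        "Owner" in actor_roles and role in REMOVABLE_BY_OWNER
    ):
        raise PermissionError(f"{actor} may not remove {role} at {path}")
    LOCAL_ROLES.get(path, {}).get(target_user, set()).discard(role)
```

`roles_at` is the single place where global and acquired local roles are combined, so both the workflow guard in `transition` and the delegation guards in `assign_local_role` / `remove_local_role` use the same view of who holds what on a given folder. Keeping the Owner's delegation rights narrower than the Manager's is what prevents an Owner from appointing the Reviewer who would then approve the Owner's own submissions.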