| Deletions are marked like this. | Additions are marked like this. |
| Line 6: | Line 6: |
|
This page describes how user roles and transaction authorization is implemented. |
|
| Line 20: | Line 22: |
| Note that the former '''Management Roles''' (PM, LE, Assistants, Deputies, etc.) will be deleted. They attempted to define a project organization, which is unrelated to user roles. | Note that the former '''Management Roles''' (PM, LE, Assistants, Deputies, etc.) will be deleted. They attempted to define a project organization, which is unrelated to user roles and transaction authorization. |
| Line 60: | Line 62: |
|
* System Configuration * New/Update - Allows users to create/update/delete reference data records |
|
| Line 71: | Line 77: |
| The ability to run transactions is controlled by ''UserRole'' records. Two steps of authorization are performed: | The ability to run transactions is controlled by ''User``Role'' records. Two steps of authorization are performed: |
| Line 73: | Line 79: |
| 1. The ability to start a FSM or BT transaction is checked when it is instantiated by the finite state machine (in newBT and newFSM?). Given the following inputs: | 1. The ability to start a FSM or BT transaction is checked when it is instantiated by the finite state machine (in newBT and newFSM?). Given the following inputs: '''This is probably incomplete/incorrect''' |
| Line 86: | Line 92: |
| Line 88: | Line 95: |
| Defined in app/config/TransactionMap.php | The transaction map is defined in '''app/config/TransactionMap.php''' |
| Line 92: | Line 99: |
| * Keys: '''Transaction Class''' names, defined in sub-directories in the app/tran directory | * Keys: '''Transaction Class''' names, the classes defined in php files in sub-directories in the '''app/tran''' directory |
| Line 101: | Line 108: |
| Line 105: | Line 111: |
| ... | |
| Line 109: | Line 115: |
| Line 111: | Line 116: |
|
'RevisionWorkflowREST', => array( 'RevisionReceive', 'RevisionDesign', 'RevisionCheck', ... ), ... |
|
| Line 116: | Line 122: |
| Line 118: | Line 123: |
| Line 122: | Line 126: |
| 'CommentAskUploadBT' => 'CommentNew', | |
| Line 124: | Line 127: |
|
'CommentNoteUpdFSM' => 'CommentNew', 'CommentNoteUpdFormBT' => 'CommentNew', 'CommentNoteUpdConfBT' => 'CommentNew', 'CommentAttachmentNewFSM' => 'CommentNew', 'CommentAttachmentNewFormBT' => 'CommentNew', 'CommentAttachmentNewConfBT' => 'CommentNew', |
'CommentNoteUpdFSM' => array( 'CommentView', 'CommentViewRestricted' ), 'CommentNoteUpdFormBT' => array( 'CommentView', 'CommentViewRestricted' ), 'CommentNoteUpdConfBT' => array( 'CommentView', 'CommentViewRestricted' ), |
| Line 133: | Line 131: |
| Line 135: | Line 132: |
| Line 140: | Line 136: |
|
The transaction profiles are defined in '''app/config/Profiles.php''' The transaction profiles is a 2-dimensional matrix, defined as an associative array. * Vertical axis: '''Transaction Names''' - as defined in the Transaction Map (sescribed above) * Horizontal axis: '''Roles''' - As defined in the database tables ''Roles''. The offset in the array is determined by the roleId. * Values: at each transaction name and roleId intersection there is a flag that defines if it is possible to run the transaction given the role. Note that, for some transaction names, there is a simply a '''0''' or '''1''' instead on an array, that indicates the transaction is allowed or disabled for '''all''' roles. Example showing how the definition of view ''normal'' and ''restricted'' are defined: || ||<-4> '''Roles''' || || || .. || View Normal || View Restricted || .. || || '''Transaction Names''' || || || || || || .. || || || || || || DocumentViewNormal || .. || 1 || 0 || || || DocumentViewRestricted || .. || 1 || 1 || || || .. || || || || || |
|
| Line 142: | Line 158: |
|
= Example Authorization = Scenario: A user wants to add a task note. They have the '''task view restricted''' role for the task in question. 1. '''Dispatcher.php''' tries to instantiate the class '''CommentViewBT''' with a statement like the following: {{{ $bt->FiniteStateMachineBase::newBT( "CommentViewBT" ); }}} 1. '''Finite``State``Machine``Base::newBT''' calls '''Business``Transaction``Base::newBT''', which contains the following code: {{{ .. $authorizer = Authorizer::get( .. ); if ( ! $authorizer->isAuthorized( $className ) ) { .. transaction no authorized } .. transaction authorized }}} 1. '''Authorizer::isAuthorized''' performs the following check (note that ''$tranName'' can be an array): {{{ ... $tranMap = new TransactionMap(); $tranName = $tranMap->getTransactionName( $cmd ); return $this->isTransactionAuthorized( $tranName, $userId, $contractId, $groupId ); }}} |
|
| Line 146: | Line 192: |
| * Who is allowed to see '''history'''? Suggest: | * Who is allowed to see '''history''' pages? Suggest: |
| Line 153: | Line 199: |
|
= Transaction Authorization = Transaction Authorization is based on the existance of User``Roles records defined in the database. User``Roles fields associated with authorization: * contract``Id - * group``Id - If zero/null then the User``Role applier to all groups in the contract. * user``Id * role``Id * is``Allowed Authorization is used for two functions: 1. '''Transaction Authorization''' - Allowing access to Busines Transactions and FSMs - Handled by '''Business``Transaction``Base->new``BT''', which is called by the '''Dispatcher''' and '''Finite``State``Machine'''. 1. '''Detail Screen and Download and Authorization''' - Allowing access to viewing of detail screens and downloading document files - Handled by '''User``Roles::has``Role'''. Classes involved: * '''Transaction``Guard''' - A plan * '''Authorizer''' - Stored in the Session * '''User``Roles''' Main entry point from the application * '''User``Roles::has``Role''' - Called by application code. == Transaction Authorization == == Detail Screen and Download and Authorization == Authorization of file downloads - Handled by '''Revisions->is``Download``Allowed''', which ultimately calls User``Roles->has``Role. Drawings``Revisions``Join``Set calls Revisions->is``Download``Allowed. |
Roles and Authorization
Contents
Introduction
This page describes how user roles and transaction authorization is implemented.
Roles
The types of roles are defined in the database in the Roles table.
Role Types
The following types of roles are defined:
Administrative Roles - for managing users, user roles and the system configuration
Workflow Roles - for performing workflow steps on revisions and tasks
Submittal Recipient Roles - define who receives copies of submittals
Task Subscriber Roles - define who receives emails when tasks are created and updated. A long term goal is to improve the management
Note that the former Management Roles (PM, LE, Assistants, Deputies, etc.) will be deleted. They attempted to define a project organization, which is unrelated to user roles and transaction authorization.
Detailed List of Roles
- Documents and Revisions
- New/Update - Allows creation and update of Documents and Revisons
Workflow - Allows user to perform a workflow step. Determines which users appear in the who dropdown menu.
- Receive
- Design/Create
- Check
- Approve - Up to four approval steps
- Release
- Submit - Filled in by the submittal transaction
- View
- Normal
Restricted - User not allowed to see revisions where the workflow is not complete, and (depending on the site settings) superseded revisions. Also called the contractor role.
- Tasks
- New/Update - Allows creation and update of Tasks
Workflow - Allows user to perform a workflow step. Determines which users appear in the who dropdown menu. Note that this will not be implemented immediately. The workflow steps will probably be limited to an approve step, which allows setting status and complete date.
- Receive
- Design/Create
- Check
- Approve - Up to four approval steps
- Release
- View
- Normal - Allows view and creation of all types of comment notes
- Restricted - Restricts the display and creation of comment notes. The configuration (or site settings) have lists of what types of contents can be created and displayed
- Submittals
- New/Update - Allows creation of submittals and transmissions
- Transmit - Allows transmission of submittals and transmissions
- View
- Users and User Roles
- New/Update - Allows creation and updating of users and user roles.
- View
- Normal - Sees all users and user roles
- Restricted - Can see user records, but not user roles
- System Configuration
- New/Update - Allows users to create/update/delete reference data records
User Roles
A UserRole defines the authorization to perform operations, based on:
userId - the Users ID
contractId - the contract/area of the data being operated upon. If zero/null then the UserRole applies to all contracts.
groupId - the group of the data being operated upon. If zero/null then the UserRole applier to all groups in the contract.
roleId - the role involved
Transaction Authorization
The ability to run transactions is controlled by UserRole records. Two steps of authorization are performed:
The ability to start a FSM or BT transaction is checked when it is instantiated by the finite state machine (in newBT and newFSM?). Given the following inputs: This is probably incomplete/incorrect
a Transaction Name (as defined in app/config/TransactionMap.php) or Transaction Class (a BT or FMS class name)
the userId from the global session
the current contractId and groupId from the global session
- In the transaction class, an additional test is made. The test varies depending on whether a new object is being created or updated/displayed:
For a new transaction the contractId (from the session) and groupId of the object (?) is used
For a update and view transaction the contractId and groupId of the object is used For view transactions, additional checks based on the type of view may be performed that alter what is displayed. In this case
Transaction Map
The transaction map is defined in app/config/TransactionMap.php
The transaction map is an associative array:
Keys: Transaction Class names, the classes defined in php files in sub-directories in the app/tran directory
Values: Transaction Names or arrays of transaction names. These names are used to make lookups in the Profiles (see next section).
Example extract from the transaction map:
$this->map = array( ... 'DocumentUpdFSM' => 'DrawingUpd', 'DocumentUpdFormBT' => 'DrawingUpd', 'DocumentUpdConfBT' => 'DrawingUpd', ... 'RevisionNewFSM' => 'RevisionNew', 'RevisionNewFormBT' => 'RevisionNew', 'RevisionNewConfBT' => 'RevisionNew', ... 'RevisionWorkflowREST', => array( 'RevisionReceive', 'RevisionDesign', 'RevisionCheck', ... ), ... 'DrawingListFSM' => array( 'DrawingView', 'DrawingViewRestricted' ), 'DrawingListBT' => array( 'DrawingView', 'DrawingViewRestricted' ), 'DrawingDetailFSM' => array( 'DrawingView', 'DrawingViewRestricted' ), 'DrawingDetailBT' => array( 'DrawingView', 'DrawingViewRestricted' ), ... 'CommentNoteNewFSM' => 'CommentNew', 'CommentNoteNewFormBT' => 'CommentNew', 'CommentNoteNewConfBT' => 'CommentNew', 'CommentNoteUpdFSM' => array( 'CommentView', 'CommentViewRestricted' ), 'CommentNoteUpdFormBT' => array( 'CommentView', 'CommentViewRestricted' ), 'CommentNoteUpdConfBT' => array( 'CommentView', 'CommentViewRestricted' ), ...
Profiles
The transaction profiles are defined in app/config/Profiles.php
The transaction profiles is a 2-dimensional matrix, defined as an associative array.
Vertical axis: Transaction Names - as defined in the Transaction Map (sescribed above)
Horizontal axis: Roles - As defined in the database tables Roles. The offset in the array is determined by the roleId.
- Values: at each transaction name and roleId intersection there is a flag that defines if it is possible to run the transaction given the role.
Note that, for some transaction names, there is a simply a 0 or 1 instead on an array, that indicates the transaction is allowed or disabled for all roles.
Example showing how the definition of view normal and restricted are defined:
Roles
..
View Normal
View Restricted
..
Transaction Names
..
..
1
0
..
1
1
..
Example Authorization
Scenario: A user wants to add a task note. They have the task view restricted role for the task in question.
Dispatcher.php tries to instantiate the class CommentViewBT with a statement like the following:
$bt->FiniteStateMachineBase::newBT( "CommentViewBT" );
FiniteStateMachineBase::newBT calls BusinessTransactionBase::newBT, which contains the following code:
.. $authorizer = Authorizer::get( .. ); if ( ! $authorizer->isAuthorized( $className ) ) { .. transaction no authorized } .. transaction authorized
Authorizer::isAuthorized performs the following check (note that $tranName can be an array):
... $tranMap = new TransactionMap(); $tranName = $tranMap->getTransactionName( $cmd ); return $this->isTransactionAuthorized( $tranName, $userId, $contractId, $groupId );
Open Points
Who is allowed to see history pages? Suggest:
- Normal view - Yes
- Restricted view - No
- Marking items obsolete and restoring them?
- Changing comment notes created by other users?