Changes between Initial Version and Version 1 of DeveloperGuidelines/Organisations


Timestamp:
03/21/11 04:49:22 (14 years ago)
Author:
Michael Howden
Comment:

--

  • DeveloperGuidelines/Organisations

    v1 v1  
     1[[TOC]]
     2= Organisation Developer Guidelines =
     3
     4== Site Super Entity == 
     5The following are instances of the site super entity: 
     6 * org_office 
     7 * cr_shelter 
     8 * hms_hospital 
     9The Site Super Entity allows the following components to be shared between these resources through the use of a single foreign key ({{{site_id}}}): 
     10 * org_staff 
     11 * inv_inv_item 
     12 * inv_recv 
     13 * inv_send 
     14 * req_req 
     15 * req_commit 
     16
     17== Staff Permissions == 
     18Staff ({{{org_staff}}}) can be added as components of site instances (offices, hospitals and shelters) and organisations. There are a number of Use Cases where you may want to apply permissions based on the staff of a resource: 
     19 * Only staff of an organisation have permissions (READ, CREATE, UPDATE and/or DELETE) for their organisation resource. 
     20 * Only staff stationed at a certain site have permissions (READ, CREATE, UPDATE and/or DELETE) for their site resource. 
     21
     22For further flexibility, there are 2 boolean fields for staff: 
     23 * {{{no_access}}} - If this is true, this staff member has no additional privileges (labelled as 'Read-only') 
     24 * {{{supervisor}}} - This gives the options for more permissive permissions for some staff. 
     25
     26If a user creates a resource (Site or Organisation) then they are automatically given the Supervisor role for that resource. 
     27
     28The roles are created by the {{{shn_create_record_roles}}} function in {{{models/05_org.py}}}, which can be called from an org or site create_onaccept by configuring the model as following: 
     29{{{ 
     30# Create roles for each organisation / site instance 
     31s3xrc.model.configure(table,  
     32                       create_onaccept = shn_staff_join_onaccept_func(tablename))   
     33}}} 
     34(This code should be called after the resource table is defined in the model) 
     35
     36=== Enabling Staff Permissions === 
     37 1. Set: 
     38 {{{ 
     39deployment_settings.security.policy = 3 # Controller-ACLs. 4 & 5 will also work 
     40deployment_settings.aaa.has_staff_permissions = True 
     41deployment_settings.aaa.staff_acl = Permissions for staff role: Create, Read, Update & or Delete 
     42deployment_settings.aaa.supervisor_acl = Permissions for supervisor role: Create, Read, Update & or Delete 
     43("org", Storage( 
     44    .... 
     45    restricted = True, 
     46}}} 
     47 2. When a new organisation or site instance is created:  
     48  i. New roles (staff & supervisor) are automatically created for that record (tablename_recordid Staff of recordname & tablename_recordid Supervisors of recordname). 
     49  i. The current user is added as a member of both of those roles. 
     50
     51 3. Add staff to organisations and sites to grant them the appropriate permissions 
     52
     53=== Inheriting Permissions === 
     54To allow other components inherit the same permissions as the primary resource, the following function can be called, to add a onaccept function which will copy the "owned_by_role" from the primary resource. This onaccept should be added to the onaccept for the component resource.  
     55{{{ 
     56# Update owned_by_role to the site's owned_by_role     
     57s3xrc.model.configure( 
     58    table,  
     59    onaccept = shn_component_copy_role_func(component_name = tablename,  
     60                                            resource_name = "org_site",  
     61                                            fk = "site_id", 
     62                                            pk = "site_id") 
     63)     
     64}}} 
     65
     66The staff component resource itself currently inherit permissions from sites not organisations, because this is LESS permissive. This may need to become a deployment setting. 
     67
     68== Inventory Management == 
     69Inventories can be added to any site instance, by adding {{{shn_show_inv_tabs(r)}}} to the rheader tabs for that site instance.  
     70
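Review bot: At wiki lines 28-32 the prose says the roles are created by {{{shn_create_record_roles}}}, but the snippet wires {{{create_onaccept}}} to {{{shn_staff_join_onaccept_func(tablename)}}}, and nothing on the page says how the two relate. Say which function a model author should configure and, if one calls the other, state that; otherwise make the names agree. In the same spirit, at lines 41-42 the right-hand sides of {{{staff_acl}}} and {{{supervisor_acl}}} are descriptive prose rather than values, and the {{{("org", Storage(}}} fragment at lines 43-46 is never closed or tied to a settings key. Because these settings decide which staff get CREATE, UPDATE or DELETE, show one concrete valid value for each and name the setting that the {{{restricted = True}}} entry belongs to. Line 23 would also benefit from stating whether {{{no_access}}} ('Read-only') still leaves the staff member with READ on the record, since "no additional privileges" and "Read-only" can be read differently.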