wiki:DeveloperGuidelines/Organisations

Version 2 (modified by Fran Boon, 11 years ago) ( diff )

Organisation Developer Guidelines

Site Super Entity

The following are instances of the site super entity: 

  • org_office 
  • cr_shelter 
  • hms_hospital 

The Site Super Entity allows the following components to be shared between these resources through the use of a single foreign key (site_id): 

  • org_staff 
  • inv_inv_item 
  • inv_recv 
  • inv_send 
  • req_req 
  • req_commit 

Staff Permissions

Staff (org_staff) can be added as components of site instances (offices, hospitals and shelters) and organisations. There are a number of Use Cases where you may want to apply permissions based on the staff of a resource: 

  • Only staff of an organisation have permissions (READ, CREATE, UPDATE and/or DELETE) for their organisation resource. 
  • Only staff stationed at a certain site have permissions (READ, CREATE, UPDATE and/or DELETE) for their site resource. 

For further flexibility, there are 2 boolean fields for staff: 

  • no_access - If this is true, this staff member gets no additional privileges beyond their existing ones (labelled as 'Read-only'). 
  • supervisor - If this is true, this staff member receives the more permissive supervisor permissions rather than the staff permissions. 

If a user creates a resource (Site or Organisation) then they are automatically given the Supervisor role for that resource. 

The roles are created by the shn_create_record_roles function in models/05_org.py, which can be called from an org or site create_onaccept by configuring the model as follows: 

# Create roles for each organisation / site instance
s3xrc.model.configure(table,
                      create_onaccept = shn_staff_join_onaccept_func(tablename))

(This code should be called after the resource table is defined in the model) 

Enabling Staff Permissions

  1. Set: 
    deployment_settings.security.policy = 3 # Controller-ACLs. 4 & 5 will also work 
    deployment_settings.aaa.has_staff_permissions = True 
    deployment_settings.aaa.staff_acl = <permissions for the staff role: Create, Read, Update and/or Delete> 
    deployment_settings.aaa.supervisor_acl = <permissions for the supervisor role: Create, Read, Update and/or Delete> 
    and, in the module configuration for org, set restricted = True: 
    ("org", Storage( 
        .... 
        restricted = True, 
    
  2. When a new organisation or site instance is created: 
    1. New roles (staff & supervisor) are automatically created for that record (named "tablename_recordid Staff of recordname" and "tablename_recordid Supervisors of recordname"). 
    2. The current user is added as a member of both of those roles. 
  3. Add staff to organisations and sites to grant them the appropriate permissions. 

Inheriting Permissions

To allow other components to inherit the same permissions as the primary resource, the following function can be called to add an onaccept function which copies the "owned_by_role" from the primary resource. This onaccept should be added to the onaccept of the component resource: 

# Update owned_by_role to the site's owned_by_role
s3xrc.model.configure(
    table,
    onaccept = shn_component_copy_role_func(component_name = tablename,
                                            resource_name = "org_site",
                                            fk = "site_id",
                                            pk = "site_id")
)

The staff component resource itself currently inherits permissions from sites, not organisations, because this is LESS permissive. This may need to become a deployment setting. 
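The two hooks described in this section and in Staff Permissions, as an added example that is not Sahana Eden's own code: the role-creating create_onaccept and the role-copying component onaccept, run against an in-memory stand-in for the database. The Db class, the hook signatures, the lookup of the parent under its instance table name instead of the org_site super entity, and the choice of the Staff role as the record's owner are all assumptions; the real implementation lives in models/05_org.py.

```python
from dataclasses import dataclass, field

@dataclass
class Db:
    """Constructed in-memory stand-in for the web2py database (an assumption)."""
    roles: dict = field(default_factory=dict)       # role name -> role id
    memberships: set = field(default_factory=set)   # (user_id, role_id) pairs
    records: dict = field(default_factory=dict)     # (tablename, record id) -> row

def staff_join_onaccept_func(tablename):
    """Build an onaccept hook for an org/site table: on create it makes the
    'Staff of' and 'Supervisors of' roles named as on this page and adds the
    creating user to both."""
    def onaccept(db, row, user_id):
        prefix = "%s_%s" % (tablename, row["id"])
        role_ids = {}
        for label in ("Staff", "Supervisors"):
            name = "%s %s of %s" % (prefix, label, row["name"])
            role_ids[label] = db.roles.setdefault(name, len(db.roles) + 1)
            db.memberships.add((user_id, role_ids[label]))
        row["owned_by_role"] = role_ids["Staff"]   # assumption: Staff role owns it
        db.records[(tablename, row["id"])] = row
        return role_ids
    return onaccept

def component_copy_role_func(component_name, resource_name, fk, pk):
    """Build an onaccept hook for a component (e.g. inv_inv_item) that copies
    owned_by_role from the parent row where parent[pk] == row[fk]."""
    def onaccept(db, row):
        parent = next(r for (t, _), r in db.records.items()
                      if t == resource_name and r[pk] == row[fk])
        row["owned_by_role"] = parent["owned_by_role"]
        db.records[(component_name, row["id"])] = row
        return row["owned_by_role"]
    return onaccept

def has_access(db, user_id, tablename, record_id):
    """A user may act on a record only via membership of its owner role."""
    row = db.records[(tablename, record_id)]
    return (user_id, row["owned_by_role"]) in db.memberships

def demo():
    """Constructed scenario: user 1 creates an office (site_id 7), then an
    inventory item is added to that site and inherits the office's role."""
    db = Db()
    office = {"id": 3, "site_id": 7, "name": "Field Office"}
    staff_join_onaccept_func("org_office")(db, office, user_id=1)
    copy = component_copy_role_func("inv_inv_item", "org_office", fk="site_id", pk="site_id")
    copy(db, {"id": 11, "site_id": 7, "name": "Water purification tablets"})
    return db
```

Running demo() shows the creator holding both new roles and a second user, who is a member of neither, being denied access to the inherited inventory item.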

Inventory Management

Inventories can be added to any site instance by adding shn_show_inv_tabs(r) to the rheader tabs for that site instance. 

BluePrintOrganisationRegistry

DeveloperGuidelines