User roles and rights redesign

Discussion forum about Anuko Time Tracker
Nik
Posts: 447
Joined: Wed May 26, 2010 5:55 pm

Re: User roles and rights redesign

Post by Nik » Thu Feb 22, 2018 10:13 pm

bonnedav wrote:You need to make sure that if a perm is removed from a sub-group manager they can't add it to another role.
Looks like "manage_roles" needs to be split in 2: "manage_roles" and "assign_roles"; then one could remove "manage_roles" from them to prohibit adjusting roles.
bonnedav wrote:Also, this system works to let the top level manager edit sub group perms, but how would a level 2 manager remove a perm from the manager of one of their level 3 groups?
Same way? If they created a subgroup, they had a right to do so. Or using the top org account.
bonnedav wrote:Also, I think you should re-split "manage_settings" into "manage_basic_settings" and "manage_advanced_settings" as well as "manage_features". Basic settings would be things like "date format", "time format", etc. Advanced settings would be things like "name", "bcc", etc.
I'll see if I can roll back to "manage_basic_settings" and "manage_advanced_settings" instead of one "manage_settings", although these names don't explain what they manage.

bonnedav
Posts: 23
Joined: Thu Jul 20, 2017 5:17 am

Re: User roles and rights redesign

Post by bonnedav » Fri Feb 23, 2018 8:24 am

Maybe "org manager" needs to be renamed to "parent manager" and made an intrinsic role on any sub group that is given to the manager of its parent group. So that any group's manager will be a "parent manager" on their own sub groups and always have all perms, including the ability to edit the "manager" role. This can also let them edit roles on sub groups even if they can't do so on their own group.

"Assign_roles" should be a part of "manage_users", to let anyone with it assign lower roles. So for instance a "Co manager" can make an account a "user", "client", or "supervisor", but not a "Co manager".
A manager can do all those and "Co manager". This should be based on rank.

OK, say a group's manager creates a sub group. He does not want the manager to be able to change the group's name, so he removes "manage_advanced_settings" from its manager role; he does, however, want them to be able to edit roles on the group, so he keeps "manage_roles". The problem is that the sub group's manager could create a new role with the "manage_advanced_settings" perm, create an account with it, and change the name. What needs to be done is that you need to make sure that the role editor does not allow a manager to set perms they don't have themselves.

The split between "manage_basic_settings" and "manage_advanced_settings" should exist to provide extra flexibility; the problem comes in determining which settings are "basic" and which are "advanced". I think more input is needed on this.

bonnedav
Posts: 23
Joined: Thu Jul 20, 2017 5:17 am

Re: User roles and rights redesign

Post by bonnedav » Sat Feb 24, 2018 1:06 am

Anyone with "manage_users" should be able to create, manage, and delete anyone whose role has a lower rank than their own. In doing so they should also be able to assign and reassign any role that has a lower rank than their own, during user creation or editing, but only for users they can edit.

Anyone with "manage_roles" should be able to create, manage, and delete roles with lower ranks than their own. They should only be able to add permissions that they have themselves.

Nik
Posts: 447
Joined: Wed May 26, 2010 5:55 pm

Re: User roles and rights redesign

Post by Nik » Sat Feb 24, 2018 3:56 pm

I added "swap_roles" to SUPERVISOR. Changed CO-MANAGER and MANAGER as follows:

CO-MANAGER - a person with an extended set of management functions, who is helping a group manager with most of the work. Has all of SUPERVISOR permissions plus the following.

"manage_users" - can add, modify, delete, and assign roles to users whose role rank is less than self.
"manage_projects" - full access to project management.
"manage_tasks" - full access to task management.
"manage_custom_fields" - full access to custom field management.
"manage_clients" - full access to client management.
"manage_invoices" - full access to invoice management.


MANAGER - a person with a full set of permissions to a group and the entire tree of its subgroups. Has all of CO-MANAGER permissions plus the following.

"manage_features" - enable or disable plugins (features) for a group.
"manage_basic_settings" - manage basic group settings such as language, currency, date and time formats.
"manage_advanced_settings" - manage advanced group settings such as team name, bcc, plugin options, etc.
"manage_roles" - create, modify, and delete roles (including custom roles) with rank less than self. Able to add permissions that they have themselves.
"export_data" - export group and all subgroups data to an XML file.
"manage_subgroups" - add, modify, and delete subgroups. Essentially, it gives a capability to create subgroups and assume group manager role in there and all subgroups below.

TOP_MANAGER - intrinsic, non-editable role for a general manager in an organization (root manager) with all possible rights in all groups. Is assigned to a person who creates the organization.
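One way to model the rank-based rules from the two posts above (users and roles editable only below one's own rank, and a role editor that refuses rights the editor does not hold), as an added example that is not Time Tracker's own code; the role names, rank numbers and right sets are constructed for illustration:

```python
# Added example, not Time Tracker's code. Role ranks and right sets below are
# constructed to illustrate the rules, not the project's real values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    rank: int
    rights: frozenset


@dataclass
class User:
    name: str
    role: Role

    def can(self, right: str) -> bool:
        """Verb-based right check, in the spirit of $user->can('track_expenses')."""
        return right in self.role.rights


def can_manage_user(actor: User, target: User) -> bool:
    """'manage_users' applies only to users whose role rank is lower than the actor's."""
    return actor.can("manage_users") and target.role.rank < actor.role.rank


def can_assign_role(actor: User, target: User, new_role: Role) -> bool:
    """Reassigning needs an editable target AND a new role ranked below the actor."""
    return can_manage_user(actor, target) and new_role.rank < actor.role.rank


def role_edit_violations(actor: User, proposed: Role) -> list:
    """Reasons a 'manage_roles' editor must refuse a proposed role. An empty list
    means the role is acceptable. Refusing rights the actor lacks closes the
    escalation in the group-name example: a subgroup manager stripped of
    manage_advanced_settings cannot hand it to a new role."""
    problems = []
    if not actor.can("manage_roles"):
        problems.append("actor lacks manage_roles")
    if proposed.rank >= actor.role.rank:
        problems.append("rank not lower than actor")
    extra = proposed.rights - actor.role.rights
    if extra:
        problems.append("rights not held by actor: " + ", ".join(sorted(extra)))
    return problems


# Constructed sample: a subgroup manager whose parent removed manage_advanced_settings.
SUB_MANAGER = Role("manager", 256, frozenset(
    {"manage_users", "manage_roles", "manage_basic_settings", "track_time"}))
PLAIN_USER = Role("user", 4, frozenset({"track_own_time"}))
```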

Nik
Posts: 447
Joined: Wed May 26, 2010 5:55 pm

Re: User roles and rights redesign

Post by Nik » Mon Mar 12, 2018 5:28 pm

I had to add this to the client role as part of the ongoing roles revamp.

"view_own_invoices" - view invoices issued for client.

Also split "view_data" into 2 separate rights "view_reports" and "view_charts" to provide flexibility just in case. Other issues may arise as coding is progressing.

I hope it makes sense.

Nik
Posts: 447
Joined: Wed May 26, 2010 5:55 pm

Re: User roles and rights redesign

Post by Nik » Tue Mar 13, 2018 8:39 pm

Another change:

I am splitting "data_entry" into these two:

"track_own_time" - can track own time in Time Tracker.
"track_own_expenses" - can track own expenses in Time Tracker.

Also, "on_behalf_data_entry" into these two:

"track_time" - can track time for lower roles.
"track_expenses" - can track expenses for lower roles.

This gets us nice verb-based rights, so that in code we can use something like below and it is clear what it means.

if ($user->can('track_expenses')) {
  // do something
}

wrc
Posts: 259
Joined: Tue May 25, 2010 8:30 pm

Re: User roles and rights redesign

Post by wrc » Wed Mar 14, 2018 3:59 pm

I suggest including "override_date_lock" in the Supervisor role. This will allow them to override date locking (as configured by the Locking plugin) for themselves and lower roles.

Nik
Posts: 447
Joined: Wed May 26, 2010 5:55 pm

Re: User roles and rights redesign

Post by Nik » Wed Mar 14, 2018 6:15 pm

wrc wrote:I suggest including "override_date_lock" in the Supervisor role. This will allow them to override date locking (as configured by the Locking plugin) for themselves and lower roles.
Thanks for this, I adjusted the Supervisor rights accordingly.

bonnedav
Posts: 23
Joined: Thu Jul 20, 2017 5:17 am

Re: User roles and rights redesign

Post by bonnedav » Fri Mar 16, 2018 4:54 am

I think there should be a way to disallow someone from editing their own times once inputted. This, along with punch mode, would allow a manager to use this as a pure "punch clock" system, where employees use it only to clock in/out of work, if they want. Editing your own times and someone else's should be separate rights. (So a supervisor can edit times for subordinates but not themselves, for example.)

Nik
Posts: 447
Joined: Wed May 26, 2010 5:55 pm

Re: User roles and rights redesign

Post by Nik » Fri Mar 16, 2018 2:20 pm

bonnedav wrote:I think there should be a way to disallow someone from editing their own times once inputted. This, along with punch mode, would allow a manager to use this as a pure "punch clock" system, where employees use it only to clock in/out of work, if they want. Editing your own times and someone else's should be separate rights. (So a supervisor can edit times for subordinates but not themselves, for example.)
What if we change the "override_punch_mode" right to apply to lower roles only, similar to "track_time"? I think it may accomplish this.

wrc
Posts: 259
Joined: Tue May 25, 2010 8:30 pm

Re: User roles and rights redesign

Post by wrc » Fri Mar 16, 2018 2:32 pm

How about a "set_rates" right for Manager (or Top Manager) only? Letting whoever has the "manage_users" right edit rates looks a bit weird.

Nik
Posts: 447
Joined: Wed May 26, 2010 5:55 pm

Re: User roles and rights redesign

Post by Nik » Fri Mar 16, 2018 4:18 pm

Nik wrote:
bonnedav wrote:I think there should be a way to disallow someone from editing their own times once inputted. This, along with punch mode, would allow a manager to use this as a pure "punch clock" system, where employees use it only to clock in/out of work, if they want. Editing your own times and someone else's should be separate rights. (So a supervisor can edit times for subordinates but not themselves, for example.)
What if we change the "override_punch_mode" right to apply to lower roles only, similar to "track_time"? I think it may accomplish this.
I changed the meaning of "override_punch_mode" right to apply to lower roles only.

bonnedav
Posts: 23
Joined: Thu Jul 20, 2017 5:17 am

Re: User roles and rights redesign

Post by bonnedav » Sat Mar 17, 2018 6:07 am

When logged in as a user with punch mode enabled, I can still delete my own entries, change past entries using the current time, and add entries for past dates. This is not how a pure "time clock" system would work and might not be desirable to some managers. I understand that the date lock plugin is a thing; I don't know if it can fix this completely. This deserves more thought. As part of it I think 2 things: first, that a way to completely disable past entries should be implemented, similar to what there is for future entries (and an override perm for both?); second, that "override_date_lock" should be modified in the same way as "override_punch_mode". Sorry if this is confusing and/or contradictory, but I am tired and I hope that it still gets my point across. Thank you for reading and considering my ramblings.

Nik
Posts: 447
Joined: Wed May 26, 2010 5:55 pm

Re: User roles and rights redesign

Post by Nik » Sat Mar 17, 2018 2:36 pm

bonnedav wrote:When logged in as a user with punch mode enabled, I can still delete my own entries, change past entries using the current time, and add entries for past dates. This is not how a pure "time clock" system would work and might not be desirable to some managers. I understand that the date lock plugin is a thing; I don't know if it can fix this completely.
Indeed, the Locking feature can help. You can disable editing past entries, and it currently operates with 1-day accuracy.

// Lock date is taken from the last lock time with day granularity only.
$lockdate = new DateAndTime(DB_DATEFORMAT, strftime('%Y-%m-%d', $last));
if ($date->before($lockdate)) {
  return true;
}
One way of potential improvement is to improve the isDateLocked accuracy to the minute as locks are cron specifications and allow for this. However, there is a complication of users and server possibly being in different time zones (GMT vs local time), so one has to figure out a clean way out of this.

I created a separate thread to discuss punch mode here.
bonnedav wrote:... override_date_lock should be modified in the same way as override_punch_mode.
This makes sense. I am going to introduce "override_own_date_lock" in addition to "override_date_lock", which will apply to lower roles only.
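To show the time-zone complication mentioned above, here is an added example (not Time Tracker's code) of a minute-accurate lock check beside the current day-accuracy behaviour; the lock boundary, user offsets and entry times are constructed, and a fixed UTC offset stands in for the user's local zone:

```python
# Added example, not Time Tracker's code. The lock boundary (a server-side
# instant, e.g. derived from the cron spec) is held in UTC; the user's wall-clock
# entry time is interpreted in the user's own zone before comparing.
from datetime import datetime, timedelta, timezone


def is_date_locked(entry_local: datetime, user_offset_hours: float,
                   lock_boundary_utc: datetime) -> bool:
    """Minute-accurate check: True when the entry (naive wall time in the user's
    zone) falls before the lock boundary. Both sides are made timezone-aware
    so a GMT server and a local-time user compare the same instant."""
    if lock_boundary_utc.tzinfo is None:
        raise ValueError("lock boundary must be timezone-aware (UTC)")
    user_tz = timezone(timedelta(hours=user_offset_hours))
    aware_entry = entry_local.replace(tzinfo=user_tz)
    return aware_entry < lock_boundary_utc


def is_day_locked(entry_local: datetime, lock_boundary_utc: datetime) -> bool:
    """The 1-day-accuracy behaviour of the snippet above: only calendar dates are
    compared, using the server's UTC date and ignoring the user's zone."""
    return entry_local.date() < lock_boundary_utc.date()


# Constructed sample: lock everything before 2018-03-17 02:00 UTC.
LOCK_BOUNDARY = datetime(2018, 3, 17, 2, 0, tzinfo=timezone.utc)
PACIFIC_DST = -7  # constructed: a user seven hours behind UTC
```

A Pacific user's entry at 20:00 on 16 March is 03:00 UTC on 17 March, so the minute check leaves it editable while the day check locks it; the two functions disagree exactly where server and user dates differ.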

Nik
Posts: 447
Joined: Wed May 26, 2010 5:55 pm

Re: User roles and rights redesign

Post by Nik » Sun Mar 18, 2018 1:45 pm

Instead of punch mode entirely, how about an additional Puncher role (lower rank than User).

PUNCHER - a user with minimal set of rights to punch in or out.

"punch_own_time" - can punch in or out of Time Tracker.
"view_own_reports" - view own reports.
"view_own_charts" - view own charts.


To add to SUPERVISOR:

"punch_time" - can punch in or out for lower roles.
