Sunday 19 June 2011

Permissions

In BB2 users gain access to the various software modules and particular functions within those modules by becoming a member of one or more user groups (e.g. 'Sales' or 'Admin'). Permissions are first added and applied to user groups before users can inherit these permissions indirectly through their association with these groups. Thus, a well organised system will include a user group for each particular level or type of access required by the users that access it. This allows users to very quickly be granted the precise scope of access they require simply by being added to the relevant user groups that together define the breadth and depth of that access.

Permission Sets: Class & Method

Permissions are made up of two component parts, namely 'class' and 'method'. The permission class defines the boundaries of the permission set. These boundaries often coincide with a specific system module (e.g. Publishing or Inventory) but can also demarcate an area that applies to more than one module. Each permission class is made up of a 'bundle' of permission methods. Each permission method defines a particular action, view or function that may be performed within the demarcated area of the permission class (e.g. list, add or edit). Methods are generally universal in the system and so the same bundle of methods that make up one class are generally replicated and bundled together with every other class.

For example, the 'bb_sales_debtors_invoices' class refers to the debtors invoices section within the sales module, and the 'bb_procurement_creditors_invoices' class refers to the creditors invoices section within the procurement module. Both of these classes have a permission method called 'viewlist' which allows users, in the case of the first class, to view a list of debtor invoices, and, in the case of the second, to view a list of creditor invoices. The method works in exactly the same way in each instance but relates specifically to the area of the system defined by the class to which it belongs.

There are of course exceptions to this general logic. Some permission classes have custom methods that are only relevant to that particular class. The 'bb_inventory' class associated with the Inventory module contains a method called 'inventory_dash'. This method relates specifically to the inventory dashboard view and is therefore unique to this class.

Setting up and Managing Permissions

The BB2 Permissions Dashboard section is accessed via the 'Admin' module on the left-hand main menu. From here it is possible to manage the scope of access granted to each user group on the system by adding or removing permission sets that together define the kind of access bestowed upon each group's members.

First select the user group you would like to manage permissions for from the 'Choose User Group' field. If the user group you intend to define permissions for has not yet been added then you will need to create the user group first. This can be done via the 'User Groups' sub-menu item, under 'Admin' on the left-hand system menu. For more help with adding user groups consult the Bluebox knowledge base: http://www.bluebox.co.za/?km.

Next, use the 'Filter' field to return a list of the permission classes you would like to work with. For instance, typing in the word 'sales' would return all permission classes with the word 'sales' in the class title. Click the 'Go' button to return a list of permission classes that match the string of characters you provided in the filter field. Leaving the filter field blank will simply return all permission classes, allowing you to add or remove permission methods for the selected user group from any one of the permission classes.

Now locate the permission class you wish to add or remove permission methods for from the class list. Click the green '[View]' link (View Method List) to the right of the permission class name to expand the list of permission methods for that class. Remember that permission sets are made up of class and method. For the chosen class you must now select which of its specific methods to grant or deny for the current user group. For every permission method already granted to the selected user group, a positive selection mark is shown to the left of the method name, under the 'Grant' column. To grant a specific permission method for this permission class, locate the method in the method list for that class and then click the selection option to its left, under the 'Grant' column. In this way permission sets, containing the permission class and the method within that class, are assigned to the chosen user group.

To grant all permission methods and thereby allow members of this user group to make use of any method in this permission class, click the selection under the 'Grant' column, to the left of the 'all' method. To remove a specific permission method for this permission class, locate the method in the method list and then click the selection option to its left, under the 'Remove' column, to remove it from the current user group.

Follow this same process for each and every permission class whose methods you would like to assign to the user group. Once you have completed adding and/or removing permission sets for the selected user group, scroll right to the bottom of the permission class list, and click the 'Set Permissions' button to apply these changes. All that is now required is for members of this group currently logged into the system to refresh their session data.

Linking Users to User Groups

Once you have set up permissions for user groups all that is required is for users to be linked to the appropriate combination of groups. The right combination of groups will depend entirely on what the user's duties on the system include and on the available user groups and their permission settings. Ultimately, a user should be linked to the minimum number of groups that afford just enough access to perform those duties. For instance, if a new employee has joined the Sales team and is required to have access to both the 'Sales' and 'Marketing' modules then they would be linked to the 'Sales' and 'Marketing' user groups, provided these groups allowed access only to those particular modules.

Users can be linked to user groups either via the 'User Groups' or the 'Users' section found under the 'Admin' module on the system menu. When viewing the user groups tree click the '+' icon ('Add New Link') to the right of the user group you wish to add a new member to. This will allow you to select a new user to link to that user group, resulting in the user being listed under the user group in the users tree.

Alternatively, go to the 'Users' section and, once loaded, click the 'Data Functions' top-level menu link. Then click the 'List' option in the menu that appears to list all user records. Locate the user you would like to link to a user group and then click the eye icon ('View') to the left of the user record, under the 'Action' column. Once the user view page has loaded scroll down to the section titled 'User Groups Link'. Click the '+' icon in the top right-hand corner of this section to add a new user group link for this user. Remember, users can be linked to multiple groups, so create as many links as required.

Access Denied: Resolving Permission Failures

Whenever a user tries to access an area of the system that they do not have explicit permission to view, or whenever they attempt to perform a particular action (e.g. add, edit, delete) they have not explicitly been authorised to execute, the system returns a permission failure message. These messages outline the specific permission set (class and method) that the current user has not yet been granted, and which is required in order to access the relevant system area. To illustrate this, let us consider the following permission failure message:

“Permission failure for Class: sales and Method: show”.

From this message we are able to determine that the action or section the current user is trying to access requires the 'show' method for the 'bb_sales' class. Together this class and method form the required permission set that must first be granted to the user before satisfying the permission requirements for that action. The permission failure can be bypassed either by granting this permission set to a user group the user is already a member of, or by adding the user to a user group that already includes this permission set. In each case the user must inherit the permission set indirectly by means of his/her membership of a user group. Once this is done the user need only refresh their user session data. This is achieved by clicking the eye icon in the login details section, above the left-hand system menu and to the right of the 'Edit' link. Once the user's session has been refreshed all permission changes will be applied to the user's current session.

It should be noted that often multiple permission sets are required before gaining access to an area of the system. So, referring back to the above example, even though the user has since been granted the 'show' method for the 'bb_sales' class and refreshed his/her user session data, the system may then display a second permission failure message such as:

“Permission failure for Class: sales and Method: viewlist”.

From this we can determine that the section the user is trying to access requires more than one permission set. Although they have been granted the first permission set, the system now prompts them on the second permission requirement, namely the 'viewlist' method in the 'bb_sales' class. In each case the user must be granted the permission set defined in the permission failure message and then refresh their user session data before reattempting to perform the desired action, or to access the desired section in the system.

Granting users access only to those permission sets necessary for carrying out their specific tasks on the system is a recommended security practice. However, when a user group needs access to an entire section or where security is of little concern, the 'all' method can be granted for any permission class, allowing members of that group to inherit all permission methods within that class in one easy step.
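The following is an added example, not BB2's own code, that models the permission scheme described on this page (class and method permission sets held by user groups, users inheriting them only through group membership, the 'all' method standing in for every method in a class, and session data that stays stale until refreshed) and reproduces the permission failure messages from the 'Access Denied' section above. Class, group and user names are constructed for illustration.

```python
# Added example (not BB2's own code): minimal model of class/method permission
# sets, user groups, session caching and the failure message described above.
from dataclasses import dataclass, field


@dataclass
class PermissionStore:
    group_perms: dict = field(default_factory=dict)  # group -> {(class, method)}
    user_groups: dict = field(default_factory=dict)  # user  -> {group}

    def grant(self, group, perm_class, method):
        self.group_perms.setdefault(group, set()).add((perm_class, method))

    def remove(self, group, perm_class, method):
        self.group_perms.get(group, set()).discard((perm_class, method))

    def link_user(self, user, group):
        self.user_groups.setdefault(user, set()).add(group)

    def effective_perms(self, user):
        """Union of the permission sets of every group the user is linked to.
        Users hold no permissions directly; an unlinked user gets nothing."""
        perms = set()
        for group in self.user_groups.get(user, ()):
            perms |= self.group_perms.get(group, set())
        return perms


@dataclass
class Session:
    """Snapshot of a user's permissions; stale until refresh_session() runs."""
    user: str
    perms: frozenset


def new_session(store, user):
    return Session(user, frozenset(store.effective_perms(user)))


def refresh_session(store, session):
    session.perms = frozenset(store.effective_perms(session.user))


def has_permission(session, perm_class, method):
    # The 'all' method on a class covers every method within that class,
    # including class-specific ones such as 'inventory_dash'.
    return (perm_class, method) in session.perms or (perm_class, "all") in session.perms


def check_action(session, required):
    """required: ordered list of (class, method) sets an action needs. Returns
    the first failure message in the page's format, or None if all are granted."""
    for perm_class, method in required:
        if not has_permission(session, perm_class, method):
            return f"Permission failure for Class: {perm_class} and Method: {method}"
    return None
```

Because an action may need several permission sets, check_action reports only the first missing one, which is why a user can see a second failure message after the first has been resolved.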
