Introduction to access control and asset permissions
This page is OBSOLETE. New version can be found here.
Access control - keys and keyrings
Access control in NorfelloCMMS is based on keys and keyrings. For each function in NorfelloCMMS there is a key associated to it. Keyrings are collections of keys, which can be handed to users. A user has all keys, which belong to keyrings the user ownes. NorfelloCMMS's access control policy is restrictive by default. This means that access to a function is denied unless user has the key associated to the function.
You can configure access control by selecting first Configuration and Access control from the top menu and then from the submenus Keyrings or Key.
Note that you have to use a user account which has administrative rights to configure NorfelloCMMS. In a just installed NorfelloCMMS you can login as "admin", with password "admin".
Keys
Keys for all functions in NorfelloCMMS are saved to the database when you install NorfelloCMMS. Therefore you don't have to (and you shouldn't) create or edit keys. You only have to edit keys if you add new functionality to NorfelloCMMS.
List of keys (page 3, asset tree hidden):
http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/key_list.png?format=raw
As you can see the name of each key contains two parts controller and action. The first part specifies the controller and the second specifies an action inside the controller. For example, in order to view asset information user has to have the key "asset/view" and in order to create a report user has to have the key "report/create".
Keyrings
Keyrings have two functions, they group keys together and they are used to grant keys to users. A key can belong to any number of keyrings. Keys are given to users by adding keys to a keyring and by adding users to owners of the keyring (i.e. by giving the keyring to users).
You can view and edit keyrings in the Keyrings sub-menu. When you install NorfelloCMMS there are two keyrings defined, one that contains all keys and one that contains keys that are needed in daily use (these are keys for all actions found in the Application side). List of keyrings:
You can view and edit keyrings properties by clicking actions found from the Actions column of the keyring list.
- From http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/keys.png?format=raw Keys you can view and edit which keys belong to the keyring.
- From http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/owners.png?format=raw Owners you can view and edit which users own the keyring.
- From http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/edit.png?format=raw Edit you can edit keyrings information.
Usage example
Suppose you have situation where you have a user or users to whom you want to grant permission to manage asset types, but you don't want to grant them access to other parts of the Configuration section. To achieve this you need to create a keyring, say "Asset type managers", which contains keys that are needed to create and edit asset types and their icons.
Creating the keyring:
- Login as "admin".
- If you want you can hide the asset tree by clicking http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/close.png?format=raw to simplify the view. Asset tree is hidden in the following screenshots.
- Select Configuration and Access control from the top menu. Select Keyrings from the sub-menu,
- Click http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/cb.png?format=raw Create in the Keyrings sub-menu.
- Fill in keyrings name and information.
http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/create.png?format=raw
- Click Create.
http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/created.png?format=raw
- Click http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/keys.png?format=raw Keys for "Asset type managers".
- Add all keys with controllers "asset_type" and "asset_type_icon" to the keyring by selecting them from the dropdown menu add and by clickin Add button.
http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/adding.png?format=raw http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/added.png?format=raw
See from Creating and administering user accounts how to manage user accounts, if you haven't already done so. Below we are going to use the user account created in Creating and administering user accounts
Giving the keyring(s) to a user:
- Select http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/list.png?format=raw List in the Keyrings sub-menu and click action http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/owners.png?format=raw Owners for the "Asset type managers" keyring.
- Select from dropdown menu the user you want to give the keyring to and click Add button.
http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/add_user.png?format=raw
- Also give the keyring "Users" to the same user by repeating the two previous steps for the keyring "Users". This gives the user permission to operate in the Application section.
You can see which keyrings a user has by going to the User accounts sub-menu and clicking http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/edit.png?format=raw Edit for the user. At the bottom of the page you can view and remove, which keyrings the user has.
Asset permissions - user groups and their permissions
Asset permissions provide access control for asset data saved in the NorfelloCMMS database. Asset permissions define which assets users can view and edit, and what kind of data users can create to assets.
User groups
User group can be understood as a group of users who have identical asset permissions. Users get all their asset permissions from their user groups.
In a freshly installed NorfelloCMMS there are two user groups "Administrators" who has all permissions in the asset "CMMS (NorfelloCMMS)" and "Users" who has a bit more limited permissions in the asset "CMMS (NorfelloCMMS)". As you might guess user "admin" belongs to "Administrators" and user "user" belongs to "Users".
Usage example
Suppose we have an asset "HEADOFF (Head office)" and we want to give to the user "jsmith (John Smith)" (created in Creating and administering user accounts) permission to maintain the asset. To achieve this we create a user group and add the user "jsmith" to it and then we grant the user group permission to manage the asset "HEADOFF".
Creating a user group
User groups can be created and managed in the User groups sub-menu under the Access control menu. To create a user group you have to:
- Select the User groups sub-menu.
http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/user_groups.png?format=raw
- Click http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/cb.png?format=raw Create.
- Fill in name and additional information.
http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/create_ug.png?format=raw
- Click Create button
http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/created_ug.png?format=raw
- Click http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/owners.png?format=raw Users action for the created user group.
- Select the user "jsmith (John Smith)" from the dropdown menu and click Add button.
http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/users_ug.png?format=raw
To follow further create the asset "HEADOFF (Head office)" as shown in Creating assets.
Managing asset permissions
To edit assets permissions you have to:
- Select Assets from the top menu.
- Select the asset "HEADOFF (Head office)" from the asset tree.
http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/asset.png?format=raw
- Click http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/pb.png?format=raw Permissions.
- New asset created to NorfelloCMMS is by default using same permissions as its parent asset. This is often very convinient, but now we want to define permissions just for this asset. Uncheck the "Use parent asset's permissions" add click Save button.
- Select the user group "Head office maintainers" from the dropdown menu under "Add user group" and click Add button.
- Check all permissions except the "Remove asset" permission and click Save button.
- Under the asset permissions you find three tables where default permissions for reports, work orders and attachments created by the user group "Head office maintainers" are defined.
- Add user groups "Administrators" and "Users" to the all three tables by selecting user groups from the dropdown menus and by clicking Add button. Check all permissions for the user group "Head office maintainers" and "View" and "Change state" permissions for the user groups "Administrators and "Users" in each of the default permission table and click Save button. Result should look like this:
Taking look at results
Now we are done and it is time to take brief look at what we have accomplished.
- Create an another asset under the asset "CMMS (NorfelloCMMS)", say "TEST (Testing)", which will be using same permissions as its parent (consult Creating assets for help).
- Logout
- Login as the user "jsmith" (created in Creating and administering user accounts).
- Notice that the asset "CMMS (NorfelloCMMS)" cannot be selected from the asset tree and that the asset "TEST (Testing)" doesn't exist in the asset tree at all. This is because the "jsmith"'s only user group "Head office maintainers" only has permission to view the asset "HEADOFF (Head office)".
- Select Configuration from the top menu. Notice that the top menu only has Asset type menu in it. This because "jsmith"'s keyrings, the keyring "Asset type managers" only contains keys for asset type managing and the keyring "Users" doesn't contain keys for configuration functions.
http://cmms.norfello.com/cmms/attachment/wiki/AccessControlAndPermissions/jsmith_conf.png?format=raw
Additional information
Attachments
- key_list.png (74.4 kB) - added by markku on 09/14/06 18:56:14.
- keyring_list.png (79.6 kB) - added by markku on 09/14/06 18:56:29.
- keys.png (0.6 kB) - added by markku on 09/14/06 19:15:41.
- users_keys.png (79.8 kB) - added by markku on 09/14/06 19:15:54.
- owners.png (0.8 kB) - added by markku on 09/14/06 19:30:45.
- edit.png (0.6 kB) - added by markku on 09/14/06 19:30:57.
- cb.png (305 bytes) - added by markku on 09/14/06 19:45:43.
- create.png (65.9 kB) - added by markku on 09/14/06 19:57:59.
- created.png (82.2 kB) - added by markku on 09/14/06 19:58:13.
- adding.png (77.1 kB) - added by markku on 09/14/06 20:10:15.
- added.png (77.0 kB) - added by markku on 09/14/06 20:10:30.
- list.png (0.8 kB) - added by markku on 09/14/06 20:24:01.
- add_user.png (78.4 kB) - added by markku on 09/14/06 20:29:10.
- users_keyrings.png (51.1 kB) - added by markku on 09/15/06 11:31:18.
- close.png (1.0 kB) - added by markku on 09/15/06 11:41:19.
- user_groups.png (75.7 kB) - added by markku on 09/15/06 13:41:13.
- create_ug.png (71.4 kB) - added by markku on 09/15/06 13:47:27.
- created_ug.png (83.1 kB) - added by markku on 09/15/06 13:47:40.
- users_ug.png (83.5 kB) - added by markku on 09/15/06 14:10:22.
- asset.png (70.5 kB) - added by markku on 09/15/06 14:31:42.
- pb.png (0.9 kB) - added by markku on 09/15/06 14:32:39.
- permissions1.png (76.1 kB) - added by markku on 09/15/06 14:44:28.
- permissions2.png (88.5 kB) - added by markku on 09/15/06 14:44:46.
- permissions3.png (86.5 kB) - added by markku on 09/15/06 14:45:20.
- permissions4.png (85.5 kB) - added by markku on 09/15/06 14:48:34.
- permissions5.png (60.2 kB) - added by markku on 09/15/06 14:51:34.
- permissions6.png (62.4 kB) - added by markku on 09/15/06 15:14:36.
- jsmith_login.png (70.8 kB) - added by markku on 09/15/06 15:28:54.
- jsmith_conf.png (65.1 kB) - added by markku on 09/15/06 15:29:04.
