Tasks and Roles: Difference between revisions

From IHRIS Wiki
No edit summary
Line 1: Line 1:
iHRIS utiliza un mecanismo de seguridad basado en Roles y Tareas para limitar el acceso a las diversas partes del sistema. A un usuario se le asigna un rol y un rol es un conjunto de tareas que ese rol puede realizar.
iHRIS uses a Role and Task based security mechanism to limit access to various parts of the system. A user is assigned a role, and a role is a collection of tasks that the role can perform.


Este artículo describe como se definen los roles y tareas en Datos Magic y utilizados por el sistema iHRIS.  
This article describes how roles and tasks are defined in Magic Data and used by the iHRIS system.  


=Roles=
=Roles=
Un rol es una colección de [[#Tasks|tareas]] que pueden asignarse a la cuenta de un usuario.
A role is a collection of [[#Tasks|tasks]] that can be assigned to a user's account.
*los nombres de los roles se definen como los secundarios de [[Configuration (Magic) Data|ruta de magic data]] /I2CE/roles/names
*role names are defined as the children of the [[Configuration (Magic) Data|magic data path]] /I2CE/roles/names
*un rol $role tiene un display definido en /I2CE/roles/names/$role/display_name
*a role $role has a display name defined at /I2CE/roles/names/$role/display_name
*los roles pueden heredar tareas de otro al agregarlo como el valor de un nodo secundario de /I2CE/roles/names/$role/trickle_up <br/>Por ejemplo, en iHRIS Manage en el /I2CE/roles/names/hr_staff tenemos:
*roles can inherit tasks from one another by adding it as a value of a child node of /I2CE/roles/names/$role/trickle_up <br/>For example, in iHRIS Manage at the /I2CE/roles/names/hr_staff we have:
** display_name => HR Staff  
** display_name => HR Staff  
** trickle_up => Array  
** trickle_up => Array  
*** 0 => admin  
*** 0 => admin  
*** 1 => hr_manager  
*** 1 => hr_manager  
dice que el rol de hr_staff aparece como 'HR Staff' y que un hr_manager o admin tiene todas las tareas que tiene un hr_staff.
says that the role hr_staff is displayed as 'HR Staff' and that an hr_manager or admin has all the tasks that a hr_staff has.


=Tareas=
=Tasks=
Una tarea puede ser tanto una colección de sub-tareas que tiene esta tarea y la descripción de alguna acción cuyo permiso se puede verificar. La información de las tareas se guarda en datos magic bajo /I2CE/tasks/.  Para crear una tarea se crea un nodo secundario de tipo escalar de /I2CE/tasks/task_description.  El nombre del nodo es el nombre utilizado para referenciar la tareaEl valor del nodo es la descripción de la tarea que se muestra en la página de Manejo de Tareas y RolesPor ejemplo, el nodo de magic data /I2CE/tasks/task_description puede verse así:
A task can be both a collection of sub-tasks that this task has and description of some action that can be checked for permission. Task information is stored in magic data under /I2CE/tasks/.  To create a task you create a scalar type child node of /I2CE/tasks/task_description.  That name node of the node is the name used to reference the taskThe value of the node is the description of the task displayed in the Task and Role Management pageFor example, the magic data node /I2CE/tasks/task_description may look something like:
* custom_report_admin => Permite la administración del Sistema de Informes Personalizados
* custom_report_admin => Allows administration of the Custom Reporting System
* custom_reports_can_access => Permite acceso mínimo al Sistema de Informes Personalizados
* custom_reports_can_access => Allows minimal access to the Custom Reporting System
* custom_reports_delete => Permite eliminación de datos acerca de los informes personalizados
* custom_reports_delete => Allows deletion of data about custom reports
* custom_reports_can_access_relationships => Permite acceso a las Relaciones de Informes Personalizados
* custom_reports_can_access_relationships => Allows access to the Custom Report Relationships
Puede definir la sub-tarea de una tarea $task al especificar /I2CE/tasks/task_trickle_down_task.  Por ejemplo, el nodo de datos magic /I2CE/tasks/task_trickle_down/custom_reports_admin puede verse así:
You can define the sub tasks of a task $task by specifying /I2CE/tasks/task_trickle_down_task.  For example, the magic data node /I2CE/tasks/task_trickle_down/custom_reports_admin may look like:
* 0 => custom_reports_can_access   
* 0 => custom_reports_can_access   
* 1 => custom_reports_delete_reports  
* 1 => custom_reports_delete_reports  
lo que dice que la tarea de 'custom_report_admin' tiene todas las tareas y derechos definidos por  'custom_reports_can_access' y 'custom_reports_delete_reports.'
which says that the 'custom_report_admin' task has all the tasks and rights defined by 'custom_reports_can_access' and 'custom_reports_delete_reports.'


Las tareas que se asignan a un rol $role son los valores de los secundarios bajo /I2CE/tasks/role_trickle_down/$role
The tasks that are assigned to a role $role are the values of the children under /I2CE/tasks/role_trickle_down/$role


Un usuario con el rol 'admin' tiene todas las tareas.
A user with the role 'admin' has all tasks.


=Usos de las Tareas y Roles=
=Uses of Tasks and Roles=
Las tareas y roles se utilizan en varios lugares:
The tasks and roles are used in several places:
*La clase principal [[Pages and Templates#Page Logic|I2CE_Page]] revisa los permisos básicos de la página.   
*The main [[Pages and Templates#Page Logic|I2CE_Page]] class checks for basic permission for the page.   
*Varias páginas revisan los roles específicos y las tareas en su método action().
*Several pages perform checks for specific roles and tasks in their action() method.
*Antes de mostrar el HTML la clase I2CE_Template, verifica que todas las tareas, roles y permisos esten satisfechos en cada nodo.
*Just before displaying the HTML the I2CE_Template, class verifies that all tasks, roles and permissions are satisfied on each node.


=Administración de Tarea y Rol=
=Task and Role Administration=
Para implementación en varias computadoras, las tareas y los roles deben establecerse en un [[Module Structure#Module Configuration File|archivo de configuración]] de módulo adecuado.
For deployment across many computers, tasks and roles should be set up in an appropriate module [[Module Structure#Module Configuration File|configuration file]].


Para establecer tareas y roles de manera dinámica, el módulo 'tasks-roles' proporciona la página llamada 'roles' y la página llamada 'tasks' que permite la creación de nuevos roles y tareas; así como la definición de la herencia de permisos.
For setting tasks and roles dynamically, the module 'tasks-roles' provides the page named 'roles' and the page named 'tasks' that allows creating new roles and tasks as well as defining the permission inheritance.


=Permisos y Analizador de Permisos=
El analizador de permisos permite expresiones lógicas para combinar varios tipos de persmisos, tales como ''tarea'', ''roles'', en una ''cadena de permisos''.


Podemos asignar tareas, roles y permisos a los nodos DOM al:
=Permissions and the Permission Parser=
*Establecer el atributo ''rol''.  <br/>Si el valor es X, esto resulta en la cadena de permiso ''rol(X)'' que se pasa al analizador de permisos
The permission parser allows logical expressions to combine severals types permissions, such as ''task'', ''roles'', into a ''permission string''.
*Establecer el atributo ''task''. <br/>Si el valor es X, esto resulta en la cadena de permiso  ''task(X)'' que se pasa al analizador de permisos
*Establecer el atributo ''permiso.''
Si el nodo falla cualquiera de las revisiones rol, tarea o permiso, eliminará el nodo


==Tipos de Permiso: tarea y rol==
We can assign tasks, roles and permissions to DOM nodes by:
Los tipos de permisos de tarea y roles se forman rodeando el nombre de un rol con role() o el nombre de una tarea con task().  Por ejemplo, se puede crear la siguiente ''cadena de permiso'':
*Setting the attribute ''role''.  <br/>If the values is X, this results in the permission string ''role(X)'' which is passed to the permission parser
*Setting the attribute ''task''. <br/>If the values is X, this results in the permission string ''task(X)'' which is passed to the permission parser
*Setting the attribute ''permission.''
If the node fails any of the role, task or permission checks it will remove the node
 
==Permission Types: task and role==
The task and role type permissions are formed by surrounding a role name with role() or a task name with task().  For example, you can create the following ''permission string'':
  (task(can_edit_database_list_facility_type) & task(can_edit_database_list_fav_color) || role(admin)
  (task(can_edit_database_list_facility_type) & task(can_edit_database_list_fav_color) || role(admin)
Por defecto, las tareas y roles son 'OR'ed juntos así que los siguientes son todos iguales:
By default, tasks and roles are 'OR'ed together so the following are all the same:
*task(can_edit_database_list_facility_type) or task(can_edit_database_list_fav_color)
*task(can_edit_database_list_facility_type) or task(can_edit_database_list_fav_color)
*task(can_edit_database_list_facility_type) | task(can_edit_database_list_fav_color)
*task(can_edit_database_list_facility_type) | task(can_edit_database_list_fav_color)
Line 60: Line 61:
*task(can_edit_database_list_facility_type|can_edit_database_list_fav_color)
*task(can_edit_database_list_facility_type|can_edit_database_list_fav_color)


== Tipo de Permiso: módulo==
== Permission Type: module==
Cualquier función pública de una [[Module Structure#The Module Class|clase de módulo]] puede llamarse utilizando el analizador de permisos. Por ejemplo, suponga que el modulo 'my_module' tiene un método 'my_method()' entonces podemos utilizar como la cadena de permiso con [[#Arguments|argumentos]]:
Any public function of a [[Module Structure#The Module Class|module class]] can be called by the permission parser. For example, suppose that the module 'my_module' has a method 'my_method()' then we can use as the permission string with [[#Arguments|arguments]]:
  module('my_module','my_method', [arg1], ... , [argN])
  module('my_module','my_method', [arg1], ... , [argN])
lo que resultaría en el llamado:
which would results in the call:
  $module->my_method($arg1,..,$argN)
  $module->my_method($arg1,..,$argN)
donde $module es la instancia de la clase del módulo para el módulo 'my_module.'
where $module is the instance of the module class for the module 'my_module.'


==Tipo de Permiso: formulario==
==Permission Type: form==
El módulo 'forms' incluye el tipo de formulario. La cadena de permiso con [[#Arguments|argumentos]]:
The 'forms' module adds in the form type. The permission string with [[#Arguments|arguments]]:
  form('form_name', 'form_method', [arg1] , .., [argN])
  form('form_name', 'form_method', [arg1] , .., [argN])
resulta en el llamado:
results in the call:
  $form->form_method($arg1,..,$argN)
  $form->form_method($arg1,..,$argN)
donde $form es el resultado de obtener el formulario por el nombre de 'form_name' por medio de los [[Pages and Templates#Template Data|datos de la plantilla]] para el nodo (si hubiese alguno) al que se asignó la cadena de permiso.
where $form is the result of getting the form by the name of 'form_name' via  [[Pages and Templates#Template Data|template data]] for node (if there was any) the permission string was assigned to.


==Argumentos==
==Arguments==
Un tipo de permiso (tal como rol, tarea, formulario o módulo) en una cadena de permiso, se comporta esencialmente como una función. Suponga que tenemos la forma general de una pieza de una cadena de permiso:
A permission type (such as role, task, form or module) in a permission string behaves essentially like a function. Suppose that we have the general shape for a piece of a permission string:
  type([arg1],[arg2],...,[argN])
  type([arg1],[arg2],...,[argN])
Entonces esto resulta en el método llamada:
Then this results in the method call:
  $permissionParsrer->hasPermission_$type($node,$args)
  $permissionParsrer->hasPermission_$type($node,$args)
donde $node es el DOMNode en el que se llamó la cadena de permiso y $args es el arreglo $arg1,..$argN).  El analizador de permiso convierte [argM] en $argM de acuerdo a las siguientes reglas:
where $node is the DOMNode the permission string was called on and $args is the array($arg1,..$argN).  The permission parser turns [argM] into $argM according to the following rules:
*Si [argM] empieza con un $ entonces se refiere a los datos de la plantilla y las siguientes reglas aplican:
*if [argM] starts with a $ then it refers to template data and the following rules apply:
**La cadena tiene el formulario $abcd. El valor de $argM se convierte en la plantilla para mostrar los datos con el nombre 'abcd.'
**The string has the form $abcd. The value of $argM becomes the template display data with name 'abcd.'
**La cadena tiene el formulario ${WXYZ}abcd.  El valor de $argM se convierte en los datos de la plantilla con la categoría 'WXYZ' y con el nombre 'abcd.'
**The string has the form ${WXYZ}abcd.  The value of $argM becomes the template data with category 'WXYZ' and with name 'abcd.'
*<NODE> se convierte en la instancia de DOMNode (si hay) en la que se llamó la cadena de permiso 
*<NODE> becomes the instance of DOMNode (if any) that the permission string was called on
*<TEMPLATE> se convierte en la instancia de I2CE_Template (si hay) en la que se llamó el analizador de permiso
*<TEMPLATE> becomes the instance of I2CE_Template (if any) that the permission parser was called on
*<USER> se convierte en la instancia de I2CE_User que es esta sesión
*<USER> becomes the instance of I2CE_User that is this session
*si [argM] empieza con una sola comilla ' entonces es una cadena hasta que la siguiente ' no-escapada se encuentre
*if [argM] starts with a single quote ' then it is a string until the next non-escaped ' is found
*si [argM] empieza con una doble comilla " entonces es una cadena hasta que la siguiente " no-escapada se encuentre. <br/>Además se aplican las siguientes reglas de sustitución:
*if [argM] starts with a double quote " then is is a string until the next non-escaped " is found. <br/>In addition the following substitution rules apply:
**cualquier sub-cadena que empieza con $ y que consiste de caracteres alfanuméricos , - o _ se interpreta como datos mostrados en la plantilla a ser sustituidos <br> Por ejemplo "mi nombre es $name" se convierte en "mi nombre es Joe" si los datos de la plantilla llamada 'name' y con el DISPLAY tipo "Joe"
**any substring starting with $ and consisting of alpha-numeric characters, - or _ is interpreted as template display data to be substituted<br> For example "my name is $name" becomes "my name is Joe" if the template data named 'name' and with type DISPLAY is "Joe"
**cualquier sub-cadena que empiece con {$ se lee hasta que se encuentre un } .  La cadena entre $ { y } es el nombre del dato de la plantilla de DISPLAY que es entonces sustituido .
**any substring starting with {$ is read until an enclosing } is foundThe string between the ${ and } is the name of DISPLAY template data which is then substituted.
**Para prevenir lo anterior, { y $ se pueden escapar con una \
**To prevent the above, { and $ may be escaped with a \
*cualquier otra cadena de caracteres alfanuméricos (y algunos signos de puntuación permitidos) se interpretan como una cadena
*any other string of alpha-numeric characters (and a few permitted punctuation marks) is interpreted as a string


Los argumentos se pueden separar con una coma, un espacio o un |.
Arguments may be separated by a comma a space or a |.


==Nuevos Tipos==
==New Types==
Un módulo puede agregar un [[Module Structure#Fuzzy Methods|método fuzzy]] del formulario  ''hasPermision_$type'' a la clase ''I2CE_PermissionParser'' para permitir un Nuevo tipo de permiso, Por ejemplo el módulo de 'forms' hace esto añadiendo un un nuevo 'form.' de tipo de permiso
A module can add in a [[Module Structure#Fuzzy Methods|fuzzy method]] of the form ''hasPermision_$type'' to the ''I2CE_PermissionParser'' class to enable a new permission type.  For example the 'forms' module does this by adding in a new permission type 'form.'


[[Category:Technical Overview]][[Category:Security]][[Category:Roles]][[Category:Tasks]][[Category:Review2013]][[Category:Needs Intro]]
[[Category:Technical Overview]][[Category:Security]][[Category:Roles]][[Category:Tasks]][[Category:Review2013]][[Category:Needs Intro]]

Revision as of 20:55, 30 September 2013

iHRIS uses a Role and Task based security mechanism to limit access to various parts of the system. A user is assigned a role, and a role is a collection of tasks that the role can perform.

This article describes how roles and tasks are defined in Magic Data and used by the iHRIS system.

Roles

A role is a collection of tasks that can be assigned to a user's account.

  • role names are defined as the children of the magic data path /I2CE/roles/names
  • a role $role has a display name defined at /I2CE/roles/names/$role/display_name
  • roles can inherit tasks from one another by adding it as a value of a child node of /I2CE/roles/names/$role/trickle_up
    For example, in iHRIS Manage at the /I2CE/roles/names/hr_staff we have:
    • display_name => HR Staff
    • trickle_up => Array
      • 0 => admin
      • 1 => hr_manager

says that the role hr_staff is displayed as 'HR Staff' and that an hr_manager or admin has all the tasks that a hr_staff has.

Tasks

A task can be both a collection of sub-tasks that this task has and description of some action that can be checked for permission. Task information is stored in magic data under /I2CE/tasks/. To create a task you create a scalar type child node of /I2CE/tasks/task_description. That name node of the node is the name used to reference the task. The value of the node is the description of the task displayed in the Task and Role Management page. For example, the magic data node /I2CE/tasks/task_description may look something like:

  • custom_report_admin => Allows administration of the Custom Reporting System
  • custom_reports_can_access => Allows minimal access to the Custom Reporting System
  • custom_reports_delete => Allows deletion of data about custom reports
  • custom_reports_can_access_relationships => Allows access to the Custom Report Relationships

You can define the sub tasks of a task $task by specifying /I2CE/tasks/task_trickle_down_task. For example, the magic data node /I2CE/tasks/task_trickle_down/custom_reports_admin may look like:

  • 0 => custom_reports_can_access
  • 1 => custom_reports_delete_reports

which says that the 'custom_report_admin' task has all the tasks and rights defined by 'custom_reports_can_access' and 'custom_reports_delete_reports.'

The tasks that are assigned to a role $role are the values of the children under /I2CE/tasks/role_trickle_down/$role

A user with the role 'admin' has all tasks.

Uses of Tasks and Roles

The tasks and roles are used in several places:

  • The main I2CE_Page class checks for basic permission for the page.
  • Several pages perform checks for specific roles and tasks in their action() method.
  • Just before displaying the HTML the I2CE_Template, class verifies that all tasks, roles and permissions are satisfied on each node.

Task and Role Administration

For deployment across many computers, tasks and roles should be set up in an appropriate module configuration file.

For setting tasks and roles dynamically, the module 'tasks-roles' provides the page named 'roles' and the page named 'tasks' that allows creating new roles and tasks as well as defining the permission inheritance.


Permissions and the Permission Parser

The permission parser allows logical expressions to combine severals types permissions, such as task, roles, into a permission string.

We can assign tasks, roles and permissions to DOM nodes by:

  • Setting the attribute role.
    If the values is X, this results in the permission string role(X) which is passed to the permission parser
  • Setting the attribute task.
    If the values is X, this results in the permission string task(X) which is passed to the permission parser
  • Setting the attribute permission.

If the node fails any of the role, task or permission checks it will remove the node

Permission Types: task and role

The task and role type permissions are formed by surrounding a role name with role() or a task name with task(). For example, you can create the following permission string:

(task(can_edit_database_list_facility_type) & task(can_edit_database_list_fav_color) || role(admin)

By default, tasks and roles are 'OR'ed together so the following are all the same:

  • task(can_edit_database_list_facility_type) or task(can_edit_database_list_fav_color)
  • task(can_edit_database_list_facility_type) | task(can_edit_database_list_fav_color)
  • task(can_edit_database_list_facility_type) task(can_edit_database_list_fav_color)
  • task(can_edit_database_list_facility_type,can_edit_database_list_fav_color)
  • task(can_edit_database_list_facility_type can_edit_database_list_fav_color)
  • task(can_edit_database_list_facility_type|can_edit_database_list_fav_color)

Permission Type: module

Any public function of a module class can be called by the permission parser. For example, suppose that the module 'my_module' has a method 'my_method()' then we can use as the permission string with arguments:

module('my_module','my_method', [arg1], ... , [argN])

which would results in the call:

$module->my_method($arg1,..,$argN)

where $module is the instance of the module class for the module 'my_module.'

Permission Type: form

The 'forms' module adds in the form type. The permission string with arguments:

form('form_name', 'form_method', [arg1] , .., [argN])

results in the call:

$form->form_method($arg1,..,$argN)

where $form is the result of getting the form by the name of 'form_name' via template data for node (if there was any) the permission string was assigned to.

Arguments

A permission type (such as role, task, form or module) in a permission string behaves essentially like a function. Suppose that we have the general shape for a piece of a permission string:

type([arg1],[arg2],...,[argN])

Then this results in the method call:

$permissionParsrer->hasPermission_$type($node,$args)

where $node is the DOMNode the permission string was called on and $args is the array($arg1,..$argN). The permission parser turns [argM] into $argM according to the following rules:

  • if [argM] starts with a $ then it refers to template data and the following rules apply:
    • The string has the form $abcd. The value of $argM becomes the template display data with name 'abcd.'
    • The string has the form ${WXYZ}abcd. The value of $argM becomes the template data with category 'WXYZ' and with name 'abcd.'
  • <NODE> becomes the instance of DOMNode (if any) that the permission string was called on
  • <TEMPLATE> becomes the instance of I2CE_Template (if any) that the permission parser was called on
  • <USER> becomes the instance of I2CE_User that is this session
  • if [argM] starts with a single quote ' then it is a string until the next non-escaped ' is found
  • if [argM] starts with a double quote " then is is a string until the next non-escaped " is found.
    In addition the following substitution rules apply:
    • any substring starting with $ and consisting of alpha-numeric characters, - or _ is interpreted as template display data to be substituted
      For example "my name is $name" becomes "my name is Joe" if the template data named 'name' and with type DISPLAY is "Joe"
    • any substring starting with {$ is read until an enclosing } is found. The string between the ${ and } is the name of DISPLAY template data which is then substituted.
    • To prevent the above, { and $ may be escaped with a \
  • any other string of alpha-numeric characters (and a few permitted punctuation marks) is interpreted as a string

Arguments may be separated by a comma a space or a |.

New Types

A module can add in a fuzzy method of the form hasPermision_$type to the I2CE_PermissionParser class to enable a new permission type. For example the 'forms' module does this by adding in a new permission type 'form.'