second user access level...

[juergen_mueller]

Hello Eugenio

This belongs to the feature request forum, perhaps. But maybe other users have similar issues.

Firstly, this is the application set up I provide for a customer:

The application is used by more than 250 schools in Switzerland, in all three official languages. It manages pupils who participate in special a programme in order to find an apprenticeship after mandatory school, companies who provide those places and other more general information.

Access is based on id_user, there is three (main) groups (id_group) for the three languages. However, there is sometimes more than one person (attached to the individual school) who uses the same login credentials (first possible point for confusion or 'miss use').

Schools can only see there own pupils (data protection) with personal data, and other information, e.g. comments about their performance in a company or at school.

At a school, there are people with different roles (mostly 3) in this programme, sometimes one person covers more than one role. Each role should have access to different data, once more comprehensive, once more limited.

So far, I use a lot of views and second or third DaDaBIK installation for the same database to manage these different access (and language) levels which gets more and more confusing as the demands for the applications become increasingly comprehensive, adding new options and tasks (evaluation, documents management etc.).

My wish, dream, request... would be to have a second user access level as follows:

- General access by id_group
- Schools are grouped by id_group access level (with an extra language field ;-))
- Individuals belong to a group (school) having different access levels for data of the group, let's say a, b, c

So, School A has three individuals granting access to three different data sets each a, b, c (views e.g.). Or, School B has two individuals where one person covers two roles and has access to a and c while the other person has access to b only.

I hope you understand my issue. Maybe I'm thinking to complicated. Any idea for putting this setup in more straight forward way, is highly appreciated.

Thanks and best wishes

Juergen

 

[eugenio]

Hello Juergen,
a two-levels group model is something I would like to implement in the future because it can be useful in many complex applications. Normally there could be the need for an additional level of groups because you want to assign the same "ownership" to all the groups belonging to a "supergroup".

Let me understand better your specific case, though. Let's forget for a moment the language issue; as far as I understand, the ideal solution would be: each school is a "supergroup" and can have several belonging groups (with different privileges, as usual); each of these groups can see not only the records belonging to the group itself but all the records belonging to the "supergroup" (the school). Am I right?

I am talking about groups and not users because in DaDaBIK as you know you assign privileges to groups (and, in case you need, you can create a group containing just one user).

 

[D]

I have a need for this as well. I am building a multi-tenant help desk with billing in it. I need to have several companies in there. Each company needs a superuser to maintain and use all the information for the company. I need a secondary level group who has the ability to approve submitted help desk tickets, and third group that just gets to add new tickets and view existing tickets. Is there a way within Dadabik that I can create a workaround that will do this? - Thanks Darin


About/Check upgrade

DaDaBIKâ„¢ is a product conceived and developed by Eugenio Tacchini
Copyright ©2001-2017 Eugenio Tacchini
dadabik.com



You are using DaDaBIK version 8.3-Lerici enterprise, installed on 05-25-2018 (installation code: 0), the latest version of DaDaBIK is released on --

You are not running the last release of DaDaBIK, the release you are running might have bugs and security holes, see the official change log for further information. You can upgrade DaDaBIK here.

PHP Version: 5.6.34

mysql version: 5.6.27

Web server: Apache

Client: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36

 

[eugenio]

I am not sure if I have understood the scenario entirely but I think in this case the problem is different: you can already create different groups having different permissions on the fields (for example the group that needs to approve the ticket will have edit permission on the "status" field, while the group that just submits the ticket won't have such permission).

I am not sure about the role of a "company" here; if your problem is to use the record level permissions (ownership) on a field (let's say id_company) which is not the username (or the group id) of the user who inserted the record, at the moment you cannot do that with a built-in DaDaBIK function.

Maybe you could create several views (one per company) and assign permissions, for each view, to the relative company (which needs to be assigned to a group), but I am not sure if this is what you want.

Best,

 

[juergen_mueller]

Hi, Eugenio

Firstly, thanks for the great DaDaBik 9 Update, great step!

However, I need to come back to the issue described above. I rather urgently need a solution for the second user access level (group level). I have users who belong to the 'supergroup' and should belong to one or several subgroups with different privileges as well. This is because of data protection.

Is there any workaround until you have implemented this feature in future?

Thanks for highly appreciated support,

Juergen

 

[wester9]

Hi, Eugenio,

I have a similar need. I have a system used by personal training studios. Clients have their own personal trainer (they do not just go to anyone at that studio), but each Personal Trainer needs to see client information for any clients for that studio but no other studio (so the trainers can back each other up). This is working fine by me setting permissions at a group level and having a trainer group for each studio with the client tables permissions set to MY.

However, now the company has created positions where there are managers over combinations of studios (regions), and those managers can also still be personal trainers at their home studio. They need a higher level access to multiple studios (but not all of them) and with more permissions than the personal trainers would have, but also be able to have their group code for their personal studio added to any client records they create so that the other trainers in that studio can see those client records. If the 1st part can be solved, I can give them edit rights to the ID_USER field to change their group code on client records they create.

Do you have any suggestions?

Thank you,

Ruth

 

[juergen_mueller]

Hi Ruth

From DaDaBIK 9.1 (enterprise/platinum) onwards, I think you can use custom_filters to achieve your needs. In combination with table views you can almost combine everything you want.

Best, Juergen