Document Advanced Role Customization options
Capture discussion from https://github.com/farmOS/farmOS/issues/267 along with the main farmOS documentation about roles
parent
8a13080c2f
commit
7d6c5538ec
|
@ -36,3 +36,64 @@ For example, if you are applying for Organic certification in the United States,
|
|||
you can create a user with the Farm Viewer role for your certifying agent, so
|
||||
they can log into your farmOS and see your records.
|
||||
|
||||
## Advanced Role Customization
|
||||
|
||||
Permissions for the provided roles cannot be modified through the admin UI since
|
||||
they are controlled by the Farm Access Roles module. This is not generally an
|
||||
issue since the provided roles have been carefully tailored to work for most
|
||||
applications. However if required, there are three options for customizing user
|
||||
permissions:
|
||||
|
||||
### Additional Roles
|
||||
|
||||
The simplest way to create custom user permissions is to use a few additional
|
||||
roles along with the provided ones. With this strategy, users are given the
|
||||
minimum required permissions using the provided roles then granted any further
|
||||
permissions via custom additional roles that are manually configured.
|
||||
|
||||
For example, suppose some users who have the Farm Worker role but not the Farm
|
||||
Manager role need to be able to Configure farm reports - which they cannot do
|
||||
with their current Farm Worker role. One option would be to make them all Farm
|
||||
Managers. However, this could be confusing or risky if it doesn't match their
|
||||
real-world role or trust level. Instead a new role called "Farm Report Manager"
|
||||
(the name is arbitrary) can be created and given permission to Configure farm
|
||||
reports. This new role can then be selectively given to just those users who
|
||||
need the additional set of permissions.
|
||||
|
||||
### Alternate Roles
|
||||
|
||||
In some cases where significantly different permissions are required than
|
||||
default provided roles, it may be preferable to disable the Farm Access Roles
|
||||
module and create alternate roles manually - or through a custom module.
|
||||
|
||||
For example, suppose some users are responsible only for animals and other users
|
||||
are responsible only for plantings. One option would be to make them all Farm
|
||||
Workers or use the above strategy of additional roles to give those users only
|
||||
the required permissions on top of the Farm Viewer role. However, in some
|
||||
scenarios it may be desirable to make alternate roles which completely supercede
|
||||
the provided ones.
|
||||
|
||||
This carries some advantages;
|
||||
|
||||
* Allows role naming and structure to more directly match an organizations'
|
||||
* May allow closer adherance to the [Principle of Least Privilege][1] where the
|
||||
existing roles are overly permissive for most users
|
||||
|
||||
But also some disadvantages;
|
||||
|
||||
* The alternate roles have to be manually maintained over time - including
|
||||
across farmOS version upgrades which may imply permission changes for all
|
||||
features to work or continue working
|
||||
* All the permissions for the alternate roles have to be manually configured
|
||||
which increases the likelihood of human error in that configuration granting
|
||||
potentially dangerous permissions to some users
|
||||
|
||||
### Farm Access Permission Hook
|
||||
|
||||
Another strategy involves using the provided roles, but leveraging the
|
||||
`hook_farm_access_perms` hook from another module to modify the permissions of
|
||||
those roles. The documentation for that is included in the farm_access module -
|
||||
see [farm_access/farm_access.api.php][2].
|
||||
|
||||
[1]: https://en.wikipedia.org/wiki/Principle_of_least_privilege
|
||||
[2]: https://github.com/farmOS/farmOS/blob/7.x-1.x/modules/farm/farm_access/farm_access.api.php
|
||||
|
|
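Review bot: The first bullet under "This carries some advantages" in the Alternate Roles section stops at "match an organizations'" with no noun after the possessive; finish the sentence and use the singular possessive "organization's". In the same section "supercede" should be "supersede" and "adherance" should be "adherence", and the two list introductions ("This carries some advantages;" and "But also some disadvantages;") should end in a colon rather than a semicolon. The Farm Access Permission Hook section is the only one of the three options with no example and no trade-offs; because it modifies the permissions of the provided roles themselves, it would help to state that a change made through `hook_farm_access_perms` applies to every user holding that role, so readers can weigh it against the Additional Roles approach.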