User Story: Roles and Permissions

lbridgman commented 6 years ago

As a ChurchCRM administrator, I want to assign users to user roles, so that I can have easier control over what my users can see and do.

Current State

In UserEditor.php, we assign permissions for various tasks to a single individual.

In very few cases (such as managing donations and finance), entire user interface segments and menu options are hidden unless the permission is enabled. In most other cases, users are allowed to see and interact with anything – if the permission is not enabled, the user will be redirected to /Main.php.

The problem with this current state is twofold:

User management is cumbersome for the system administrator. Each individual user has to have specific permissions enabled or disabled.
User management is inconsequential – a lot of features remain on the user interface even if the user does not have permissions to access them.

Future State

In order to scale an administrator’s ability to control user access, I want to:

Introduce the concept of the Role Editor (/RoleEditor.php)
- Individual permissions will be assigned to a user role
- Individual users will be assigned to a user role
- An Administrator role will be delivered by default
- All privileges will be assigned to the Administrator role by default
- The admin user will be assigned to the Administrator role by default
- The admin user will be able to create a new role
- The admin user will be able to name the new role
- The admin user will be able to toggle individual permissions for the new role
- One role can be designated as the “default” role when creating standard users
Streamline the use of the User Editor feature (/UserEditor.php)
- A login name will be determined for the user
- A role will be assigned to the user
- The ability to reset the password will be available to the system administrator
- All older features will be deprecated and moved to the Role Editor
Rewrite the ChurchCRM sidebar menu framework (/Include/Header-function.php) to properly show/hide UI elements and features based on permission settings
- Potentially expand function GetSecuritySettings()
- Potentially rewrite function addMenu()

Mockup: Role Editor

Mockup: User Editor

Mockup: Example View for "Standard Member" role

Mockup: Example View for "Ministry Leader" role

boluak commented 6 years ago

Great! 😁

-------- Original message -------- From: Louis Bridgman notifications@github.com Date: 25/11/2017 04:17 (GMT+06:00) To: ChurchCRM/CRM CRM@noreply.github.com Cc: Subscribed subscribed@noreply.github.com Subject: [ChurchCRM/CRM] User Story: Roles and Permissions (#3428)

As a ChurchCRM administrator, I want to assign users to user roles, so that I can have easier control over what my users can see and do.

Current State

In UserEditor.php, we assign permissions for various tasks to a single individual.

[image]https://user-images.githubusercontent.com/23409144/33224696-4b6114e0-d13a-11e7-9c90-ea1afb79a990.png

In very few cases (such as managing donations and finance), entire user interface segments and menu options are hidden unless the option is enabled. In most other cases, users are allowed to see and interact with anything – if the permission is not enabled, the user will be redirected to /Main.php.

The problem with this current state is twofold:

User management is cumbersome for the system administrator. Each individual user has to have specific permissions enabled or disabled.
User management is inconsequential – a lot of features remain on the user interface even if the user does not have permissions to access them.

Future State

In order to scale an administrator’s ability to control user access, I want to:

Introduce the concept of the Role Editor (/RoleEditor.php)
- Individual permissions will be assigned to a user role
- Individual users will be assigned to a user role
- An Administrator role will be delivered by default
- All privileges will be assigned to the Administrator role by default
- The admin user will be assigned to the Administrator role by default
- The admin user will be able to create a new role
- The admin user will be able to name the new role
- The admin user will be able to toggle individual permissions for the new role
- One role can be designated as the “default” role when creating standard users
Streamline the use of the User Editor feature (/UserEditor.php)
- A login name will be determined for the user
- A role will be assigned to the user
- The ability to reset the password will be available to the system administrator
- All older features will be deprecated and moved to the Role Editor
Rewrite the ChurchCRM sidebar menu framework (/Include/Header-function.php) to properly show/hide UI elements and features based on permission settings
- Potentially expand function GetSecuritySettings()
- Potentially rewrite function addMenu()

Mockup: Role Editor

[image]https://user-images.githubusercontent.com/23409144/33224787-4c682cec-d13b-11e7-929a-ec3c103112e2.png

Mockup: User Editor

[image]https://user-images.githubusercontent.com/23409144/33224788-50b4884a-d13b-11e7-9d29-2070420c3460.png

Mockup: Example View for "Standard Member" role

[image]https://user-images.githubusercontent.com/23409144/33224789-53efbcb4-d13b-11e7-8b85-0ffb4e0c714d.png

Mockup: Example View for "Ministry Leader" role

[image]https://user-images.githubusercontent.com/23409144/33224794-59b31ba0-d13b-11e7-90e2-51aa867eed76.png

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHubhttps://github.com/ChurchCRM/CRM/issues/3428, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AAE1j4Zqht1Bte5XJ29fkl4iTQ1pOrkBks5s50CNgaJpZM4QqNsl.

lbridgman commented 6 years ago

@boluak Glad you approve! We need all the help we can get, this is going to be a big one..

boluak commented 6 years ago

Related #3337

DawoudIO commented 4 years ago

I have been looking at this, and I think we need to address it soon with a few improvements

DawoudIO commented 4 years ago

going with basic schema for 4.1.0

MrClever commented 4 years ago

This is a normal data-structure for role-based security; I like it. The important thing is we might be able to shoe-horn existing system users into a new role based their existing permissions. If not, we'll need some pretty solid documentation on how to migrate users to the new schema. Either way, this is a long overdue feature that people have been asking about - exciting stuff @DawoudIO!!

github-actions[bot] commented 4 months ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] commented 2 months ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] commented 1 month ago

This issue was closed because it has been stalled for 15 days with no activity.

ChurchCRM / CRM