search

bsed / ala

Automatically exported from code.google.com/p/ala
0 stars 0 forks source link

CAS role between ALA_ADMIN and FC_ADMIN required #505

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
Since ROLE_FC_ADMIN has been used for the 200+ Departmental staff requiring 
access to all projects in MERIT, it was necessary to remove the editing 
permission to static content for this role, thus returning the maintenance of 
static content to ALA staff. DoE has requested that they still have access to 
this administrative function, but only to 2-3 nominated people. It is also 
anticipated that these few people will need to be able to unlock "Approved" 
stage reports for editing - functionality still to be developed.

In order to more fully devolve operational admin to DoE, another CAS role is 
required which has all of the permissions of ROLE_FC_ADMIN + edit permission to 
"Static pages" and stage unlocking (when built).

Options:
1) Use ROLE_FC_ADMIN for the higher permissions and create a ROLE_FC_OFFICER 
for the permissions currently attributed to ROLE_FC_ADMIN (preferred in respect 
to terminology, but some overhead in reconfiguring the role for 200+ users), or
2) Create a new ROLE_FC_?????? for the higher permissions.

Original issue reported on code.google.com by CoolDa...@gmail.com on 6 Jan 2014 at 4:24

GoogleCodeExporter commented 9 years ago 
I'd vote for (1). Switching the role over for users should be possible with SQL.

Original comment by moyesyside on 13 Jan 2014 at 1:58

GoogleCodeExporter commented 9 years ago 
Option 2 would be a more minor change, as it would not involve a bulk change 
over of roles (SQL editing on live AUTH server)  nor changing/checking of all 
the existing ROLE code in the FC app (should be a simple matter of updating 
conf file but not 100% sure all lookups are using the conf var). A possible 
role name could be ROLE_FC_SYSADMIN.

Original comment by nickdos on 13 Jan 2014 at 10:52

GoogleCodeExporter commented 9 years ago 
Went with option 1 - commit was for 11 files so it was a major refactor. Will 
need to be tested on test server before migrating. All existing ROLE_FC_ADMIN 
users will need to be given ROLE_FC_OFFICER in auth with SQL:

insert into user_role( user_id, role_id ) select user_id, "ROLE_FC_OFFICER" 
from user_role where role_id = 'ROLE_FC_ADMIN'

Then after migration, ROLE_FC_ADMIN will be removed from everyone and then 
added back to the few who need it (less than 10).

Original comment by nickdos on 15 Jan 2014 at 4:50

GoogleCodeExporter commented 9 years ago 

delete from user_role where role_id = "ROLE_FC_OFFICER"

update user_role set role_id = "ROLE_FC_OFFICER" where role_id = "ROLE_FC_ADMIN"

Original comment by nickdos on 16 Jan 2014 at 10:50