With the creation of the Institution domain object, we should provide a new
tier of permissions that allow institutions greater autonomy over managing
their expeditions, whilst protecting other expeditions from accidental
modification/deletion.

New (BVP application managed) roles 'Institution_Admin' and
'Institution_Validator' need to be created, which are always linked with an
institution id. It is conceivable that some users will have multiple
Institution_Admin and Institution_Validator roles, each with a different
institution id.

Institution_Admins can:
* Create new expeditions that are implicitly linked to the institution. If a
user has more than one "Institution_Admin" role, a list of institutions should
be provided. Perhaps always show a drop down of institutions - with either one
or many institutions?
* Assign the "Institution_Admin" role for their institution to other users (again the
list of institutions is constrained by their own roles)
* Assign "Institution_Validator" roles to users
* Modify institution profile details (description, logos, contact details etc)
* Manage institution picklist items (collection codes?)
* Manage institution templates. All templates will be readonly by default, but
can be cloned and attached to an institution.

Consider putting all permission checks in a service so that the rules can be
easily codified:
* BVP_ADMIN can do anything
* Institution_Admin can do anything to institution expeditions
* Institution_Validator can validate any expedition of that institution
* Existing project_validator roles still need to be honoured
* BVP_USER can transcribe only
Original issue reported on code.google.com by david.ba...@gmail.com on 13 Jun 2014 at 12:26
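
The rules listed in the issue, codified as a single permission service. This is an added example, not code from the BVP project: the role names come from the issue, while the `Grant`/`Expedition` model, the action strings, and scoping `project_validator` to one expedition id are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Role names come from the issue; the data model below is assumed.
BVP_ADMIN, BVP_USER = "BVP_ADMIN", "BVP_USER"
INSTITUTION_ADMIN = "Institution_Admin"
INSTITUTION_VALIDATOR = "Institution_Validator"
PROJECT_VALIDATOR = "project_validator"

@dataclass(frozen=True)
class Grant:
    role: str
    institution_id: Optional[int] = None  # set for institution-scoped roles
    expedition_id: Optional[int] = None   # set for project_validator (assumed)

@dataclass(frozen=True)
class Expedition:
    id: int
    institution_id: Optional[int] = None  # None = not linked to an institution

class PermissionService:
    """Single decision point: anything not explicitly allowed is denied."""
    def __init__(self, grants_by_user):
        self._grants = grants_by_user  # user name -> list of Grant

    def is_allowed(self, user, action, expedition):
        grants = self._grants.get(user, [])
        roles = {g.role for g in grants}
        if BVP_ADMIN in roles:
            return True
        inst = expedition.institution_id
        # Unscoped grants (institution_id None) must never match an unlinked expedition.
        scoped = {g.role for g in grants if inst is not None and g.institution_id == inst}
        if INSTITUTION_ADMIN in scoped:
            return True
        if action == "validate":
            return INSTITUTION_VALIDATOR in scoped or any(
                g.role == PROJECT_VALIDATOR and g.expedition_id == expedition.id for g in grants)
        return action == "transcribe" and BVP_USER in roles

    def assignable_institutions(self, user):
        """Institutions for which `user` may assign institution roles to others."""
        return {g.institution_id for g in self._grants.get(user, [])
                if g.role == INSTITUTION_ADMIN and g.institution_id is not None}

# Constructed sample grants for illustration.
GRANTS = {
    "alice": [Grant(BVP_USER), Grant(INSTITUTION_ADMIN, institution_id=1)],
    "bob": [Grant(BVP_USER), Grant(INSTITUTION_VALIDATOR, institution_id=1),
            Grant(PROJECT_VALIDATOR, expedition_id=20)],
    "carol": [Grant(BVP_USER)],
}
```

Because every check goes through `is_allowed`, a role or action that no rule names falls through to a denial rather than an implicit allow.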