
At U. Penn, we have several payroll systems.

These systems share a permission model covering which business administrators can view or edit which centers of orgs, and/or which orgs of employees.

Characteristics:

  • The centers (groups of orgs) are not just names of centers, but could be
    ranges of centers.
  • The orgs (groups of employees) are not just names of orgs, but could be
    ranges of orgs.

Access management need:

  • To be able to associate privileges (read or write) to a user, or to a group of users.

For example:

  • John S. can see centers: 3, 5, 7; and orgs: 512, 611; and edit centers: 3, 7; and orgs: 611
  • medicalGroup can see centers: 2, 4-6; and orgs 712, 934, 975-1034, 1115-1120; and edit centers: 2, 5; and orgs: 934, 982-1005

Each privilege should have an optional startTimestamp and endTimestamp.

There should also be a hook so that we can veto a business administrator
being assigned to their own org.

It would also be nice to have a hook that centralizes the decision-making
code, so that it is not replicated in every system that needs to make this
decision, and so that the decision can be requested via web service:

Is user 123 allowed to view org 345?

Another hook would look up which orgs (expanding ranges) user 123 can
view and check whether 345 is among them. If not, it would do an external
query to find which center org 345 belongs to, and then check whether the
user can read that center. It would also honor the startTimestamp /
endTimestamp. It would return T or F.
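The decision described above, worked through as an added example (this is not Grouper code or anything from the original page): privileges carry read/write actions, center and org ranges, optional start/end timestamps, and can be attached to a user or a group. The "is user 123 allowed to view org 345?" check first looks at the user's own and inherited org ranges, then falls back to the org's center. The org-to-center mapping, the group memberships, the business administrators' home orgs and the user ids are constructed sample data; `veto_own_org` is the hypothetical veto hook for the "business administrator assigned to their own org" rule.

```python
"""Added example: payroll-privilege decision with ranges, groups, and effective dates.
All data below is constructed for illustration; nothing here is Grouper's own API."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Set, Tuple

Ranges = Tuple[Tuple[int, int], ...]  # inclusive (lo, hi) pairs


@dataclass(frozen=True)
class Privilege:
    subject: str                 # a user id or a group name
    action: str                  # "read" or "write"
    centers: Ranges
    orgs: Ranges
    start: Optional[datetime] = None   # optional startTimestamp
    end: Optional[datetime] = None     # optional endTimestamp

    def active_at(self, when: datetime) -> bool:
        """A privilege with no start/end is always active."""
        if self.start is not None and when < self.start:
            return False
        if self.end is not None and when > self.end:
            return False
        return True


def parse_ranges(spec: str) -> Ranges:
    """Parse '2, 4-6' into ((2, 2), (4, 6)); rejects inverted ranges."""
    out = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"inverted range {part!r}")
        else:
            lo = hi = int(part)
        out.append((lo, hi))
    return tuple(out)


def in_ranges(value: int, ranges: Ranges) -> bool:
    return any(lo <= value <= hi for lo, hi in ranges)


# --- constructed sample data (the two privilege sets are the page's examples) ---
PRIVILEGES = [
    Privilege("john.s", "read", parse_ranges("3, 5, 7"), parse_ranges("512, 611")),
    Privilege("john.s", "write", parse_ranges("3, 7"), parse_ranges("611")),
    Privilege("medicalGroup", "read", parse_ranges("2, 4-6"),
              parse_ranges("712, 934, 975-1034, 1115-1120")),
    # write privilege that only applies during 2024 (constructed dates)
    Privilege("medicalGroup", "write", parse_ranges("2, 5"),
              parse_ranges("934, 982-1005"),
              start=datetime(2024, 1, 1), end=datetime(2024, 12, 31)),
]
MEMBERSHIPS: Dict[str, Set[str]] = {"medicalGroup": {"user123", "dr.lee"}}
ORG_CENTER: Dict[int, int] = {345: 6, 512: 5, 611: 7, 712: 2, 934: 4, 1000: 6}  # constructed
USER_HOME_ORG: Dict[str, int] = {"john.s": 611}  # constructed: each admin's own org


def is_allowed(user: str, action: str, org: int, when: datetime) -> bool:
    """Decision hook: direct org match first, then fall back to the org's center."""
    subjects = {user} | {g for g, members in MEMBERSHIPS.items() if user in members}
    live = [p for p in PRIVILEGES
            if p.subject in subjects and p.action == action and p.active_at(when)]
    if any(in_ranges(org, p.orgs) for p in live):
        return True
    center = ORG_CENTER.get(org)          # stands in for the external center lookup
    if center is None:
        return False                      # unknown org: deny rather than guess
    return any(in_ranges(center, p.centers) for p in live)


def decide(user: str, action: str, org: int, when_iso: str) -> bool:
    """Web-service shaped entry point: 'Is user 123 allowed to view org 345?' -> T/F."""
    return is_allowed(user, action, org, datetime.fromisoformat(when_iso))


def veto_own_org(user: str, privilege: Privilege) -> bool:
    """Assignment hook: True means 'veto' because the privilege covers the admin's own org."""
    own = USER_HOME_ORG.get(user)
    return own is not None and in_ranges(own, privilege.orgs)


if __name__ == "__main__":
    print("user123 view org 345 on 2024-06-01:", decide("user123", "read", 345, "2024-06-01"))
    print("veto john.s edit-611 privilege:", veto_own_org("john.s", PRIVILEGES[1]))
```

Two points the example makes concrete: the fallback through the org's center is what lets a group-level center privilege answer a question about an org that appears in no one's org ranges, and an expired privilege drops out of both the org and the center check, so the timestamp logic only has to live in one place.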

This might seem like a complex use case, but I can picture it living with
grouper, and not being too terribly hard to implement (since hooks, web
services, data layer, ui, gsh, [soon to be auditing], etc already exist)...

Regards,
Chris
