Overview
At U. Penn, we have several payroll systems.
These payroll systems have shared permissions as far as which
business administrators can view/edit which centers of orgs, and/or orgs of employees.
Characteristics:
- The centers (groups of orgs) are not just names of centers, but could be
ranges of centers. - The orgs (groups of employees) are not just names of orgs, but could be
ranges of orgs.
Access management need:
To be able to associate privileges (read or write) to a user, or to a group of users.
- For example:
-
- John S. can view centers: 3, 5, 7; and orgs: 512, 611; and edit centers: 3, 7; and orgs: 611
- medicalGroup can view centers: 2, 4-6; and orgs 712, 934, 975-1034, 1115-1120; and edit centers: 2, 5; and orgs: 934, 982-1005
- Each privilege should have an optional startTimestamp and endTimestamp.
- There should also be a hook so that we can veto a business administrator being assigned to their own org.
- It would also be nice if we had a hook to centralize the decision making code, so it is not replicated in all our systems that need to make this decision. So it would be possible to make a call via web service, asking "Is user 123 allowed to view org 345?"
- There would be another hook to see which orgs (including looking at ranges) user 123 can view, and see if 345 is in there. And if not, do an external query to see which center org 345 is in, and then see if the user can read that center. Also it would honor the startTimestamp / endTimestamp. It would return T or F.
Summary
This might seem like a complex use case, but I can picture it living with Grouper, and not being too terribly hard to implement (since hooks, web services, data layer, ui, gsh, [soon to be auditing], etc already exist)...
Regards,
Chris Hyzer