Best Practices for User Management
Recommended principles
- Facilitate understanding by displaying things that are related to each other together in the listings.
- Facilitate search by minimizing the use of asterics -
*. - Abstract in a helpful way the details of the other levels, in such a way that each relationship level can be understood on its own.
Groups
Group names should be separated by spaces.
Group names should be hierarchical, so that related things are ordered by proximity.
That is, you should opt for
FUNC STIandFUNC STI Admininstead ofFUNC STIandFUNC Admin STI.Groups are characterized by the prefixes
FUNCandORG:FUNC: used to assign profiles that provide access to resources.ORG: only used to classify people within the organization. They do not assign profiles.
Roles
In an early period of the CoB platform there was a tendency to group many permissions together in a single role. However, as time went on, we started to create smaller roles. Despite the inevitable proliferation of roles, the latter became more easily understood and combined into different groups.
The aim is that when you look at a group, you can see what its roles allow you to do, without having to look at the details of the permissions. Here are some tips for creating roles:
Role names should be separated by hyphens (
-) when we want to separate sections, or spaces for everything else.Roles should be hierarchically named, according to the format
<product> - <theme> - <capacity>The
productsection is necessary to understand the listing of roles in a Group.Examples of
themes:- name of the RecordM settings
modulesfor UIactionandscriptfor IntegrationM.equipsfor the DeviceM.
Roles should represent the ability to do things in terms of the products, not in terms of the business.
Example:
rm - Absences - readis correct,rm-gp-adminis not!
Permissions
When it comes to permissions, their main difference is that the name follows the scheme of Apache Shiro security framework and therefore here we handle the description.
In practice, experience tells us that the description is quite important in RecordMbased permissions dealing with definitions. This is because definition IDs are not intended by humans. All other permissions are relatively explicit. Their only shortcoming is the fact that they don't allow topic-based sorting in groups (able to group by similar topics).
The description of a permission should be separated by hyphens (
-) if we want to separate sections, or spaces for everything else.The description of a permission should be hierarchical, according to the format
<theme> - <ability>.- the Name in RecordM definitions.
modulesfor UIactionandscriptfor IntegrationM.equipsfor DeviceM.
Compound permissions should be avoided.
Although they appear to be work-saving, in reality they are more difficult to compose.
Example: definitions,instances:*:54,55does not allow you to reuse the expression if you want to separate the reading from the editing of data. And the fact that all permissions for a definition are listed together makes it difficult to work with it. This is because it is not possible to write a description that sorts this definition against two other definitions affected by it.
