How to use UserClaims for Tenant authority applications? - claims-based-identity

Currently I am working on a project that will have departments, managers and users separated by abilities/roles/claims.
I will use claims-based authorization to accomplish this, but I'm having trouble with departments that have encapsulated claims.
The IT and HR departments can create/add a user not only to their respective departments but to other departments. The clerks and sales department admins can only add users to their department.
I don't think this is the best way of handling the UserClaims:
IT.CanAddUser
IT.CanAddITUser
HR.CanAddUser
HR.CanAddHRUser
Sales.CanAddSalesUser
Clerks.CanAddClerkUser
I also don't think this works because every department has to create a CanAdd[Dept]User:
CanAddSalesUser
CanAddClerkUser
CanAddITUser
I also don't think this is the best way of handling the UserClaims:
SuperAdmin
IT.UserAdmin
IT.CanAddUser
HR.UserAdmin
HR.CanAddUser
Sales.CanAddUser
Clerks.CanAddUser
because UserAdmin is still tied to the IT and HR departments, so another xxx.UserAdmin
I also don't think adding another column to the UserClaims table will help:
Id
UserId
DepartmentId
ClaimType
ClaimValue
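As an added example, not part of the question and not code from ASP.NET Identity, the Python below models one way to answer it: keep the standard Id/UserId/ClaimType/ClaimValue rows, put the department into ClaimValue, and let a single claim type cover every department, so there is no CanAdd[Dept]User per department and no extra DepartmentId column. The claim type names, the "*" wildcard, the department codes and the user names are assumptions made for the illustration.

```python
"""Department-scoped authority on the standard UserClaims rows.

Added example, not code from the question or from ASP.NET Identity: it models
the existing Id/UserId/ClaimType/ClaimValue rows in Python so the check can
be run stand-alone. The claim type names, the "*" wildcard, the department
codes and the user names are all assumptions made for the illustration.
"""
from collections import defaultdict

ADD_USER = "dept:add_user"   # assumed ClaimType: holder may add users to ClaimValue
MEMBER = "dept:member"       # assumed ClaimType: the department a user belongs to
ANY_DEPARTMENT = "*"         # assumed wildcard ClaimValue meaning every department
DEPARTMENTS = ["IT", "HR", "SALES", "CLERKS"]   # constructed department codes

# Constructed UserClaims rows as (UserId, ClaimType, ClaimValue). The scope
# lives in ClaimValue, so one claim type covers every department and no
# DepartmentId column is needed; a user who administers several departments
# simply gets one row per department.
USER_CLAIMS = [
    ("it_admin",     ADD_USER, ANY_DEPARTMENT),   # IT may add users anywhere
    ("hr_admin",     ADD_USER, ANY_DEPARTMENT),   # so may HR
    ("sales_admin",  ADD_USER, "SALES"),          # sales admin: own department only
    ("clerks_admin", ADD_USER, "CLERKS"),
    ("alice",        MEMBER,   "SALES"),          # ordinary user, no admin rights
]


def claims_for(claims, user_id):
    """Group one user's rows by ClaimType, like the claims a principal carries."""
    by_type = defaultdict(set)
    for uid, claim_type, claim_value in claims:
        if uid == user_id:
            by_type[claim_type].add(claim_value)
    return by_type


def can_add_user(claims, actor, department):
    """Same test as HasClaim(ADD_USER, department) or HasClaim(ADD_USER, "*")."""
    values = claims_for(claims, actor).get(ADD_USER, set())
    return ANY_DEPARTMENT in values or department in values


def departments_administered(claims, actor):
    """Departments an actor may add users to (e.g. to populate a drop-down)."""
    return [d for d in DEPARTMENTS if can_add_user(claims, actor, d)]


def add_user_to_department(claims, actor, new_user, department):
    """The 'add user' operation, with the check bound to the *target* department.

    Checking merely 'has some add-user claim' would let a sales admin add
    users to IT; the department must be part of the decision.
    """
    if department not in DEPARTMENTS:
        raise ValueError(f"unknown department {department!r}")
    if not can_add_user(claims, actor, department):
        raise PermissionError(f"{actor} may not add users to {department}")
    claims.append((new_user, MEMBER, department))
    return claims


if __name__ == "__main__":
    rows = list(USER_CLAIMS)
    print(departments_administered(rows, "it_admin"))     # all four departments
    print(departments_administered(rows, "sales_admin"))  # ['SALES']
    add_user_to_department(rows, "sales_admin", "dave", "SALES")
    try:
        add_user_to_department(rows, "clerks_admin", "eve", "IT")
    except PermissionError as exc:
        print(exc)
```

The check at the point of use takes the target department as an argument; in ASP.NET the equivalent test on the principal is User.HasClaim(type, department) || User.HasClaim(type, "*"). Store canonical department codes or ids in ClaimValue rather than display names, so that renaming a department does not silently revoke or widen anyone's authority.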

Related

Xero NZ Payroll API : Employee number vs GUID?

Most payroll systems have some sort of employee code that is unique to employees.
I have been using the Employees endpoint to GET all employees in the Demo company and can see the EmployeeID field which appears to be a regular GUID.
But when browsing the employee list through the Xero user interface it is not possible to see an employee's GUID as we can for Contacts or Invoices.
I actually just see a number like this... What is this number at the end of the URL?
https://payroll.xero.com/Employee?CID=!tkSD3#employees/12345678
It looks like this has been an issue with Xero since 2015 that has still not been resolved!
https://community.xero.com/developer/discussion/12133203/

Using parameters to limit user access in SQL / Reporting Services

I'm looking at finding a way of restricting access to certain parts of a report using a parameter but I've yet to find a way to do this.
What I want to do is have the report get the person's username and then restrict what options they have available to them in the other parameters of the report.
For example, John is a manager of the Call Centre department so John
shouldn't see the options for the other departments in the business
and should only see the 'Call Centre' option in the Department
parameter.
Is this possible? If it isn't, is there an alternative using something similar?
First you'll need some way of determining who should be able to see what. At its simplest you could build a table to do this with Users and Departments.
Then create a dataset in your report that returns only the valid departments, something like
SELECT DepartmentID, DepartmentName FROM UserDepartments WHERE UserName = SYSTEM_USER
I've used SYSTEM_USER here, but this will only work if you are executing the dataset with Windows authentication.
Then in your Department parameter, just set the available values to the dataset you just created.

D2L / BrightSpace - Create user within a course and within a section and assign user a role

So I am trying to enroll a user in a section for a particular org unit (Course).
This all works fine and I can add them into the section etc. using:
POST /d2l/api/lp/(version)/(orgUnitId)/sections/(sectionId)/enrollments/
But the issue is, I am only able to POST one attribute, user ID. I need to be able to post the RoleID as well so I can specify whether they are a student or staff, as it assigned them 'teacher'.
Is there a way to do this / a different approach?
Cheers,
Alex.
Enrollments in Sections and Groups are effectively treated as special sub-components of a Course Offering; the APIs that let you enroll a user into a Section or Group therefore assume that you want to take the user/role enrolled in the parent course offering and "assign" them to this Group or that Section (with the same enrollment role).
You are correct that if you want to have them enrolled with a different role, you should instead use the general enrollments API (assuming you have permissions; your calling user context may well have permissions to assign a user to a group or a section, but not to enroll them generally).

How to create Multiple Users in Symfony2?

I am working on a Symfony project. The project is for posting jobs and hiring employees.
I have created the Admin and front end successfully.
Now what I want is to add multiple users in the front end. I have 4 different types of users in the front end:
Job Seeker (candidate looking for a new job)
Employees (who post a job and hire job seeker candidates)
Premium Employees (who post a job and hire job seeker candidates, and have some more functionality than Employees)
Guest (who can only see all the Job Seeker, Employees and Premium Employees posts)
I just need flow of this functionality after that I will implement all this myself.
So how can I implement this Functionality in Front end ?
I think, according to what you are trying to do, you could give PUGX a try.
You will probably have to change your current User, but it could help you a lot.
PUGXMultiUserBundle
Another way would be to have one User entity with many ROLEs corresponding to what your user can or cannot do.
See the Symfony Authorization documentation on the matter.

Access controls list "Editing Odoo security rules"

I'm trying to modify the access control list of Leave Requests to Approve under the Leave Management module.
I need to make the Leave Requests to Approve menu accessible only by each employee's manager.
e.g. if the company has 10 employees under Sales/Marketing and 5 employees under the IT department, I need the sales manager to access only his 10 employees' leave requests and not be able to access the rest of the company's employees who are not under his authority.
To do it, I modified the record rule domain definition of Leaves officer from [(1,'=',1)] to [('employee_id.parent_id','=',user.id)]
but it didn't work. How do I fix it?
In your case you are basically passing the wrong domain for the record rules.
You were previously using a domain like
[(1,'=',1)] => access all the records of that model
[('employee_id.parent_id','=',user.id)] => access only records whose manager parent_id is the current user
But in your case you are only matching the manager user, not its related user.
So you must add the below domain to your record rules:
['|',('employee_id.user_id','=',user.id),('employee_id.parent_id.user_id','=',user.id)]
Basically the manager is itself an employee of the company, and the employee has to be attached to its related user.
First you need to understand the following relations:
1. employee_id:
which indicates that each leave is related to one employee.
2. parent_id:
which indicates that each employee is related to one manager, for the hr.holidays model, which is called the leave request model.
3. user_id:
If you want a particular employee to be able to log in, then you must set the related user on each employee form, which is labeled as Related User.
4. user:
which indicates the global user, meaning the user you are currently logged in as.
5. id:
means the unique id for each record.
In your case, how will the domain work?
First it will check whether the currently logged-in user is attached to the current leave's employee as its related user or not.
And then it will find the user ids which have the same employee attached to the same manager.
It means it will perform an OR operation, as in a SQL statement, for both of the domain terms.
I hope my answer may be helpful for you :)
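As an added example (not Odoo's own code and not part of the answer above), the Python below evaluates the three domains from this thread against a handful of constructed hr.employee and hr.holidays records, so the difference between them can be seen without an Odoo instance. It is a toy evaluator for the domain syntax used here (prefix '|', '&', '!' operators and dotted field paths), the field names follow the answer (employee_id, parent_id, user_id), the ids and names are invented, and the user_id argument stands in for user.id in a real rule.

```python
"""Evaluate Odoo-style record-rule domains against sample leave requests.

Added example, not Odoo's own code: a toy evaluator for the domain syntax
used in the answer above, run over constructed hr.employee / hr.holidays
records. Ids and names are invented; `user_id` plays the role of `user.id`.
"""

# Constructed res.users ids (the values are only labels for printing)
USERS = {1: "sales_manager", 2: "alice", 3: "bob", 4: "it_manager", 5: "carol"}

# Constructed hr.employee records: parent_id links to the manager's employee
# record, user_id to the employee's login user (the "Related User" field)
EMPLOYEES = {
    10: {"name": "Sales Manager", "user_id": 1, "parent_id": None},
    11: {"name": "Alice",         "user_id": 2, "parent_id": 10},
    12: {"name": "Bob",           "user_id": 3, "parent_id": 10},
    13: {"name": "IT Manager",    "user_id": 4, "parent_id": None},
    14: {"name": "Carol",         "user_id": 5, "parent_id": 13},
}

# Constructed hr.holidays (leave request) records: one employee per request
LEAVES = {
    100: {"employee_id": 10},
    101: {"employee_id": 11},
    102: {"employee_id": 12},
    103: {"employee_id": 14},
}

# many2one fields and the table they point at, so dotted paths can be followed
RELATIONS = {"employee_id": EMPLOYEES, "parent_id": EMPLOYEES}


def resolve(record, path):
    """Follow a dotted path such as 'employee_id.parent_id.user_id'."""
    fields = path.split(".")
    current = record
    for i, field in enumerate(fields):
        if current is None:          # a missing manager yields None, not an error
            return None
        current = current.get(field)
        if i < len(fields) - 1 and field in RELATIONS and current is not None:
            current = RELATIONS[field].get(current)   # hop to the linked record
    return current


def eval_leaf(leaf, record):
    """Evaluate one (field, operator, value) tuple; a non-string left side is a literal."""
    left, op, right = leaf
    actual = resolve(record, left) if isinstance(left, str) else left
    if op == "=":
        return actual == right
    if op == "!=":
        return actual != right
    if op == "in":
        return actual in right
    if op == "not in":
        return actual not in right
    raise ValueError(f"unsupported operator {op!r}")


def eval_domain(domain, record):
    """Prefix notation: '|' and '&' take two operands, '!' one; top-level terms are ANDed."""
    tokens = list(domain)

    def term():
        tok = tokens.pop(0)
        if tok == "!":
            return not term()
        if tok in ("&", "|"):
            a = term()      # evaluate both operands (no short-circuit) so every
            b = term()      # token is consumed and the domain stays well-formed
            return (a and b) if tok == "&" else (a or b)
        return eval_leaf(tok, record)

    results = []
    while tokens:
        results.append(term())
    return all(results)


# The three domains discussed above, parameterised by the current user's id
def allow_everything(user_id):
    return [(1, "=", 1)]


def first_attempt(user_id):
    # compares an hr.employee id (parent_id) with a res.users id: a type mismatch
    return [("employee_id.parent_id", "=", user_id)]


def manager_rule(user_id):
    # own leaves OR leaves of employees whose manager's related user is me
    return ["|", ("employee_id.user_id", "=", user_id),
                 ("employee_id.parent_id.user_id", "=", user_id)]


def visible_leaves(rule, user_id):
    """Leave ids the rule lets this user read."""
    return sorted(lid for lid, rec in LEAVES.items() if eval_domain(rule(user_id), rec))


if __name__ == "__main__":
    for uid, name in USERS.items():
        print(f"{name:14} first_attempt={visible_leaves(first_attempt, uid)} "
              f"manager_rule={visible_leaves(manager_rule, uid)}")
```

Running it shows why the first attempt "didn't work": it compares an employee id with a user id, so it matches nothing for the real user ids here and would only match by coincidence when a user id happens to equal an employee id. The proposed domain gives each manager their own leaves plus those of their direct reports and nothing else, while [(1,'=',1)] returns every record. The evaluator supports only the operators these domains use; real Odoo domains support more.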