Group based permissions for post-1.0.2

2004-08-17
2004-08-26
  • Michael Schurter

    Instead of having individual permissions for each user, and having Users relate back to Employees, there should be Groups which Employees can be associated with.

    So each Employee will have a password and group.  Each group will have a permission.  Any employee without a group is a "guest."

    The users table will disappear, or more accurately, transform into a groups table.
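    One way to express the proposed model in SQL, added here as an illustration and not OpenIT's actual schema (table and column names, the numeric permission levels, and the sample employee ids are assumptions). The lookup at the end treats a missing group as the Guests level, so an employee who was never assigned a group gets the most restricted access rather than more.

```sql
-- Illustrative schema for the groups-based model; not OpenIT's own code.
CREATE TABLE groups (
    group_id   INTEGER PRIMARY KEY,
    name       VARCHAR(64) NOT NULL UNIQUE,
    permission INTEGER NOT NULL            -- permission level held by the group
);

CREATE TABLE employees (
    employee_id INTEGER PRIMARY KEY,
    name        VARCHAR(64) NOT NULL,
    password    VARCHAR(255),               -- stored as a hash, never plaintext
    group_id    INTEGER NULL REFERENCES groups(group_id)  -- NULL = "guest"
);

-- Guests get the lowest level; every other level is granted explicitly.
INSERT INTO groups (group_id, name, permission) VALUES
    (0, 'Guests',     0),
    (1, 'Employees',  1),
    (2, 'IT',         2),
    (3, 'Management', 3);

-- Migration as described in the thread: put everyone in Employees first,
-- then move managers and IT staff by hand (ids 7 and 12 are constructed).
UPDATE employees SET group_id = 1 WHERE group_id IS NULL;
UPDATE employees SET group_id = 3 WHERE employee_id IN (7);
UPDATE employees SET group_id = 2 WHERE employee_id IN (12);

-- Effective permission for one employee (id 42 is constructed).
-- LEFT JOIN plus COALESCE means a NULL group resolves to the Guests
-- level, so a forgotten assignment can never grant extra access.
SELECT e.employee_id,
       e.name,
       COALESCE(g.name, 'Guests') AS group_name,
       COALESCE(g.permission,
                (SELECT permission FROM groups WHERE name = 'Guests')) AS permission
FROM employees e
LEFT JOIN groups g ON g.group_id = e.group_id
WHERE e.employee_id = 42;
```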

    • Michael Schurter

      Groups based permissions have been added in 1.1.  This change has made life much easier for me.

      I immediately did an UPDATE query to set all Employees' Group to an Employees group.  Then I went through & manually set managers to a Management group & the IT Department to another group.

      Finally I highly restricted the Guests group, so that people who somehow wander onto the network can't access much.

      I like it, but let me know if you think otherwise.

    • Calamanga

      Calamanga - 2004-08-26

      I think that's a good idea, because this can help to easily administrate OpenIT. Better than "group permissions" is to think of it as a "role permissions" model. This helps to open the security model in the future and can permit including integrated security based on LDAP servers.

      The actual model is better, I'm sure you have chosen the right way. ;-)

    • Michael Schurter

      Thanks for the input, and I'm glad you mentioned LDAP.

      LDAP integration is one of 2 killer features I'd like to add to OpenIT eventually.  The problem is I have very little experience with LDAP.
      I've tried to read up on it, its SQL backend abilities, and different vendors' directory configurations, but there's just so much to learn!

      I would love to start out with some simple 1-way LDAP integration.  For example: sync (or just dump) Employees info (perhaps minus password) with an LDAP server.  Ideally I'd just use OpenLDAP's SQL backend to do this, but it might be easier and more useful at first to just write a script that dumps the Employees table to LDAP.  Then we could write a script that reads the information out of LDAP to try & sync them.

      I'm going to go & start a new forum topic on LDAP integration.  I would love for you to post some ideas there.
