
Re: draft Re: [Gnumed-devel] Managing users: restricting access within GNUmed


From: Karsten Hilbert
Subject: Re: draft Re: [Gnumed-devel] Managing users: restricting access within GNUmed
Date: Thu, 6 Aug 2009 23:29:10 +0200
User-agent: Mutt/1.5.20 (2009-06-14)

On Thu, Aug 06, 2009 at 11:46:02AM -0700, Jim Busser wrote:

> > > >a) enable GNUmed to create clerical and clinical users
> > > >   (currently all users are clinically enabled)
> > > 
> > > create/add?
> > > 
> > >   gm-clinical
> > >   gm-clerical
> > 
> > Yes. gm-doctors can be used as gm-clinical
> 
> So...
> 
> 1) are you suggesting that the *database* groups be
> 
>    gm-clerical
>    gm-doctors
>    gm-clinical

No.

I was suggesting to

        add "gm-clerical"
        think of "gm-doctors" as "gm-clinical"

and that way provide a two-way split only for now to study
the fallout. Not renaming gm-doctors to gm-clinical allows
for easier adding of gm-non-doctor-but-clinical (better name
to be decided upon, of course) later on.

> where 
> 
> - gm-clerical will obsolete gm-staff_office

yes

> - gm-doctors will obsolete gm-staff_medical

no

> - gm-doctors will have more access rights than gm-clinical
> (who would eventually be defined as having some in-between
> grants)?

If gm-non-doctor-but-clinical is to become gm-clinical,
then, yes. Although I don't think that's the right name for
it.

> 2) if each member of dem.staff might be able to have more
> than one dem.staff_role, do we need a link table to support
> this one-to-many?

No. They would simply get another database account for each
role. In dem.staff:

- each db_user can only exist once
- each association of db_user and fk_role must be unique
  thereby by extension each db_user can only have one role

I shall add the restriction that

- each association of fk_role and fk_identity must be unique

Thus, each fk_identity can have several fk_roles but must
have a different db_user for each :-)

> I would be happy to test some of the restriction that we
> intend to support using such a role.

Never fear, you won't be spared the testing :)

> In order for this to
> work, will it need every schema and table (except those we
> wish to restrict) to be tagged accessible by gm_clerical,
> and all tagged accessible by gm-doctors.

That's right.

> The alternative of
> specifying only those database groups which *cannot* access
> certain schemas and tables (if exists) may be attractive,

That is not an option.

Karsten
-- 
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD  4537 78B9 A9F9 E407 1346
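The table constraints and the allow-list grant model discussed in the mail, as an added illustrative example that is not GNUmed's own schema. Column names fk_identity, db_user and fk_role and the group names gm-doctors and gm-clerical are taken from the thread; the dem.staff_role table, the demo clinical table and the login names are assumptions made for the example.

```sql
-- Added example (not GNUmed's schema): a minimal dem.staff carrying the
-- uniqueness rules described above, plus explicit grants for the two
-- database groups. Column names follow the mail; everything else is assumed.

create schema if not exists dem;

create table dem.staff_role (
    pk   serial primary key,
    name text not null unique           -- e.g. 'doctor', 'clerical' (assumed)
);

create table dem.staff (
    pk          serial primary key,
    fk_identity integer not null,       -- the person (FK to an identity table, assumed)
    db_user     name    not null,       -- the PostgreSQL login used for this role
    fk_role     integer not null references dem.staff_role(pk),
    -- each db_user can only exist once
    unique (db_user),
    -- each association of db_user and fk_role must be unique
    -- (implied by unique(db_user); kept to state the intent)
    unique (db_user, fk_role),
    -- the added restriction: one account per (person, role), so a person
    -- holding two roles needs two separate db_user logins
    unique (fk_role, fk_identity)
);

-- Group roles; logins become members. gm-doctors stands in for gm-clinical.
create role "gm-doctors"  nologin;
create role "gm-clerical" nologin;

-- PostgreSQL privileges are additive: a group can use nothing until it is
-- granted. Every schema and table clerical staff may touch must therefore be
-- tagged for gm-clerical explicitly; listing only the groups that may NOT
-- access a table is not expressible, which is why that alternative is out.
grant usage on schema dem to "gm-clerical", "gm-doctors";
grant select, insert, update on dem.staff to "gm-doctors";
grant select on dem.staff to "gm-clerical";

-- A clinical table (assumed name) tagged for gm-doctors only: members of
-- gm-clerical get "permission denied" on it because nothing was granted.
create table dem.clinical_note_demo (pk serial primary key, narrative text);
grant select, insert on dem.clinical_note_demo to "gm-doctors";

-- One identity holding two roles gets two logins (passwords are placeholders):
create role dr_smith       login password 'example-only' in role "gm-doctors";
create role dr_smith_clerk login password 'example-only' in role "gm-clerical";
insert into dem.staff_role (name) values ('doctor'), ('clerical');
insert into dem.staff (fk_identity, db_user, fk_role)
    values (1, 'dr_smith', 1),
           (1, 'dr_smith_clerk', 2);

-- Rejected by unique (fk_role, fk_identity): a second doctor login for person 1.
-- insert into dem.staff (fk_identity, db_user, fk_role) values (1, 'dr_smith_2', 1);

-- Check which tables a group has been tagged for (what an auditor would run):
select table_schema, table_name, privilege_type
  from information_schema.role_table_grants
 where grantee in ('gm-clerical', 'gm-doctors')
 order by grantee, table_schema, table_name;
```

The `information_schema.role_table_grants` query at the end is the practical check for the "every table must be tagged" rule: any table missing from the gm-clerical rows is one that clerical logins cannot reach, which is the intended default rather than an oversight to be patched with a revoke.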