Re: draft Re: [Gnumed-devel] Managing users: restricting access within G
From: Karsten Hilbert
Subject: Re: draft Re: [Gnumed-devel] Managing users: restricting access within GNUmed
Date: Thu, 6 Aug 2009 23:29:10 +0200
User-agent: Mutt/1.5.20 (2009-06-14)
On Thu, Aug 06, 2009 at 11:46:02AM -0700, Jim Busser wrote:
> > > >a) enable GNUmed to create clerical and clinical users
> > > > (currently all users are clinically enabled)
> > >
> > > create/add?
> > >
> > > gm-clinical
> > > gm-clerical
> >
> > Yes. gm-doctors can be used as gm-clinical
>
> So...
>
> 1) are you suggesting that the *database* groups be
>
> gm-clerical
> gm-doctors
> gm-clinical
No.
I was suggesting to
- add "gm-clerical"
- think of "gm-doctors" as "gm-clinical"
and that way provide a two-way split only for now to study
the fallout. Not renaming gm-doctors to gm-clinical allows
for easier adding of gm-non-doctor-but-clinical (better name
to be decided upon, of course) later on.
> where
>
> - gm-clerical will obsolete gm-staff_office
yes
> - gm-doctors will obsolete gm-staff_medical
no
> - gm-doctors will have more access rights than gm-clinical
> (who would eventually be defined as having some in-between
> grants)?
If gm-non-doctor-but-clinical is to become gm-clinical,
then, yes. Although I don't think that's the right name for
it.
> 2) if each member of dem.staff might be able to have more
> than one dem.staff_role, do we need a link table to support
> this one-to-many?
No. They would simply get another database account for each
role. In dem.staff:
- each db_user can only exist once
- each association of db_user and fk_role must be unique
thereby by extension each db_user can only have one role
I shall add the restriction that
- each association of fk_role and fk_identity must be unique
Thus, each fk_identity can have several fk_roles but must
have a different db_user for each :-)
> I would be happy to test some of the restriction that we
> intend to support using such a role.
Never fear, you won't be spared the testing :)
> In order for this to
> work, will it need every schema and table (except those we
> wish to restrict) to be tagged accessible by gm-clerical,
> and all tagged accessible by gm-doctors?
That's right.
> The alternative of
> specifying only those database groups which *cannot* access
> certain schemas and tables (if exists) may be attractive,
That is not an option.
Karsten
--
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
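As an added illustration of the dem.staff constraint set Karsten describes above (not GNUmed's own schema or code), the following sqlite3 model applies the three UNIQUE constraints and checks which combinations they accept: one identity holding several roles must use a different db_user for each, while a repeated role for the same identity or a shared account across roles is rejected. Table and column names other than fk_identity, fk_role and db_user are assumptions.

```python
import sqlite3

# Constructed model of the constraints discussed in the thread; the role
# table and sample identities/accounts are made up for the example.
SCHEMA = """
CREATE TABLE staff_role (pk INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE staff (
    pk          INTEGER PRIMARY KEY,
    fk_identity INTEGER NOT NULL,
    fk_role     INTEGER NOT NULL REFERENCES staff_role(pk),
    db_user     TEXT    NOT NULL,
    UNIQUE (db_user),               -- each db_user can only exist once
    UNIQUE (db_user, fk_role),      -- implied by the line above, kept as stated
    UNIQUE (fk_role, fk_identity)   -- the restriction to be added: one row per role per person
);
"""

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO staff_role (pk, name) VALUES (?, ?)",
                     [(1, "gm-clerical"), (2, "gm-doctors")])
    return conn

def add_staff(conn, fk_identity, fk_role, db_user):
    """Insert one staff row; True if accepted, False if a UNIQUE constraint rejects it."""
    try:
        with conn:  # commits on success, rolls back on IntegrityError
            conn.execute(
                "INSERT INTO staff (fk_identity, fk_role, db_user) VALUES (?, ?, ?)",
                (fk_identity, fk_role, db_user))
        return True
    except sqlite3.IntegrityError:
        return False

def demo():
    """Run the three cases from the thread; each value is True only if both inserts succeed."""
    conn = new_db()
    results = {
        # one person, two roles, a separate database account per role: allowed
        "two roles, two accounts": add_staff(conn, 1, 1, "jim_clerical") and add_staff(conn, 1, 2, "jim_doctor"),
        # one account reused for a second role: rejected, db_user must be unique
        "one account, two roles": add_staff(conn, 2, 1, "ann") and add_staff(conn, 2, 2, "ann"),
        # same person entered twice in the same role: rejected by (fk_role, fk_identity)
        "same role twice": add_staff(conn, 3, 2, "bob_a") and add_staff(conn, 3, 2, "bob_b"),
    }
    conn.close()
    return results

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```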