Keith,

I think so, yes. Although I think it's funny that we list the role and a description, and the description just repeats the role :) (Although I can see for a few roles where it might help to deepen the description). But otherwise, I think it's pretty intuitive.

As a sample, here's our baseline configuration for Roles and Permissions in the cloud.
http://dl.dropbox.com/u/106137/Roles%20and%20Permissions%20-%20BASELINE.xlsx

For clarity's sake, the titles mean:
OM = Operations Manager/Management (i.e., head office staff)
BM = Branch Manager
LO = Loan Officer/Data Entry Officer

Cheers,
Ryan

On 9/10/10 23:51, "Keith Woodlock" <[email protected]> wrote:

> Ryan, Ed,
>
> I think what is being asked of the users is simply:
>
> 'do you find the ability to administrate roles on the application at
> such a granular level useful?'
>
> if so then, what roles does an MFI create for their application users
> and where exactly does the granularity of permissions within these
> suit their organisation's business processes.
>
> Regards,
> Keith.
>
> On Fri, Sep 10, 2010 at 4:40 PM, Ed Cable <[email protected]> wrote:
>> Ryan,
>> I agree that I couldn't fully understand the impact that changing
>> roles/permissions would have on the administrator maintaining the Mifos
>> system.
>> I wanted to put this forward to the user community but in my haste probably
>> created more confusion.
>> Angshu,
>> As Ryan suggested, would you be able to provide some more specific scenarios
>> that our users could then review to provide feedback?
>> Many thanks,
>> Ed
>>
>> On Thu, Sep 9, 2010 at 4:12 PM, Ryan Whitney
>> <[email protected]> wrote:
>>>
>>> Ed and Angshu,
>>>
>>> To be honest, I read the e-mail in the dev list and read it here again and
>>> I don't quite understand the effect that is being proposed (and I'm pretty
>>> technical!).
>>>
>>> Can we get some other explanation, or a more specific scenario? I think
>>> it'd then be easier to give feedback.
>>>
>>> For the most part though, I would say we should not change how roles and
>>> permissions are set, even if we are changing the underlying security
>>> mechanism, without very good reason (and wouldn't hopefully be due to it
>>> being stronger/better).
>>>
>>> Ryan
>>>
>>> On 9/9/10 10:07, "Ed Cable" <[email protected]> wrote:
>>>
>>>> Mifos Users,
>>>>
>>>> Forwarding this thread over from mifos-developer so that end users can
>>>> respond to Angshu regarding the improvements being made to security
>>>> and permissioning as we move over to the Spring Security framework.
>>>>
>>>> Angshu is exploring creating higher level roles for security with less
>>>> granularity. He would like to know if we need to keep security at such
>>>> granular levels as it is currently.
>>>>
>>>> Could you please share your thoughts on the level of granularity you
>>>> are using with the roles and permissions in Mifos?
>>>>
>>>> Are you using Mifos with such granular activities that grouping these
>>>> into hierarchical roles would affect you?
>>>>
>>>> Please see his message below for examples of various scenarios.
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Angshuman Sarkar <[email protected]>
>>>> Date: Sep 8, 8:51 am
>>>> Subject: Mifos security enhanced
>>>> To: Mifos Developer
>>>>
>>>> regarding hierarchical roles, I think it is possible, technically!
>>>>
>>>> We can group granular activities to higher orders:
>>>> In "modify role" page, you would find that the permissions are
>>>> grouped. At the datamodel level, the groups are also activities
>>>> although they aren't assigned to the role. Possibly they are just for
>>>> UI display/grouping purpose only. (like "Organization management").
>>>> So one possible way is to use these activities as higher level roles.
>>>>
>>>> e.g. - following SQL would get you those group level activities
>>>> --------------------------------------------------
>>>> select a.activity_id,
>>>>        a.parent_id, l.lookup_name
>>>> from activity a
>>>> left outer join lookup_value l on
>>>>      a.activity_name_lookup_id=l.lookup_id
>>>> where parent_id is null;
>>>> --------------------------------------------------
>>>>
>>>> While we hook with spring security, we can have another mapper (like
>>>> activity_id to role properties file mapping) - this mapper will roll
>>>> up the granular activities to higher level roles.
>>>>
>>>> Instead of using Spring's default AffirmativeBased access decision
>>>> voting, we can use the UnanimousBased voting mechanism.
>>>> We can write a custom AccessDecisionVoter implementation, which would
>>>> do the checks against the higher order activities.
>>>>
>>>> This would let us secure the application at higher levels, e.g.
>>>> @Secured( {"ROLE_ORG_MANAGEMENT"} )
>>>>
>>>> [example of using custom access decision manager -
>>>> http://blog.springsource.com/2009/01/02/spring-security-customization...
>>>> ]
>>>>
>>>> However from what I learnt from Udai,
>>>> - there are existing customers who use such granular activities
>>>> - there are apparently activities dynamically created and permissions
>>>> granted to roles at runtime for reports.
>>>> (this may change if we move report delivery from a reporting server
>>>> eventually)
>>>>
>>>> So, I guess the question really is - do we want to keep/provide
>>>> security at such low/granular levels?
>>>>
>>>> Technically this is quite feasible, and as described above, we can
>>>> ride on the existing data model.
>>>>
>>>> Please let me know your thoughts.
>>>>
>>>> regards
>>>> ~angshu
>>>>
>>>> _______________________________________________
>>>> Mifos-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/mifos-users
>>>
>>> --
>>> Ryan Whitney
>>> Mifos Technical Program Manager
>>> [email protected]
>>> Mifos - Technology that Empowers Microfinance (www.mifos.org)
>>> Our mission is to enable the poor, especially the poorest, to create a
>>> world without poverty.
>>> <http://grameenfoundation.org/take-action/ingenuity-fund-challenge/>
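
The roll-up voter described in Angshuman's forwarded proposal, sketched as an added example that is not part of the thread and not Mifos code. It grants a group-level role such as ROLE_ORG_MANAGEMENT only when the user holds every child activity of that group, so the coarser check never allows more than the granular grants did; that policy is a choice made for this example. Assumptions: granular grants appear as authorities named ACTIVITY_<activity_id>, a hypothetical role-to-group map stands in for the properties file, and the classpath has a Spring Security release that ships the generic AccessDecisionVoter interface (Java 10+ for var and Map.of).

```java
import java.util.*;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Added example, not Mifos code: votes on group-level roles by rolling up granular activities.
public class ActivityRollupVoter implements AccessDecisionVoter<Object> {
    // group activity_id -> child activity_ids, built from (activity_id -> parent_id) rows
    private final Map<Integer, Set<Integer>> childrenOf = new HashMap<>();
    private final Map<String, Integer> roleToGroup; // assumed mapper: role name -> group activity_id

    public ActivityRollupVoter(Map<Integer, Integer> parentOf, Map<String, Integer> roleToGroup) {
        parentOf.forEach((child, parent) -> childrenOf.computeIfAbsent(parent, k -> new HashSet<>()).add(child));
        this.roleToGroup = new HashMap<>(roleToGroup);
    }
    public boolean supports(ConfigAttribute a) { return roleToGroup.containsKey(a.getAttribute()); }
    public boolean supports(Class<?> clazz) { return true; }

    public int vote(Authentication auth, Object secured, Collection<ConfigAttribute> attrs) {
        Set<Integer> held = new HashSet<>();
        for (GrantedAuthority ga : auth.getAuthorities()) {
            String name = ga.getAuthority();
            // Assumed convention: a granular grant is the authority "ACTIVITY_<activity_id>".
            if (name != null && name.matches("ACTIVITY_\\d{1,9}")) {
                held.add(Integer.valueOf(name.substring("ACTIVITY_".length())));
            }
        }
        int result = ACCESS_ABSTAIN; // no group-level attribute here: leave it to other voters
        for (ConfigAttribute attr : attrs) {
            if (!supports(attr)) continue;
            Set<Integer> needed = childrenOf.get(roleToGroup.get(attr.getAttribute()));
            // Least privilege: an empty group or one missing child activity denies the group role.
            if (needed == null || !held.containsAll(needed)) return ACCESS_DENIED;
            result = ACCESS_GRANTED;
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample: activities 2 and 3 sit under group activity 1.
        var voter = new ActivityRollupVoter(Map.of(2, 1, 3, 1), Map.of("ROLE_ORG_MANAGEMENT", 1));
        List<ConfigAttribute> required = SecurityConfig.createList("ROLE_ORG_MANAGEMENT");
        Authentication all = new TestingAuthenticationToken("om", "n/a", "ACTIVITY_2", "ACTIVITY_3");
        Authentication some = new TestingAuthenticationToken("lo", "n/a", "ACTIVITY_2");
        System.out.println("all children held: " + voter.vote(all, null, required));
        System.out.println("one child held:    " + voter.vote(some, null, required));
    }
}
```

Under UnanimousBased, an ACCESS_DENIED from this voter rejects the call even if another voter grants; under AffirmativeBased, a grant from any other voter would override it.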
