CoreBOSBB
What's the use of roles and profiles when we can only select one role per user? - Printable Version

+- CoreBOSBB (https://discussions.corebos.org)
+-- Forum: Support (https://discussions.corebos.org/forumdisplay.php?fid=17)
+--- Forum: Administrator Support (https://discussions.corebos.org/forumdisplay.php?fid=8)
+--- Thread: What's the use of roles and profiles when we can only select one role per user? (/showthread.php?tid=1352)



What's the use of roles and profiles when we can only select one role per user? - Guido1982 - 11-30-2018

This is something that I can imagine has been discussed before and something I may not understand well enough. Anyway, I've always wondered what the use is for separate profiles and roles when we can only select one role for a user. If I have a group of users grouped by their role and I want a subset of that group to have permissions, but deny those permissions for the rest of the group I can't really do that. Sure I can select multiple profiles for the role, but then again I can't really turn that role on or off for certain users. So I'm left with creating roles and profiles that really represent the same thing. Maybe I'm missing some logic here but right now I can't think of any.


RE: What's the use of roles and profiles when we can only select one role per user? - joebordes - 12-09-2018

Have a read at this guide:

http://corebos.org/documentation/doku.php?id=en:adminmanual:securityguide

What I understand is that a Role is a group of profiles.


RE: What's the use of roles and profiles when we can only select one role per user? - Guido1982 - 12-09-2018

Well, reading through that get me to the following text:
Quote:Individual users (e.g. John, Mary) might be assigned to one or more roles, where the roles are based on the user's job responsibilities and competencies in the organization. Users should be assigned multiple roles to reflect the fact that some users connect to the system in different function depending on the tasks. For example, user “John” might be assigned the role “Head-Sales”, because John is the head of sales at your company, as well as the role “admin”, because John is also CRM system administrator. If John wants to work as administrator he logs in as “admin”, if John wants to work as head of sales he logs in as “Head-Sales”. It is possible to let John connect to the system with the same password, regardless of whether he acts as administrator or head of sales.

Where it is stated that users could be assigned to multiple roles. If this was true, it would make a whole lot more sense to me. But I must be missing something, becuase when I edit a user, I can only select a single role. Selecting a new one doesn't add it to the existing roles of the user, it overwrites the old one.

Sometimes you want a specific user in a role to have a little bit more control than other users in that role, or you can have users that perform multiple roles in an organization. Right now, I can't really set them apart. If person A and B belong to the same role, but person A also needs some privileges that person B shouldn't have, I have to kind of copy the existing role, link that to the profiles I need and assign that new 'mixed' role to the user A. It would be nice if we can assign multiple roles to a single user, like the document stated. Surely we could add this to the UI field and the database, but does the current codebase reflect that in the sense that permissions will be checked against multiple roles at the time permissions need to be checked?

Apart from this 'bug' (or maybe I'm just reading it wrong?) it seems like a very powerfull mechanism.

Hmm, reading on I see:
Quote:For example, a single standard user can be associated with one or more roles by different user names,
Which leads me to thinking that the system is set up so that a single person should have multiple usernames/accounts. I don't really like that approach since it would require people to log out and in and out and in over and over. I think setting multiple roles on a single user would be better.


RE: What's the use of roles and profiles when we can only select one role per user? - joebordes - 12-09-2018

(12-09-2018, 02:12 PM)Guido1982 Wrote: Sometimes you want a specific user in a role to have a little bit more control than other users in that role, or you can have users that perform multiple roles in an organization. Right now, I can't really set them apart. If person A and B belong to the same role, but person A also needs some privileges that person B shouldn't have, I have to kind of copy the existing role, link that to the profiles I need and assign that new 'mixed' role to the user A. It would be nice if we can assign multiple roles to a single user, like the document stated. Surely we could add this to the UI field and the database, but does the current codebase reflect that in the sense that permissions will be checked against multiple roles at the time permissions need to be checked?

That documentation is old, so take it with a grain of salt.

Each user has one role.
To accomplish what you explain above the you need two roles, one for A and one for B. A will have all the profiles of B, plus some special profile that will give him the privileges he needs.
I don't actually see the difference between adding various profiles and adding various roles. In the end you are grouping profiles.


RE: What's the use of roles and profiles when we can only select one role per user? - Guido1982 - 12-09-2018

Well yes, I agree that you could and should do it that way. I just never understood the need for the differentiation between roles and profiles and setting privileges on profiles while really, you're setting them on roles. Like you said, I don't really see the difference since you're grouping profiles.

I think I have to change my approach as to how I set up profiles and roles. Semantically I would prefer users being able to have more than one role, since now I have to create roles that are called 'Administration and planning' and 'Administration' to reflect what those people do in the company. I'd rather separate those roles without mixing their privileges and add/remove them to users as needed. But I understand we can reach the same level of fine-grain control with the setup we have now and changing that would mean a massive undertaking.