User profiles: created in dedicated module itop-profiles-itil

SVN:trunk[980]
Romain Quetiez
2010-11-26 15:55:38 +00:00
parent c8384cc8a4
commit 7d13ec00e4
6 changed files with 371 additions and 629 deletions


@@ -149,6 +149,7 @@ class UserRightsMatrix extends UserRightsAddOnAPI
return ($oUser->GetKey() == 1);
}
// Deprecated - create a new module !
public function Setup()
{
// Users must be added manually
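Review bot: The `// Deprecated - create a new module !` comment leaves `UserRightsMatrix::Setup()` in place, while the same commit appears to drop the abstract `Setup()` from `UserRightsAddOnAPI` and the `UserRights::Setup()` entry point, so nothing visible on this page still calls it. Either delete the method, as was done for the other add-ons, or say what replaces it, e.g. `// Deprecated: no longer called by UserRights; initial data is now created by a module installer (see itop-profiles-itil)`. The body of Setup() continues past the end of this hunk, so whether it still does any useful seeding cannot be judged from here.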


@@ -42,11 +42,6 @@ class UserRightsNull extends UserRightsAddOnAPI
return true;
}
public function Setup()
{
return true;
}
public function Init()
{
return true;


@@ -471,14 +471,6 @@ class UserRightsProfile extends UserRightsAddOnAPI
return true;
}
public function Setup()
{
SetupProfiles::ComputeITILProfiles();
//SetupProfiles::ComputeBasicProfiles();
SetupProfiles::DoCreateProfiles();
return true;
}
public function Init()
{
MetaModel::RegisterPlugin('userrights', 'ACbyProfile');
@@ -825,265 +817,6 @@ exit;
}
}
//
// Create simple profiles into our user management model:
// - administrator
// - readers
// - contributors
//
class SetupProfiles
{
protected static $m_aActions = array(
UR_ACTION_READ => 'Read',
UR_ACTION_MODIFY => 'Modify',
UR_ACTION_DELETE => 'Delete',
UR_ACTION_BULK_READ => 'Bulk Read',
UR_ACTION_BULK_MODIFY => 'Bulk Modify',
UR_ACTION_BULK_DELETE => 'Bulk Delete',
);
// Note: It is possible to specify the same class in several modules
//
protected static $m_aModules = array();
protected static $m_aProfiles = array();
protected static function DoCreateActionGrant($iProfile, $iAction, $sClass, $bPermission = true)
{
$oNewObj = MetaModel::NewObject("URP_ActionGrant");
$oNewObj->Set('profileid', $iProfile);
$oNewObj->Set('permission', $bPermission ? 'yes' : 'no');
$oNewObj->Set('class', $sClass);
$oNewObj->Set('action', self::$m_aActions[$iAction]);
$iId = $oNewObj->DBInsertNoReload();
return $iId;
}
protected static function DoCreateStimulusGrant($iProfile, $sStimulusCode, $sClass)
{
$oNewObj = MetaModel::NewObject("URP_StimulusGrant");
$oNewObj->Set('profileid', $iProfile);
$oNewObj->Set('permission', 'yes');
$oNewObj->Set('class', $sClass);
$oNewObj->Set('stimulus', $sStimulusCode);
$iId = $oNewObj->DBInsertNoReload();
return $iId;
}
protected static function DoCreateOneProfile($sName, $aProfileData)
{
$sDescription = $aProfileData['description'];
if (strlen(trim($aProfileData['write_modules'])) == 0)
{
$aWriteModules = array();
}
else
{
$aWriteModules = explode(',', trim($aProfileData['write_modules']));
}
$aStimuli = $aProfileData['stimuli'];
$oNewObj = MetaModel::NewObject("URP_Profiles");
$oNewObj->Set('name', $sName);
$oNewObj->Set('description', $sDescription);
$iProfile = $oNewObj->DBInsertNoReload();
// Grant read rights for everything
//
foreach (MetaModel::GetClasses('bizmodel') as $sClass)
{
self::DoCreateActionGrant($iProfile, UR_ACTION_READ, $sClass);
self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_READ, $sClass);
}
// Grant write for given modules
// Start by compiling the information, because some modules may overlap
$aWriteableClasses = array();
foreach ($aWriteModules as $sModule)
{
//$oPage->p('Granting write access for the module"'.$sModule.'" - '.count(self::$m_aModules[$sModule]).' classes');
foreach (self::$m_aModules[$sModule] as $sClass)
{
$aWriteableClasses[$sClass] = true;
}
}
foreach ($aWriteableClasses as $sClass => $foo)
{
if (!MetaModel::IsValidClass($sClass))
{
throw new CoreException("Invalid class name '$sClass'");
}
self::DoCreateActionGrant($iProfile, UR_ACTION_MODIFY, $sClass);
self::DoCreateActionGrant($iProfile, UR_ACTION_DELETE, $sClass);
self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_MODIFY, $sClass);
// By default, do not allow bulk deletion operations for standard users
// self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_DELETE, $sClass);
}
// Grant stimuli for given classes
foreach ($aStimuli as $sClass => $sAllowedStimuli)
{
if (!MetaModel::IsValidClass($sClass))
{
// Could be a class defined in a module that wasn't installed
continue;
//throw new CoreException("Invalid class name '$sClass'");
}
if ($sAllowedStimuli == 'any')
{
$aAllowedStimuli = array_keys(MetaModel::EnumStimuli($sClass));
}
elseif ($sAllowedStimuli == 'none')
{
$aAllowedStimuli = array();
}
else
{
$aAllowedStimuli = explode(',', $sAllowedStimuli);
}
foreach ($aAllowedStimuli as $sStimulusCode)
{
self::DoCreateStimulusGrant($iProfile, $sStimulusCode, $sClass);
}
}
}
public static function DoCreateProfiles()
{
URP_Profiles::DoCreateAdminProfile();
URP_Profiles::DoCreateUserPortalProfile();
foreach(self::$m_aProfiles as $sName => $aProfileData)
{
self::DoCreateOneProfile($sName, $aProfileData);
}
}
public static function ComputeBasicProfiles()
{
// In this profiling scheme, one single module represents all the classes
//
self::$m_aModules = array(
'UserData' => MetaModel::GetClasses('bizmodel'),
);
self::$m_aProfiles = array(
'Reader' => array(
'description' => 'Person having a ready-only access to the data',
'write_modules' => '',
'stimuli' => array(
),
),
'Writer' => array(
'description' => 'Contributor to the contents (read + write access)',
'write_modules' => 'UserData',
'stimuli' => array(
// any class => 'any'
),
),
);
}
public static function ComputeITILProfiles()
{
// In this profiling scheme, modules are based on ITIL recommendations
//
self::$m_aModules = array(
/*
'WriteModule' => array(
'someclass',
'anotherclass',
),
*/
'General' => MetaModel::GetClasses('structure'),
'Documentation' => MetaModel::GetClasses('documentation'),
'Configuration' => MetaModel::GetClasses('configmgmt'),
'Incident' => MetaModel::GetClasses('incidentmgmt'),
'Problem' => MetaModel::GetClasses('problemmgmt'),
'Change' => MetaModel::GetClasses('changemgmt'),
'Service' => MetaModel::GetClasses('servicemgmt'),
'Call' => MetaModel::GetClasses('requestmgmt'),
'KnownError' => MetaModel::GetClasses('knownerrormgmt'),
);
self::$m_aProfiles = array(
'Configuration Manager' => array(
'description' => 'Person in charge of the documentation of the managed CIs',
'write_modules' => 'General,Documentation,Configuration',
'stimuli' => array(
//'bizServer' => 'none',
//'bizContract' => 'none',
//'bizIncidentTicket' => 'none',
//'bizChangeTicket' => 'any',
),
),
'Service Desk Agent' => array(
'description' => 'Person in charge of creating incident reports',
'write_modules' => 'Incident,Call',
'stimuli' => array(
'Incident' => 'ev_assign',
'UserRequest' => 'ev_assign',
),
),
'Support Agent' => array(
'description' => 'Person analyzing and solving the current incidents',
'write_modules' => 'Incident',
'stimuli' => array(
'Incident' => 'ev_assign,ev_reassign,ev_resolve,ev_close',
'UserRequest' => 'ev_assign,ev_reassign,ev_resolve,ev_close,ev_freeze',
),
),
'Problem Manager' => array(
'description' => 'Person analyzing and solving the current problems',
'write_modules' => 'Problem,KnownError',
'stimuli' => array(
'Problem' => 'ev_assign,ev_reassign,ev_resolve,ev_close',
),
),
'Change Implementor' => array(
'description' => 'Person executing the changes',
'write_modules' => 'Change',
'stimuli' => array(
'NormalChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor',
'EmergencyChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor',
'RoutineChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor',
),
),
'Change Supervisor' => array(
'description' => 'Person responsible for the overall change execution',
'write_modules' => 'Change',
'stimuli' => array(
'NormalChange' => 'ev_validate,ev_reject,ev_assign,ev_reopen,ev_finish',
'EmergencyChange' => 'ev_assign,ev_reopen,ev_finish',
'RoutineChange' => 'ev_assign,ev_reopen,ev_finish',
),
),
'Change Approver' => array(
'description' => 'Person who could be impacted by some changes',
'write_modules' => 'Change',
'stimuli' => array(
'NormalChange' => 'ev_approve,ev_notapprove',
'EmergencyChange' => 'ev_approve,ev_notapprove',
'RoutineChange' => 'none',
),
),
'Service Manager' => array(
'description' => 'Person responsible for the service delivered to the [internal] customer',
'write_modules' => 'Service',
'stimuli' => array(
),
),
'Document author' => array(
'description' => 'Any person who could contribute to documentation',
'write_modules' => 'Documentation',
'stimuli' => array(
),
),
);
}
}
UserRights::SelectModule('UserRightsProfile');


@@ -658,16 +658,6 @@ class UserRightsProjection extends UserRightsAddOnAPI
// See implementation of userrightsprofile
}
public function Setup()
{
SetupProfiles::ComputeITILProfiles();
//SetupProfiles::ComputeBasicProfiles();
SetupProfiles::DoCreateDimensions();
SetupProfiles::DoCreateProfiles();
return true;
}
public function Init()
{
MetaModel::RegisterPlugin('userrights', 'ACbyProfile', array($this, 'CacheData'));
@@ -1256,343 +1246,6 @@ exit;
}
}
//
// Create simple profiles into our user management model:
// - administrator
// - readers
// - contributors
//
class SetupProfiles
{
protected static $m_aDimensions = array(
'organization' => array(
'description' => '',
'type' => 'Organization',
),
);
protected static $m_aActions = array(
UR_ACTION_READ => 'Read',
UR_ACTION_MODIFY => 'Modify',
UR_ACTION_DELETE => 'Delete',
UR_ACTION_BULK_READ => 'Bulk Read',
UR_ACTION_BULK_MODIFY => 'Bulk Modify',
UR_ACTION_BULK_DELETE => 'Bulk Delete',
);
// Note: It is possible to specify the same class in several modules
//
protected static $m_aModules = array();
protected static $m_aProfiles = array();
protected static function DoCreateClassProjection($iDimension, $sClass)
{
$oNewObj = MetaModel::NewObject("URP_ClassProjection");
$oNewObj->Set('dimensionid', $iDimension);
$oNewObj->Set('class', $sClass);
$oNewObj->Set('attribute', '');
$iId = $oNewObj->DBInsertNoReload();
return $iId;
}
protected static function DoCreateDimension($sName, $aDimensionData)
{
$oNewObj = MetaModel::NewObject("URP_Dimensions");
$oNewObj->Set('name', $sName);
$oNewObj->Set('description', $aDimensionData['description']);
$oNewObj->Set('type', $aDimensionData['type']);
$iId = $oNewObj->DBInsertNoReload();
return $iId;
}
protected static function DoCreateProfileProjection($iProfile, $iDimension)
{
$oNewObj = MetaModel::NewObject("URP_ProfileProjection");
$oNewObj->Set('profileid', $iProfile);
$oNewObj->Set('dimensionid', $iDimension);
$oNewObj->Set('value', '<any>');
$oNewObj->Set('attribute', '');
$iId = $oNewObj->DBInsertNoReload();
return $iId;
}
protected static function DoCreateActionGrant($iProfile, $iAction, $sClass, $bPermission = true)
{
$oNewObj = MetaModel::NewObject("URP_ActionGrant");
$oNewObj->Set('profileid', $iProfile);
$oNewObj->Set('permission', $bPermission ? 'yes' : 'no');
$oNewObj->Set('class', $sClass);
$oNewObj->Set('action', self::$m_aActions[$iAction]);
$iId = $oNewObj->DBInsertNoReload();
return $iId;
}
protected static function DoCreateStimulusGrant($iProfile, $sStimulusCode, $sClass)
{
$oNewObj = MetaModel::NewObject("URP_StimulusGrant");
$oNewObj->Set('profileid', $iProfile);
$oNewObj->Set('permission', 'yes');
$oNewObj->Set('class', $sClass);
$oNewObj->Set('stimulus', $sStimulusCode);
$iId = $oNewObj->DBInsertNoReload();
return $iId;
}
protected static function DoCreateAdminProfile()
{
$oNewObj = MetaModel::NewObject("URP_Profiles");
$oNewObj->Set('name', 'Administrator');
$oNewObj->Set('description', 'Has the rights on everything (bypassing any control)');
$iNewId = $oNewObj->DBInsertNoReload();
if ($iNewId != ADMIN_PROFILE_ID)
{
throw new CoreException('Admin profile could not be created with its standard id', array('requested'=>ADMIN_PROFILE_ID, 'obtained'=>$iNewId));
}
}
protected static function DoCreateOneProfile($sName, $aProfileData)
{
$sDescription = $aProfileData['description'];
if (strlen(trim($aProfileData['write_modules'])) == 0)
{
$aWriteModules = array();
}
else
{
$aWriteModules = explode(',', trim($aProfileData['write_modules']));
}
$aStimuli = $aProfileData['stimuli'];
$oNewObj = MetaModel::NewObject("URP_Profiles");
$oNewObj->Set('name', $sName);
$oNewObj->Set('description', $sDescription);
$iProfile = $oNewObj->DBInsertNoReload();
// Project in every dimension
//
$oDimensionSet = new DBObjectSet(DBObjectSearch::FromOQL_AllData("SELECT URP_Dimensions"));
while ($oDimension = $oDimensionSet->Fetch())
{
$iDimension = $oDimension->GetKey();
self::DoCreateProfileProjection($iProfile, $iDimension);
}
// Grant read rights for everything
//
foreach (MetaModel::GetClasses('bizmodel') as $sClass)
{
// Skip non instantiable classes
if (MetaModel::IsAbstract($sClass)) continue;
self::DoCreateActionGrant($iProfile, UR_ACTION_READ, $sClass);
self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_READ, $sClass);
}
// Grant write for given modules
// Start by compiling the information, because some modules may overlap
$aWriteableClasses = array();
foreach ($aWriteModules as $sModule)
{
//$oPage->p('Granting write access for the module"'.$sModule.'" - '.count(self::$m_aModules[$sModule]).' classes');
foreach (self::$m_aModules[$sModule] as $sClass)
{
$aWriteableClasses[$sClass] = true;
}
}
foreach ($aWriteableClasses as $sClass => $foo)
{
// Skip non instantiable classes
if (MetaModel::IsAbstract($sClass)) continue;
if (!MetaModel::IsValidClass($sClass))
{
throw new CoreException("Invalid class name '$sClass'");
}
self::DoCreateActionGrant($iProfile, UR_ACTION_MODIFY, $sClass);
self::DoCreateActionGrant($iProfile, UR_ACTION_DELETE, $sClass);
self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_MODIFY, $sClass);
// By default, do not allow bulk deletion operations for standard users
// self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_DELETE, $sClass);
}
// Grant stimuli for given classes
foreach ($aStimuli as $sClass => $sAllowedStimuli)
{
if (!MetaModel::IsValidClass($sClass))
{
// Could be a class defined in a module that wasn't installed
continue;
//throw new CoreException("Invalid class name '$sClass'");
}
if ($sAllowedStimuli == 'any')
{
$aAllowedStimuli = array_keys(MetaModel::EnumStimuli($sClass));
}
elseif ($sAllowedStimuli == 'none')
{
$aAllowedStimuli = array();
}
else
{
$aAllowedStimuli = explode(',', $sAllowedStimuli);
}
foreach ($aAllowedStimuli as $sStimulusCode)
{
self::DoCreateStimulusGrant($iProfile, $sStimulusCode, $sClass);
}
}
}
public static function DoCreateDimensions()
{
$aClass = MetaModel::GetClasses();
foreach(self::$m_aDimensions as $sName => $aDimensionData)
{
$iDimension = self::DoCreateDimension($sName, $aDimensionData);
foreach($aClass as $sClass)
{
// Skip non instantiable classes
if (MetaModel::IsAbstract($sClass)) continue;
if (!MetaModel::IsValidClass($sClass))
{
throw new CoreException("Invalid class name '$sClass'");
}
self::DoCreateClassProjection($iDimension, $sClass);
}
}
}
public static function DoCreateProfiles()
{
self::DoCreateAdminProfile();
foreach(self::$m_aProfiles as $sName => $aProfileData)
{
self::DoCreateOneProfile($sName, $aProfileData);
}
}
public static function ComputeBasicProfiles()
{
// In this profiling scheme, one single module represents all the classes
//
self::$m_aModules = array(
'UserData' => MetaModel::GetClasses('bizmodel'),
);
self::$m_aProfiles = array(
'Reader' => array(
'description' => 'Person having a ready-only access to the data',
'write_modules' => '',
'stimuli' => array(
),
),
'Writer' => array(
'description' => 'Contributor to the contents (read + write access)',
'write_modules' => 'UserData',
'stimuli' => array(
// any class => 'any'
),
),
);
}
public static function ComputeITILProfiles()
{
// In this profiling scheme, modules are based on ITIL recommendations
//
self::$m_aModules = array(
/*
'WriteModule' => array(
'someclass',
'anotherclass',
),
*/
'General' => MetaModel::GetClasses('structure'),
'Documentation' => MetaModel::GetClasses('documentation'),
'Configuration' => MetaModel::GetClasses('configmgmt'),
'Incident' => MetaModel::GetClasses('incidentmgmt'),
'Problem' => MetaModel::GetClasses('problemmgmt'),
'Change' => MetaModel::GetClasses('changemgmt'),
'Service' => MetaModel::GetClasses('servicemgmt'),
'Call' => MetaModel::GetClasses('requestmgmt'),
'KnownError' => MetaModel::GetClasses('knownerrormgmt'),
);
self::$m_aProfiles = array(
'Configuration Manager' => array(
'description' => 'Person in charge of the documentation of the managed CIs',
'write_modules' => 'General,Documentation,Configuration',
'stimuli' => array(
//'bizServer' => 'none',
//'bizContract' => 'none',
//'bizIncidentTicket' => 'none',
//'bizChangeTicket' => 'any',
),
),
'Service Desk Agent' => array(
'description' => 'Person in charge of creating incident reports',
'write_modules' => 'Incident,Call',
'stimuli' => array(
'Incident' => 'ev_assign',
'UserRequest' => 'ev_assign',
),
),
'Support Agent' => array(
'description' => 'Person analyzing and solving the current incidents or problems',
'write_modules' => 'Incident,Problem,KnownError',
'stimuli' => array(
'Incident' => 'ev_assign,ev_reassign,ev_resolve,ev_close',
'UserRequest' => 'ev_assign,ev_reassign,ev_resolve,ev_close,ev_freeze',
),
),
'Change Implementor' => array(
'description' => 'Person executing the changes',
'write_modules' => 'Change',
'stimuli' => array(
'NormalChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor',
'EmergencyChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor',
'RoutineChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor',
),
),
'Change Supervisor' => array(
'description' => 'Person responsible for the overall change execution',
'write_modules' => 'Change',
'stimuli' => array(
'NormalChange' => 'ev_validate,ev_reject,ev_assign,ev_reopen,ev_finish',
'EmergencyChange' => 'ev_assign,ev_reopen,ev_finish',
'RoutineChange' => 'ev_assign,ev_reopen,ev_finish',
),
),
'Change Approver' => array(
'description' => 'Person who could be impacted by some changes',
'write_modules' => 'Change',
'stimuli' => array(
'NormalChange' => 'ev_approve,ev_notapprove',
'EmergencyChange' => 'ev_approve,ev_notapprove',
'RoutineChange' => 'none',
),
),
'Service Manager' => array(
'description' => 'Person responsible for the service delivered to the [internal] customer',
'write_modules' => 'Service',
'stimuli' => array(
),
),
'Document author' => array(
'description' => 'Any person who could contribute to documentation',
'write_modules' => 'Documentation',
'stimuli' => array(
),
),
);
}
}
UserRights::SelectModule('UserRightsProjection');


@@ -50,7 +50,6 @@ define('UR_ACTION_APPLICATION_DEFINED', 10000); // Application specific actions
*/
abstract class UserRightsAddOnAPI
{
abstract public function Setup(); // initial installation
abstract public function CreateAdministrator($sAdminUser, $sAdminPwd, $sLanguage = 'EN US'); // could be used during initial installation
abstract public function Init(); // loads data (possible optimizations)
@@ -310,15 +309,6 @@ class UserRights
return $bRes;
}
// Installation (e.g: give default values for users)
public static function Setup()
{
// to be discussed...
$bRes = self::$m_oAddOn->Setup();
self::FlushPrivileges(true /* reset admin cache */);
return $bRes;
}
protected static function IsLoggedIn()
{
if (self::$m_oUser == null)


@@ -0,0 +1,370 @@
<?php
// Copyright (C) 2010 Combodo SARL
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; version 3 of the License.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
SetupWebPage::AddModule(
__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
'itop-profiles-itil/1.0.0',
array(
// Identification
//
'label' => 'Create standard ITIL profiles',
'category' => 'create_profiles',
// Setup
//
'dependencies' => array(
),
'mandatory' => true,
'visible' => false,
'installer' => 'CreateITILProfilesInstaller',
// Components
//
'datamodel' => array(
//'model.itop-profiles-itil.php',
),
'webservice' => array(
//'webservices.itop-profiles-itil.php',
),
'dictionary' => array(
//'en.dict.itop-profiles-itil.php',
//'fr.dict.itop-profiles-itil.php',
//'de.dict.itop-profiles-itil.php',
),
'data.struct' => array(
//'data.struct.itop-profiles-itil.xml',
),
'data.sample' => array(
//'data.sample.itop-profiles-itil.xml',
),
// Documentation
//
'doc.manual_setup' => '',
'doc.more_information' => '',
// Default settings
//
'settings' => array(
//'some_setting' => 'some value',
),
)
);
// Module installation handler
//
class CreateITILProfilesInstaller extends ModuleInstallerAPI
{
public static function BeforeWritingConfig(Config $oConfiguration)
{
//$oConfiguration->SetModuleSetting('user-rigths-profile', 'myoption', 'myvalue');
return $oConfiguration;
}
public static function AfterDatabaseCreation(Config $oConfiguration)
{
self::ComputeITILProfiles();
//self::ComputeBasicProfiles();
self::DoCreateProfiles();
UserRights::FlushPrivileges(true /* reset admin cache */);
}
protected static $m_aActions = array(
UR_ACTION_READ => 'Read',
UR_ACTION_MODIFY => 'Modify',
UR_ACTION_DELETE => 'Delete',
UR_ACTION_BULK_READ => 'Bulk Read',
UR_ACTION_BULK_MODIFY => 'Bulk Modify',
UR_ACTION_BULK_DELETE => 'Bulk Delete',
);
// Note: It is possible to specify the same class in several modules
//
protected static $m_aModules = array();
protected static $m_aProfiles = array();
protected static function DoCreateActionGrant($iProfile, $iAction, $sClass, $bPermission = true)
{
$oNewObj = MetaModel::NewObject("URP_ActionGrant");
$oNewObj->Set('profileid', $iProfile);
$oNewObj->Set('permission', $bPermission ? 'yes' : 'no');
$oNewObj->Set('class', $sClass);
$oNewObj->Set('action', self::$m_aActions[$iAction]);
$iId = $oNewObj->DBInsertNoReload();
return $iId;
}
protected static function DoCreateStimulusGrant($iProfile, $sStimulusCode, $sClass)
{
$oNewObj = MetaModel::NewObject("URP_StimulusGrant");
$oNewObj->Set('profileid', $iProfile);
$oNewObj->Set('permission', 'yes');
$oNewObj->Set('class', $sClass);
$oNewObj->Set('stimulus', $sStimulusCode);
$iId = $oNewObj->DBInsertNoReload();
return $iId;
}
protected static function DoCreateOneProfile($sName, $aProfileData)
{
$sDescription = $aProfileData['description'];
if (strlen(trim($aProfileData['write_modules'])) == 0)
{
$aWriteModules = array();
}
else
{
$aWriteModules = explode(',', trim($aProfileData['write_modules']));
}
if (strlen(trim($aProfileData['delete_modules'])) == 0)
{
$aDeleteModules = array();
}
else
{
$aDeleteModules = explode(',', trim($aProfileData['delete_modules']));
}
$aStimuli = $aProfileData['stimuli'];
$oNewObj = MetaModel::NewObject("URP_Profiles");
$oNewObj->Set('name', $sName);
$oNewObj->Set('description', $sDescription);
$iProfile = $oNewObj->DBInsertNoReload();
// Grant read rights for everything
//
foreach (MetaModel::GetClasses('bizmodel') as $sClass)
{
self::DoCreateActionGrant($iProfile, UR_ACTION_READ, $sClass);
self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_READ, $sClass);
}
// Grant write for given modules
// Start by compiling the information, because some modules may overlap
$aWriteableClasses = array();
foreach ($aWriteModules as $sModule)
{
//$oPage->p('Granting write access for the module"'.$sModule.'" - '.count(self::$m_aModules[$sModule]).' classes');
foreach (self::$m_aModules[$sModule] as $sClass)
{
$aWriteableClasses[$sClass] = true;
}
}
foreach ($aWriteableClasses as $sClass => $foo)
{
if (!MetaModel::IsValidClass($sClass))
{
throw new CoreException("Invalid class name '$sClass'");
}
self::DoCreateActionGrant($iProfile, UR_ACTION_MODIFY, $sClass);
self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_MODIFY, $sClass);
}
// Grant delete for given modules
// Start by compiling the information, because some modules may overlap
$aDeletableClasses = array();
foreach ($aDeleteModules as $sModule)
{
//$oPage->p('Granting delete access for the module"'.$sModule.'" - '.count(self::$m_aModules[$sModule]).' classes');
foreach (self::$m_aModules[$sModule] as $sClass)
{
$aDeletableClasses[$sClass] = true;
}
}
foreach ($aDeletableClasses as $sClass => $foo)
{
if (!MetaModel::IsValidClass($sClass))
{
throw new CoreException("Invalid class name '$sClass'");
}
self::DoCreateActionGrant($iProfile, UR_ACTION_DELETE, $sClass);
// By default, do not allow bulk deletion operations for standard users
// self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_DELETE, $sClass);
}
// Grant stimuli for given classes
foreach ($aStimuli as $sClass => $sAllowedStimuli)
{
if (!MetaModel::IsValidClass($sClass))
{
// Could be a class defined in a module that wasn't installed
continue;
//throw new CoreException("Invalid class name '$sClass'");
}
if ($sAllowedStimuli == 'any')
{
$aAllowedStimuli = array_keys(MetaModel::EnumStimuli($sClass));
}
elseif ($sAllowedStimuli == 'none')
{
$aAllowedStimuli = array();
}
else
{
$aAllowedStimuli = explode(',', $sAllowedStimuli);
}
foreach ($aAllowedStimuli as $sStimulusCode)
{
self::DoCreateStimulusGrant($iProfile, $sStimulusCode, $sClass);
}
}
}
public static function DoCreateProfiles()
{
URP_Profiles::DoCreateAdminProfile();
URP_Profiles::DoCreateUserPortalProfile();
foreach(self::$m_aProfiles as $sName => $aProfileData)
{
self::DoCreateOneProfile($sName, $aProfileData);
}
}
public static function ComputeBasicProfiles()
{
// In this profiling scheme, one single module represents all the classes
//
self::$m_aModules = array(
'UserData' => MetaModel::GetClasses('bizmodel'),
);
self::$m_aProfiles = array(
'Reader' => array(
'description' => 'Person having a ready-only access to the data',
'write_modules' => '',
'delete_modules' => '',
'stimuli' => array(
),
),
'Writer' => array(
'description' => 'Contributor to the contents (read + write access)',
'write_modules' => 'UserData',
'delete_modules' => 'UserData',
'stimuli' => array(
// any class => 'any'
),
),
);
}
public static function ComputeITILProfiles()
{
// In this profiling scheme, modules are based on ITIL recommendations
//
self::$m_aModules = array(
'General' => MetaModel::GetClasses('structure'),
'Documentation' => MetaModel::GetClasses('documentation'),
'Configuration' => MetaModel::GetClasses('configmgmt'),
'Incident' => MetaModel::GetClasses('incidentmgmt'),
'Problem' => MetaModel::GetClasses('problemmgmt'),
'Change' => MetaModel::GetClasses('changemgmt'),
'Service' => MetaModel::GetClasses('servicemgmt'),
'Call' => MetaModel::GetClasses('requestmgmt'),
'KnownError' => MetaModel::GetClasses('knownerrormgmt'),
);
self::$m_aProfiles = array(
'Configuration Manager' => array(
'description' => 'Person in charge of the documentation of the managed CIs',
'write_modules' => 'General,Documentation,Configuration',
'delete_modules' => 'General,Documentation,Configuration',
'stimuli' => array(
//'Server' => 'none',
//'Contract' => 'none',
//'IncidentTicket' => 'none',
//'ChangeTicket' => 'any',
),
),
'Service Desk Agent' => array(
'description' => 'Person in charge of creating incident reports',
'write_modules' => 'Incident,Call',
'delete_modules' => 'Incident,Call',
'stimuli' => array(
'Incident' => 'ev_assign',
'UserRequest' => 'ev_assign',
),
),
'Support Agent' => array(
'description' => 'Person analyzing and solving the current incidents',
'write_modules' => 'Incident',
'delete_modules' => 'Incident',
'stimuli' => array(
'Incident' => 'ev_assign,ev_reassign,ev_resolve,ev_close',
'UserRequest' => 'ev_assign,ev_reassign,ev_resolve,ev_close,ev_freeze',
),
),
'Problem Manager' => array(
'description' => 'Person analyzing and solving the current problems',
'write_modules' => 'Problem,KnownError',
'delete_modules' => 'Problem,KnownError',
'stimuli' => array(
'Problem' => 'ev_assign,ev_reassign,ev_resolve,ev_close',
),
),
'Change Implementor' => array(
'description' => 'Person executing the changes',
'write_modules' => 'Change',
'delete_modules' => 'Change',
'stimuli' => array(
'NormalChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor',
'EmergencyChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor',
'RoutineChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor',
),
),
'Change Supervisor' => array(
'description' => 'Person responsible for the overall change execution',
'write_modules' => 'Change',
'delete_modules' => 'Change',
'stimuli' => array(
'NormalChange' => 'ev_validate,ev_reject,ev_assign,ev_reopen,ev_finish',
'EmergencyChange' => 'ev_assign,ev_reopen,ev_finish',
'RoutineChange' => 'ev_assign,ev_reopen,ev_finish',
),
),
'Change Approver' => array(
'description' => 'Person who could be impacted by some changes',
'write_modules' => 'Change',
'delete_modules' => 'Change',
'stimuli' => array(
'NormalChange' => 'ev_approve,ev_notapprove',
'EmergencyChange' => 'ev_approve,ev_notapprove',
'RoutineChange' => 'none',
),
),
'Service Manager' => array(
'description' => 'Person responsible for the service delivered to the [internal] customer',
'write_modules' => 'Service',
'delete_modules' => 'Service',
'stimuli' => array(
),
),
'Document author' => array(
'description' => 'Any person who could contribute to documentation',
'write_modules' => 'Documentation',
'delete_modules' => 'Documentation',
'stimuli' => array(
),
),
);
}
}
?>
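Review bot: Every profile in `ComputeITILProfiles()` and `ComputeBasicProfiles()` except 'Reader' sets `delete_modules` to the same list as `write_modules`, so the new write/delete split in `DoCreateOneProfile()` does not yet narrow any grant. 'Change Approver', described as a person who could be impacted by changes, still receives `UR_ACTION_DELETE` on every class of the Change module, and 'Service Desk Agent' receives it on Incident and Call. For roles that only need to create or update records, `'delete_modules' => '',` would make least privilege the shipped default. Separately, `$aProfileData['delete_modules']` and `self::$m_aModules[$sModule]` are read without an existence check, so a profile that omits the key or names an unknown module yields no grants with only a PHP notice or warning; throwing a `CoreException` there, as is already done for invalid class names, would surface a mis-specified profile at install time.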