diff --git a/addons/userrights/userrightsmatrix.class.inc.php b/addons/userrights/userrightsmatrix.class.inc.php index 7c7e9ca9e..3f4f9369b 100644 --- a/addons/userrights/userrightsmatrix.class.inc.php +++ b/addons/userrights/userrightsmatrix.class.inc.php @@ -149,6 +149,7 @@ class UserRightsMatrix extends UserRightsAddOnAPI return ($oUser->GetKey() == 1); } + // Deprecated - create a new module ! public function Setup() { // Users must be added manually diff --git a/addons/userrights/userrightsnull.class.inc.php b/addons/userrights/userrightsnull.class.inc.php index f31ce3b25..760b93ab7 100644 --- a/addons/userrights/userrightsnull.class.inc.php +++ b/addons/userrights/userrightsnull.class.inc.php @@ -42,11 +42,6 @@ class UserRightsNull extends UserRightsAddOnAPI return true; } - public function Setup() - { - return true; - } - public function Init() { return true; diff --git a/addons/userrights/userrightsprofile.class.inc.php b/addons/userrights/userrightsprofile.class.inc.php index 0226ffde5..5cdad21c8 100644 --- a/addons/userrights/userrightsprofile.class.inc.php +++ b/addons/userrights/userrightsprofile.class.inc.php @@ -471,14 +471,6 @@ class UserRightsProfile extends UserRightsAddOnAPI return true; } - public function Setup() - { - SetupProfiles::ComputeITILProfiles(); - //SetupProfiles::ComputeBasicProfiles(); - SetupProfiles::DoCreateProfiles(); - return true; - } - public function Init() { MetaModel::RegisterPlugin('userrights', 'ACbyProfile'); 
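Review bot: The comment added above UserRightsMatrix::Setup() does not say what replaces the method or that nothing calls it any more. The same commit removes the abstract Setup() from UserRightsAddOnAPI and UserRights::Setup(), so this body is no longer reachable through the add-on API. A clearer comment would be `// Deprecated: no longer invoked by UserRights; provision users from a module installer (ModuleInstallerAPI::AfterDatabaseCreation) instead`. Setup()'s body continues outside the hunk, so it is not visible here whether it still does provisioning that needs migrating.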
@@ -825,265 +817,6 @@ exit; } } -// -// Create simple profiles into our user management model: -// - administrator -// - readers -// - contributors -// -class SetupProfiles -{ - protected static $m_aActions = array( - UR_ACTION_READ => 'Read', - UR_ACTION_MODIFY => 'Modify', - UR_ACTION_DELETE => 'Delete', - UR_ACTION_BULK_READ => 'Bulk Read', - UR_ACTION_BULK_MODIFY => 'Bulk Modify', - UR_ACTION_BULK_DELETE => 'Bulk Delete', - ); - - // Note: It is possible to specify the same class in several modules - // - protected static $m_aModules = array(); - protected static $m_aProfiles = array(); - - - protected static function DoCreateActionGrant($iProfile, $iAction, $sClass, $bPermission = true) - { - $oNewObj = MetaModel::NewObject("URP_ActionGrant"); - $oNewObj->Set('profileid', $iProfile); - $oNewObj->Set('permission', $bPermission ? 'yes' : 'no'); - $oNewObj->Set('class', $sClass); - $oNewObj->Set('action', self::$m_aActions[$iAction]); - $iId = $oNewObj->DBInsertNoReload(); - return $iId; - } - - protected static function DoCreateStimulusGrant($iProfile, $sStimulusCode, $sClass) - { - $oNewObj = MetaModel::NewObject("URP_StimulusGrant"); - $oNewObj->Set('profileid', $iProfile); - $oNewObj->Set('permission', 'yes'); - $oNewObj->Set('class', $sClass); - $oNewObj->Set('stimulus', $sStimulusCode); - $iId = $oNewObj->DBInsertNoReload(); - return $iId; - } - - protected static function DoCreateOneProfile($sName, $aProfileData) - { - $sDescription = $aProfileData['description']; - if (strlen(trim($aProfileData['write_modules'])) == 0) - { - $aWriteModules = array(); - } - else - { - $aWriteModules = explode(',', trim($aProfileData['write_modules'])); - } - $aStimuli = $aProfileData['stimuli']; - - $oNewObj = MetaModel::NewObject("URP_Profiles"); - $oNewObj->Set('name', $sName); - $oNewObj->Set('description', $sDescription); - $iProfile = $oNewObj->DBInsertNoReload(); - - // Grant read rights for everything - // - foreach (MetaModel::GetClasses('bizmodel') as $sClass) - { 
- self::DoCreateActionGrant($iProfile, UR_ACTION_READ, $sClass); - self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_READ, $sClass); - } - - // Grant write for given modules - // Start by compiling the information, because some modules may overlap - $aWriteableClasses = array(); - foreach ($aWriteModules as $sModule) - { - //$oPage->p('Granting write access for the module"'.$sModule.'" - '.count(self::$m_aModules[$sModule]).' classes'); - foreach (self::$m_aModules[$sModule] as $sClass) - { - $aWriteableClasses[$sClass] = true; - } - } - foreach ($aWriteableClasses as $sClass => $foo) - { - if (!MetaModel::IsValidClass($sClass)) - { - throw new CoreException("Invalid class name '$sClass'"); - } - self::DoCreateActionGrant($iProfile, UR_ACTION_MODIFY, $sClass); - self::DoCreateActionGrant($iProfile, UR_ACTION_DELETE, $sClass); - self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_MODIFY, $sClass); - // By default, do not allow bulk deletion operations for standard users - // self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_DELETE, $sClass); - } - - // Grant stimuli for given classes - foreach ($aStimuli as $sClass => $sAllowedStimuli) - { - if (!MetaModel::IsValidClass($sClass)) - { - // Could be a class defined in a module that wasn't installed - continue; - //throw new CoreException("Invalid class name '$sClass'"); - } - - if ($sAllowedStimuli == 'any') - { - $aAllowedStimuli = array_keys(MetaModel::EnumStimuli($sClass)); - } - elseif ($sAllowedStimuli == 'none') - { - $aAllowedStimuli = array(); - } - else - { - $aAllowedStimuli = explode(',', $sAllowedStimuli); - } - foreach ($aAllowedStimuli as $sStimulusCode) - { - self::DoCreateStimulusGrant($iProfile, $sStimulusCode, $sClass); - } - } - } - - public static function DoCreateProfiles() - { - URP_Profiles::DoCreateAdminProfile(); - URP_Profiles::DoCreateUserPortalProfile(); - - foreach(self::$m_aProfiles as $sName => $aProfileData) - { - self::DoCreateOneProfile($sName, $aProfileData); - } - } - - public 
static function ComputeBasicProfiles() - { - // In this profiling scheme, one single module represents all the classes - // - self::$m_aModules = array( - 'UserData' => MetaModel::GetClasses('bizmodel'), - ); - - self::$m_aProfiles = array( - 'Reader' => array( - 'description' => 'Person having a ready-only access to the data', - 'write_modules' => '', - 'stimuli' => array( - ), - ), - 'Writer' => array( - 'description' => 'Contributor to the contents (read + write access)', - 'write_modules' => 'UserData', - 'stimuli' => array( - // any class => 'any' - ), - ), - ); - } - - public static function ComputeITILProfiles() - { - // In this profiling scheme, modules are based on ITIL recommendations - // - self::$m_aModules = array( - /* - 'WriteModule' => array( - 'someclass', - 'anotherclass', - ), - */ - 'General' => MetaModel::GetClasses('structure'), - 'Documentation' => MetaModel::GetClasses('documentation'), - 'Configuration' => MetaModel::GetClasses('configmgmt'), - 'Incident' => MetaModel::GetClasses('incidentmgmt'), - 'Problem' => MetaModel::GetClasses('problemmgmt'), - 'Change' => MetaModel::GetClasses('changemgmt'), - 'Service' => MetaModel::GetClasses('servicemgmt'), - 'Call' => MetaModel::GetClasses('requestmgmt'), - 'KnownError' => MetaModel::GetClasses('knownerrormgmt'), - ); - - self::$m_aProfiles = array( - 'Configuration Manager' => array( - 'description' => 'Person in charge of the documentation of the managed CIs', - 'write_modules' => 'General,Documentation,Configuration', - 'stimuli' => array( - //'bizServer' => 'none', - //'bizContract' => 'none', - //'bizIncidentTicket' => 'none', - //'bizChangeTicket' => 'any', - ), - ), - 'Service Desk Agent' => array( - 'description' => 'Person in charge of creating incident reports', - 'write_modules' => 'Incident,Call', - 'stimuli' => array( - 'Incident' => 'ev_assign', - 'UserRequest' => 'ev_assign', - ), - ), - 'Support Agent' => array( - 'description' => 'Person analyzing and solving the current 
incidents', - 'write_modules' => 'Incident', - 'stimuli' => array( - 'Incident' => 'ev_assign,ev_reassign,ev_resolve,ev_close', - 'UserRequest' => 'ev_assign,ev_reassign,ev_resolve,ev_close,ev_freeze', - ), - ), - 'Problem Manager' => array( - 'description' => 'Person analyzing and solving the current problems', - 'write_modules' => 'Problem,KnownError', - 'stimuli' => array( - 'Problem' => 'ev_assign,ev_reassign,ev_resolve,ev_close', - ), - ), - - 'Change Implementor' => array( - 'description' => 'Person executing the changes', - 'write_modules' => 'Change', - 'stimuli' => array( - 'NormalChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor', - 'EmergencyChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor', - 'RoutineChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor', - ), - ), - 'Change Supervisor' => array( - 'description' => 'Person responsible for the overall change execution', - 'write_modules' => 'Change', - 'stimuli' => array( - 'NormalChange' => 'ev_validate,ev_reject,ev_assign,ev_reopen,ev_finish', - 'EmergencyChange' => 'ev_assign,ev_reopen,ev_finish', - 'RoutineChange' => 'ev_assign,ev_reopen,ev_finish', - ), - ), - 'Change Approver' => array( - 'description' => 'Person who could be impacted by some changes', - 'write_modules' => 'Change', - 'stimuli' => array( - 'NormalChange' => 'ev_approve,ev_notapprove', - 'EmergencyChange' => 'ev_approve,ev_notapprove', - 'RoutineChange' => 'none', - ), - ), - 'Service Manager' => array( - 'description' => 'Person responsible for the service delivered to the [internal] customer', - 'write_modules' => 'Service', - 'stimuli' => array( - ), - ), - 'Document author' => array( - 'description' => 'Any person who could contribute to documentation', - 'write_modules' => 'Documentation', - 'stimuli' => array( - ), - ), - ); - } -} UserRights::SelectModule('UserRightsProfile'); 
diff --git a/addons/userrights/userrightsprojection.class.inc.php b/addons/userrights/userrightsprojection.class.inc.php index 5c4d9f79a..4e771051e 100644 --- a/addons/userrights/userrightsprojection.class.inc.php +++ b/addons/userrights/userrightsprojection.class.inc.php @@ -658,16 +658,6 @@ class UserRightsProjection extends UserRightsAddOnAPI // See implementation of userrightsprofile } - public function Setup() - { - SetupProfiles::ComputeITILProfiles(); - //SetupProfiles::ComputeBasicProfiles(); - - SetupProfiles::DoCreateDimensions(); - SetupProfiles::DoCreateProfiles(); - return true; - } - public function Init() { MetaModel::RegisterPlugin('userrights', 'ACbyProfile', array($this, 'CacheData')); 
@@ -1256,343 +1246,6 @@ exit; } } -// -// Create simple profiles into our user management model: -// - administrator -// - readers -// - contributors -// -class SetupProfiles -{ - protected static $m_aDimensions = array( - 'organization' => array( - 'description' => '', - 'type' => 'Organization', - ), - ); - - protected static $m_aActions = array( - UR_ACTION_READ => 'Read', - UR_ACTION_MODIFY => 'Modify', - UR_ACTION_DELETE => 'Delete', - UR_ACTION_BULK_READ => 'Bulk Read', - UR_ACTION_BULK_MODIFY => 'Bulk Modify', - UR_ACTION_BULK_DELETE => 'Bulk Delete', - ); - - // Note: It is possible to specify the same class in several modules - // - protected static $m_aModules = array(); - protected static $m_aProfiles = array(); - - protected static function DoCreateClassProjection($iDimension, $sClass) - { - $oNewObj = MetaModel::NewObject("URP_ClassProjection"); - $oNewObj->Set('dimensionid', $iDimension); - $oNewObj->Set('class', $sClass); - $oNewObj->Set('attribute', ''); - $iId = $oNewObj->DBInsertNoReload(); - return $iId; - } - - protected static function DoCreateDimension($sName, $aDimensionData) - { - $oNewObj = MetaModel::NewObject("URP_Dimensions"); - $oNewObj->Set('name', $sName); - $oNewObj->Set('description', $aDimensionData['description']); - $oNewObj->Set('type', $aDimensionData['type']); - $iId = $oNewObj->DBInsertNoReload(); - return $iId; - } - - - protected static function DoCreateProfileProjection($iProfile, $iDimension) - { - $oNewObj = MetaModel::NewObject("URP_ProfileProjection"); - $oNewObj->Set('profileid', $iProfile); - $oNewObj->Set('dimensionid', $iDimension); - $oNewObj->Set('value', ''); - $oNewObj->Set('attribute', ''); - $iId = $oNewObj->DBInsertNoReload(); - return $iId; - } - - - protected static function DoCreateActionGrant($iProfile, $iAction, $sClass, $bPermission = true) - { - $oNewObj = MetaModel::NewObject("URP_ActionGrant"); - $oNewObj->Set('profileid', $iProfile); - $oNewObj->Set('permission', $bPermission ? 
'yes' : 'no'); - $oNewObj->Set('class', $sClass); - $oNewObj->Set('action', self::$m_aActions[$iAction]); - $iId = $oNewObj->DBInsertNoReload(); - return $iId; - } - - protected static function DoCreateStimulusGrant($iProfile, $sStimulusCode, $sClass) - { - $oNewObj = MetaModel::NewObject("URP_StimulusGrant"); - $oNewObj->Set('profileid', $iProfile); - $oNewObj->Set('permission', 'yes'); - $oNewObj->Set('class', $sClass); - $oNewObj->Set('stimulus', $sStimulusCode); - $iId = $oNewObj->DBInsertNoReload(); - return $iId; - } - - protected static function DoCreateAdminProfile() - { - $oNewObj = MetaModel::NewObject("URP_Profiles"); - $oNewObj->Set('name', 'Administrator'); - $oNewObj->Set('description', 'Has the rights on everything (bypassing any control)'); - $iNewId = $oNewObj->DBInsertNoReload(); - if ($iNewId != ADMIN_PROFILE_ID) - { - throw new CoreException('Admin profile could not be created with its standard id', array('requested'=>ADMIN_PROFILE_ID, 'obtained'=>$iNewId)); - } - } - - protected static function DoCreateOneProfile($sName, $aProfileData) - { - $sDescription = $aProfileData['description']; - if (strlen(trim($aProfileData['write_modules'])) == 0) - { - $aWriteModules = array(); - } - else - { - $aWriteModules = explode(',', trim($aProfileData['write_modules'])); - } - $aStimuli = $aProfileData['stimuli']; - - $oNewObj = MetaModel::NewObject("URP_Profiles"); - $oNewObj->Set('name', $sName); - $oNewObj->Set('description', $sDescription); - $iProfile = $oNewObj->DBInsertNoReload(); - - // Project in every dimension - // - $oDimensionSet = new DBObjectSet(DBObjectSearch::FromOQL_AllData("SELECT URP_Dimensions")); - while ($oDimension = $oDimensionSet->Fetch()) - { - $iDimension = $oDimension->GetKey(); - self::DoCreateProfileProjection($iProfile, $iDimension); - } - - // Grant read rights for everything - // - foreach (MetaModel::GetClasses('bizmodel') as $sClass) - { - // Skip non instantiable classes - if (MetaModel::IsAbstract($sClass)) continue; - 
- self::DoCreateActionGrant($iProfile, UR_ACTION_READ, $sClass); - self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_READ, $sClass); - } - - // Grant write for given modules - // Start by compiling the information, because some modules may overlap - $aWriteableClasses = array(); - foreach ($aWriteModules as $sModule) - { - //$oPage->p('Granting write access for the module"'.$sModule.'" - '.count(self::$m_aModules[$sModule]).' classes'); - foreach (self::$m_aModules[$sModule] as $sClass) - { - $aWriteableClasses[$sClass] = true; - } - } - foreach ($aWriteableClasses as $sClass => $foo) - { - // Skip non instantiable classes - if (MetaModel::IsAbstract($sClass)) continue; - - if (!MetaModel::IsValidClass($sClass)) - { - throw new CoreException("Invalid class name '$sClass'"); - } - self::DoCreateActionGrant($iProfile, UR_ACTION_MODIFY, $sClass); - self::DoCreateActionGrant($iProfile, UR_ACTION_DELETE, $sClass); - self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_MODIFY, $sClass); - // By default, do not allow bulk deletion operations for standard users - // self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_DELETE, $sClass); - } - - // Grant stimuli for given classes - foreach ($aStimuli as $sClass => $sAllowedStimuli) - { - if (!MetaModel::IsValidClass($sClass)) - { - // Could be a class defined in a module that wasn't installed - continue; - //throw new CoreException("Invalid class name '$sClass'"); - } - - if ($sAllowedStimuli == 'any') - { - $aAllowedStimuli = array_keys(MetaModel::EnumStimuli($sClass)); - } - elseif ($sAllowedStimuli == 'none') - { - $aAllowedStimuli = array(); - } - else - { - $aAllowedStimuli = explode(',', $sAllowedStimuli); - } - foreach ($aAllowedStimuli as $sStimulusCode) - { - self::DoCreateStimulusGrant($iProfile, $sStimulusCode, $sClass); - } - } - } - - public static function DoCreateDimensions() - { - $aClass = MetaModel::GetClasses(); - foreach(self::$m_aDimensions as $sName => $aDimensionData) - { - $iDimension = 
self::DoCreateDimension($sName, $aDimensionData); - - foreach($aClass as $sClass) - { - // Skip non instantiable classes - if (MetaModel::IsAbstract($sClass)) continue; - - if (!MetaModel::IsValidClass($sClass)) - { - throw new CoreException("Invalid class name '$sClass'"); - } - self::DoCreateClassProjection($iDimension, $sClass); - } - } - } - - public static function DoCreateProfiles() - { - self::DoCreateAdminProfile(); - - foreach(self::$m_aProfiles as $sName => $aProfileData) - { - self::DoCreateOneProfile($sName, $aProfileData); - } - } - - public static function ComputeBasicProfiles() - { - // In this profiling scheme, one single module represents all the classes - // - self::$m_aModules = array( - 'UserData' => MetaModel::GetClasses('bizmodel'), - ); - - self::$m_aProfiles = array( - 'Reader' => array( - 'description' => 'Person having a ready-only access to the data', - 'write_modules' => '', - 'stimuli' => array( - ), - ), - 'Writer' => array( - 'description' => 'Contributor to the contents (read + write access)', - 'write_modules' => 'UserData', - 'stimuli' => array( - // any class => 'any' - ), - ), - ); - } - - public static function ComputeITILProfiles() - { - // In this profiling scheme, modules are based on ITIL recommendations - // - self::$m_aModules = array( - /* - 'WriteModule' => array( - 'someclass', - 'anotherclass', - ), - */ - 'General' => MetaModel::GetClasses('structure'), - 'Documentation' => MetaModel::GetClasses('documentation'), - 'Configuration' => MetaModel::GetClasses('configmgmt'), - 'Incident' => MetaModel::GetClasses('incidentmgmt'), - 'Problem' => MetaModel::GetClasses('problemmgmt'), - 'Change' => MetaModel::GetClasses('changemgmt'), - 'Service' => MetaModel::GetClasses('servicemgmt'), - 'Call' => MetaModel::GetClasses('requestmgmt'), - 'KnownError' => MetaModel::GetClasses('knownerrormgmt'), - ); - - self::$m_aProfiles = array( - 'Configuration Manager' => array( - 'description' => 'Person in charge of the documentation of 
the managed CIs', - 'write_modules' => 'General,Documentation,Configuration', - 'stimuli' => array( - //'bizServer' => 'none', - //'bizContract' => 'none', - //'bizIncidentTicket' => 'none', - //'bizChangeTicket' => 'any', - ), - ), - 'Service Desk Agent' => array( - 'description' => 'Person in charge of creating incident reports', - 'write_modules' => 'Incident,Call', - 'stimuli' => array( - 'Incident' => 'ev_assign', - 'UserRequest' => 'ev_assign', - ), - ), - 'Support Agent' => array( - 'description' => 'Person analyzing and solving the current incidents or problems', - 'write_modules' => 'Incident,Problem,KnownError', - 'stimuli' => array( - 'Incident' => 'ev_assign,ev_reassign,ev_resolve,ev_close', - 'UserRequest' => 'ev_assign,ev_reassign,ev_resolve,ev_close,ev_freeze', - ), - ), - 'Change Implementor' => array( - 'description' => 'Person executing the changes', - 'write_modules' => 'Change', - 'stimuli' => array( - 'NormalChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor', - 'EmergencyChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor', - 'RoutineChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor', - ), - ), - 'Change Supervisor' => array( - 'description' => 'Person responsible for the overall change execution', - 'write_modules' => 'Change', - 'stimuli' => array( - 'NormalChange' => 'ev_validate,ev_reject,ev_assign,ev_reopen,ev_finish', - 'EmergencyChange' => 'ev_assign,ev_reopen,ev_finish', - 'RoutineChange' => 'ev_assign,ev_reopen,ev_finish', - ), - ), - 'Change Approver' => array( - 'description' => 'Person who could be impacted by some changes', - 'write_modules' => 'Change', - 'stimuli' => array( - 'NormalChange' => 'ev_approve,ev_notapprove', - 'EmergencyChange' => 'ev_approve,ev_notapprove', - 'RoutineChange' => 'none', - ), - ), - 'Service Manager' => array( - 'description' => 'Person responsible for the service delivered to the [internal] customer', - 'write_modules' => 'Service', - 'stimuli' => array( - ), - ), - 'Document author' => 
array( - 'description' => 'Any person who could contribute to documentation', - 'write_modules' => 'Documentation', - 'stimuli' => array( - ), - ), - ); - } -} UserRights::SelectModule('UserRightsProjection'); diff --git a/core/userrights.class.inc.php b/core/userrights.class.inc.php index e4698c5a6..bd3bb81e2 100644 --- a/core/userrights.class.inc.php +++ b/core/userrights.class.inc.php @@ -50,7 +50,6 @@ define('UR_ACTION_APPLICATION_DEFINED', 10000); // Application specific actions */ abstract class UserRightsAddOnAPI { - abstract public function Setup(); // initial installation abstract public function CreateAdministrator($sAdminUser, $sAdminPwd, $sLanguage = 'EN US'); // could be used during initial installation abstract public function Init(); // loads data (possible optimizations) @@ -310,15 +309,6 @@ class UserRights return $bRes; } - // Installation (e.g: give default values for users) - public static function Setup() - { - // to be discussed... - $bRes = self::$m_oAddOn->Setup(); - self::FlushPrivileges(true /* reset admin cache */); - return $bRes; - } - protected static function IsLoggedIn() { if (self::$m_oUser == null) diff --git a/modules/itop-profiles-itil/module.itop-profiles-itil.php b/modules/itop-profiles-itil/module.itop-profiles-itil.php new file mode 100644 index 000000000..abdfa1e8a --- /dev/null +++ b/modules/itop-profiles-itil/module.itop-profiles-itil.php 
@@ -0,0 +1,370 @@ + 'Create standard ITIL profiles', + 'category' => 'create_profiles', + + // Setup + // + 'dependencies' => array( + ), + 'mandatory' => true, + 'visible' => false, + 'installer' => 'CreateITILProfilesInstaller', + + // Components + // + 'datamodel' => array( + //'model.itop-profiles-itil.php', + ), + 'webservice' => array( + //'webservices.itop-profiles-itil.php', + ), + 'dictionary' => array( + //'en.dict.itop-profiles-itil.php', + //'fr.dict.itop-profiles-itil.php', + //'de.dict.itop-profiles-itil.php', + ), + 'data.struct' => array( + //'data.struct.itop-profiles-itil.xml', + ), + 'data.sample' => array( + //'data.sample.itop-profiles-itil.xml', + ), + + // Documentation + // + 'doc.manual_setup' => '', + 'doc.more_information' => '', + + // Default settings + // + 'settings' => array( + //'some_setting' => 'some value', + ), + ) +); + + +// Module installation handler +// +class CreateITILProfilesInstaller extends ModuleInstallerAPI +{ + public static function BeforeWritingConfig(Config $oConfiguration) + { + //$oConfiguration->SetModuleSetting('user-rigths-profile', 'myoption', 'myvalue'); + return $oConfiguration; + } + + public static function AfterDatabaseCreation(Config $oConfiguration) + { + self::ComputeITILProfiles(); + //self::ComputeBasicProfiles(); + self::DoCreateProfiles(); + UserRights::FlushPrivileges(true /* reset admin cache */); + } + + protected static $m_aActions = array( + UR_ACTION_READ => 'Read', + UR_ACTION_MODIFY => 'Modify', + UR_ACTION_DELETE => 'Delete', + UR_ACTION_BULK_READ => 'Bulk Read', + UR_ACTION_BULK_MODIFY => 'Bulk Modify', + UR_ACTION_BULK_DELETE => 'Bulk Delete', + ); + + // Note: It is possible to specify the same class in several modules + // + protected static $m_aModules = array(); + protected static $m_aProfiles = array(); + + + protected static function DoCreateActionGrant($iProfile, $iAction, $sClass, $bPermission = true) + { + $oNewObj = MetaModel::NewObject("URP_ActionGrant"); + 
$oNewObj->Set('profileid', $iProfile); + $oNewObj->Set('permission', $bPermission ? 'yes' : 'no'); + $oNewObj->Set('class', $sClass); + $oNewObj->Set('action', self::$m_aActions[$iAction]); + $iId = $oNewObj->DBInsertNoReload(); + return $iId; + } + + protected static function DoCreateStimulusGrant($iProfile, $sStimulusCode, $sClass) + { + $oNewObj = MetaModel::NewObject("URP_StimulusGrant"); + $oNewObj->Set('profileid', $iProfile); + $oNewObj->Set('permission', 'yes'); + $oNewObj->Set('class', $sClass); + $oNewObj->Set('stimulus', $sStimulusCode); + $iId = $oNewObj->DBInsertNoReload(); + return $iId; + } + + protected static function DoCreateOneProfile($sName, $aProfileData) + { + $sDescription = $aProfileData['description']; + if (strlen(trim($aProfileData['write_modules'])) == 0) + { + $aWriteModules = array(); + } + else + { + $aWriteModules = explode(',', trim($aProfileData['write_modules'])); + } + if (strlen(trim($aProfileData['delete_modules'])) == 0) + { + $aDeleteModules = array(); + } + else + { + $aDeleteModules = explode(',', trim($aProfileData['delete_modules'])); + } + $aStimuli = $aProfileData['stimuli']; + + $oNewObj = MetaModel::NewObject("URP_Profiles"); + $oNewObj->Set('name', $sName); + $oNewObj->Set('description', $sDescription); + $iProfile = $oNewObj->DBInsertNoReload(); + + // Grant read rights for everything + // + foreach (MetaModel::GetClasses('bizmodel') as $sClass) + { + self::DoCreateActionGrant($iProfile, UR_ACTION_READ, $sClass); + self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_READ, $sClass); + } + + // Grant write for given modules + // Start by compiling the information, because some modules may overlap + $aWriteableClasses = array(); + foreach ($aWriteModules as $sModule) + { + //$oPage->p('Granting write access for the module"'.$sModule.'" - '.count(self::$m_aModules[$sModule]).' 
classes'); + foreach (self::$m_aModules[$sModule] as $sClass) + { + $aWriteableClasses[$sClass] = true; + } + } + foreach ($aWriteableClasses as $sClass => $foo) + { + if (!MetaModel::IsValidClass($sClass)) + { + throw new CoreException("Invalid class name '$sClass'"); + } + self::DoCreateActionGrant($iProfile, UR_ACTION_MODIFY, $sClass); + self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_MODIFY, $sClass); + } + + // Grant delete for given modules + // Start by compiling the information, because some modules may overlap + $aDeletableClasses = array(); + foreach ($aDeleteModules as $sModule) + { + //$oPage->p('Granting delete access for the module"'.$sModule.'" - '.count(self::$m_aModules[$sModule]).' classes'); + foreach (self::$m_aModules[$sModule] as $sClass) + { + $aDeletableClasses[$sClass] = true; + } + } + foreach ($aDeletableClasses as $sClass => $foo) + { + if (!MetaModel::IsValidClass($sClass)) + { + throw new CoreException("Invalid class name '$sClass'"); + } + self::DoCreateActionGrant($iProfile, UR_ACTION_DELETE, $sClass); + // By default, do not allow bulk deletion operations for standard users + // self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_DELETE, $sClass); + } + + // Grant stimuli for given classes + foreach ($aStimuli as $sClass => $sAllowedStimuli) + { + if (!MetaModel::IsValidClass($sClass)) + { + // Could be a class defined in a module that wasn't installed + continue; + //throw new CoreException("Invalid class name '$sClass'"); + } + + if ($sAllowedStimuli == 'any') + { + $aAllowedStimuli = array_keys(MetaModel::EnumStimuli($sClass)); + } + elseif ($sAllowedStimuli == 'none') + { + $aAllowedStimuli = array(); + } + else + { + $aAllowedStimuli = explode(',', $sAllowedStimuli); + } + foreach ($aAllowedStimuli as $sStimulusCode) + { + self::DoCreateStimulusGrant($iProfile, $sStimulusCode, $sClass); + } + } + } + + public static function DoCreateProfiles() + { + URP_Profiles::DoCreateAdminProfile(); + 
URP_Profiles::DoCreateUserPortalProfile(); + + foreach(self::$m_aProfiles as $sName => $aProfileData) + { + self::DoCreateOneProfile($sName, $aProfileData); + } + } + + public static function ComputeBasicProfiles() + { + // In this profiling scheme, one single module represents all the classes + // + self::$m_aModules = array( + 'UserData' => MetaModel::GetClasses('bizmodel'), + ); + + self::$m_aProfiles = array( + 'Reader' => array( + 'description' => 'Person having a ready-only access to the data', + 'write_modules' => '', + 'delete_modules' => '', + 'stimuli' => array( + ), + ), + 'Writer' => array( + 'description' => 'Contributor to the contents (read + write access)', + 'write_modules' => 'UserData', + 'delete_modules' => 'UserData', + 'stimuli' => array( + // any class => 'any' + ), + ), + ); + } + + public static function ComputeITILProfiles() + { + // In this profiling scheme, modules are based on ITIL recommendations + // + self::$m_aModules = array( + 'General' => MetaModel::GetClasses('structure'), + 'Documentation' => MetaModel::GetClasses('documentation'), + 'Configuration' => MetaModel::GetClasses('configmgmt'), + 'Incident' => MetaModel::GetClasses('incidentmgmt'), + 'Problem' => MetaModel::GetClasses('problemmgmt'), + 'Change' => MetaModel::GetClasses('changemgmt'), + 'Service' => MetaModel::GetClasses('servicemgmt'), + 'Call' => MetaModel::GetClasses('requestmgmt'), + 'KnownError' => MetaModel::GetClasses('knownerrormgmt'), + ); + + self::$m_aProfiles = array( + 'Configuration Manager' => array( + 'description' => 'Person in charge of the documentation of the managed CIs', + 'write_modules' => 'General,Documentation,Configuration', + 'delete_modules' => 'General,Documentation,Configuration', + 'stimuli' => array( + //'Server' => 'none', + //'Contract' => 'none', + //'IncidentTicket' => 'none', + //'ChangeTicket' => 'any', + ), + ), + 'Service Desk Agent' => array( + 'description' => 'Person in charge of creating incident reports', + 'write_modules' 
=> 'Incident,Call', + 'delete_modules' => 'Incident,Call', + 'stimuli' => array( + 'Incident' => 'ev_assign', + 'UserRequest' => 'ev_assign', + ), + ), + 'Support Agent' => array( + 'description' => 'Person analyzing and solving the current incidents', + 'write_modules' => 'Incident', + 'delete_modules' => 'Incident', + 'stimuli' => array( + 'Incident' => 'ev_assign,ev_reassign,ev_resolve,ev_close', + 'UserRequest' => 'ev_assign,ev_reassign,ev_resolve,ev_close,ev_freeze', + ), + ), + 'Problem Manager' => array( + 'description' => 'Person analyzing and solving the current problems', + 'write_modules' => 'Problem,KnownError', + 'delete_modules' => 'Problem,KnownError', + 'stimuli' => array( + 'Problem' => 'ev_assign,ev_reassign,ev_resolve,ev_close', + ), + ), + + 'Change Implementor' => array( + 'description' => 'Person executing the changes', + 'write_modules' => 'Change', + 'delete_modules' => 'Change', + 'stimuli' => array( + 'NormalChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor', + 'EmergencyChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor', + 'RoutineChange' => 'ev_plan,ev_replan,ev_implement,ev_monitor', + ), + ), + 'Change Supervisor' => array( + 'description' => 'Person responsible for the overall change execution', + 'write_modules' => 'Change', + 'delete_modules' => 'Change', + 'stimuli' => array( + 'NormalChange' => 'ev_validate,ev_reject,ev_assign,ev_reopen,ev_finish', + 'EmergencyChange' => 'ev_assign,ev_reopen,ev_finish', + 'RoutineChange' => 'ev_assign,ev_reopen,ev_finish', + ), + ), + 'Change Approver' => array( + 'description' => 'Person who could be impacted by some changes', + 'write_modules' => 'Change', + 'delete_modules' => 'Change', + 'stimuli' => array( + 'NormalChange' => 'ev_approve,ev_notapprove', + 'EmergencyChange' => 'ev_approve,ev_notapprove', + 'RoutineChange' => 'none', + ), + ), + 'Service Manager' => array( + 'description' => 'Person responsible for the service delivered to the [internal] customer', + 'write_modules' => 
'Service', + 'delete_modules' => 'Service', + 'stimuli' => array( + ), + ), + 'Document author' => array( + 'description' => 'Any person who could contribute to documentation', + 'write_modules' => 'Documentation', + 'delete_modules' => 'Documentation', + 'stimuli' => array( + ), + ), + ); + } +} + +?>
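Review bot: Every profile in ComputeITILProfiles(), and the 'Writer' profile in ComputeBasicProfiles(), sets `delete_modules` to the same list as `write_modules`, so moving UR_ACTION_DELETE into its own loop in DoCreateOneProfile() leaves the granted delete rights unchanged; roles such as 'Change Approver' and 'Service Desk Agent' still get delete on every class of their modules. If the split is meant to support least privilege, the defaults should use it, e.g. `'delete_modules' => '',` for roles that only need to act on tickets. DoCreateOneProfile() also reads `$aProfileData['delete_modules']` with no default, so a profile array in the old format raises a notice; `isset($aProfileData['delete_modules']) ? trim($aProfileData['delete_modules']) : ''` would make a missing key mean "no delete". Separately, this installer creates no URP_Dimensions or URP_ProfileProjection rows, which the removed UserRightsProjection::Setup() did, so it is worth confirming that add-on is still provisioned somewhere.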