Microsoft CRM 2013- Bulk editing team security roles across business units - crm

My client has a three tier organizational model, with 184 total business units. I imported the business units from file, which created a default team for each business unit. Unfortunately these teams by default have no user roles and cannot be assigned ownership of entities.
My next move was to select all of my teams and do a bulk "Manage Roles" to set all teams to have a user role of Customer Service Rep. This results in a warning that "You have selected users from different business units. Users cannot be assigned roles from business units outside their own, so only the selected roles from each user's business unit will be assigned." In essence, this means that if I bulk edit roles, I will need to select 184 roles, one instance of the Customer Service Rep role for each business unit.
This seems remarkably stupid, since there is in fact only one Customer Service Rep role that to my knowledge behaves identically across all 184 business units. I am looking for insight into why the bulk role editing behaves this way, as well as a solution for assigning all of my business units the desired role.
Thanks!

Related

D365 Security Model - Higher Privilege User accessing records shared with regular users

I've a question re how to cater for a specific scenario in the security model of D365/CRM.
Say we have User 1 and User 2 that are in the same business unit.
User 1 has full Business Unit read access to contacts.
User 2 has just user level read access to contacts.
We want User 1 to have visibility of all contact records that are available to all users in that business unit.
Using the OOB D365 security model - if somebody shares a contact with User 2 that is owned by a user from another business unit, User 1 cannot see this contact record.
I'm just wondering what the best/cleanest way to resolve this requirement is?
Thank you
Just exploring options at this point. I believe one option is to create a team for the business unit that only user 1 gets added to and then also sharing the record with the team would work - but that seems to involve a lot of overhead in terms of maintaining shares etc.
Was hoping there might be a cleaner way to implement somehow using OOB functionality that I may not be fully aware of.

Firebase Architecture for a single Domain/Company with several independent Business Areas?

We want to move our entire IT side of the business onto firebase but need to find the right architectural approach before we do so.
Here's our company and business setup:
one company with one domain i.e. example.com
several business areas independent from each other. For example: one sells bananas, another one is about facility services, yet another one about local transport services & repair
the same customer can be customer to one or more of those business areas i.e. we have centralized billing, centralized auth with SSO, centralized customer relation management etc.
every business area (e.g. selling bananas) has a web as well as its mobile versions of the app (iOS/Android) aiding that particular business area
How do I map that company with its many business areas onto firebase?
Do I have one project per business area (e.g. selling bananas) containing the three app versions (two mobile, one web) of the specific area and one project that has all the stuff needed for central user management (#3 from above)?
What are my limitations regarding number of projects? If every business area has a staging project for its App then we'll have twice as many projects as we have business areas...
Do I pay per project or per account usage i.e. we would have one account with at least four projects I guess?
Can I have my domains laid out like this
example.com/bananas
example.com/facility-services
example.com/local-transport-and-repair
Thanks a lot for some insight in advance! :)
There's really no direct way to answer this question but Firebase is more than capable of handling this use case within a single project. Doing it that way allows for one user base and if needed, resources can be easily shared between 'departments'
Conceptually, it's pretty straight forward; but we don't have a lot of specific info to go on in the question so here's one example.
Suppose this is a fictitious company that distributes bananas as well as offers banana services for facilities and repairs and maintains banana trucks. We'll call this company Real Ap-Peel.
    real-apPeel
      sell_banana_div
        //here we store all data about selling bananas
      facility_services_div
        //here we store the data about facility services
      services_repair_div
        //here we store service and repair data
      users //all users
        uid_0:
          div:
            sell_banana_div: true
        uid_1:
          div:
            facility_services_div: true
        uid_2:
          div:
            sell_banana_div: true
            services_repair_div: true
In the above setup for our company, we have three separate divisions with their own subset of data. We also have one unified users node to track the users and a child called 'div' which will determine what division that user belongs to.
The last user, uid_2, belongs to two divisions and can therefore access data in the sell_banana_div as well as the services_repair_div. Handling accessing data in both divisions is done through code and enforced through Firebase Rules.
If you NEVER need to share ANY data between any of the divisions, then there's no reason to have a combined structure like this so go ahead and split it out into separate apps.
However...
Combining data lets you have one app, one code base and one set of users which makes it considerably more maintainable and expandable.
You asked the following:
Do I have one project per business area (e.g. selling bananas)
containing the three app versions (two mobile, one web) of the
specific area and one project that has all the stuff needed for
central user management (#3 from above)?
All of that is combined into one app, per my above example, and can be any combo of mobile or web.
What are my limitations regarding number of projects? If every
business area has a staging project for its App then we'll have twice
as many projects as we have business areas...
Issue eliminated as it's just one project
Do I pay per project or per account usage i.e. we would have one
account with at least four projects I guess?
This is more of a direct question to Firebase if you choose this path. Contact support#firebase.com
Can I have my domains laid out like this example.com/bananas
example.com/facility-services example.com/local-transport-and-repair
My above example pretty much does that - a single realappeel.com and then the references to the child nodes are realappeel.com/sell_banana_div etc.
I hope this isn't too far off the question. If so, post a comment and I will update (or delete if it's waaaaaay off base!)
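The "enforced through Firebase Rules" part of the answer above, as an added example that is not part of the original answer: a Realtime Database rules file for the node names in the answer's structure. It assumes that members may both read and write their division's data, and that the `div` flags under `users/<uid>` are written only by a trusted backend (the Admin SDK, which bypasses rules).

```json
{
  "rules": {
    // Added example, built on the answer's node names. No rule is set at
    // the root, so anything not granted below is denied by default.
    "sell_banana_div": {
      ".read": "auth != null && root.child('users').child(auth.uid).child('div').child('sell_banana_div').val() === true",
      ".write": "auth != null && root.child('users').child(auth.uid).child('div').child('sell_banana_div').val() === true"
    },
    "facility_services_div": {
      ".read": "auth != null && root.child('users').child(auth.uid).child('div').child('facility_services_div').val() === true",
      ".write": "auth != null && root.child('users').child(auth.uid).child('div').child('facility_services_div').val() === true"
    },
    "services_repair_div": {
      ".read": "auth != null && root.child('users').child(auth.uid).child('div').child('services_repair_div').val() === true",
      ".write": "auth != null && root.child('users').child(auth.uid).child('div').child('services_repair_div').val() === true"
    },
    "users": {
      "$uid": {
        // A signed-in user can read only their own record, including
        // the div flags the client uses to decide which sections to show.
        ".read": "auth != null && auth.uid === $uid",
        // Assumption: membership is assigned server-side only. No .write
        // is granted at $uid, because a grant there would cascade down to
        // div and let any user add themselves to another division.
        "div": {
          ".write": false
        }
      }
    }
  }
}
```

With these rules uid_2 from the answer can read both `sell_banana_div` and `services_repair_div`, while uid_1 is refused on both; the client-side checks only control what is displayed.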

wcf+desktop app or website?

I am developing a school management system and I am struggling whether I should develop for [desktop app + wcf] or web app(website). Which one is going to be the best for the given scenario?
The main goals for the “Integrated Web-Based School Management and Quality Audits Software Project for Secondary Schools” are outlined below. In addition, specific objectives within each of the goals have been provided.
Goal 1: To facilitate automated data entries in secondary schools
Objective 1:1- To provide internet facilities and computer systems for secondary schools to further facilitate entries of student information into an integrated school management system.
Objective 1:2- To provide teachers with the possibility to enter continuous assessment data into the computer systems for each student.
Objective 1:3- To provide teachers with the possibility to enter end of term results for each student.
Objective 1:4:- To provide teachers with the possibility to enter students’ conduct at end of term for each student
Objective 1:5:- To provide the administration office with the possibility to register new students into the system
Objective 1:6:- To provide finance/fees office with the possibility to enter fees information for each student
Objective 1:7:- To provide parents with the possibility to access their children’s information online and provide feedback when needed or requested to do so
Goal 2:- To generate a portfolio of student information in respect of each student. A unique student identification will be used to access each student’s portfolio. The following are the main components of the portfolio.
Objective 2:1:- One of the components of the students’ portfolio page will be the Result Slip of the immediate last examination term. This will display all subjects taken by the student, continuous assessment results, examination results, grades and positions obtained in each subject, overall student position, student’s conduct and recommendation information. This report will automatically be gathered from the various inputs made from the individual teachers and staff
Objective 2:2:- Up to date historical record of Fees Information. This is vital information that will be available on each student portal. All fees due and all payments made that are entered by the fees/finance staff will be gathered by this component of the portfolio. Parents will be able to see this as well and provide feedback on any observed discrepancies.
Objective 2:3:- Attendance and Conduct report. This component of the portfolio is intended to give an account of the student’s attendance records and information on conduct as provided by the school authorities. If the information demands parent’s attention and feedback, this will be indicated here, and parents will be able to enter relevant feedback as requested.
Objective 2:4:- Completed and Pending Assignments Module. This component of the student’s portfolio will list all assignments completed by the student in the current term and will list uncompleted ones as well.
Goal 3:- To generate aggregated data for the management of the school. This will enable the school management to have a high-level overview of student population, performance statistics for all the modules in the various classes, aggregated data on fees paid and fees pending, etc. There will be hyperlinks or select options from which authorized staff will click or select from, in order to reach the requested aggregated data. Main components of the management page are listed below,
Objective 3:1:- One of the components of the staff portfolio page will be the Population Statistics. This will indicate total number of students, which is expandable to also list number of males and number of females. This can further be expanded to list female and male students in the various classes
Objective 3:2:- Performance Overview is another component of the staff portfolio. This will provide a high level overview of students’ performance. Per each class and for each subject, this module will list the number of Grade A students, Grade B students and so on and so forth. These links can be further expanded to view the number of males and females who obtained the various grades in the various classes. This module will also compare grades obtained in one subject with another to give an overview of modules that students do very well with those that they do not, to help management take quick action to rectify any anomalies
Objective 3:3:- Fees Overview is another component of the staff portfolio. This will provide fees information in the form of total fees paid within a specific period (Selectable from term, year, previous year(s), all years until current term, etc.). This information can be further expanded to show fees owed per class, payments overdue and allow the fees office to generate generic reminder messages in the form of email or text messages to parents of students who are overdue.
Reading through those requirements, it sounds like this is more than one application.
Undoubtedly you need some sort of web application (probably ASP.NET in some form?) to allow the parents of students to access their children's records.
However for security purposes this same application should probably not be used for teachers and administrative staff to edit these records. Those functions should be on a protected LAN, and require more application security for viewing or editing any potentially sensitive data (especially financial records).
I don't see where WCF would fit into this, unless you need to provide some web service support to some other system? Or perhaps providing some "application server" on a protected LAN that can use WCF to serve data to 2 separate applications for outside / public access (from separate web servers in a DMZ) and one for internal users.
There isn't really 1 answer to this question.
You said "I am struggling whether I should develop for [desktop app + wcf] or web app(website)", but it sounds like you need to develop the [desktop app + wcf] anyway because the school administration is already using some sort of desktop application to update the data. You also need a web application for the parents to view their children's record. If you can, I strongly suggest you skip the wcf and just do a web application. At my current job, there's something similar to what rally25rs describes, and it is a pain in the ass to maintain the desktop application, the asp.net website and the wcf service business logic. But it sounds like you have no choice, so good luck!

How to handle membership levels with ASP.NET Roles

I am building a subscription based web site, which currently has three subscription levels, i.e. Horses, Soccer, and Horses and Soccer. I was thinking of implementing standard role based authorization, where a Horses subscriber would get roles including those to use the Horses section, etc.
Should I use a standard role provider, and when a member subscribes to the site, assign roles for his subscription to him, or use a hierarchical role provider, that when asked for the roles for a member, only then uses the member's subscription level to 'calculate' a set of roles for the member.
Approach 1 is more controlled and deterministic as opposed to approach 2.
It will depend on how many 'public' areas you have. If there are many public areas and roles apply only to chosen few content, I would go with option 2 otherwise option 1.
Seems to be aspnet roles and assigning the roles seems like a good solution to me that requires minimal amount of code.

Merging organization unit and business roles in ASP.NET web application

In real-world enterprise web applications for enterprise businesses, we always need to limit the access to the data by the user's unit and role.
Consider that we have an enterprise company with many shopping stores in a country.
So the company has a headquarters which has view access to all invoices and statistics for all branches. Each region in the country manages and plans the regional sales strategies for its own branches. Then the region's user also can see all the invoices which have been created by its branches. Each branch can create invoice, customer, and view only its data.
We can see that we have two main access control definitions:
1- Roles (which has been thought and implemented many years ago!): we can easily implement using RoleProvider and controlling the access control in UI level (web.config and sitemap.config)
2- Units and its relation with roles to deny/grant the user access to update/view data.
I have implemented a custom principal in ASP.NET to get the user's unit and roles, but I think there should be a classic solution...
Check these out:
http://netsqlazman.codeplex.com/discussions/352107
http://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/
Here is MY explanation.
http://granadacoder.wordpress.com/2010/12/01/rant-hard-coded-security-roles/
............
The MembershipProvider is based on ROLES,....and that is for your kid's soccer club...NOT a professional DotNet application.
There is a "middle ground" workaround.
http://www.lhotka.net/weblog/CommentView,guid,9efcafc7-68a2-4f8f-bc64-66174453adfd.aspx
Basically. Use the MembershipProvider......but treat the word/phrase "Role" as "Right". (In your mind..you cannot change the names of objects in MS code of course)
Rocky's NUTSHELL ( from url above)
bool result = currentPrincipal.IsInRole(requiredPermission);
