@ -51,7 +51,7 @@ Centurion ERP contains the following modules:
|
||||
|
||||
- [Markdown](./user/core/markdown.md)
|
||||
|
||||
- [Multi-Tenant](./user/access/organization.md)
|
||||
- [Multi-Tenant](./user/access/tenant.md)
|
||||
|
||||
- [Single Sign-On {SSO}](./user/configuration.md#single-sign-on)
|
||||
|
||||
|
@ -6,14 +6,14 @@ template: project.html
|
||||
about: https://gitlab.com/nofusscomputing/infrastructure/configuration-management/centurion_erp
|
||||
---
|
||||
|
||||
The Access module provides the multi-tenancy for this application. Tenancy is organized into organizations, which contain teams which contain users. As part of this module, application permission checking is also conducted.
|
||||
The Access module provides the multi-tenancy for this application. Tenancy is organized into tenants, which contain teams which contain users. As part of this module, application permission checking is also conducted.
|
||||
|
||||
|
||||
## Components
|
||||
|
||||
- [Contact / Corporate Directory](./contact.md)
|
||||
|
||||
- [Organization](./organization.md)
|
||||
- [Tenant](./tenant.md)
|
||||
|
||||
- [Roles](./role.md)
|
||||
|
||||
@ -22,10 +22,10 @@ The Access module provides the multi-tenancy for this application. Tenancy is or
|
||||
|
||||
## Permission System
|
||||
|
||||
The permission system within Centurion ERP is custom and built upon Django's core permission types: add, change, delete and view. For a user to be granted access to perform an action, they must be assigned the permission and have that permission assigned to them as part of the organization they are performing the action in. ALL assigned permissions are limited to the organization the permission is assigned.
|
||||
The permission system within Centurion ERP is custom and built upon Django's core permission types: add, change, delete and view. For a user to be granted access to perform an action, they must be assigned the permission and have that permission assigned to them as part of the tenant they are performing the action in. ALL assigned permissions are limited to the tenant the permission is assigned.
|
||||
|
||||
!!! tip
|
||||
User `A` is in organization `A` and has device view permission. User `A` can view devices in Organization `A` **ONLY**. User `A` although they have the device view permission, can **not** view devices in organization `B`. For User `A` to view devices in organization `B` they would also require the device view permission be assigned to them within organization `B`.
|
||||
User `A` is in tenant `A` and has device view permission. User `A` can view devices in Organization `A` **ONLY**. User `A` although they have the device view permission, can **not** view devices in tenant `B`. For User `A` to view devices in tenant `B` they would also require the device view permission be assigned to them within tenant `B`.
|
||||
|
||||
Unlike filesystem based permssions, Centurion ERP permissions are not inclusive, they are mutually exclusive. That is:
|
||||
|
||||
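Review bot: The rename is incomplete in the `!!! tip` of this hunk: the new text still reads "User `A` can view devices in Organization `A` **ONLY**" while every other mention in the sentence now says tenant. Change it to "tenant `A`" so the example describes one scope throughout. The unchanged context line "Unlike filesystem based permssions" also carries a typo ("permissions") that could be fixed in the same pass.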
@ -42,7 +42,7 @@ The exclusitvity is that each of the permissions listed above, dont include an a
|
||||
|
||||
### Gloabl Organization
|
||||
|
||||
If the webmaster has setup Centurion ERP to have a [global organization](../settings/app_settings.md#global-organization), as long as the user has the a `view` permission for the model in question in **any** organization, they will be able to view that item within the global organization. This is not the same for the other permissions: `add`, `change` and `delete`. To which they must be granted those permissions within the global organization exclusively.
|
||||
If the webmaster has setup Centurion ERP to have a [global tenant](../settings/app_settings.md#global-tenant), as long as the user has the a `view` permission for the model in question in **any** tenant, they will be able to view that item within the global tenant. This is not the same for the other permissions: `add`, `change` and `delete`. To which they must be granted those permissions within the global tenant exclusively.
|
||||
|
||||
!!! tip
|
||||
User `A` is in organization `A` and the webmaster has setup Centurion to use organization `B` as the global organization. If user `A` has been granted permission `itam.view_software` in organization `A` they will be able to view software within both organization `A` and `B`.
|
||||
User `A` is in tenant `A` and the webmaster has setup Centurion to use tenant `B` as the global tenant. If user `A` has been granted permission `itam.view_software` in tenant `A` they will be able to view software within both tenant `A` and `B`.
|
||||
|
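Review bot: The section heading above the changed paragraph is left as "### Gloabl Organization", so the body now describes a global tenant under a heading that is both misspelled and uses the old term. Rename it to "### Global Tenant". The link target also moves to `../settings/app_settings.md#global-tenant`, and `app_settings.md` is not among the visible hunks, so confirm that anchor exists there. The new paragraph keeps "has the a `view` permission", which should read "has a `view` permission".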
@ -1,19 +0,0 @@
|
||||
---
|
||||
title: Organization
|
||||
description: Organization Documentation for Centurion ERP by No Fuss Computing
|
||||
date: 2024-06-17
|
||||
template: project.html
|
||||
about: https://gitlab.com/nofusscomputing/infrastructure/configuration-management/centurion_erp
|
||||
---
|
||||
|
||||
An organization is how multi-tenancy is conducted within this application. All data within the application is tied to an organization and only users whom are members of the organization with the correct permission can view that item within an organization.
|
||||
|
||||
!!! warning
|
||||
Any object within any organization that has been marked as `global`. Any user whom has the correct `view` permission will be able to see the global object.
|
||||
|
||||
_**Note:**: This does not include other items that may be attached to the global object that is itself not marked as global._
|
||||
|
||||
|
||||
## Organization Manager
|
||||
|
||||
An organization manager is to be viewed as the "owner" of an organization. With the exception of editing the organization itself, the manager can conduct **ALL** operations against an organization regardless of their permissions. An orgnization manager does not need any permissions to add, change delete or view a `Team` or `Team User`. This also includes not requiring the `view` permission for an `Organization`.
|
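Review bot: Deleting `organization.md` outright leaves any link to `./organization.md` or `../access/organization.md` that is not touched by this patch pointing at a missing page. The visible hunks update three references, so either confirm with a search that no others remain or leave a redirect to `tenant.md` in place of the removed file.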
@ -6,9 +6,9 @@ template: project.html
|
||||
about: https://gitlab.com/nofusscomputing/infrastructure/configuration-management/centurion_erp
|
||||
---
|
||||
|
||||
A Team is subordinate to an organization and is a way of grouping permissions with users. A team as the name implies is a collection, in this case contains application users-whom once assigned to a team will be granted the permissions of that team. Permission assigned are an _"allowed"_ to conduct that action. It is not possible to add deny permissions
|
||||
A Team is subordinate to an tenant and is a way of grouping permissions with users. A team as the name implies is a collection, in this case contains application users-whom once assigned to a team will be granted the permissions of that team. Permission assigned are an _"allowed"_ to conduct that action. It is not possible to add deny permissions
|
||||
|
||||
Team permission are not application wide, their scope is limited to objects that are a part of the same organization. In addition any object that is marked `is_global` a user with the objects view permission can see that object.
|
||||
Team permission are not application wide, their scope is limited to objects that are a part of the same tenant. In addition any object that is marked `is_global` a user with the objects view permission can see that object.
|
||||
|
||||
!!! warning
|
||||
An Organization manager can conduct **ALL** operations against a team regardless of their permissions.
|
||||
|
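Review bot: The `!!! warning` at the end of this hunk still says "An Organization manager can conduct **ALL** operations against a team", while the new `tenant.md` names the role "Tenant Manager". Because this warning documents a permission bypass, it should use the same role name as the page that defines it. The new first line also reads "subordinate to an tenant", which should be "a tenant".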
19
docs/projects/centurion_erp/user/access/tenant.md
Normal file
@ -0,0 +1,19 @@
|
||||
---
|
||||
title: Tenant
|
||||
description: Tenant Documentation for Centurion ERP by No Fuss Computing
|
||||
date: 2024-06-17
|
||||
template: project.html
|
||||
about: https://gitlab.com/nofusscomputing/infrastructure/configuration-management/centurion_erp
|
||||
---
|
||||
|
||||
An tenant is how multi-tenancy is conducted within this application. All data within the application is tied to an tenant and only users whom are members of the tenant with the correct permission can view that item within an tenant.
|
||||
|
||||
!!! warning
|
||||
Any object within any tenant that has been marked as `global`. Any user whom has the correct `view` permission will be able to see the global object.
|
||||
|
||||
_**Note:**: This does not include other items that may be attached to the global object that is itself not marked as global._
|
||||
|
||||
|
||||
## Tenant Manager
|
||||
|
||||
A tenant manager is to be viewed as the "owner" of an tenant. With the exception of editing the tenant itself, the manager can conduct **ALL** operations against an tenant regardless of their permissions. An orgnization manager does not need any permissions to add, change delete or view a `Team` or `Team User`. This also includes not requiring the `view` permission for an `Tenant`.
|
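Review bot: In the "## Tenant Manager" paragraph the sentence "An orgnization manager does not need any permissions to add, change delete or view a `Team` or `Team User`" was carried over from the deleted file unchanged, so the page that defines the tenant manager's permission bypass still names the old role, and misspells it. Change it to "A tenant manager". The search and replace also left "An tenant" / "an tenant" / "an `Tenant`" throughout, which should be "a tenant". The warning's first sentence is a fragment ("Any object within any tenant that has been marked as `global`.") and refers to `global` where `team.md` uses `is_global`; join it with the following sentence and use one name for the flag. The front matter keeps `date: 2024-06-17` for a newly added file, so check whether that is intended.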
@ -28,7 +28,7 @@ Within the services the following fields are available:
|
||||
|
||||
- Name _name of the cluster_
|
||||
|
||||
- [Organization](../access/organization.md) _organization this cluster belongs to_
|
||||
- [Tenant](../access/tenant.md) _tenant this cluster belongs to_
|
||||
|
||||
- [Nodes](../itam/device.md) _Cluster Nodes_
|
||||
|
||||
|