Organizational Data Access
The admin panel implements a concept of organizational access. An admin user's organizational access is configured in the access policy for that user. Organizational access limits an admin panel user to viewing only data belonging to that organization. An admin panel user that does not have an organization configured is considered to be a global Greenstand user and has access to ALL data in the admin panel. An organizational admin panel user can currently have access to only a single organization.
Organizations are stored in the entity table. An organization is an entity with the type field set to 'o'. Other entities are not properly organizations, but ANY entity can be configured with 'organizational' access. Organizational access is enabled by configuring an access policy for an admin user that uses this entity id as the organization id.
Organizational data is defined to be any data that falls under the jurisdiction of an organization. This includes tree captures and planter information linked to that organization. By default this data is limited to only those records in the trees table and planters table that are directly linked to the entity id defined for organizational access. However, this can be extended to include other records through hierarchies defined in the entity_relationship table.
By default, the data accessible to organizational admin users is limited to: records in the trees table that reference, through planter_id, a planter whose person_id is set to the access policy's organization entity id, or whose own planting_organization_id column is set to that entity id; and records in the planter table whose organization_id or person_id column is set to that entity id.
The entity_relationship table defines relationships between entities. In addition to their default data access, an organizational admin user can access data that is attached to any entity that is in the tree of children under their organizational entity id. In Postgres we have implemented a function, getEntityRelationshipChildren, that can be used to query all children for an entity. This function is used as:
```sql
select * from getEntityRelationshipChildren(parent_entity_id);
```
Entity relationships can also be filtered by 'type' and 'role', but for the time being these have no implications for data access. An organizational user has hierarchical data access to all trees and planter records that each of the children returned by this query has default data access to.
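To make the default and hierarchical rules above concrete, here is an added example (not Greenstand's own code) that models them in Python on an in-memory SQLite database with constructed sample rows. The entity_relationship column names parent_id/child_id, and the recursive CTE standing in for the Postgres function getEntityRelationshipChildren, are assumptions.

```python
import sqlite3

# Constructed schema using the column names the page mentions; the
# entity_relationship parent_id/child_id column names are assumptions.
SCHEMA = """
CREATE TABLE planter (id INTEGER PRIMARY KEY, person_id INTEGER, organization_id INTEGER);
CREATE TABLE trees (id INTEGER PRIMARY KEY, planter_id INTEGER, planting_organization_id INTEGER);
CREATE TABLE entity_relationship (parent_id INTEGER, child_id INTEGER, type TEXT, role TEXT);
"""
# Constructed sample data: entity 10 has child 11, which has child 12; 20 is unrelated.
SAMPLE = """
INSERT INTO entity_relationship VALUES (10, 11, 'o', 'member'), (11, 12, 'o', 'member'), (20, 21, 'o', 'member');
INSERT INTO planter VALUES (1, 10, NULL), (2, NULL, 11), (3, 12, NULL), (4, 20, NULL), (5, NULL, NULL);
INSERT INTO trees VALUES (100, 1, NULL), (101, 5, 12), (102, 4, NULL), (103, 5, 11), (104, 5, NULL), (105, 2, NULL);
"""

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def accessible_entity_ids(conn, org_id):
    """The policy's organization plus the whole tree of children under it
    (a recursive CTE stands in for getEntityRelationshipChildren here)."""
    rows = conn.execute("""
        WITH RECURSIVE children(id) AS (
            SELECT ?
            UNION
            SELECT r.child_id FROM entity_relationship r JOIN children c ON r.parent_id = c.id)
        SELECT id FROM children""", (org_id,)).fetchall()
    return {r[0] for r in rows}

def accessible_planter_ids(conn, org_id):
    """org_id None models a global user: no filter is applied at all."""
    if org_id is None:
        return [r[0] for r in conn.execute("SELECT id FROM planter ORDER BY id")]
    ids = tuple(accessible_entity_ids(conn, org_id))
    marks = ",".join("?" * len(ids))
    sql = f"SELECT id FROM planter WHERE organization_id IN ({marks}) OR person_id IN ({marks}) ORDER BY id"
    return [r[0] for r in conn.execute(sql, ids + ids)]

def accessible_tree_ids(conn, org_id):
    """Trees reached via a planter whose person_id is an accessible entity, or whose
    planting_organization_id is one; a planter's organization_id alone does not
    grant its trees, which is how the default rule is stated."""
    if org_id is None:
        return [r[0] for r in conn.execute("SELECT id FROM trees ORDER BY id")]
    ids = tuple(accessible_entity_ids(conn, org_id))
    marks = ",".join("?" * len(ids))
    sql = f"""SELECT t.id FROM trees t LEFT JOIN planter p ON p.id = t.planter_id
              WHERE p.person_id IN ({marks}) OR t.planting_organization_id IN ({marks}) ORDER BY t.id"""
    return [r[0] for r in conn.execute(sql, ids + ids)]
```

Running it for organization 10 yields planters 1, 2 and 3 but trees 100, 101 and 103 only: tree 105 belongs to planter 2, which is reachable through organization_id but not person_id.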