Security and System administration - inteacc/hrishelp GitHub Wiki
The security subsystem provides an easily configurable access control mechanism for your application. It is based on Spring Security and adds the following features:
Integration with your data model.
Permissions to invoke CRUD operations on entities and to view/modify specific entity attributes. For example, a user can view documents, but cannot create, update, or delete them, and can view all document attributes except amount.
Row-level access control restricts access to individual entity instances. For example, users can view documents that have been created in their department only.
Integration with UI.
Permissions to open UI views and see main menu items.
If a visual component like Text Field is bound to an entity attribute, it automatically becomes read-only or hidden depending on the current user rights to the attribute. Table actions are disabled if the corresponding CRUD operations are denied for the user.
Declarative definition of roles and permissions using annotated Java interfaces.
Ability to define roles and permissions at runtime and store them in the database.
User interface for viewing roles and permissions, assigning roles to users, and for creating runtime roles.
A short demo video:
GMT20241219-023237_Recording_2048x1152_Security role.mp4
Roles and Policies
The diagram below shows the relationship between users, roles and policies.
A user can have multiple roles of two distinct types: resource roles and row-level roles.
Resource roles grant users permissions to specific objects and operations, which are denied by default. A user without any resource role has no permissions and cannot access the system.
Row-level roles, in contrast, restrict access to particular entity instances. A user without any row-level role has access to all instances of an entity (provided the resource roles permit access to that entity).
Each role defines policies of different types. A policy names a target object (a resource for resource policies, an entity instance or group of instances for row-level policies) and the permission or restriction that applies to it.
Menu path: System admin > User admin > User list
The screen shows the list of employees for whom no user has been created yet (left) and the list of existing users (right).

If you want to select more than 50 employees at once, increase the page size accordingly before selecting them and creating the users.
User creation is simple: select the employee(s) for whom you want to create users and click the "Create user" button. This does the following:
- Creates the user together with all related user information.
- Sets the employee code as the user ID and the last name as the initial password. A last name is not a secret, so treat this as a bootstrap credential: users should change it at their first login, and accounts should not be left with this default for long.
- Assigns the default role, i.e. the resource role whose role code is "EMPLOYEE_USER_DEFAULT_ROLE_CODE".
You can also create users one by one from the "Create" button above the user list (right-hand side).

After the user is created, you can assign one or more roles to the user. You can work from either direction: assign a resource role to multiple users, or assign multiple roles to one user, whichever you prefer.

Select the user and click "Role assignment".
In the role assignment screen, click the "Add" button under "Resource role" or "Row level role" and pick the roles from the list.

User roles and business user roles are defined by the system administrator of the Inteacc HCM application.
There are two types of roles you can create:
- Resource roles
- Row-level roles
A resource role may contain one or more child resource roles, and a child may itself contain children, so resource roles are normally built in two steps, depending on how many levels of hierarchy you want in your access management:
- Resource role: created for an individual transaction, with full access or a subset of the access privileges.
- Resource role with child resource roles: one or more of the roles above are combined into a parent (business) role.
Roles and users

A resource role may have child roles as well as its own access definitions for the different kinds of securable elements: Menu, View, Entity (table), Attributes (fields), etc.

To have the default resource role assigned automatically to every new user, create a resource role with the role code "EMPLOYEE_USER_DEFAULT_ROLE_CODE":

Select "Menu policy" from the Create button. A menu selection dialog pops up; pick the menu item from the context-sensitive drop-down list.

When you add a menu policy, besides selecting the menu item itself, tick "Grant access to the view".

This also grants access to the list view that the menu item opens.
A view policy is used mostly to authorize detail views, but any other view (screen) can be authorized this way as well.

When you select a view directly, the checkbox "Grant access to the menu item" is not relevant.
Each view (screen) may have one or more entities (i.e. database tables) associated with it. Therefore, when you grant access to a view, you also need to grant access to its entities; otherwise the view is reachable but its data is not.

In this example of the Leave application detail screen, access to several entities (tables) is needed, e.g. hr_LeaveApplication, hr_LeaveApplicationLine, hr_LeaveAppliType, etc.
Depending on how much access the role should have to each entity, select the CRUD (Create, Read, Update, Delete) options.
Attribute policies define how access to the individual fields of an entity (table columns) is controlled.

You can define the rule field by field: View, Modify, or no access for the role.
If you want to hide some fields, tick the check boxes of the individual attributes instead of "All attributes (*)". Any field you do not select is hidden from the role.
The resource role name is a free text field, so the system accepts any name. To keep roles organized, however, we recommend the following coding scheme:
Segment seq. | Digits | Name | Description |
---|---|---|---|
1 | 2 | Application module | Module code in 2 digits |
2 | 2 | Role code | Main role code in 2 digits; put "-" between segments 1 and 2 |
3 | 1 | CRUD privilege | CRUD action indicator in 1 digit (see the value table below) |
Example

Module code | Module name |
---|---|
01 | Master data General |
02 | Organization and compensation management |
03 | Hiring management |
04 | Talents and succession planning |
05 | Performance management |
07 | Leave and attendance |
08 | Payroll |
09 | Loan management |
08 | Income tax |
09 | Employee fund |
Role codes fall into 3 categories. The serial of each category starts at the number given below and increments by 1 within the category:
Category name | Sequence |
---|---|
Master data | Start with 11. Each role code uses 0 for full CRUD or one of the partial CRUD values defined in the value table below |
Transactions | Start with 41 |
Business roles or parent roles | Start with 91 |
Role creation recorded training session.
CRUD privilege digit (segment 3):
Value | Meaning |
---|---|
0 | When the role is defined with all the access privileges i.e. CRUD - Create, Read, Update, Delete. |
1 | Create privilege only |
2 | Read only |
3 | Update only |
4 | Delete only |
5 | Create, Read, Update (no delete) |
6 | Read entity and attributes only (no menu access) |
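The coding scheme above can be enforced mechanically before a role is created. The following Python validator is an added example and not part of the wiki or of the Inteacc product: it decodes a role code into module, category and CRUD meaning, and compares the CRUD digit with the operations a role actually grants on its entities. The module codes and CRUD digit meanings are those of the tables above; the category upper bounds (40, 90, 99) and the optional second "-" before the CRUD digit are assumptions, since the page only gives the starting serials and only requires a "-" after the module code.

```python
import re

# Constructed validator, not part of the product.  Module codes and CRUD
# digits come from the tables above; the category upper bounds and the
# optional "-" before the CRUD digit are assumptions (the page only gives
# starting numbers and only mandates the "-" after the module code).
MODULE_CODES = frozenset({"01", "02", "03", "04", "05", "07", "08", "09"})
# (The page's module table lists 08 and 09 twice, so only the code is checked here.)

# CRUD digit -> (meaning, entity operations the role should grant, menu access)
CRUD_DIGITS = {
    "0": ("all CRUD", {"create", "read", "update", "delete"}, True),
    "1": ("create only", {"create"}, True),
    "2": ("read only", {"read"}, True),
    "3": ("update only", {"update"}, True),
    "4": ("delete only", {"delete"}, True),
    "5": ("create, read, update (no delete)", {"create", "read", "update"}, True),
    "6": ("read entity and attributes only (no menu access)", {"read"}, False),
}

# MM-RR[-]C : 2-digit module, "-", 2-digit role serial, optional "-", CRUD digit
ROLE_CODE_RE = re.compile(r"^(\d{2})-(\d{2})-?(\d)$")


def category(role_seq: int) -> str:
    """Map the 2-digit role serial to its category (upper bounds assumed)."""
    if 11 <= role_seq <= 40:
        return "Master data"
    if 41 <= role_seq <= 90:
        return "Transactions"
    if 91 <= role_seq <= 99:
        return "Business roles or parent role"
    raise ValueError(f"role serial {role_seq:02d} is outside the defined ranges (11-, 41-, 91-)")


def decode_role_code(code: str) -> dict:
    """Split a role code into its segments and validate each against the convention."""
    m = ROLE_CODE_RE.match(code.strip())
    if not m:
        raise ValueError(f"{code!r} is not of the form MM-RRC")
    module, role, crud = m.groups()
    if module not in MODULE_CODES:
        raise ValueError(f"unknown module code {module!r}")
    if crud not in CRUD_DIGITS:
        raise ValueError(f"CRUD digit {crud!r} is not defined (0-6)")
    meaning, ops, menu = CRUD_DIGITS[crud]
    return {"module": module, "role_seq": int(role), "category": category(int(role)),
            "crud": meaning, "operations": set(ops), "menu_access": menu}


def is_valid_role_code(code: str) -> bool:
    try:
        decode_role_code(code)
        return True
    except ValueError:
        return False


def check_role(code: str, granted_ops: set[str]) -> list[str]:
    """Compare what a role actually grants on its entities with what its CRUD
    digit promises; returns the discrepancies (empty list = consistent)."""
    info = decode_role_code(code)
    problems = [f"{code}: grants {op} but the digit says {info['crud']}"
                for op in sorted(granted_ops - info["operations"])]
    problems += [f"{code}: digit promises {op} but the role does not grant it"
                 for op in sorted(info["operations"] - granted_ops)]
    return problems
```

For example, `decode_role_code("07-412")` resolves to the Leave and attendance module, a transaction role, read only, and `check_role("07-412", {"read", "update"})` reports that the role grants update although its digit says read only. Running such a check over the role list periodically catches roles whose name no longer matches what they actually grant.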
Row-level roles allow you to restrict access to particular rows of data, in other words to entity instances.

For example, if you write a rule with the criterion Company code = "RTM" and assign the role to users, those users see only the rows belonging to that company code. Because row-level roles only ever restrict, a user who has no row-level role for an entity sees every instance of it that the resource roles allow.
After writing the rule, click the Check button to make sure the syntax is correct.
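To see how the rules from the "Roles and Policies" section, the entity and attribute policies of the Leave application example, and the row-level restriction just described combine, here is a small Python model. It is an added example written for this page, not code from the wiki, from the Inteacc HCM application or from the platform it is built on. The role and entity names, the users and the rows are constructed sample data, and the combination rules it encodes (resource permissions additive and deny-by-default, child roles inherited by the parent, attributes without a policy hidden, every applicable row-level predicate required) are an assumption to be checked against the product's actual behaviour.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterator

# Constructed model, not the platform's own classes: resource roles are
# additive and deny by default, child roles are flattened into the parent,
# an attribute with no policy is hidden, and every row-level predicate
# that applies to an entity must pass (AND).  Entity names follow the
# page's hr_* examples; roles, users and rows are sample data.
CRUD = frozenset({"create", "read", "update", "delete"})
ACCESS_RANK = {"hidden": 0, "view": 1, "modify": 2}

@dataclass
class ResourceRole:
    code: str
    entity_ops: dict[str, set[str]] = field(default_factory=dict)         # entity -> granted CRUD ops
    attr_policy: dict[str, dict[str, str]] = field(default_factory=dict)  # entity -> {attr|"*": view|modify}
    children: list["ResourceRole"] = field(default_factory=list)

    def flatten(self) -> Iterator["ResourceRole"]:
        """A parent role carries its own policies plus every child's."""
        yield self
        for child in self.children:
            yield from child.flatten()

@dataclass
class RowLevelRole:
    code: str
    predicates: dict[str, Callable[[dict], bool]]  # entity -> "row is visible" test

@dataclass
class User:
    login: str
    resource_roles: list[ResourceRole] = field(default_factory=list)
    row_level_roles: list[RowLevelRole] = field(default_factory=list)

    def all_resource_roles(self) -> Iterator[ResourceRole]:
        for top in self.resource_roles:
            yield from top.flatten()

def can(user: User, entity: str, op: str) -> bool:
    """Granted only if some (possibly inherited) role grants it: deny by default."""
    if op not in CRUD:
        raise ValueError(f"unknown operation {op!r}")
    return any(op in role.entity_ops.get(entity, ()) for role in user.all_resource_roles())

def attribute_access(user: User, entity: str, attr: str) -> str:
    """Strongest policy wins: 'modify' > 'view' > 'hidden'; '*' covers every attribute."""
    best = "hidden"
    for role in user.all_resource_roles():
        policy = role.attr_policy.get(entity, {})
        for key in (attr, "*"):
            if key in policy and ACCESS_RANK[policy[key]] > ACCESS_RANK[best]:
                best = policy[key]
    return best

def visible_rows(user: User, entity: str, rows: list[dict]) -> list[dict]:
    """Row-level roles only restrict: no READ -> nothing; READ without a
    row-level role for this entity -> every row; else every predicate must pass."""
    if not can(user, entity, "read"):
        return []
    preds = [r.predicates[entity] for r in user.row_level_roles if entity in r.predicates]
    return [row for row in rows if all(p(row) for p in preds)]

# --- constructed sample roles, users and rows ---
LEAVE_CLERK = ResourceRole(
    code="07-415",  # leave module, transaction role, create/read/update, no delete
    entity_ops={"hr_LeaveApplication": {"create", "read", "update"},
                "hr_LeaveApplicationLine": {"create", "read", "update"}},
    # "amount" is deliberately left out, so it is hidden for this role
    attr_policy={"hr_LeaveApplication": {"number": "view", "employee": "view",
                                         "fromDate": "modify", "toDate": "modify"}},
)
HR_MANAGER = ResourceRole(
    code="07-910",  # parent (business) role: own delete right plus the clerk's rights
    entity_ops={"hr_LeaveApplication": {"delete"}},
    attr_policy={"hr_LeaveApplication": {"*": "view"}},
    children=[LEAVE_CLERK],
)
ONLY_RTM = RowLevelRole("RTM_ONLY", {"hr_LeaveApplication": lambda row: row["company"] == "RTM"})
ROWS = [{"id": 1, "company": "RTM"}, {"id": 2, "company": "ABC"}, {"id": 3, "company": "RTM"}]

def demo() -> dict:
    nobody = User("nobody")                                   # no roles at all
    clerk = User("clerk", [LEAVE_CLERK])                      # resource role only
    rtm_clerk = User("rtm_clerk", [LEAVE_CLERK], [ONLY_RTM])  # plus a row-level role
    manager = User("manager", [HR_MANAGER])                   # parent role with child
    e = "hr_LeaveApplication"
    return {
        "nobody_reads": can(nobody, e, "read"),                    # False: deny by default
        "clerk_deletes": can(clerk, e, "delete"),                  # False
        "manager_deletes": can(manager, e, "delete"),              # True
        "clerk_amount": attribute_access(clerk, e, "amount"),      # "hidden"
        "manager_amount": attribute_access(manager, e, "amount"),  # "view", via "*"
        "manager_fromDate": attribute_access(manager, e, "fromDate"),  # "modify", inherited
        "clerk_rows": [r["id"] for r in visible_rows(clerk, e, ROWS)],    # [1, 2, 3]
        "rtm_rows": [r["id"] for r in visible_rows(rtm_clerk, e, ROWS)],  # [1, 3]
        "nobody_rows": visible_rows(nobody, e, ROWS),              # []
    }
```

Call `demo()` to compare the same clerk with and without the RTM row-level role. Note that `visible_rows()` returns nothing at all for a user with no resource role even though no row-level rule applies to that user; that is the deny-by-default behaviour described above, and it is the reason a missing resource role is the first thing to check when a user reports an empty screen.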
The user substitution option can be used when you want one user to act on behalf of another, for example during the latter's vacation.


Note the start and end dates: they define the period during which the substitution is effective. Keep that window as short as the absence requires, since for that time the substitute works under the other user's access rights.
You can schedule a background job that updates the approval status of documents automatically: when a workflow is fully approved or declined, the approval status of the originating document (leave application, hiring request, etc.) is updated without manual intervention.
To update the approval status automatically, you have two alternative options:
- A Quartz job in Inteacc
- A scheduled job in the database
Your Inteacc HCM system has built-in functionality to schedule a specific job for automatic execution at the configured frequency.
With Quartz jobs you can:
- Create new Quartz jobs from existing implementations of the org.quartz.Job interface.
- Pause and resume job execution.
- Trigger immediate execution of inactive jobs.
- Edit job triggers and parameters.
- Delete jobs.

For a scheduled job in the database, follow the documentation of the respective database.
Create the master data in the following sequence:
- Business Industries
- Continents
- Currency
- Country and provinces
- Holiday
- Holiday Calendar
- Punctual attend criteria
- OT rounding rules
- Workshift
- Workshift rotate rules
- Operating location
- Unit of measure
- Religion
- District
- Hierarchy Group
- Hierarchies
- Company
- Account Group
- Account
- Bank Category
- Bank
- Bank branch
- Bank account
- Cash account
- Cost centre category
- Cost centre group
- Cost centre
- Financial year
- Tax authority
- Tax profile
- Job family
- Functional area
- Department
- Section
- Employee group
- Empl grades
- Empl category
- Designation
- Leave type
- Late penalties
- Leave year
- Leave profile
- Calc methods
- Income year
- Allowance
- Payroll rules
- Payscale structure
- Payscale
- OT rounding rules
- Control account Prs
- Employee fund profile
- Financial year
- Fund rules