Wednesday, December 8, 2010

Access Control up to Field-Level, now possible in iFreeTools CRM & Creator

Until now, iFreeTools CRM and iFreeTools Creator had role based access control alone.

In this mode, users can be associated to a role which can be admin / user / guest and access control can be specified (in Creator, for custom entities) to restrict read / write operations based on these roles. It was not possible to segment records based on departments (Sales / Marketing / Support / etc.,.) or based on territories (typically useful for geographically distributed offices). It was also not possible to have field-level permissions.

Not anymore.. we have now added support for adding authorization profiles to enable defining access control permissions and associating them with user accounts.

Using authorization profiles, you can..
  • allow / block access to specific modules (record types) as a whole,
  • allow / restrict access to specific operations alone, like controlling permission to View, Add, Edit, Delete, Export records or to Send Emails,
  • define scoping criteria to segment the records at operation-level. This scoping criteria can be based on any attribute which contains choice values (which include departments and territories, if you have enabled them) and based on user-reference attributes. One can define criteria to enforce access conditions like “Allow editing of records only if the user is the record owner”,
  • define permissions for access to fields at the operation-level, to enable conditions like “Allow viewing X, Y and Z fields, but restrict editing to X and Y fields alone”.

Sample Walk-through on using the Auth Profiles in iFreeTools

Let us take a sample application and walk-through the steps to enforce authorization rules for that application using this new feature. Our sample app will be a simple help desk application to hold the records for Customers, Solutions & Cases and will have the following authorization requirements..
  • Customer login :
    • Allowed to view available solutions
    • Raise new cases and edit them as required.
    • Edit their own customer record to update contact details (address, phone, etc.,)

  • Support staff login :
    • Allowed to view all solutions, add new solutions and edit the ones for which they are the owner.
    • Allowed to view all cases and edit to update the records to associate relevant solutions.
    • Full access to Customer records.
For our walk-through, we will define 3 record types : Customers, Solutions and Cases.

Note : While there is more to a full-fledged help-desk application than just maintaining the records - like say, notifying the Customer-owner (support staff) when the Customer adds a new Case, notifying the Customer when the support staff responds to cases and escalating to notify the manager when a case has not been closed for long - we will deal with the records part alone for now. We will come back to this walk-through to cover other use-cases when we add support for work-flows and triggers.

Concise representation of the data-model :

Customer (name*, company, $< phoneEmailEtc >, $< contactAddress >, owner, userAccount< User >*)
Solution (question*, answer*~~, owner*, status&)
Case (subject*, type&*, status&*, origin&, priority&, reason&,
reportedBy< Customer >*, reportedByUser< User >*, description~~*, owner, solution< Solution >)
* means the attribute is required
~~ refers to a Text attribute,
& means the attribute has choiceValues
$< phoneEmailEtc > and $ < contactAddress > add multiple attributes
attributeName< ReferenceClass > refers to a reference attribute, owner defaults to < User > reference

Pseudo-code representation of the data-model :

(useful if you want to add Entities and Attributes)

Customer (plural : Customers ) :
String name as Name required
String company as Company
String emailId as "Email Id" {isEmail:True}
String phone as Phone
String mobilePhone as "Mobile Phone"
String homePhone as "Home Phone"
String skypeId as "Skype Id"
String website as Website
String addressLine1 as "Address Line1"
String addressLine2 as "Address Line2"
String city as City
String zipCode as "Zip Code"
String state as State
String country as Country
GeoPoint addressOnMap as "Address on Map"
Reference owner as Owner {refersTo:User}
Reference userAccount as "User Account" required {refersTo:User}

Solution (plural : Solutions ) :
String question as Question required
Text answer as Answer required
Reference owner as Owner required {refersTo:User}
String status as Status {choiceValues:[Draft, Reviewed, Duplicate]}

Case (plural : Cases ) :
String subject as Subject required
String type as Type required {choiceValues: [Problem, Feature Request, Question] }
String status as Status required {choiceValues:[New, On Hold, Escalated, Closed]}
String origin as Origin {choiceValues:[Web, Email, Phone]}
String priority as Priority {choiceValues:[High, Medium, Low]}
String reason as Reason {choiceValues:[User did not attend any training,
Complex functionality, Existing problem,
Instructions not clear, New problem]}
Reference reportedBy as "Reported by" required {refersTo:Customer}
Reference reportedByUser as "Reported by User" required {refersTo:User}
Text description as Description required
Reference owner as Owner {refersTo:User}
Reference solution as Solution {refersTo:Solution}

You need not have to create these entities and attributes manually. Just use the following CSV files to import this data-model directly into iFreeTools Creator..
Once you have imported the Entities and Attributes to iFreeTools Creator, we can now proceed to defining the authorization profiles for the use in this help-desk application.

Note on additional segmentation : When adding/editing entities, you can configure the entities to use additional segmentation based on department and/or territory. You can choose not to segment the records (default option for empty value), or make it optional / required. Making it optional/required will result in a new attribute getting added to the entity, with selection values to choose from for department/territory. You can customize the values for this selection from under Admin > Enum.

This walk-through does not use additional segmentation. But feel free to add/edit entities, to include them if required.

First we will create an authorization profile for customer login. Proceed to Admin > Auth Profiles > Add Auth Profile.

The initial screen for adding the authorization profile will be like given below..

Customers need not have access to the User records, so we will not enable access for those records.

When customers access the Customer records, they should be able to view their own record and can have the facility to update their contact details themselves. The following image shows the authorization configuration for Customer records..

For Solutions, customers can be allowed to view all Solutions which are in Reviewed status. The fields to be made visible can be restricted to Question, Answer and Created On.

With respect to Case records, customers can be allowed to view only the cases reported by them. They can add new Case records and can edit Cases they had reported earlier. They will not have permission to delete or to export them. The following image shows the required auth-profile configuration to achieve the same..

Proceeding to save the Auth Profile, we get to see the following details page..

Similarly we can add an Auth Profile for support-staff, as per the authorization requirements we listed earlier. The details page of the Auth Profile for support-staff is shown below..

That is it, we have completed the Auth Profile configurations. Now you can add or edit users, from under Admin > Users, and associate the Auth Profiles to the User records.

Note: Auth Profiles take effect only for non-admin users, that is users having role as user or guest.

When the user logs-in into the application, the authorization profile we configured and associated with their user-account will take effect automatically.

Hope you like the our new feature. Such fine-grained access control features are part of the “premium” plans in almost all other online CRM apps / online-database-app builders, if at-all available. We at iFreeTools are glad to offer it as part of our free version at iFreeTools CRM and iFreeTools Creator.

No comments:

Post a Comment