The Problem:
dotProject currently uses ldap for "authentication" (ie you can point to an LDAP server to check password hashes against a username), but by default a user does not have access to anything until they have gone through a manual "authorisation" setup (eg being given access to certain companies, or be assigned a certain dP user type).
A subset of this problem occurs when:
- users leave the company (off-boarding) - users must be manually set inactive, or
- change roles internally (cross-boarding) - users must have their permissions manually updated (which currently ends up with users getting way more access than they perhaps should)
The Proposed Outcome:
Scenarios:
- A new user starts, and is given authorisation attributes in LDAP as part of their onboarding process
The user logs into dotProject for the first time, and the user account is created automatically (this is current behaviour):
- the user account then has it's Company and Department fields populated based on LDAP group membership (or some other definable attribute)
- the user is authorised to access (view/edit etc) Company/Department (perhaps even, to project level?) based on required attributes
- An existing user changes role and has some permissions added, and some removed:
- the user logs into dP after these changes are made, and the dP user account should update it's authorisation fields for this user automatically
- A user leaves De Bortolis:
- the way we handle this in LDAP at the moment is to remove the user from the "Active Users" ldap group - I'm not sure how industry standard this is
- the dP user account should be in the dP inactive users group now, and should no longer be available for selection as project contact/resource etc
Looking for proposals on how we can enhance the existing authorisation system in dP so that we can define and check ldap based require attributes.
I'm wondering if the plugin interface gives us enough access to hook in to Company and Department configs to add extra fields? As a plugin/module, this seems like the least generally invasive way to implement
The Problem:
dotProject currently uses ldap for "authentication" (ie you can point to an LDAP server to check password hashes against a username), but by default a user does not have access to anything until they have gone through a manual "authorisation" setup (eg being given access to certain companies, or be assigned a certain dP user type).
A subset of this problem occurs when:
The Proposed Outcome:
Scenarios:
The user logs into dotProject for the first time, and the user account is created automatically (this is current behaviour):
Looking for proposals on how we can enhance the existing authorisation system in dP so that we can define and check ldap based require attributes.
I'm wondering if the plugin interface gives us enough access to hook in to Company and Department configs to add extra fields? As a plugin/module, this seems like the least generally invasive way to implement