Some users require additional permissions to manage rooms and assets, such as concierge users.

Elevated Privileges

These are the resources that users can access as privileges are raised:

| Resource | Standard User | Manager | Administrator |
| --- | --- | --- | --- |
| Assets | View | Create, Update, Delete | Create, Update, Delete |
| Metadata | View | Create, Update | Create, Update, Delete |
| Zones | View | Create, Update | Create, Update, Delete |
| Systems | View | Create, Update | Create, Update, Delete, Add / Remove Module |
| Modules | None | None | Create, Update, Delete, Start, Stop (logic only) and View all types |
| Settings | None | View | Create, Update |

This allows a sufficiently privileged individual to perform tasks such as:

  • Creating new systems
    • Add existing Calendar and Staff API modules
    • Create a new Booking, Auto Check-in drivers and start them
    • Configure any custom settings (such as sensor id for the room)
  • Modify metadata in zones
    • Adding or removing bookable desks
    • Changing owner of parking spaces
    • etc

Configuring Permissions

Typically this would be managed via the concierge application. This is a description of the JSON that application generates.

  • User groups are used to apply permissions
  • User groups can be applied at logon via SSO

Enabling Permission Elevation

This must be done on a per-domain basis. Specify a root zone for the domain; permissions will only apply to Systems and Zones that are associated with this zone.

Defining permissions

In the org zone defined in the domain config, create a metadata entry called permissions. In the example below, someone who is in group1, group3 and group4 won't have any permissions, because deny always takes precedence:

{
  "deny": ["group1"],
  "manage": ["group2", "group3"],
  "admin": ["group4"]
}

You only need to define the keys that you're using.

  • Permissions can be defined at multiple levels in the zone hierarchy
    • For example, you can provide global permissions to a group, then deny that group from modifying certain zones.
    • Or allow manage permissions globally and admin in certain zones.
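The sketch below evaluates permissions entries like the one above along a zone hierarchy. It is an added example, not PlaceOS code: the names `Access`, `level_access`, `effective_access` and `LEVEL_3` are hypothetical, and the cross-level rule (a deny at any level wins, otherwise the highest grant applies) is an assumption chosen to fail closed; only "deny always takes precedence" within one entry comes from this page.

```python
import json
from enum import IntEnum


class Access(IntEnum):
    DENY = -1    # internal marker, never returned by effective_access
    NONE = 0
    MANAGE = 1
    ADMIN = 2


def level_access(entry, groups):
    """Evaluate one zone's permissions entry against a user's groups."""
    def members(key):
        value = entry.get(key, [])  # only the keys in use need to be defined
        if not isinstance(value, list):
            raise ValueError(f"{key!r} must be a list of group names")
        return set(value)

    if groups & members("deny"):    # deny always takes precedence
        return Access.DENY
    if groups & members("admin"):
        return Access.ADMIN
    if groups & members("manage"):
        return Access.MANAGE
    return Access.NONE


def effective_access(zone_chain, groups):
    """Combine entries from the org zone down to the target zone.

    Assumption: a deny at any level removes all access; otherwise the
    highest grant found anywhere in the chain applies.
    """
    groups = set(groups)
    best = Access.NONE
    for entry in zone_chain:
        access = level_access(entry, groups)
        if access is Access.DENY:
            return Access.NONE
        best = max(best, access)
    return best


# Constructed sample data: the entry from this page, plus a hypothetical
# entry on a lower zone that denies group2 and raises group3 to admin.
ORG = json.loads('{"deny": ["group1"], "manage": ["group2", "group3"], "admin": ["group4"]}')
LEVEL_3 = json.loads('{"deny": ["group2"], "admin": ["group3"]}')

if __name__ == "__main__":
    for user_groups in (["group1", "group3", "group4"], ["group2"], ["group3"]):
        print(user_groups, effective_access([ORG, LEVEL_3], user_groups).name)
```

Running the same check over each user's SSO-assigned groups is a quick way to audit who ends up with admin in a given zone before the entry is saved.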