
Roles management software designed by UC Davis DSS IT


DSS Roles Management

Roles Management (RM) is a web-based management interface for people, roles, and applications, developed by the UC Davis Social Sciences IT Service Center.

RM is designed to let anyone who manages employees or virtual appliances (file servers, mailing lists, web applications) assign whatever roles and permissions they wish to people and groups, without requiring help from IT.

Requirements

  • Ruby 2.x (tested with 2.6.5)
  • MySQL (tested with 5.6)
  • Docker (optional, tested with engine 19.03.5)

Installation

Step 1. Set up secrets file

  • Copy docker-web-secrets.env.sample to docker-web-secrets.env and fill in values. This file holds the service's secrets; keep it out of version control.

Step 2. Run the services

  • docker-compose up

Step 3. Set up the database

  • docker exec <container> rails db:setup
  • docker exec <container> rails activitylog:create_table

  Replace <container> with the name of the web service container that docker-compose started (docker ps lists it); docker exec needs a container argument.

Step 4. Seed initial data

  • docker exec <container> rails title:import_titles_with_ucpath_csv[file.csv]
  • docker exec <container> rails dw:import_pps_departments

  If you run these tasks from a zsh shell rather than through docker exec, quote the task name (rails 'title:import_titles_with_ucpath_csv[file.csv]'), because zsh treats the square brackets as glob characters.

Step 5. Add the first user and grant admin rights

  • docker exec <container> rails dw:import[username]
  • docker exec <container> rails user:grant_admin[username]

Step 6. Visit the service

  • Open your browser to http://localhost:3000

Running Tests

Roles Management has two forms of tests: Rails-based unit tests and Cypress end-to-end tests.

Running Rails tests

  1. rails test

Running Cypress tests

  1. Ensure Cypress is installed: npm install
  2. Ensure Roles Management is running with the CAS override: _RM_DEV_LOGINID=dssapps rails s
  3. Ensure the CAS override user (dssapps above) exists in the RM database
  4. Run Cypress: npx cypress open

Screenshots

  • Group rule editor
  • Person dialog, relations tab

Owners and Operators

RM has two classes of users with administrative behavior: owners and operators. Both classes exist for groups and for applications:

  • Application/Group Owners: Can create, edit, and delete all attributes of an application or group.
  • Application Operators: Can make role assignments within that application but cannot edit any of its attributes.
  • Group Operators: Similar to Application Operators, with the added ability to add or remove explicit members, but cannot edit the group rules.
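The matrix above, written out as an illustrative authorization check. This is an added example, not Roles Management's own authorization code; the Resource struct, the action names and the sample owners and operators are assumptions made for the example.

```ruby
require 'set'

# A resource is either an :application or a :group, with sets of owner and
# operator login IDs. (Assumed shape, not the project's model.)
Resource = Struct.new(:kind, :name, :owners, :operators, keyword_init: true)

# Actions a user may attempt against a resource (assumed names).
ACTIONS = %i[edit_attributes delete assign_role add_member remove_member edit_rules].freeze

# Constructed sample data: alice owns both resources, bob operates both.
SAMPLE_APP   = Resource.new(kind: :application, name: 'payroll',
                            owners: Set['alice'], operators: Set['bob'])
SAMPLE_GROUP = Resource.new(kind: :group, name: 'staff',
                            owners: Set['alice'], operators: Set['bob'])

# Returns :owner, :operator, or nil for loginid on resource.
# Ownership wins if a login ID is listed as both.
def role_on(resource, loginid)
  return :owner if resource.owners.include?(loginid)
  return :operator if resource.operators.include?(loginid)
  nil
end

# Deny-by-default decision: true only when the matrix above grants the action.
def can?(loginid, action, resource)
  raise ArgumentError, "unknown action #{action.inspect}" unless ACTIONS.include?(action)

  case role_on(resource, loginid)
  when :owner
    true # owners may create, edit and delete all attributes, and assign roles
  when :operator
    case action
    when :assign_role            then true                     # both operator kinds
    when :add_member, :remove_member then resource.kind == :group # group operators only
    else false                                                  # no attribute or rule edits
    end
  else
    false # neither owner nor operator: no administrative rights
  end
end

# Full permission table for a login ID, useful when auditing who can do what.
def permissions_for(loginid, resource)
  ACTIONS.select { |action| can?(loginid, action, resource) }
end
```

Unknown actions raise rather than silently returning false, so a typo in a caller cannot masquerade as a deliberate denial.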

Misc. Setup

Import titles from CSV in Docker container

  1. docker cp titles.csv <container>:/usr/src/app
  2. docker exec <container> rails title:replace_titles_with_csv[titles.csv]

  Here <container> is the name of the web service container started by docker-compose.

Import departments

  • docker exec <container> rails dw:import_pps_departments

Tracking departments

By default, Roles Management only imports people who are manually specified (for example with dw:import[username]), and thereafter only updates people who are already in the system.

If you wish to start automatically importing people based on their department, mark the department as "tracked" in the UI: open "Administrate" in the upper-right, then "Tracking ...", and turn on the appropriate department. Changes take effect the next time the "dw:import" task is run.
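The selection rule described above, as an illustrative model of what the import decides for each feed row. This is an added example and not the project's dw:import code; the DwPerson record shape, the select_for_import name and the sample feed are assumptions made for the example.

```ruby
require 'set'

# One row of a data warehouse feed (assumed shape: login ID plus department code).
DwPerson = Struct.new(:loginid, :department, keyword_init: true)

# Constructed sample feed.
SAMPLE_FEED = [
  DwPerson.new(loginid: 'alice', department: 'SOC'),
  DwPerson.new(loginid: 'bob',   department: 'ECON'),
  DwPerson.new(loginid: 'carol', department: 'ECON'),
  DwPerson.new(loginid: 'dave',  department: 'HIST'),
  DwPerson.new(loginid: 'erin',  department: 'HIST')
].freeze

# Decide which feed rows an import run would act on.
#   existing:  login IDs already in RM (these are refreshed, never re-created)
#   requested: login IDs passed explicitly, as with dw:import[username]
#   tracked:   department codes switched on under Administrate > Tracking
# Returns { create: [...], update: [...] } of login IDs; everyone else is
# ignored, because RM does not import the whole feed.
def select_for_import(feed, existing:, requested: [], tracked: [])
  existing  = existing.to_set
  requested = requested.to_set
  tracked   = tracked.to_set
  result = { create: [], update: [] }

  feed.each do |row|
    if existing.include?(row.loginid)
      # Already in RM: only update, regardless of department tracking.
      result[:update] << row.loginid
    elsif requested.include?(row.loginid) || tracked.include?(row.department)
      # Manually specified, or in a tracked department: bring into RM.
      result[:create] << row.loginid
    end
  end

  result
end
```

Turning tracking on for a department therefore adds its members at the next dw:import run; turning it off stops new imports but does not by itself remove people already in RM.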

Background Tasks

The following is a list of background tasks that should be configured for proper RM behavior:

  • Continuously (recommended):
    • Ensure delayed_job is running (for on-demand syncing)
  • Every 24 hours (recommended):
    • rake 'dw:import_pps_departments'
    • rake 'iam:import_sis_majors'
    • rake 'iam:import_bous'
    • rake 'group:recalculate_inherited_application_operatorships'
    • rake 'group:recalculate_inherited_application_ownerships'
  • Every 12 hours (recommended):
    • rake 'dw:import'
    • rake 'person:update_active_flag'
    • rake 'person:remove_inactive'
  • Every 6 hours (recommended):
    • rake 'ad:resync_roles'
  • Unknown schedule:
    • rake 'group:audit_inherited_roles' (was found disabled in AWS)

Authors

Christopher Thielen (cmthielen@ucdavis.edu)