Article: AN0001836
This chapter describes the access control requirements that we will try to meet in this system.
An ObjectGears user can request an access right for themselves or for another user. Besides the role, users can add a comment to the request explaining why they are asking for the role, and select the account to which the role shall be granted. After the request is entered, information about the user who created the request, the time of the request and the request status (request creation) is added automatically.
The user can then follow the status of the request and the course of its approval process (approval by a manager, role gestor or application gestor, or realization by an application administrator). The request can be displayed only by the user who created it, by the user for whom the access rights are requested, or by managers of these users.
The request is submitted for approval to the user's manager, if a manager is defined for the user. The request is submitted to a role gestor if such a person exists. If a role gestor does not exist, the request is submitted to an application gestor. If the gestor or manager does not exist, the request is considered approved by these roles. The request is submitted to the gestor and the manager in parallel so that the whole process is not delayed. A rejection by either of them causes immediate termination of the process and cancellation of the tasks that relate to the request.
After the request is approved, access rights can be assigned in two ways. If the requested role has a group defined in MS Active Directory, the user account is immediately added to this role. If such a group is not defined, a task is submitted to the administrator of the application to which the role belongs, so that the administrator assigns the role manually.
Throughout the whole process the request status is kept up to date so that users can see which of their requests are waiting for approval, which are already approved, which are implemented (access rights actually assigned) and which were rejected. The request detail shows a history of the workflow, listing the persons to whom the request was assigned for approval or realization together with their statement (approval/rejection). Users approving the request can add a comment to their statement (approval/rejection) justifying why the request was approved or rejected.
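
The routing rules above can be checked as a small state machine. The following Python model is an added illustration, not ObjectGears code: the class, field and function names are assumptions, the Active Directory update is a stand-in that only writes a history entry, and the rule that only a person with an open task may record a statement is an assumption of the model.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Role:                      # constructed model, not the ObjectGears schema
    name: str
    administrator: str           # application administrator for manual assignment
    application_gestor: Optional[str] = None
    role_gestor: Optional[str] = None
    ad_group: Optional[str] = None   # MS Active Directory group, if one is defined

@dataclass
class Request:
    role: Role
    account: str
    manager: Optional[str] = None
    status: str = "created"
    pending: set = field(default_factory=set)    # approvers with an open task
    history: list = field(default_factory=list)  # (person, statement, comment)
    admin_task: Optional[str] = None

def submit(req: Request) -> Request:
    # Role gestor, else application gestor; asked in parallel with the manager.
    gestor = req.role.role_gestor or req.role.application_gestor
    req.pending = {p for p in (req.manager, gestor) if p}
    req.status = "waiting for approval"
    if not req.pending:          # nobody to ask: considered approved
        _on_approved(req)
    return req

def decide(req: Request, person: str, approve: bool, comment: str = "") -> Request:
    # Assumption: only a person holding an open task may record a statement.
    if req.status != "waiting for approval" or person not in req.pending:
        raise PermissionError(f"{person} has no open task on this request")
    req.history.append((person, "approval" if approve else "rejection", comment))
    req.pending.discard(person)
    if not approve:
        req.pending.clear()          # one rejection cancels the remaining tasks
        req.status = "rejected"
    elif not req.pending:
        _on_approved(req)
    return req

def _on_approved(req: Request) -> None:
    if req.role.ad_group:            # stand-in for the real AD group update
        req.history.append(("system", f"added {req.account} to {req.role.ad_group}", ""))
        req.status = "implemented"
    else:                            # manual path: task for the administrator
        req.admin_task = req.role.administrator
        req.status = "approved"
```

In this model a request with neither a manager nor a gestor goes straight to the assignment step with no human statement in its history, which makes such requests easy to pick out when reviewing how roles were granted.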