Self Storage Dashboard – Access Control

Progress! Since First Release I have solidified much of what the Self Storage Dashboard will be and do. I’ve been taking feedback and iterating the Leads management section and I feel that I finally have enough proof (read: confidence) to make this project a real business. The other managers who currently use the Dashboard have found it to be intuitive and easy and that has been my focus for the user experience (UX). I want this app to be simple and clean because many self storage managers are not computer or web savvy.

If you recall from my previous posts, I have been practicing Minimum Viable Product (MVP). I did this to test whether the idea had legs. Now that I know it’s worth building I need to consider more carefully how the app is designed. Last night I defined the features, requirements, roles and privileges. I felt the need to wrap my head around the idea as a whole and it seemed like a good place to start. Taking time to define privileges was the most helpful because I was forced to make decisions about which roles should have access to which features. Interestingly, it helped me to define a lot of the features.

Access Control

This is the first project where I needed to consider access control (roles and privileges for web apps). I’ll describe my process just in case someone out there is interested. I began by listing all features for the site. I then considered who would be using the Dashboard and created roles based on those types of users. I discovered seven roles, two of which are: Facility Manager and General Manager. Privileges fell into three categories: User, Facility and Company (a company is the primary account which can have many facilities). It made sense for me to break the privileges into these categories.

I then considered each role and which feature/privilege it would require. For example, the Facility Manager should be able to manage leads for their facility. Here is an excerpt from my Specification Document which describes all roles and privileges (last night I discovered 59 distinct privileges, I won’t list them all).

PRIVILEGES

User
  • Default Privileges (all users)
    • add/edit/view this user’s personal information
    • change this user’s password
    • recover this user’s password via email
    • send/receive messages to/from one, many or all users in this company
  • Timesheet (enables the timesheet feature for this user)
    • add/edit timesheet entries for this user at this user’s facility
    • view timesheet report for this user
Facility
  • Facility Leads
    • add/edit/view leads for this user’s facility
    • view leads report for this user’s facility
Company
  • Company Leads
    • add/edit/view leads for any facility in the company
    • view leads reports for all facilities in the company
  • Company Timesheets
    • add/edit/view timesheet entries for any user in the company
    • view timesheet reports for all users in the company
    • export/print all timesheet data
  • User Control
    • add/edit/delete information for any user account in the company
    • reset password for any user in the company
    • assign any user to any facility in this company
    • set privileges for any user
    • suspend any user in the company (will prohibit a user from logging in to the dashboard and display a “Suspended” message if they try logging in)

ROLES

Once the privileges were defined I added specific privileges to the appropriate roles.

  • Facility Manager
    • Timesheet
    • Facility Leads
  • General Manager
    • Company Timesheets
    • Company Leads
    • User Control

After three hours defining roles and privileges I looked into how to implement privileges using CodeIgniter (the PHP framework I’m building with). Unfortunately, there is no library/extension for doing this. I use the Ion Auth library for authentication (login, account creation, etc) but it is limited to Groups. If I want to enable granular privilege-based control I will need to write a custom solution. I fully intend on doing this but not right now. For now, I created seven groups, one for each role and will allow access to features based on whether a user is in the appropriate group. Knowing this now, I would still spend the time defining privileges, it’s important info that I need in order to code for groups. The next phase is to implement access control on the live server. After that, I will be considering which feature to add next.

I hope you found this post informative. I’m not an expert and I don’t have any training or experience with access control either. If I got something wrong or if there is a better way to do it, let me know. I just did what makes sense to me.

As always, you can find me on Twitter @KeithMon.