Copyright © OpenG2P. This work is licensed under Creative Common Attribution (CC-BY-4.0) International license unless otherwise noted.


Role-Based Access Control


Last updated 1 year ago

Introduction

The OpenG2P platform uses role-based access control (RBAC) to authorize users to access views and menus according to their roles. RBAC also prevents unauthorized access to the OpenG2P system and safeguards beneficiary data from malicious actors.

User types

The OpenG2P platform has three types of users:

  1. Internal: These users access the OpenG2P backend application.

  2. Portal: These users access the portals created using the OpenG2P backend application, i.e. Self-Service Portal and Service-Provider Portal users. Access to these portals is governed by the administrative policies of the program.

  3. Public: These users do not have any access to the OpenG2P backend application or portals.

Pre-defined groups

In the OpenG2P platform, a role is implemented by defining a group, and the users playing the role are added to the group. Each user can be added to multiple groups. OpenG2P provides a large variety of pre-defined groups (roles), and users can be added to them directly. To learn the steps to assign a user to a pre-defined group, see the Create User and Assign Role how-to guide.

The names of OpenG2P pre-defined groups start with the prefix OpenG2P. All other groups are provided by the underlying Odoo platform.

These are the commonly used roles pre-defined via groups in OpenG2P:

  • Administrator: The users in this group are system administrators and superusers who assign user access to other users in the OpenG2P platform. These users must install the Odoo platform on their machines, which will be used to provide access.

  • Registrar: Every user who needs access to the registry views and menus should be assigned to this group.

  • Program Validator: The users in this group validate the soundness of the program and duplicate registrants. Therefore, these users can access the Programs -> Programs and Programs -> Duplicates views and menus.

  • Program Cycle Approver: The users in this group approve the program cycles and have access rights to Program -> Cycles views and actions.

  • Program Manager: The users in this group have access to all the menus, views, and actions related to program management, payments, account journals, and funds.

  • Finance Validator: The users in this group have access to all the menus, views, and actions related to entitlement/fund/batch finance, program funds, and account journals.

  • Document Write, Document Read, Document Admin: Registrants' documents, payment files, entitlement vouchers, etc. are stored in the storage configured by the administrators. To preserve privacy and enforce authorized viewing, these documents can only be accessed by authorized users who are part of these groups.

  • Rest API POST, Rest API GET: The OpenG2P platform provides access to REST APIs for various functionalities. However, access to these APIs is restricted to only authorized users who are part of these groups.

The Excel sheet below describes all the OpenG2P pre-configured groups and their access permissions.

Configuring custom groups

The administrators can also create custom groups from scratch or inherit from pre-defined groups. Inheriting from an existing group is the most effective way to create new groups as menus, views and access rights from the existing groups need not be redefined. After inheriting from existing groups, system administrators can add custom menus, views and access rights.
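Because a group that inherits from others also receives every access right they carry, it helps to compute the effective rights of a custom group before assigning users to it. The following is an added example, not OpenG2P or Odoo code: it models Odoo-style group inheritance (`res.groups` `implied_ids`) and additive model access (`ir.model.access`) in plain Python, and all group names and grants in it are constructed sample data.

```python
# Added example: audits what a custom group really inherits.
# Assumption: access rights are additive across inherited groups, as with
# Odoo's ir.model.access. Group names and grants are constructed samples.

# group -> groups it inherits from (hypothetical names)
IMPLIED = {
    "Payment Accounts Viewer": ["Sample Finance Group"],
    "Sample Finance Group": ["Sample Base Group"],
    "Sample Base Group": [],
}

# group -> {model: permissions granted directly to that group}
DIRECT_ACCESS = {
    "Payment Accounts Viewer": {"account.account": {"read"}},
    "Sample Finance Group": {
        "account.account": {"read", "write"},
        "account.journal": {"read", "write", "create"},
    },
    "Sample Base Group": {"res.partner": {"read"}},
}


def inherited_groups(group, implied=IMPLIED):
    """Return the group plus every group it inherits from, transitively."""
    seen, stack = [], [group]
    while stack:
        g = stack.pop()
        if g not in seen:  # guards against inheritance cycles
            seen.append(g)
            stack.extend(implied.get(g, []))
    return seen


def effective_access(group, implied=IMPLIED, direct=DIRECT_ACCESS):
    """Union of model permissions over the whole inheritance chain."""
    rights = {}
    for g in inherited_groups(group, implied):
        for model, perms in direct.get(g, {}).items():
            rights.setdefault(model, set()).update(perms)
    return rights


def excess_rights(group, intended):
    """Rights the group actually has beyond the intended allowlist."""
    found = effective_access(group)
    return {m: p - intended.get(m, set()) for m, p in found.items()
            if p - intended.get(m, set())}
```

With an intended allowlist of read-only access to `account.account` and `res.partner`, `excess_rights` reports the write and journal permissions that arrived through inheritance, which is the list to review before the group is used.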

The figure below shows the access rights for a group (role) that requires access to payment accounts.

How-to Guides

To learn the steps to create a custom group, see the Create a Custom Group guide.

  • Create User and Assign Role
  • Create a Custom Group