Domain model

The domain model of the staff members & access rights API consists of the core object types StaffMember, StaffAccessLevel and ApplicationAccessRights. A StaffMember is an employee of the organization. A StaffAccessLevel is an entity that can be granted access rights and that staff members can be assigned to. ApplicationAccessRights is the structure that records which staff members and/or access levels hold which access rights.

Application Access Rights

The enfore platform manages application access rights on a "per application"-basis. The term "application" in the context of this API means "client application" such as "enforePOS". For this API, the application is always specified via a path parameter (in addition to the staff member/access level and the organization).

There are four distinct types of access rights:

  1. "Dashboard widgets" grant access to specific widgets on the application dashboard.
  2. "Dashboard sales channels" grant access to view data for a specific sales channel via the dashboard widgets.
  3. "Application workflows" grant access to specific workflows in the application (a workflow usually corresponds to a specific sidebar menu item).
  4. "Application functions" grant access to specific functions of the application (a function is usually some action/operation that can be invoked as part of a workflow).

The granted rights for each of the four types are listed in the map fields of the ApplicationAccessRights structure. The keys of the dashboard_widgets, application_workflows, and application_functions maps are access right identifiers (see the application-specific documentation appendices for those). The keys of the dashboard_sales_channels map are sales channel identifiers and do not depend on the application. The values of all four maps are ApplicationAccessRightAccessInfo objects holding the IDs of the staff members and/or the access level that are granted the right.

For example, the following structure:

{
    "dashboard_widgets": {
        "top_products": {
            "everyone": true
        },
        "total_revenue": {
            "access_level": "X",
            "staff_members": [ "A", "B"]
        },
        "open_invoices": {
            "staff_members": [ "A" ]
        }
    },
    "dashboard_sales_channels": {
        "hamburg": {
            "access_level": "X",
            "staff_members": [ "A" ]
        },
        "berlin": {
            "access_level": "X",
            "staff_members": [ "B" ]
        }
    },
    "application_workflows": {
        "sales_register": {
            "access_level": "X",
            "staff_members": [ "A" ]
        },
        "inventory_list": {
            "staff_members": [ "B" ]
        }
    },
    "application_functions": {
        "void_lineitems": {
            "staff_members": [ "A" ]
        }
    }
}

Means that:

  • everyone has access to
    • the dashboard widget "top_products"
  • access level X has access to
    • the dashboard widget "total_revenue"
    • the dashboard sales channels "hamburg" and "berlin"
    • the application workflow "sales_register"
  • staff member A has access to
    • the dashboard widgets "total_revenue" and "open_invoices"
    • the dashboard sales channel "hamburg"
    • the application workflow "sales_register"
    • the application function "void_lineitems"
  • staff member B has access to
    • the dashboard widget "total_revenue"
    • the dashboard sales channel "berlin"
    • the application workflow "inventory_list"

Default access

When no ApplicationAccessRightAccessInfo is given for a specific right (i.e., when the key is missing from the map), a "default access" configuration is used.

For dashboard_widgets and dashboard_sales_channels, the default access configuration is "no access to anyone".

For application_workflows and application_functions, the default access configuration is "access to every staff member".
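The following is an added example, not code from the enfore API or its documentation. It evaluates an ApplicationAccessRights structure (the sample from the text above, embedded as constructed JSON) for one staff member and applies the default-access rules of this section, so that the allow-by-default behaviour of workflows and functions, versus the deny-by-default behaviour of dashboard rights, is explicit in one place. The function names, the `DEFAULT_ACCESS` table and the convention of passing the staff member's assigned access level alongside their ID are assumptions of this example.

```python
import json

# Constructed sample: the ApplicationAccessRights structure from the text above.
SAMPLE_RIGHTS = json.loads("""{
  "dashboard_widgets": {"top_products": {"everyone": true},
                        "total_revenue": {"access_level": "X", "staff_members": ["A", "B"]},
                        "open_invoices": {"staff_members": ["A"]}},
  "dashboard_sales_channels": {"hamburg": {"access_level": "X", "staff_members": ["A"]},
                               "berlin": {"access_level": "X", "staff_members": ["B"]}},
  "application_workflows": {"sales_register": {"access_level": "X", "staff_members": ["A"]},
                            "inventory_list": {"staff_members": ["B"]}},
  "application_functions": {"void_lineitems": {"staff_members": ["A"]}}
}""")

# Default access used when a right has no ApplicationAccessRightAccessInfo entry:
# dashboard rights are deny-by-default, workflows and functions allow-by-default.
DEFAULT_ACCESS = {
    "dashboard_widgets": False,
    "dashboard_sales_channels": False,
    "application_workflows": True,
    "application_functions": True,
}


def has_access(rights, right_type, right_id, staff_member, access_level=None):
    """True if staff_member (optionally assigned to access_level) holds
    right_id of right_type under the given ApplicationAccessRights."""
    if right_type not in DEFAULT_ACCESS:
        raise ValueError(f"unknown access right type: {right_type}")
    info = rights.get(right_type, {}).get(right_id)
    if info is None:                      # key missing -> default access applies
        return DEFAULT_ACCESS[right_type]
    if info.get("everyone"):
        return True
    if staff_member in info.get("staff_members", []):
        return True
    # Guard against None == None when neither side names an access level.
    return access_level is not None and info.get("access_level") == access_level


def effective_rights(rights, staff_member, access_level=None):
    """Explicitly listed rights held by one staff member, grouped by type."""
    return {
        t: sorted(k for k in m if has_access(rights, t, k, staff_member, access_level))
        for t, m in rights.items()
    }
```

Note that `effective_rights` only enumerates keys present in the maps; a right that is absent from the map is still granted for workflows and functions, as `has_access` shows.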