snipe-it
snipe-it copied to clipboard
snipe
Add multicompany access permission
Description
Introduces a new permission to allow access to multiple companies without being a Super User.
This work was mostly done previously by @Robert-Azelis in #9641 and #9642.
Fixes #9621
Type of change
- [x] New feature (non-breaking change which adds functionality)
- [x] This change requires a documentation update
How Has This Been Tested?
Testing WIP
Test Configuration:
- PHP version:
- MySQL version
- Webserver version
- OS version
Checklist:
- [ ] I have read the Contributing documentation available here: https://snipe-it.readme.io/docs/contributing-overview
- [ ] I have formatted this PR according to the project guidelines: https://snipe-it.readme.io/docs/contributing-overview#pull-request-guidelines
- [ ] My code follows the style guidelines of this project
- [ ] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] My changes generate no new warnings
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
Okay, so let me just see if I'm reading this right. What this seems to do is create a brand-new permission for 'multicompany' - which can be granted to administrators instead of fully granting them superUser permissions.
So people who were already superusers will automatically pass any hasAccess() call - so those superusers will still have the same privileges they had before. But now, we can grant this lower privilege level to some administrators, and they will have access to all companies, but will not be superUsers.
Okay, so let me just see if I'm reading this right. What this seems to do is create a brand-new permission for 'multicompany' - which can be granted to administrators instead of fully granting them superUser permissions.
So people who were already superusers will automatically pass any
hasAccess()call - so those superusers will still have the same privileges they had before. But now, we can grant this lower privilege level to some administrators, and they will have access to all companies, but will not be superUsers.
Yes, that is true, no negative influence on SuperUser role. This new permision 'mulitcompany' will be available in scope of roles for group or users, so you can manage which kind of group or user should get access to multicompany ;) I think it's milestone for improve this part. Of course in future will be great to get posibility select per company access :)
Heya - just checking in here :) This is still listed as a draft, so I'm not sure how I should handle it.
@snipe thanks for checking in! I haven't been able to resume work on this yet. I do want to ensure this is a the right direction to go before putting to much more in to it.
And as @Robert-Azelis mentioned, I agree that ideally users can be associated with multiple companies, not just all-or-one.
Hello, Is this feature still under development, it would be really useful for users to be associated with multiple companies, not just all-or-one. We could have one admin per companies/or multiple and Finance/others could access all companies department (read only) Thank you
Also need this for our organization! I am trying to work around this right now by creating duplicate users for the second company.
Hi @travismiller , I think we should push deployment of this change in this form as it is (allow manage multicompany access via access groups) and looking more improvements in future (like associate users with selected companies). I implemented this modyfication about 2 years ago in my corporate and it is better then nothing ;)
Yes @Robert-Azelis, I agree with you. We've been using it in production for quite some time as-is.
I am going to take it out of draft status as I don't see getting to put any more effort into it in the near future.
It will be the Snipe-IT team’s choice on what to do with it of course.
Hi @snipe, any progress with merge this modification to new v.6.0 release?
I too would be interested in this. I was using a different solution before this, but upgrading to 6.0 broke that. It sounds like this permission would also work as a solution. It's not as granular as what I was using before, but I do need something in order to use 6 over 5.
It would be also handy to also have an additional optional complementary ability to configure that...
People from location X (based on LDAP search OU) will automatically have access to the company or companies that we specify.
People from location Y (based on LDAP search OU) will automatically have access to an alternative set of companies that we specify.. and so on ..etc
This would also allow us to do bulk configuration for who is in what company based on location which would help to save us a lot of time and effort instead of manually having to do it..
AND also an exception list that it can ignore if they are listed as a member of a group of choice as this could also help with flexibility.
Any updates on this one? Looking for exactly this function to be implemented.
Yes I would be also glad if the multi company access for non-super-admins would be possible! A huge +1 for this. Right now I need to create multiple accounts for the same person.
Hi new, Taking Snip-It for a test run and this would be a great feature. When's this going to be merged? My manager is part of multiple companies and so am I and this would be a godsend so I don't have to create the same user per company.
Hello, We would also highly appreciate this PR. Even better would be a more granular selection of access allowed companies, but for the time being, this would be fine.
- 1 for that, having more granular Rights based on Group/Departments/Organisations would be great.
Simplest Form like adding a User/Admin to multiple Companies would really help here :)
Is this in the loop now for an upcoming release? Would really help us! (a larger municipality managing students IT assets in over 100 schools)
We needed to make our users super admins until we found this gem. We implemented it manually and until now it is working flawlessly. Extremely useful if you have several companies/subsidiaries managed by different Asset-Managers in one system! Please review and merge this as soon as it's feasible for you :)
This sounds like it could be the solution we are looking for (we will attempt to patch our test box and see what happens). Not being able to to delegate at a more granular level is keeping us from implementing this.
It will likely not be merged before v7, as it requires a ton of testing and can break things very badly if we miss a test case.
I'm not seeing the gate definition here in the AuthServiceProvider though, so I don't think this would work as expected.
+1 - we have tier 1 helpdesk that do not need super admin to the inventory management system. We support multi-tenancy/companies so this is critical for us as well.
Made the change manually, worked like a charm. Would be awesome if this could be merged in v7.
I'm glad this all worked like a charm for lots of people on this thread, but there are unresolved issues here, including a gate that doesn't seem defined. We're still strongly considering this, but there is a TON of testing and a ton of outstanding questions that we'll run into when people have different setups and workflows than you.
How to do permissions work in a multi company environment? Everyone gets the same permissions across all companies? Okay, but people can have multiple permission groups AND individual permission groups. How do we handle this without breaking all of the bespoke workflows people have created?
(And at the day, people will - and have - asked for the same kinds of constraints for locations, departments, managers, etc - so this is not as straightforward as it seems.)
Is it possible to somehow alter this, so that users could be part of more than 1 company?
That would enable me to have users (non admin) to access assets in two different companies. Without giving them the multiple company support.