User Roles vs Path to user roles - when to use?

0
Dear fellow Mendix developers,   I would like to ask you a question on how you approach a specific situation.   Imagine a scenario where you have four main entities: - Expense - Company - Employee - UserAccount   Associations between those entities: Company 1 - * Expense Company 1 - * Employee Employee 1 - * Expense Employee 1 - 1 UserAccount   We currently have only one user role: 'Employee'. They can create, delete, read and write only their own expenses. We need to add an additional role called 'Administrator'. That role has full access to the expenses of all employees that are associated to their company.   Do you: A) Create a User Role 'Administrator' and define entity access through that user role with a constraint that looks something like: [Expense/Expense_Company/Company/Company_Employee/Employee_UserAccount = '[%CurrentUser%]']   B) Create additional association between Employee and Company called 'Employee_Administrator', and then define access through constraint that looks something like:  [Expense/Expense_Company/Company/Company_Administrator/Employee/Employee_UserAccount = '[%CurrentUser%]']   When do you use A) and when do you use B)? What are pros and cons of each approach?   Edit: How does the approach change if one Employee can be administrator in multiple companies?
asked
1 answers
1

In this case I would advise to create a user role 'Administrator', as this is exactly what it is intended for. If you go route B it will add extra maintenance work for that association.

Scenario A: When you set the company for the administrators, they will automatically get the correct permissions.

Scenario B: When you set the company for the administrators, you will also have to set the association to the employee. Also when an employee changes company for instance, you will need to update it.

 

A is the way to go, as it's easier to maintain

answered