1. Access Control:
  1. People are assigned a "role" that grants them access to certain types of information.
  2. Access to information may be "Read-Only" or "Data Entry", where data entry includes the right to add new and clone information.
  3. No person has the right to delete any information. History cannot be changed, so once data is added and entered, that fact shall remain for at least seven years. The threat of fraud has been minimised by eliminating any way for a fraud to be lost, hidden, amended or erased. Every change to every field is recorded in an evidence trail that cannot be changed in any way and is replicated to a large number of secure data centres so evidence cannot be lost.
  4. When a person leaves, the Supervisor, Manager or Owner can mark the person's record as "Inactive" to prevent any further sign-in.
  5. Any number of Owners may coexist; however, no Owner has any reason to be aware that any other Owner exists. Every Owner perceives themselves as the only Owner. Business data cannot leak or be shared from one Owner to another; the threat of a data breach has been eliminated.
  6. Each Owner shall manage their own list of role names using the finite role numbers.
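The evidence trail of item 3 (every field change recorded, nothing ever deleted, history frozen for at least seven years) can be demonstrated with a hash-chained append-only log. The Python below is an added illustration written for this page, not Eliza's own code: the `EvidenceTrail` class, the record layout and the constructed sample changes are assumptions for the example. It records field changes, replays a field's history, detects any altered entry, and only ever marks old entries as archivable, never deletable.

```python
"""Append-only field-change evidence trail with a hash chain (added example)."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# "at least seven years" (section 1, item 3); expressed in days for the example
RETENTION = timedelta(days=7 * 365)


def _digest(entry):
    # Canonical JSON so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class EvidenceTrail:
    """Records every field change; entries can be added and read, never edited or deleted."""

    def __init__(self):
        self._entries = []

    def record(self, who, record_id, field, old, new, when):
        """Append one change. Each entry carries the hash of the previous entry."""
        prev = self._entries[-1]["hash"] if self._entries else "0" * 64
        body = {"seq": len(self._entries), "who": who, "record": record_id,
                "field": field, "old": old, "new": new,
                "at": when.isoformat(), "prev": prev}
        body["hash"] = _digest(body)          # hash covers everything but itself
        self._entries.append(body)
        return body["hash"]

    def entries(self):
        # Copies only: callers can read the trail but cannot mutate it.
        return [dict(e) for e in self._entries]

    def verify(self, stored=None):
        """Recompute the chain; return the index of the first altered entry or -1 if intact."""
        entries = self._entries if stored is None else stored
        prev = "0" * 64
        for i, e in enumerate(entries):
            expected = _digest({k: v for k, v in e.items() if k != "hash"})
            if e["seq"] != i or e["prev"] != prev or e["hash"] != expected:
                return i
            prev = e["hash"]
        return -1

    def history(self, record_id, field):
        """Replay: the value a field took at each point in time."""
        return [(e["at"], e["new"]) for e in self._entries
                if e["record"] == record_id and e["field"] == field]

    def eligible_for_archive(self, now):
        """Entries past the retention period may be archived; there is no delete."""
        return [e for e in self._entries
                if datetime.fromisoformat(e["at"]) + RETENTION <= now]


def demo():
    """Constructed sample: two changes to one field, then a tampering attempt on a copy."""
    t0 = datetime(2018, 1, 2, tzinfo=timezone.utc)
    trail = EvidenceTrail()
    trail.record("alice", "P100", "status", "draft", "issued", t0)
    trail.record("bob", "P100", "status", "issued", "paid", t0 + timedelta(days=1))
    tampered = trail.entries()
    tampered[0]["new"] = "paid"               # someone tries to rewrite history
    return {
        "intact": trail.verify(),
        "tampered_at": trail.verify(tampered),
        "history": trail.history("P100", "status"),
        "archivable_now": len(trail.eligible_for_archive(t0 + timedelta(days=10))),
        "archivable_2026": len(trail.eligible_for_archive(
            datetime(2026, 1, 1, tzinfo=timezone.utc))),
    }


if __name__ == "__main__":
    print(demo())
```

Replicating the same chain to several stores, as item 3 describes, lets each copy be checked with `verify()` against the others; an entry that differs in any field, or an entry that is missing, breaks the chain from that point on.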
2. Glossary:
  "Project" means a contract between a client and supplier where the supplier may be known as the owner or contractor.
  "Site" means the business information associated with a person, project or company.
  "HR" means person, project or company information that has an owner.
  "Company" means an Owner, Client or Supplier that has the same owner.
  "RO" means "Read-Only" access to shared information; otherwise "Data-Entry" processing is implied.
  "My Data" means each person has access to their own private diary, HR and Asset information, including invoicing of time and expenses to a company.
  "Knowledge" means a set of business rules to represent a procedure as a work instruction.
  "Business Rule" means a "Cause" (when) has one or more "Consequences" (do).
  "Cause" means when one or more fields match specific field permitted values.
  "Consequence" means to transform one or more fields from one permitted value to another.
3. Access Control Roles:
  Information shall never be leaked to a person by showing them data that they have no right to know. See gliff "B4625" as the business rules.
  r0. "None" is assigned when a person is no longer approved to use that profile because it may have been compromised.
  r1. "Self" is the "default" role assigned to people when they self register, granting them the right of data-entry access to their own diary, own HR and own assets. Every approved person has this right to process their own private data.
  r2. "Agent" is a simple role assigned to people who have read-only access to one named project's information.
  r3. "Trade" is a flexible role assigned to people who have read-only access to information about any project operated by the company that pays them.
  r4. "Client" is a specific role assigned to people who have read-only access to information about any project paid for by the company that pays them.
  r5. "Supervisor" is a project role assigned to people who have data-entry access to information about any project operated by the company that pays them, any supplier to the company that pays them, and any person paid by the company that pays them.
  r6. "Manager" is a company role assigned to people who have data-entry access to information about any project, supplier or person associated with their company, and read-only access to their company information.
  r7. "Owner" is an executive role assigned to people who have data-entry access to all business information that they own.
4. Clock-In Roles:
  Information shall never be leaked to a person by showing them a drop-down list of data that they have no right to know.
  r1. "Self" is the default role assigned to people when they self register; they may clock-in to their own data.
  r2. "Agent" is a simple role assigned to people who have the right to clock-in to one named project.
  r3. "Trade" is a flexible role assigned to people who have the right to clock-in to any project operated by the company that pays them.
  r4. "Client" is a specific role assigned to people who have the right to clock-in to any project paid for by the company that pays them.
  r5. "Supervisor" is a project role assigned to people who have the right to clock-in to any project operated by the company that pays them, and any supplier to the company that pays them.
  r6. "Manager" is a company role assigned to people who have the right to clock-in to any project operated by the company that pays them, the company that pays them, and any supplier to the company that pays them.
  r7. "Owner" is an executive role assigned to people who have the right to clock-in to any project, any company and any person operated by their company.
5. Access Control Lists:
  Access control is deployed in a way where the only variable is that a manager must assign the correct role to each approved person. Every role change is reported in real-time to the Owner for verification.
  w1. "my self" is the private diary, HR, asset and account data of a registered person.
  w2. "named project" is one project assigned to an approved person.
  w3. "Projects by Owner" is a list of projects that are operated by the company that pays the person.
  w4. "Projects by Client" is a list of projects that are paid for by a client, where the person is also paid by that same client.
  w5. "People by Owner" is a list of people that are used by the company that pays the person. Supervisors and above have access to this list of people so that roles and rates can be managed; people can also be marked as "inactive" when they have left.
  w6. "Companies by Owner" is a list of supplier and client companies that are used by the company that pays the person.
  w7. "Client Company" is the name of the client company that pays the person.
  w8. "Owner Company" is the name of the company that pays the person.
6. Matrix:
  Role | Clock-In Location List | Welcome Site List
  r1. Self | w1. my self | w1. my self
  r2. Agent | w1. my self + w2. named project | w1. my self + w2. RO named project
  r3. Trade | w1. my self + w3. projects by owner | w1. my self + w3. RO projects by owner
  r4. Client | w1. my self + w4. projects by client | w1. my self + w4. RO projects by client + w7. RO client company
  r5. Supervisor | w1. my self + w3. projects by owner | w1. my self + w3. projects by owner + w5. people by owner + w6. companies by owner
  r6. Manager | w1. my self + w3. projects by owner + w8. owner company | w1. my self + w3. projects by owner + w5. people by owner + w6. companies by owner + w8. RO owner company
  r7. Owner | w1. my self + w3. projects by owner + w8. owner company | w1. my self + w3. projects by owner + w5. people by owner + w6. companies by owner + w8. owner company

  Edit this matrix to manage role names for each fixed role number.
7. Clock In Matrix:
  Role | w1. my self | w2. named project | w3. projects by owner | w4. projects by client | w5. people by owner | w6. companies by owner | w7. client company | w8. owner company | business rule
  r1. Self | Yes | - | - | - | - | - | - | - | when r1 do w1
  r2. Agent | Yes | Yes | - | - | - | - | - | - | when r2 do w1+w2
  r3. Trade | Yes | - | Yes | - | - | - | - | - | when r3 do w1+w3
  r4. Client | Yes | - | - | Yes | - | - | Yes | - | when r4 do w1+w4+w7
  r5. Supervisor | Yes | - | Yes | - | - | - | - | - | when r5 do w1+w3
  r6. Manager | Yes | - | Yes | - | - | - | - | Yes | when r6 do w1+w3+w8
  r7. Owner | Yes | - | Yes | - | - | - | - | Yes | when r7 do w1+w3+w8

  Edit this matrix to manage access control to the clock-in location drop-down list.
8. Welcome Site Matrix:
  Role | w1. my self | w2. named project | w3. projects by owner | w4. projects by client | w5. people by owner | w6. companies by owner | w7. client company | w8. owner company | business rule
  r1. Self | DE | - | - | - | - | - | - | - | when r1 do w1DE
  r2. Agent | DE | RO | - | - | - | - | - | - | when r2 do w1DE+w2RO
  r3. Trade | DE | - | RO | - | - | - | - | - | when r3 do w1DE+w3RO
  r4. Client | DE | - | - | RO | - | - | RO | - | when r4 do w1DE+w4RO+w7RO
  r5. Supervisor | DE | - | DE | - | DE | DE | - | - | when r5 do w1DE+w3DE+w5DE+w6DE
  r6. Manager | DE | - | DE | - | DE | DE | - | RO | when r6 do w1DE+w3DE+w5DE+w6DE+w8RO
  r7. Owner | DE | - | DE | - | DE | DE | - | DE | when r7 do w1DE+w3DE+w5DE+w6DE+w8DE

  Edit this matrix to manage access control to site information as "Read-Only" (RO) or "Data-Entry" (DE).
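The roles of sections 3 and 4, the lists of section 5 and the two matrices above can be checked mechanically. The Python below is an added example written for this page, not part of the original document or of Eliza: it parses the "business rule" column of both matrices (copied verbatim), evaluates a person's role against them with default deny, refuses inactive people and role r0 "None" before any list is shown, never permits delete, and verifies that no role is offered a clock-in location it cannot also see on its welcome site. The `Person` class and the sample names are assumptions for the example.

```python
"""Role and access-list evaluation from the Clock-In and Welcome Site matrices (added example)."""
import re
from dataclasses import dataclass

# Fixed role numbers (section 3). Names are editable per Owner; the numbers are not.
ROLE_NAMES = {0: "None", 1: "Self", 2: "Agent", 3: "Trade", 4: "Client",
              5: "Supervisor", 6: "Manager", 7: "Owner"}

# Business rules copied from the "business rule" column of the two matrices.
WELCOME_SITE_RULES = [
    "when r1 do w1DE",
    "when r2 do w1DE+w2RO",
    "when r3 do w1DE+w3RO",
    "when r4 do w1DE+w4RO+w7RO",
    "when r5 do w1DE+w3DE+w5DE+w6DE",
    "when r6 do w1DE+w3DE+w5DE+w6DE+w8RO",
    "when r7 do w1DE+w3DE+w5DE+w6DE+w8DE",
]
CLOCK_IN_RULES = [
    "when r1 do w1",
    "when r2 do w1+w2",
    "when r3 do w1+w3",
    "when r4 do w1+w4+w7",
    "when r5 do w1+w3",
    "when r6 do w1+w3+w8",
    "when r7 do w1+w3+w8",
]

RULE_RE = re.compile(r"^when r(\d) do (.+)$")          # cause: the role number
CONSEQUENCE_RE = re.compile(r"^w(\d)(DE|RO)?$")          # consequence: list + mode


def parse_rules(rules):
    """Parse 'when rN do wXmode+wYmode' lines into {role: {list: mode}}.

    A consequence without a mode (the clock-in rules) is recorded as "Yes".
    Malformed or duplicate rules are rejected rather than silently granting access.
    """
    table = {}
    for rule in rules:
        m = RULE_RE.match(rule.strip())
        if not m:
            raise ValueError(f"malformed business rule: {rule!r}")
        role = int(m.group(1))
        if role in table:
            raise ValueError(f"duplicate rule for role r{role}")
        grants = {}
        for cons in m.group(2).split("+"):
            c = CONSEQUENCE_RE.match(cons.strip())
            if not c:
                raise ValueError(f"malformed consequence {cons!r} in {rule!r}")
            grants[int(c.group(1))] = c.group(2) or "Yes"
        table[role] = grants
    return table


WELCOME_SITE = parse_rules(WELCOME_SITE_RULES)
CLOCK_IN = parse_rules(CLOCK_IN_RULES)


@dataclass
class Person:
    name: str
    role: int            # fixed role number r0..r7
    active: bool = True  # set False when the person leaves (section 1, item 4)


def can_sign_in(p):
    """Inactive people and role r0 "None" are refused before any list is shown."""
    return p.active and p.role in WELCOME_SITE


def site_mode(p, w):
    """Return "DE", "RO" or None (default deny) for list w on the welcome site."""
    if not can_sign_in(p):
        return None
    return WELCOME_SITE[p.role].get(w)


def clock_in_lists(p):
    """The set of list numbers offered in the clock-in location drop-down."""
    if not can_sign_in(p):
        return set()
    return set(CLOCK_IN[p.role])


def permitted(p, action, w):
    """Read needs RO or DE; add and clone need DE; delete is never permitted."""
    mode = site_mode(p, w)
    if action == "read":
        return mode in ("RO", "DE")
    if action in ("add", "clone"):
        return mode == "DE"
    return False   # "delete" and anything unknown: history cannot be changed


def clock_in_within_site():
    """Invariant: a role is never offered a clock-in list it cannot also see on its site."""
    return all(set(CLOCK_IN[r]) <= set(WELCOME_SITE[r]) for r in CLOCK_IN)
```

Because every decision goes through `parse_rules`, editing a matrix row changes the effective permissions without touching the evaluation code, which is the "business rules as data, no program logic" arrangement section 9 describes; the invariant check is the kind of test to run whenever a matrix is edited.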
9. Intellectual Property (IP):
  Trade Secret:
  1. Program Logic is avoided by diligent architectural design of Data Structures based on Business Rules.
  2. In the same way as a clock translates a swinging pendulum into time-of-day using the arithmetic of cog wheels, Eliza transposes program logic into data structures and business rules.
  3. Data Structure (DS) = Program Logic (PL) * Business Rules (BR). As business rules increase, program logic decreases for any given business data model.
  4. PL = DS / BR = 1 when DS = BR. Business Rules are equivalent to the Data Structure when Program Logic is unity.
  5. Business Rules are stored as knowledge that can be edited, so without any application programming changes to Program Logic, the application can continually evolve.
  6. Corporate Policies are decomposed into Procedures as Work Instructions. Each Procedure is expressed as a set of Business Rules and stored as knowledge.
  7. No program logic is involved, so continual improvements are applied to Business Rules with the simplicity of data maintenance forms.
  8. No program logic is involved, so the standard architectural design of HTML evolves at the steady rate of International Standards. It is not practical to apply continual improvement requests to architectural International Standards; HTML must apply to all types of computer devices and browsers.
  9. No program logic is involved, so no person needs to know the many layers of encryption that are applied to business information. No person needs to know the large number of secure data centres where encrypted images are replicated.
  10. The threat of a data breach has been eliminated by never storing any readable business information; only fragmented encrypted images that are meaningless and worthless are replicated to many storage places.
  11. When a person signs in they are assigned to one and only one Owner, so they are not aware that any other Owner exists. An Owner is a dimension in space-time and, while other space-times may exist, one space-time dimension cannot see another. Business information exists for all space-time events, so a historical situation that happened last year can be viewed but cannot be changed; history is information frozen in time.
Document Control.
  1. Document Title: Access Control.
  2. Description: Access Control, policies and guidelines.
  3. Keywords: Access Control, policies and guidelines.
  4. Privacy: Shared with approved people for the benefit of humanity.
  5. Edition: 1.1.
  6. Issued: 2 Jan 2018.