
User Authentication

Andy Theuninck edited this page Apr 29, 2015 · 2 revisions

Most installations will use some form of user authentication. There are two different kinds of user accounts: Cashiers who can log into a lane machine, and Users (for lack of a better term) who can log into the back end Office systems.

Cashier Accounts

Cashier accounts are created and managed via Office. Tools are found in the Admin menu by default. Cashiers simply have a password that can be entered to log into a lane. Historically cashier passwords have simply been numeric, although letters are allowed now. Passwords may be printed out as barcodes to allow a "log in via scan" mechanism.

Cashier accounts can be granted Regular or Manager privileges. Which actions require Manager privileges is configurable at the Lane level.

User Accounts

User accounts control access to back end Office software. Configuration for user accounts is found on the Authentication tab of the configuration page. Unlike cashier accounts, user accounts consist of both a username and a password.

By default, user accounts are stored in the database. However, Office can be configured to use one of two other authentication sources, LDAP or Shadow. LDAP is the more important of the two and lets CORE authenticate against a directory server. The defaults are set to use an OpenLDAP server's typical schema, but Active Directory authentication is likely possible. The Shadow option lets CORE authenticate local user accounts. This only works when Office is installed on a Linux machine. PHP does not have particularly good PAM integration, so the Shadow option requires a specially built C utility to read /etc/shadow. Instructions appear on the configuration page as needed.

User accounts are not organized into a hierarchy. Permissions are configured via authorization classes. One or more classes are assigned to a user account, and each class gives the user access to a specific set of tools. Users may also be arranged into groups.

By default, user authentication is not enabled. When turned on, an account named admin is created and given the authorization class admin. Do not delete this account unless you have granted another account the admin class. This authorization is required to manage other user accounts.

Office's sample data includes a set of default groups for common roles. The first user named admin is automatically a member of all these groups as a placeholder. Default groups are:

  • Administrators - simply given all available permissions.
  • Items - this group has permission to create, edit, and delete items as well as set up sales batches and manage shelftags. Buyers and/or Scanning staff often belong in this group.
  • Membership - this group has permission to create and edit member accounts. Terminology and staff structure varies more here but every co-op will have someone who belongs here.
  • FE Management - Front End management has permission to create and edit cashiers, use tools related to tenders and variances, and view cashier performance reporting.
  • Limited Editors - this group can adjust contact information on memberships but not other settings. They can also edit items and sales batches but when they do so notifications are dispatched to whoever is normally responsible for those items. This role can be useful for floor managers or equivalent staff to make small fixes on weekends or odd hours when people in the Items or Membership groups aren't present - e.g., adjusting a price to match floor signage rather than continually open ringing the item.
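The warning above about deleting the admin account can be turned into a check, shown here as an added example that is not CORE's own code or schema. It assumes group membership confers authorization classes and that the Administrators group includes the admin class; the data model, function names and class names other than admin are hypothetical.

```python
# Added example: hypothetical in-memory model, not CORE's schema or code.
from dataclasses import dataclass, field

ADMIN_CLASS = "admin"  # authorization class name taken from the page


@dataclass
class Account:
    name: str
    classes: set = field(default_factory=set)  # classes assigned directly
    groups: set = field(default_factory=set)   # group memberships


def effective_classes(account, group_classes):
    """Directly assigned classes plus classes conferred by groups (assumption)."""
    result = set(account.classes)
    for group in account.groups:
        result |= group_classes.get(group, set())
    return result


def admin_holders(accounts, group_classes):
    """Names of all accounts that currently hold the admin class."""
    return sorted(name for name, acct in accounts.items()
                  if ADMIN_CLASS in effective_classes(acct, group_classes))


def can_delete(name, accounts, group_classes):
    """Return (allowed, reason); refuse to remove the last admin-class holder."""
    if name not in accounts:
        return False, "no such account"
    holders = admin_holders(accounts, group_classes)
    if holders == [name]:
        return False, "last account holding the admin class"
    others = [h for h in holders if h != name]
    return True, "admin class still held by: " + (", ".join(others) or "nobody")


# Constructed sample data; class names other than "admin" are hypothetical.
GROUP_CLASSES = {"Administrators": {"admin", "items", "members"},
                 "Items": {"items"}}
ACCOUNTS = {
    "admin": Account("admin", classes={"admin"}, groups={"Administrators", "Items"}),
    "buyer1": Account("buyer1", groups={"Items"}),
}

if __name__ == "__main__":
    for target in ("admin", "buyer1"):
        print(target, can_delete(target, ACCOUNTS, GROUP_CLASSES))
```

With the sample data, deleting admin is refused until a second account holds the admin class, either directly or through a group.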

Finally, the Authentication tab of the Office configuration page also contains a setting labeled Authenticate by default. This will force users to log in in order to access any tool or report in Office. This blanket requirement does not involve any specific authorization class.
