On-Call scheduling permissions

Phillip Tharp · ‎11-22-2019

I am trying to modify the set of users that can create on call schedules. My issue is that I can't find where the "select group" dialog is configured. I have adjusted the script include referenced in the various related ACLs to allow the other set of users to click into the dialog but now I'm stuck because the group dropdown only loads groups for which the user is a manager. I think I can probably make enough ACL adjustments to allow these users to directly create records in the tables but I want the experience to be the same for group managers and other users.

For reference the url that loads for a new schedule is: /nav_to.do?uri=%2F$oc_creation_wizard.do

Summary- looking for where to edit the dialogs for on call schedule creation.

Naveen20 · ‎11-22-2019

The acl is at the module level. rota_admin role is needed to create / edit schedule. Give this role to users who would want to create or edit schedule.

Divakar3 · ‎11-25-2019

Hi Phillip,

I also having issue related on-call scheduling, I am having issue that user unable to get groups which are manager assigned to him, but when I'm adding rota_admin role then he could see all the groups. Have you done any changes to get his groups only.

Thank you!

Divakar

Phillip Tharp · ‎11-26-2019

Thanks for the replies, I'll share some information I've found:

First, this statement: " rota_admin role is needed to create / edit schedule." is inaccurate based on my testing. Impersonating a manager gives them access to the create/edit schedule dialog if they click "my group's schedules" and then the NEW button.

Second, I've found that all of the permissions for the on-call application are controlled via a script include that you can find referenced in the table ACLs: OnCallSecurityNG.

There are also functions in that script concerning the getting of groups, which seems to answer my posted question about how to populate the group selector for my subset of users I want to provision schedule creation access to.

The function "isManagerOfAnyGroup" seems to give group managers access to the NEW button to get into the dialog.

The function "getGroups" seems to be what is called in the group-selector dialog.

The funtion "rotaMgrAccess" seems to control edit permissions of existing schedules.

Lastly, the rota_admin role, as you noted, provides admin-level permission, including creating/editing ALL calendars, as well as the ability to delete ANY schedule, and as such is not appropriate for my use case

Side note- I would have expected that applying the rota_manager role directly to a user in a group would cause them to have "manager" level permissions for that group but that seems to be not the case. I did test delegating the rota_manager role per group, which did get them into the dialog, but no groups loaded for them.

I'll try to come back and post my final strategy and solutions when I get it working.

Phillip Tharp · ‎12-06-2019

I have a working solution.

I found the Shift Manager field in group preferences that allows members of a group to be given shift management permissions.

Then I had to edit the script that populates the users that can be added as shift managers by adding to the getRotaManagersFromGroup function a snippet of code that pulls users matching my criteria.

(the function returns a comma-separate list of user sys_ids, just queried based on my criteria)

Then I had to add similar code to the query that populates the group dialog

//gaGroup.addQuery("manager", userSysId);//COMMENTED

gaGroup.addEncodedQuery('manager=' + userSysId + '^OR{Insert criteria here});//ADDED

After all that, I still found that there was a business rule that checked for the validity of users being added as shift managers: [Validation of Rota Managers from Group] Based on what it was doing, I just disabled it but I may later dig in and add my secondary criteria in this script similar to how I worked on the others.