If I am contracting an external auditor to do some job, I only want this person to access the parts of the system until the job is complete, but still have the user in my base for future contracts.
The way I see it, I would like to add this auditor as a user to a Location, temporarily - with an automatic expiration date. After the time runs out, the user would no longer have access, without the necessity for human intervention to remove the user from the Location.
This association could be done by the Location interface, or - preferably - through the Schedule interface.
If I select an auditor which has access to a form, but does not have an association or group or direct link which would otherwise grant him access to the Location, the default behavior for the interface would be to:
Show a notification that the user needs to have access to the Site for the Audit to happen. This should be a badge, icon or other unobtrusive object (NOT a modal box) in the interface.
The default should be to grant the user access, since it is what is required for the Audit to happen.
It should be configurable by the Admin to set the system setting to have these "spontaneous" User<->Location associations be permanent or temporary by default. There should be a checkbox to change the state of the connection being created as temporary or permanent.
In the Due Dates at the end, there should be an additional date for the connection expiration. By default it would be the result of all periods coming before - Audit Duration, Upload date, time limit for CARs to be solved. There should be a field to increment the access for + X days after all those variable periods expire (this would be a safety net for increased access duration).
It should also be possible to enable a function to "not expire access until all CARs are resolved", even if they are not all solved when their deadline comes.
Duplicate from SC-I-8:
I would like to be able to set up temporary permissions.
It would be great to be able to grant an external auditor access to a Site for only as long as the Audit and Corrective Actions require.
Just like there can be relative dates for corrective actions, it should be possible to give an auditor temporary permissions which by default would cover the necessary time. It should be possible also to extend the time with an extra "padding" time if desired, but also to either revoke sooner or to delay the automatic revocation depending on whether or not there are any Corrective Actions still open.
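The expiration rules requested in the first post (default expiry from the summed periods, "+ X days" padding, hold until all CARs are resolved) and in SC-I-8 (early revocation) can be evaluated at access time, so nothing has to remove the user. This is an added sketch, not code from the product or from the posters; `LocationGrant`, `has_access`, every field name and the choice to count periods from the audit start are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LocationGrant:
    """Hypothetical User<->Location association created while scheduling an audit."""
    audit_start: datetime
    audit_duration: timedelta
    upload_window: timedelta                 # time allowed to upload results
    car_time_limit: timedelta                # time allowed to solve CARs
    padding: timedelta = timedelta(0)        # the "+ X days" safety net
    temporary: bool = True                   # False = permanent association
    hold_while_cars_open: bool = False       # do not expire until all CARs are resolved
    revoked_at: Optional[datetime] = None    # manual early revocation

    def expires_at(self) -> Optional[datetime]:
        """Default expiration: every period added up, plus padding."""
        if not self.temporary:
            return None                      # permanent: no expiry date
        return (self.audit_start + self.audit_duration + self.upload_window
                + self.car_time_limit + self.padding)


def has_access(grant: LocationGrant, now: datetime, open_cars: int) -> bool:
    """Decide per request; an expired grant denies without any cleanup job."""
    if grant.revoked_at is not None and now >= grant.revoked_at:
        return False                         # explicit revocation always wins
    expiry = grant.expires_at()
    if expiry is None or now < expiry:
        return True
    # Past the deadline: stay open only if the hold option is on and CARs remain.
    return grant.hold_while_cars_open and open_cars > 0


# Constructed sample: 2-day audit, 5 days to upload, 30 days for CARs, 7 days padding.
SAMPLE = LocationGrant(datetime(2024, 3, 1), timedelta(days=2),
                       timedelta(days=5), timedelta(days=30), timedelta(days=7))

if __name__ == "__main__":
    print("expires:", SAMPLE.expires_at())
    print("access on 2024-04-20 with 3 open CARs:",
          has_access(SAMPLE, datetime(2024, 4, 20), open_cars=3))
```
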
Duplicate from AD-I-52:
The primary purpose would be, after the time window during which audit may occur, the audit is scheduled, and the auditor is selected, the process would have up to audit + X days for the CARs to be completed, after which the process would be closed, and the Auditor should no longer have rights to access the site.
An automatically expiring permission - association - would reduce the surface of opportunity for undue access to information.
We are looking at different methods for permissions and access. We will keep this scenario in mind. Here is a recap of the primary items you've described in case others would like to vote on this:
1 - Allow temporary permission/access to an auditor during the audit process until all CAM items are approved and closed
2 - Provide better assignment during the schedule process
3 - Provide visibility when all CAM items for a given audit result are completed and closed.