Authorization and membership in a user group

Friends!

Please tell me about the logic of the decision; I have been discussing this with my colleagues for a long time and we cannot come to a common understanding.

Now I will explain our situation.

  1. We have a partner in China who makes the products we need.
  2. Then we bring these products to Russia and assemble them in our workshop.
  3. Now we will have a partner in Europe.

  • What do we have now?
    1. The site and a Russian ERP program, but it is not convenient for our partners, and therefore we want to replace it with Moqui.
    2. We have a website, CRM and PIM + DAM.
  • What do we want to do?
    1. Provide limited access to: ERP, CMS, DAM, CRM.
       • Now we have the problem that one employee must have his own account in each system; although there is API integration, it does not solve the problem of single authorization.
    2. Provide new partners with a single panel so that they can install it on their server, but protect this panel from copying. If a partner works with our company, he will use this panel free of charge, and if he does not cooperate, we will not let him use our panel.
  • How do we see the solution?
    1. In a single panel, the employee registers, selects his group and, after a check by the administrator, gets access.
    2. An employee with his own access rights can do his job.
  • What’s the problem now?
    1. The main problem is where to store the user account (it is not reasonable to write to the databases of all systems at the same time) and how to differentiate access.
       • For example, if an employee is registered with access to Moqui, then as I understand it, you need to provide a separate database for the panel, which each system consults to identify the user (because of this we have a dispute with colleagues). And if an employee is registered with access only for the site, then access to Moqui is closed for him (even if he follows the link).

I’m not sure, but maybe all this integration will help us:


Of course, I wrote a lot :slight_smile: but maybe someone has done a similar thing and can tell the logic and where to start, especially on Moqui.
We need the panel to act as a connecting bridge for employees, so that there is no chaos, while maintaining the level of encryption against possible hacks and spam. And, for the administrator, make it convenient to see all employees and partners in one place.


Sorry for the late reply.

I’m not sure what Kafka and Synapse are, but access rights or authorization in Moqui are stored in the ArtifactAuthz entity.

ArtifactAuthz: Basically each UserAccount is associated with a UserGroup, and each UserGroup has an ArtifactAuthz entity for given artifacts in the system (each screen, entity, and service is an artifact).

Now, how to integrate with other systems depends on how the other system handles redirection and security. See this post for more details on how to integrate with other systems.

After reading through this, I’m intrigued with your problem and would like to help out. I’ve done a fair bit of contracting work with Moqui, and I’d like to see if I can help solve your problem. Email me if you’re interested: michael@dejc.com
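As an added illustration of the UserGroup / ArtifactGroup / ArtifactAuthz model described in the reply above, here is a Moqui entity-facade-xml seed file that gives a restricted partner group view-only access to one set of screens. This is example data written for this thread, not from the thread itself or from Moqui's own seed data; the group id PARTNER_EU, the user id partner1, the component location partner-portal and the fromDate value are all assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example seed data (not from the thread or from Moqui): a limited-access
     group for external partners, as the original poster asks for. -->
<entity-facade-xml type="seed">

    <!-- 1. The user group. Every UserAccount that should get partner access
         becomes a member of this group; authorization is granted to the
         group, never to the individual account. -->
    <moqui.security.UserGroup userGroupId="PARTNER_EU"
            description="European partner users (example)"/>

    <!-- 2. Membership. 'partner1' is an assumed, already-existing UserAccount;
         fromDate is a constructed timestamp. Setting thruDate later revokes
         access without deleting the account. -->
    <moqui.security.UserGroupMember userGroupId="PARTNER_EU" userId="partner1"
            fromDate="2024-01-01 00:00:00"/>

    <!-- 3. The artifacts the group may reach: every screen under an assumed
         'partner-portal' component, matched by regex (nameIsPattern="Y").
         inheritAuthz="Y" lets sub-screens and the services/entities they use
         inherit this authorization instead of needing their own records. -->
    <moqui.security.ArtifactGroup artifactGroupId="PARTNER_PORTAL"
            description="Screens partners may use (example)"/>
    <moqui.security.ArtifactGroupMember artifactGroupId="PARTNER_PORTAL"
            artifactTypeEnumId="AT_XML_SCREEN" nameIsPattern="Y" inheritAuthz="Y"
            artifactName="component://partner-portal/screen/.*"/>

    <!-- 4. The grant itself: ALLOW + VIEW only. Partners can open the portal
         screens but get no create/update/delete action through this record.
         Screens outside the PARTNER_PORTAL group have no record for this
         user group, so Moqui's authorization check rejects them. -->
    <moqui.security.ArtifactAuthz artifactAuthzId="PARTNER_PORTAL_VIEW"
            artifactGroupId="PARTNER_PORTAL" userGroupId="PARTNER_EU"
            authzTypeEnumId="AUTHZT_ALLOW" authzActionEnumId="AUTHZA_VIEW"/>

</entity-facade-xml>
```

Internal employees get a separate UserGroup with its own ArtifactAuthz records over a wider ArtifactGroup, so the "who can see what" decision the poster is debating lives entirely in these tables rather than in each system's own user store.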