updated as of: December 5, 2013
last author: Andy Theuninck
Fannie includes an option for user authentication. When this is enabled,
various tools with require a username and password. This is disabled by
default. To enable it, go to the Authentication tab on Fannie's install/config
page and set Authentication Enabled to Yes.
If this is your first time using Fannie's user accounts, you will be to enter
a password for the first user who is named admin. You must have at least
one user with the admin permission to create additional accounts or
groups. Do not delete the account named admin unless you have granted
that permission to another user or group.
Fannie's user system is oriented around permissions or authorization classes.
Rather than a tiered system where higher levels have access to a wider and wider set of
features, a user is granted permission to access a specific tool or toolset. For example,
one user may be allowed to edit items and another may be allowed to edit member accounts.
Neither has a higher level of access; they just have access to different tools.
Users may be arranged into groups. Permissions can be assigned to a group rather than
to each individual user. Be aware that a group must have at least one user; deleting
all the users from a group will also delete the group itself. Fannie's sample data
includes a set of default groups for common roles. The first user named admin
is automatically a member of all these groups as a placeholder. Default groups are:
- Administrators - simply given all available permissions.
- Items - this group has permission to create, edit, and delete items
as well as set up sales batches and manage shelftags. Buyers and/or
Scanning staff often belong in this group.
- Membership - this group has permission to create and edit member
accounts. Terminology and staff structure varies more here but every
co-op will have someone who belongs here.
- FE Management - Front End management has permission to create
and edit cashiers, use tools related to tenders and variances, and
view cashier performance reporting.
- Limited Editors - this group can adjust contact information
on memberships but not other settings. They can also edit items
and sales batches but when they do so notifications are dispatched
to whoever is normally responsible for those items. This role can
be useful for floor managers or equivalent staff to make small fixes
on weekends or odd hours when people in the Items or
Membership groups aren't present - e.g., adjusting a price to
match floor signage rather than continually open ringing the item.
Fannie can authenticate against other sources to re-use existing user accounts.
There are currently two options:
- Shadow Logins is Linux authentication. If users have accounts on
the server that's hosting Fannie, this option will check their names
and passwords against the /etc/shadow file. There's an extra utility
required to provide the webserver limited access to that file. The
authentication tab on the install/config page will provide instructions
- LDAP Logins is what it sounds like. The defaults are probably
correct for a typical openldap installation with user accounts in
an organization unit named People. Adjusting the domain name
part(s) and host/port should be all that's needed. If anybody ever
sets up authentication against an Active Directory server, this
documentation will be updated with details. It's likely possible
but you're currently on your own to figure it out.