
Overview

SASCOP BME SubTec uses Django’s permission system to control access to different modules and features. Permissions are assigned to users through groups and individual user settings.

Permission Levels

View

Read-only access to view data

Add

Create new records

Change

Edit existing records

Delete

Delete or deactivate records

Custom

Special permissions for specific features

User Roles

Administrator

Full System Access

Permissions:
  • Manage all users and permissions
  • Configure system catalogs
  • Access all modules without restriction
  • View activity logs
  • Execute administrative tasks
Use Cases:
  • System configuration
  • User management
  • Data maintenance
  • Security oversight

Project Manager

Project Oversight

Permissions:
  • Create and manage PTEs
  • Approve work orders
  • View production reports
  • Assign resources
  • Track project progress
Restrictions:
  • Cannot modify system catalogs
  • Cannot manage user permissions

Field Supervisor

Operational Control

Permissions:
  • Record daily production
  • Update work order status
  • Upload field evidence
  • Generate progress reports
Restrictions:
  • Cannot create PTEs
  • Cannot approve work orders
  • Limited catalog access

Accounting/Finance

Financial Management

Permissions:
  • View all financial data
  • Validate production for billing
  • Generate financial reports
  • Manage payment status
Restrictions:
  • Cannot modify production volumes
  • Cannot change work order details

Read-Only User

View Access Only

Permissions:
  • View PTEs and work orders
  • Access reports
  • View production data
Restrictions:
  • Cannot create or modify any data
  • Cannot access administrative features

Module-Specific Permissions

PTE Management

Permission Code: operaciones.view_pteheader
Allows users to view the list of PTEs and their details. Required for:
  • Viewing PTE list
  • Accessing PTE details
  • Viewing Centro de Consulta
Permission Code: operaciones.add_pteheader
Create new PTEs. The creation view:
operaciones/views/pte.py
from django.contrib.auth.decorators import login_required
from django.http import JsonResponse
from django.views.decorators.http import require_http_methods

from operaciones.decorators import registrar_actividad  # project decorator; module path assumed
from operaciones.models import PTEHeader  # import path assumed

@require_http_methods(["POST"])
@login_required
@registrar_actividad
def crear_pte(request):
    # PTE creation logic; the excerpt omits how the fields are obtained,
    # so they are read from the POST body here for completeness
    oficio_pte = request.POST.get('oficio_pte')
    oficio_solicitud = request.POST.get('oficio_solicitud')
    descripcion_trabajo = request.POST.get('descripcion_trabajo')
    pte_header = PTEHeader.objects.create(
        oficio_pte=oficio_pte,
        oficio_solicitud=oficio_solicitud,
        descripcion_trabajo=descripcion_trabajo,
        # ...
    )
    return JsonResponse({'exito': True, 'id': pte_header.pk})
Permission Code: operaciones.change_pteheader
Edit existing PTE information, including:
  • Description and details
  • Dates and deadlines
  • Responsible parties
  • Status changes
Permission Code: operaciones.delete_pteheader
Logically delete a PTE. The view checks the permission explicitly before acting:
operaciones/views/pte.py
from django.contrib.auth.decorators import login_required
from django.http import JsonResponse
from django.views.decorators.http import require_http_methods

from operaciones.decorators import registrar_actividad  # project decorator; module path assumed

@require_http_methods(["POST"])
@login_required
@registrar_actividad
def eliminar_pte(request):
    # Deny unless the user holds the delete permission (directly or via a group)
    if not request.user.has_perm('operaciones.delete_pteheader'):
        return JsonResponse({
            'tipo_aviso': 'error',
            'detalles': 'No tienes permiso para eliminar PTEs',
            'exito': False
        })
    # ... logical deletion follows (sets estatus=0)
Deletion is logical (sets estatus=0), not physical: the data remains in the database.
Permission Code: operaciones.view_centro_consulta
Custom permission for viewing the consultation center, declared on the model's Meta class:
operaciones/models/pte_models.py
from django.db import models

class PTEHeader(models.Model):
    # ... model fields omitted ...

    class Meta:
        db_table = 'pte_header'
        # Custom permissions are created alongside the default view/add/change/delete ones
        permissions = [
            ("view_centro_consulta", "Puede visualizar el centro de consulta"),
        ]

Work Order Management

1. View Work Orders
   Permission: operaciones.view_ote
   Access to work order list and details
2. Create Work Orders
   Permission: operaciones.add_ote
   Create new work orders from approved PTEs
3. Modify Work Orders
   Permission: operaciones.change_ote
   Update work order information and status
4. Delete Work Orders
   Permission: operaciones.delete_ote
   Remove or deactivate work orders

Production Management

Production Permissions

View Production: operaciones.view_produccion
  • View production grids
  • Access production reports
Record Production: operaciones.add_produccion
  • Enter daily production volumes
  • Create production records
Modify Production: operaciones.change_produccion
  • Edit production values
  • Correct errors
Validate Production: operaciones.validate_produccion
  • Lock production periods
  • Approve for billing

Catalog Management

Most users can view catalog data for reference purposes. Editing catalogs is restricted to Administrators. Example permission check:
operaciones/views/catalogos.py
from django.http import JsonResponse
from django.views.decorators.http import require_http_methods

@require_http_methods(["POST"])
def editar_tipos(request):
    # Only users holding change_tipo may edit catalog types
    if not request.user.has_perm('operaciones.change_tipo'):
        return JsonResponse({
            'tipo_aviso': 'error',
            'detalles': 'No tienes permisos para editar',
            'exito': False
        })

Activity Logging

All user actions are logged for audit purposes:
operaciones/models/registro_actividad_models.py
from django.contrib.auth.models import User
from django.db import models

class RegistroActividad(models.Model):
    registro_id = models.IntegerField(null=True, blank=True)   # id of the affected record
    evento = models.TextField(null=True, blank=True)           # create / update / delete
    campo = models.TextField(blank=True, null=True)            # field that changed
    valor_anterior = models.TextField(blank=True, null=True)   # previous value
    valor_actual = models.TextField(blank=True, null=True)     # new value
    afectacion = models.TextField(blank=True, null=True)
    fecha = models.DateTimeField(blank=True, null=True)
    # Django appends "_id" to a ForeignKey's column name, so this field is stored as usuario_id_id
    usuario_id = models.ForeignKey(User, on_delete=models.CASCADE)
The @registrar_actividad decorator automatically logs all create, update, and delete operations.

Checking User Permissions

In Python Views

from django.http import JsonResponse

def editar_pte(request):  # illustrative view name wrapping the checks below
    # Check if user has specific permission
    if request.user.has_perm('operaciones.change_pteheader'):
        # Allow editing
        pass
    else:
        # Return error
        return JsonResponse({'error': 'Permission denied'})

    # Check if user is staff
    if request.user.is_staff:
        # Show admin options
        pass

    # Check if user is superuser (has_perm already returns True for an active superuser)
    if request.user.is_superuser:
        # Full access
        pass

In Templates

{% if perms.operaciones.change_pteheader %}
    <button>Edit PTE</button>
{% endif %}

{% if user.is_staff %}
    <a href="/admin/">Admin Panel</a>
{% endif %}

User Status

Active Users

Active Status

Users with is_active=True can log in and access the system according to their permissions.
operaciones/views/registro_actividad.py
from django.contrib.auth.models import User

# Only active accounts are listed
usuarios = User.objects.filter(is_active=True).values(
    'id', 'username', 'first_name', 'last_name', 'email'
)

Inactive Users

Users with is_active=False cannot log in. This is used for:
  • Temporary suspensions
  • Former employees
  • Security lockouts

Staff Status

is_staff=True allows a user to log in to the Django admin interface at /admin/; what they can see and change there is still governed by their permissions.

Permission Best Practices

Principle of Least Privilege

Grant users only the minimum permissions needed for their job function

Use Groups

Assign permissions to groups rather than individual users for easier management

Regular Audits

Review user permissions quarterly to ensure they remain appropriate

Document Changes

Log all permission changes in the activity log with justification
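As an added example (not code from SASCOP BME SubTec), the quarterly review recommended above, run offline against a constructed set of accounts: the page's role matrix is encoded as group permissions, has_perm reproduces Django's rules (an inactive user holds no permissions, an active superuser holds all), and audit flags direct per-user grants, superusers and ungrouped accounts. The mapping of each role's description onto the page's permission codes is my reading of the page, and the group names and usernames are constructed.

```python
from dataclasses import dataclass

# Role matrix from this page as group -> permission codes (my reading of the
# role descriptions against the page's codenames, not the project's fixtures).
GROUP_PERMS = {
    "Field Supervisors": {"operaciones.view_pteheader", "operaciones.view_ote",
                          "operaciones.change_ote", "operaciones.view_produccion",
                          "operaciones.add_produccion", "operaciones.change_produccion"},
    "Accounting": {"operaciones.view_pteheader", "operaciones.view_ote",
                   "operaciones.view_produccion", "operaciones.validate_produccion"},
    "Read-Only": {"operaciones.view_pteheader", "operaciones.view_ote",
                  "operaciones.view_produccion"},
}
@dataclass(frozen=True)
class AuditUser:
    username: str
    groups: frozenset = frozenset()
    user_perms: frozenset = frozenset()  # direct per-user grants
    is_active: bool = True
    is_superuser: bool = False

def group_perms(u):
    return set().union(*(GROUP_PERMS.get(g, set()) for g in u.groups))

def has_perm(u, code):
    # Django's rules: inactive user has no permission, active superuser has all, else group + direct
    if not u.is_active:
        return False
    return u.is_superuser or code in (group_perms(u) | u.user_perms)

def audit(users):
    # Review findings: direct grants outside the user's groups, superusers, ungrouped accounts
    findings = []
    for u in users:
        if not u.is_active:
            continue  # cannot log in; nothing to review
        if u.is_superuser:
            findings.append((u.username, "superuser"))
            continue
        for p in sorted(u.user_perms - group_perms(u)):
            findings.append((u.username, "direct grant " + p))
        if not u.groups:
            findings.append((u.username, "no group"))
    return findings
USERS = [  # constructed sample accounts
    AuditUser("jlopez", groups=frozenset({"Field Supervisors"})),
    AuditUser("mruiz", frozenset({"Read-Only"}), frozenset({"operaciones.delete_pteheader"})),
    AuditUser("old_contractor", frozenset({"Read-Only"}), is_active=False),
    AuditUser("admin", is_superuser=True),
]
```

Running audit(USERS) reports mruiz's direct delete grant and the superuser account; the Field Supervisor is confirmed unable to create PTEs and the deactivated account holds nothing.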

Common Permission Scenarios

Scenario 1: New Field Supervisor

1. Create User Account
   Admin creates the account with basic info
2. Assign to Group
   Add the user to the "Field Supervisors" group
3. Grant Specific Permissions
  • View PTEs and OTs
  • Add/Change Production
  • View Reports
4. Test Access
   Verify the user can access the needed features

Scenario 2: Temporary Read-Only Access

1. Create Limited Account
   Set up the account with the viewer role
2. Set Expiration
   Note the account expiration date
3. Grant View Permissions Only
  • View PTEs
  • View OTs
  • View Reports
4. Deactivate When Done
   Set is_active=False after the project ends

Viewing Your Permissions

Contact your system administrator to review your current permissions or request changes.
Administrators can view user permissions at:
  • Django Admin: /admin/auth/user/
  • Activity Logs: View permission changes in activity log
