Attendance Management System (Django+flutter)

⌘K
  2. Home
  4. Attendance Management Sys...
  6. Backend
  8. documentation

documentation

Human Resource Management (HRM) Software System Documentation

Overview

The HRM software application is designed to manage multiple companies, with the ability to handle various company subscriptions (Standard, Pro, Enterprise) through the Django Admin Panel. Users, such as employees, can register via email and password and later update their profiles, which are linked to a company. This application includes modules like Employee Information, Attendance, and Shift Management, all of which are tied to specific users and their respective companies. The core functionality ensures that users can only perform CRUD (Create, Read, Update, Delete) operations within the context of their own company, using object-level and field-level permissions for enhanced control.

Core Components

  1. Company Management
    • Admins can activate or deactivate companies.
    • Each company has a subscription tied to a package (Standard, Pro, Enterprise).
    • Users can register without selecting a company initially. Their company information is updated later.
  2. User and Company Association
    • Each user is linked to a company.
    • User profiles have fields to activate/deactivate the user.
    • The company field in the user model is null and blank by default, allowing it to be updated post-registration.
    • A user can only CRUD data related to their assigned company.
  3. Employee Information, Attendance, and Shift Models
    • All models are linked to users.
    • Every model’s CRUD operations must ensure that the user and the data are from the same company.

Permissions Model

1. Model-Level Permissions

  • Uses Django’s default model-level permissions for basic CRUD operations (view, add, change, delete).
  • These permissions are assigned by the admin to users or groups for specific models like Employee Information, Attendance, etc.
  • Permissions are checked at the model level before performing any operation.

2. Object-Level Permissions (Using Django-Guardian)

  • Ensures that a user can only access or modify specific instances (objects) within the models.
  • For example, a user might have permission to view Employee A’s information but not Employee B’s.
  • When a record is created, object-level permissions (view, update, delete) are automatically assigned to the user.
  • A dedicated API allows assigning/removing object-level permissions to users for specific records.

3. Field-Level Permissions (Custom Logic)

  • Implemented in the PATCH (update) method to control which fields can be edited based on the user’s group or role.
  • For example, only users with the HR Admin role can edit the salary field in the Employee Information model.
  • This custom logic ensures granular control over which parts of a record are editable.

System Flow for CRUD Operations

  1. Create Operation
    • Check if the user has add permission for the model.
    • If the user has model-level add permission, the system creates the record, linking it to the user’s company.
    • Object-level permissions (view, update, delete) are automatically assigned for the new record.
  2. Update Operation
    • Check if the user has change permission for the model.
    • If the user has the model-level change permission, it checks object-level permission (can this user update this specific record?).
    • Next, field-level permission is checked: Can the user edit specific fields in the record? For example, the HR Admin role can edit salary fields.
    • The user’s company is compared with the record’s company before proceeding with the update.
  3. Delete Operation
    • Similar to the update process, the system checks if the user has delete permission at the model and object level.
    • Once passed, the system verifies if the user’s company matches the company of the record before deletion is allowed.
  4. View Operation
    • The system checks if the user has view permission for the model and specific object.
    • Company validation is also performed to ensure the user belongs to the same company as the object.

Key Features

  1. User Management and Role Assignment
    • Admins can assign different permissions to users at the model and object level.
    • Permissions can be assigned for entire models or specific objects.
    • Object-level permission ensures that users only access or modify data related to their company.
  2. Field-Level Permissions
    • Certain fields in the models are restricted for editing based on the user’s group or role. For example, only HR Admins can modify salary information.
  3. Subscription Packages
    • Companies are linked to different subscription packages (Standard, Pro, Enterprise) which control the available features and functionalities for the company.
  4. Admin Control Panel
    • Admins have the ability to activate/deactivate companies and assign permissions at the model, object, and field levels.

API Features

  1. Object-Level Permission API
    • Allows assigning/removing object-level permissions for users, ensuring specific records can be controlled by particular users.
    • Enables fine-grained control over which objects each user can access or modify.
  2. Field-Level Control
    • Through custom logic, certain fields can be restricted for editing, ensuring roles like HR Admins have elevated privileges for sensitive data fields such as salary.

Security and Integrity

  • The system ensures that data integrity is maintained by linking every user to a company and validating company-level permissions during every CRUD operation.
  • Object-level and field-level permissions guarantee that unauthorized access or changes are prevented.

Conclusion

This HRM application ensures a secure, role-based, and company-centric data management system. With multiple layers of permission checks (model-level, object-level, and field-level), companies can safely manage employee and attendance records while maintaining strict control over data access. The use of Django Guardian for object-level permissions and custom logic for field-level control makes this application both flexible and secure, allowing for real-world business scenarios where access to sensitive data must be tightly controlled.

Technologies and Tools

  • Django: Core framework for building the application.
  • Django-Guardian: For implementing object-level permissions.
  • Custom Logic: For handling field-level permissions.
  • Django Admin: For managing companies, users, subscriptions, and permissions.

How can we help?