Tutorial: Control Access
You have extensive control over who can use your system, what information they can see and what they can modify. The elaborate access model also makes it one of the more complex parts of the SuperSaaS system so let’s start with some background.
Roles: users, superusers and the administrator
An account has one administrator, typically you, and many users, the end-users of your schedule typically your clients or students. In addition you can choose to create one or more ‘superusers’ with additional abilities. For example you can assign a superuser in your organization to change appointments for people who do not have access to their computer.
The settings are divided into two logical groups: ‘Who can sign up to be a user?’ and ‘What can users do with the schedule?’ found on two different pages. You can also let people use your appointment calendar without any form of registration at all. This is appropriate if you don’t allow them change anything anyway, or if you have another way to identify them such as IP address.
Who can sign up to be a user?
The first question is answered in the ‘Access control’ screen that you can reach from the right-hand menu on the dashboard. You have quite a few options here.
The default option is to simply let clients create their own user name and password. This is convenient for everyone involved but this option has one obvious downside: anyone can sign up, including people you may not want to. There are several ways to discourage unwanted visitors. For example you can require them to verify their email address, or you can require that they make a (partial) payment before they make an appointment. You can also avoid them altogether by filtering IP addresses or only allowing people you invite.
In practice, problems seldom occur with the default ‘anyone can sign up’ policy. Search engines are deliberately not allowed to index SuperSaaS, so the visitors to your schedule are most likely coming from your own site. And should someone misbehave you can block their account and revert the changes. You can change the access policy to be more or less restrictive at any time.
When clicking an access option additional information and settings appear further down the page. At the most restrictive setting clients cannot create an account themselves and you have to create each account yourself (by hand, or by uploading a file with account names).
An account has one user database. This means that if you have multiple schedules a client only needs to create one login and can then use that for all your schedules. If this is not what you want you can create a separate account for each schedule.
Customize the sign up process
Also on this page are details on the sign up process. By default the system uses the email address as the login name. If you are using SuperSaaS for an organization that already has user names you may want to change that so people can use the same name in both places by unchecking the box next to “Use email address as login name”. If you do not intend to use any form of registration it may be a good idea to uncheck this box, because it will allow you to more easily collect email addresses upon booking.
The fields you select in the table under the second heading appear on the sign-up form for a new user. They can change their own information later by clicking the “Your settings” link after logging in. That link is only visible when logged in as a regular visitor and when you haven’t blocked users from updating their own information. Selecting a button in the column ‘Mandatory’ ensures people cannot leave the field empty when signing up, ‘Optional’ shows the field but allows it to be empty, and ‘Don’t ask’ removes the field entirely. Note that ‘Password’ can be switched off too, this will also remove the password field from the login dialog for your application. If you use the custom text fields, then those will also become available for use in creating appointments on the “Process” tab of your schedule configuration.
You can check the flowchart on the page to understand what the sign up process looks like to your users. It instantly reflects any changes you make to the page. So if you select the option “Only people from a specific IP address” the graphic will update to show a step that says the IP address will be checked. Note that this is only the registration process, there is another flowchart that show the booking process on the “process” tab of the configuration screen. It is still a good idea to actually try the process from your users point as well, we will have more to say on that in the next section.
What can my users do on my schedule?
You determine what people can do on the ‘Access’ tab of the configuration screen for your schedule. You reach this page from your dashboard by first clicking the blue ‘Configure’ button and then selecting the ‘Access’ tab. (The access page will look slightly different for ‘resource’, ‘capacity’ and ‘service’ type schedules)
The default access setting is that people are always allowed to look at a calendar, but they will need to log in to add an appointment, or change one they made earlier. If the information on your calendar is confidential you should hide the information for regular users, or change the setting to require people to log in before they can see the schedule.
You can also allow people to make changes to the schedule without signing in at all. However, you then have no way to block mischievous activity so you should only do this if you are confident that won’t happen, for example because you used the IP address filtering options earlier. If you allow people to make changes without signing in, you may also want to uncheck the option “Use email address as login name” on the Access Control page discussed above, to reveal the email field as a separate entry option.
The page automatically prevents you from making illogical choices. For example, if you select that only you can make changes, the option further down ‘Anyone can update bookings’ will get grayed out.
Preventing and dealing with abuse
SuperSaaS prevents search engines such as Google from indexing our schedules. We do this mainly because to a search engine a schedule looks mostly like a bunch of numbers and dates that change from day to day, so it doesn’t give it a proper ranking. An added benefit is that this makes your schedule harder to find for spammers who crawl the web looking for places to register with names like ‘www.cheapmedicine.com’. You are, of course, more than welcome to let Google index your own web page that contains the link to your SuperSaaS schedule. Doing so can help your clients find you, but you also run a small risk of inviting vandals.
In practice most spammers are already deterred if they are required to sign up for something, so the first thing you can do is requiring registration. If abuse still becomes a problem you can simply switch on the option “Send a confirmation email with a link the user has to click before he can log in” on the Access Control page. This should solve most cases but it is a minor extra hassle and has a small risk that some people will have trouble getting the email through their spam filter.
If someone who signed up misbehaves you should not delete his account, since that would allow him to re-register, instead you can block his account in the user management section that you can find in the right-hand menu on the dashboard. By clicking the spyglass icon next to an entry you can see all the activity of that user so you can quickly undo any damage that has been done.
Once you have configured the access controls you should test if the system behaves as you expect when someone other than you logs in.
Next chapter: Test what you have built