I'm not sure if this is the right place for these questions, but i'll ask anyway.
I'm designing my first customer scheduling and work order tracking system for a franchise. One big issue i'm not sure on how to approach is - user access restrictions once the user is logged into the system. I want to restrict access to the system and data based on the user's access restrictions.
0. In general, how is access restriction implemented.
1. Are access restrictions normally defined in an employee or user database table?
2. Should access restriction be a single field or a group of fields?
3. If a single field, is it normally done using a bit field?
4. Should access restriction be done during each mysql query or at each UI?
Currently there are three levels of authorization:
1. Franchisor - full unrestricted access to system, screens and data.
2. Franchisee - access restricted to franchisee's screens and data only.
3. Technician - access restricted to franchisee technician's assigned work orders.
The system is divided into three components:
1. The Call Center site.
2. Franchisee mobile site.
3. The Technician mobile site.
The "Call Center" site is used by all franchisee call centers for entering, editing and scheduling customer work orders on the dispatch board screen. Each franchisees' instance of the "Call Center" site, based on login and access restriction, must be restricted to show only that franchisees' customer, technician and work order data.
The "Franchisee" mobile site will run off of a smart phone. Each instance of the "Franchisee" mobile site, based on login and access restriction, must be restricted to show only that franchisees' statistics and totals.
The "Technician" mobile site will run off of a data enabled tablet. Each instance of the "Technician" mobile site, based on login and access restriction, must be restricted to show only that Technicians' assigned work orders.
Any help would be appreciated.