Permission in Version 4


Mayur Patel

Aug 21, 2014, 9:52:12 AM
to erpnext-u...@googlegroups.com
Hi There,

In version 3, we were able to use a condition to define a permission. For example, in version 3, one can add a Read permission on Employee doctype for "Department Head" role with condition "Department in Employee matches User Property department." This gives the department head read access over all employees from the same department. When a new employee gets added to the same department, the department head is automatically able to see this new employee. How do you achieve the same in version 4?

Kind regards,
Mayur Patel

Sunil Kumar

Aug 21, 2014, 10:38:00 AM
to erpnext-u...@googlegroups.com
Hello Mayur,

In ver 4, you can manage role permissions at:

Setup > users and permissions > user permission manager > edit role permission (above quick help section)

----
Sunil
Partner for ERPNext

Rushabh Mehta

Aug 21, 2014, 11:21:26 AM
to erpnext-u...@googlegroups.com


@rushabh_mehta
via mobile

On 21-Aug-2014, at 7:22 PM, Mayur Patel <mayur....@gmail.com> wrote:

> Hi There,
>
> In version 3, we were able to use a condition to define a permission. For example, in version 3, one can add a Read permission on Employee doctype for "Department Head" role with condition "Department in Employee matches User Property department." This gives the department head read access over all employees from the same department. When a new employee gets added to the same department, the department head is automatically able to see this new employee. How do you achieve the same in version 4?

Pretty much the same way. In version 4 user property is "user permission".

You also have to check "apply user permissions" where you want the rules to apply. For example, in Leave Application.



Addy

Aug 21, 2014, 1:30:30 PM
to erpnext-u...@googlegroups.com
Hi Rushabh,

I am also the one who feels like Alice in wonderland with regards to permissions in v4.

I am still to understand what purpose the v4 permissions solve more than the ones we had in v3.

I think a better thing would be to have 2 or 3 examples written out for permissions manager. For a long time I have been trying to make some permissions for my sales persons where we could limit them dynamically based on the sales person, and then if a sales person is able to see a customer then he/she must be able to see that customer's transactions, if they have been given access to the transactions. I know I have been asking for the long shots but I guess that would make the system a great one to say the least.

I think a better thing would be to have scenarios explained by customers where we could see which cases are not possible in the current permission manager.



Anand Doshi

Aug 22, 2014, 3:14:57 AM
to erpnext-u...@googlegroups.com
Does reading this help? https://erpnext.com/user-guide/setting-up/permissions

-Anand 

Rushabh Mehta

Aug 22, 2014, 3:19:05 AM
to erpnext-u...@googlegroups.com
Aditya,

Did you read this?


User permissions from 3 to 4 are not that different; it just might take a little getting used to. The main differences are:

1. Instead of "fieldname", permissions are now set on values of link fields (like Territory or Company) (which is more correct IMO)
2. Links are automatically validated, if user permissions are applied (Ideal for restricting documents by Company, Territory, Department, which are the most common use cases).



@rushabh_mehta


Mayur Patel

Aug 22, 2014, 6:07:57 AM
to erpnext-u...@googlegroups.com
Thanks Rushabh, Anand, Aditya and Sunil.

It seems that permissions in version 4 don't seem to work for us. Or it may not have been set up correctly. We migrated a copy of our production ERPNext server to version 4 using the migration script. We noticed the following issues:

In version 3 we have the following:
 - For a role called "HR User" we set up role permission to allow them to see all the employees in the departments they are assigned to via user property 'Department'.
 - For a role called 'PO user' we set up permission to allow them to see all the POs for the companies they have been assigned to via user property 'Company'. We have 6 companies in our instance. Some PO Users have been assigned to multiple companies via user property 'Company'.
 - There is a user called Alison, who has been assigned the HR User role and also the PO user role. We have assigned 'Project' and 'Operation' departments to her department User Property. We have assigned YPL and SM companies via company User Property.
 - In HR Module, on Employee screen she sees all the employees from the departments Project and Operation.
 - She is able to see all POs from both YPL and SM.
 - Please note that we have customised the Purchase Order screen to include a Department custom field. It gets automatically filled based on the user's default department when they create a PO. We use this department field for reporting and also for restricting its access for certain users.

In Version 4 (after migration):
 - HR User has been set up with "apply user permissions" checked.
 - PO User has been set up with "apply user permissions" checked.
 - Alison can see all the employees that are part of her departments. Same as version 3.
 - Alison is only able to see POs from her departments rather than for the companies she is assigned to. I think this is happening because the system is applying department user permission as it is defined for this user. How do we resolve this? Please note that Department field is a custom field that is set up on the Purchase Order doctype and it is needed. It can't be taken off.


Also we notice that in version 3, Alison has only one record for employee property type, but in version 4, there are multiple records for Employee user permission. Why is this?


Kind regards,
Mayur Patel

Rushabh Mehta

Aug 22, 2014, 6:12:40 AM
to erpnext-u...@googlegroups.com
On the department field, for the Role PO User, check "Ignore User Permissions"


> Also we notice that in version 3, Alison has only one record for employee property type, but in version 4, there are multiple records for Employee user permission. Why is this?


Could be an issue with the patch... There should be only one record.



Mayur Patel

Aug 22, 2014, 6:12:49 AM
to erpnext-u...@googlegroups.com
Hi Again,

I think one option may be to check "Ignore User Permissions" for Department field for Purchase Order doctype, right?

Could you please still answer the 2nd question? See below.

Mayur Patel

Aug 22, 2014, 6:15:07 AM
to erpnext-u...@googlegroups.com

> On the department field, for the Role PO User, check "Ignore User Permissions"

How do you do this? I don't see department field for the Role PO user?


MP

Rushabh Mehta

Aug 22, 2014, 6:27:09 AM
to erpnext-u...@googlegroups.com
Sorry, in the field, not Role Permissions.

Please read this:





Rushabh Mehta

Aug 22, 2014, 6:28:32 AM
to erpnext-u...@googlegroups.com
Are they any different? Please raise a GH issue for this.



Mayur Patel

Aug 22, 2014, 6:32:47 AM
to erpnext-u...@googlegroups.com
Hi Rushabh,

I read that article multiple times before starting this topic. If I check "Ignore User Permissions" for Department field for Purchase Order doctype then it will completely ignore user permission. As I mentioned in my earlier post, we use this department field for reporting and also for restricting its access for certain users. We have another role called "Department PO User" for these users. We have set up this role to restrict their access to POs from only their department. So if we ignore permission on the Department field then it will not work for these users. Any suggestions?

Kind regards,
Mayur Patel

Rushabh Mehta

Aug 22, 2014, 7:10:50 AM
to erpnext-u...@googlegroups.com
Mayur,

Well, if the user has any one permission (via Company or Department) then the document should be visible.

@Anand can you verify if the restrictions are applied as AND or OR?



Mayur Patel

Aug 22, 2014, 7:20:35 AM
to erpnext-u...@googlegroups.com


On Friday, 22 August 2014 11:28:32 UTC+1, Rushabh Mehta wrote:

> On 22-Aug-2014, at 3:42 pm, Mayur Patel <mayur....@gmail.com> wrote:
>
>> Hi Again,
>>
>> I think one option may be to check "Ignore User Permissions" for Department field for Purchase Order doctype, right?
>>
>> Could you please still answer the 2nd question? See below.
>>
>> we notice that in version 3, Alison has only one record for employee property type, but in version 4, there are multiple records for Employee user permission. Why is this?
>
> Are they any different? Please raise a GH issue for this.

Yes, they are different. I have added an issue in GH. https://github.com/frappe/frappe-bench/issues/25.

Kind regards,
Mayur Patel


Mayur Patel

Aug 22, 2014, 7:23:04 AM
to erpnext-u...@googlegroups.com
Hi Rushabh,

I think they are AND. But we will wait for Anand to confirm it.

Kind regards,
Mayur Patel

Anand Doshi

Aug 22, 2014, 7:52:02 AM
to erpnext-u...@googlegroups.com
They are AND

A user will be restricted for Company in (X, Y) and Department in (A, B, C)

-Anand. 

Sent from my phone

Rushabh Mehta

Aug 22, 2014, 8:52:52 AM
to erpnext-u...@googlegroups.com, erpnext-u...@googlegroups.com
Maybe we should make it OR, it might fix a lot of issues.

@rushabh_mehta
via mobile

wa...@xavierltd.com

Aug 22, 2014, 8:58:35 AM
to erpnext-u...@googlegroups.com
Hi Guys,

Nice to see I'm not the only one who noticed this issue : )

As shown in my thread on this same issue, the fundamental problem with the permission manager in version 4 is that it doesn't allow specific roles to override user permissions (unless you ignore the permissions altogether, which is usually unacceptable).

Version 3 handled this better because you could just set a matching condition for a role and that would automatically give users with that role access to all the docs in the list that matched their respective user permissions.

The best solution that was offered (which I believe is currently being worked on) is to allow ignoring of user permissions for specific roles. In Mayur's case for example, ignoring user permissions on the Department field for role PO User should solve the problem.

Cheers!


Kind regards,
Olawale

wa...@xavierltd.com

Aug 22, 2014, 9:16:54 AM
to erpnext-u...@googlegroups.com, erpnext-u...@googlegroups.com
Hi Rushabh,

Trust you're doing great. Not so sure that's a good idea. Check out the following scenario:

- An employee is restricted to seeing only his employee form because he has his Employee ID defined in his user properties.

- Same employee also has Department defined in his user properties so that the department field is automatically populated and marked when he raises a document (as in Mayur's example).

- If restrictions are set to OR then it means that this employee (and every other employee who has Department defined in their user properties) will be able to view employee forms for everyone in his department!

Best solution is still ability to ignore user permissions on fields for specific roles (IMO)

Cheers! 


Kind regards,
Olawale ‎
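
The AND rule Anand confirms and the OR scenario described in the post above, as an added example that is not part of the thread and not Frappe's code. It is a simplified model that goes slightly beyond those two posts by also covering the field-level "Ignore User Permissions" switch and per-role doctype selection discussed elsewhere in the thread; the function name and sample records (EMP-001, the Finance department) are constructed.

```python
# Simplified model of the evaluation rules discussed in this thread.
# Not Frappe's implementation; all names and records are constructed.

def visible(doc, user_perms, mode="AND", ignore_fields=(), apply_doctypes=None):
    """Return True if the user may see `doc`.

    doc            {link_field: (linked_doctype, value)}
    user_perms     {linked_doctype: set of values the user is restricted to}
    mode           "AND": every restricted link field must match
                   "OR":  one matching link field is enough
    ignore_fields  link fields with "Ignore User Permissions" checked
    apply_doctypes per-role selection of doctypes whose user permissions
                   apply (None means all of them)
    """
    checks = []
    for field, (doctype, value) in doc.items():
        if field in ignore_fields:
            continue
        if apply_doctypes is not None and doctype not in apply_doctypes:
            continue
        allowed = user_perms.get(doctype)
        if allowed is None:
            continue  # no user permission defined for this doctype
        checks.append(value in allowed)
    if not checks:
        return True  # nothing restricts this document for this user
    return all(checks) if mode == "AND" else any(checks)


# Constructed data modelled on the posts above.
ALISON = {"Company": {"YPL", "SM"}, "Department": {"Project", "Operation"}}
DEPT_PO_USER = {"Department": {"Project"}}
STAFF = {"Employee": {"EMP-001"}, "Department": {"Sales"}}

PO_YPL_FINANCE = {"company": ("Company", "YPL"),
                  "department": ("Department", "Finance")}
COLLEAGUE_RECORD = {"employee": ("Employee", "EMP-002"),
                    "department": ("Department", "Sales")}


def scenarios():
    return {
        # AND hides a PO of Alison's company raised by another department.
        "alison_and": visible(PO_YPL_FINANCE, ALISON, "AND"),
        "alison_or": visible(PO_YPL_FINANCE, ALISON, "OR"),
        # OR exposes a colleague's employee record via the shared department.
        "staff_and": visible(COLLEAGUE_RECORD, STAFF, "AND"),
        "staff_or": visible(COLLEAGUE_RECORD, STAFF, "OR"),
        # Ignoring the field fixes Alison but also unrestricts the department role.
        "alison_ignore": visible(PO_YPL_FINANCE, ALISON,
                                 ignore_fields={"department"}),
        "dept_ignore": visible(PO_YPL_FINANCE, DEPT_PO_USER,
                               ignore_fields={"department"}),
        # Selecting doctypes per role keeps both roles correct.
        "po_user_role": visible(PO_YPL_FINANCE, ALISON,
                                apply_doctypes={"Company"}),
        "dept_po_role": visible(PO_YPL_FINANCE, DEPT_PO_USER,
                                apply_doctypes={"Department"}),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:14} {'visible' if result else 'hidden'}")
```
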

Rushabh Mehta

Aug 22, 2014, 11:17:51 AM
to erpnext-u...@googlegroups.com, erpnext-u...@googlegroups.com
Now I know why I like small companies :P

I think it's time to introduce a hierarchical org unit and allow workflow to be configured around it. Maybe that can solve a lot of issues.

Now please don't say matrix organisations!

@rushabh_mehta
via mobile

Rushabh Mehta

Aug 23, 2014, 12:04:39 AM
to erpnext-u...@googlegroups.com, erpnext-u...@googlegroups.com
Olawale, permissions were OR in version 3, so it makes sense to keep them that way. Additional restrictions can be done via scripting.

@anand let's discuss this Monday.

@rushabh_mehta
via mobile


Rushabh Mehta

Aug 23, 2014, 4:50:55 AM
to erpnext-u...@googlegroups.com
I have specifically created an issue for this. Please add your comments here:

https://github.com/frappe/erpnext/issues/2103

wa...@xavierltd.com

Aug 23, 2014, 8:41:51 AM
to erpnext-u...@googlegroups.com, erpnext-u...@googlegroups.com
Hi Rushabh,

I agree about using the OR approach as long as there is additional scripting to handle the scenario I described earlier. If what you're saying is that you want to return the permission manager to functioning how it was in version 3 then that's just great!

The key thing to keep in mind is that you need a way to filter docs within a list for 'roles' probably based on link fields and this needs to override normal user restrictions (which is where the OR comes in I guess).

By the way, having a hierarchical structure with workflows configured around it would be absolutely awesome ;)


Kind regards,
Olawale

Rushabh Mehta

Aug 25, 2014, 1:56:58 AM
to erpnext-u...@googlegroups.com
We were going through some use cases and we find that there are more use cases for AND rather than OR.

@Mayur, if you have a user where you want to give specific permissions based on role, I suggest you create separate user ids for that user (Allison Purchase & Allison HR).

https://github.com/frappe/erpnext/wiki/Version-4-Permission-Use-Cases

If you have more use cases, please add to the wiki page.



wa...@xavierltd.com

Aug 25, 2014, 3:07:35 AM
to erpnext-u...@googlegroups.com
Hi Rushabh,

Trust you're doing great. How does creating separate IDs solve the issue? Also, I'm sure you do realize that creating different IDs for separate roles makes using the system quite cumbersome; definitely not the way to go (IMHO) 



Kind regards,
Olawale

Mayur Patel

Aug 26, 2014, 9:09:02 AM
to erpnext-u...@googlegroups.com
Hi Rushabh,

I agree with Olawale. Having multiple user accounts is very cumbersome. Alison was just an example user. We have more than 1 user for whom this is an issue. We should look at why this was not an issue in Version 3 and why it is an issue in Version 4. In Version 3, only one user permission was being applied, while in Version 4 multiple user permissions are applied (based on link fields).

Kind regards,
Mayur Patel

Anand Doshi

Aug 26, 2014, 10:10:22 AM
to ERPNext User's Forum
@Wale and @Mayur,

Have a look at this: https://github.com/frappe/frappe/pull/795

This should solve all your problems. The pull request is pending review and merge.

Thanks,
Anand.



wa...@xavierltd.com

Aug 26, 2014, 11:45:05 AM
to ERPNext User's Forum
Hi Anand, 

This looks excellent! If I'm correct, this way we can determine which doc-types are considered for each role. Therefore, un-checking the employee doc-type for example, would allow a user with the appropriate role (e.g HOD) to bypass the restrictions of the 'From Employee' field in an Expense Claim document. Right? 

Thanks a lot for this! Awaiting the review and merge 


Kind regards,
Olawale

Anand Doshi

Aug 26, 2014, 12:35:13 PM
to erpnext-u...@googlegroups.com
Yes. Exactly. 

Sent from my phone

Anand Doshi

Aug 29, 2014, 2:26:46 AM
to erpnext-u...@googlegroups.com
Hi Wale and Mayur,

New feature, selectable DocTypes for applying User Permissions, has been released.

This is now possible:
[Screenshot: 2014-08-29 at 11:39:56 am]

Thanks,
Anand.

wa...@xavierltd.com

Aug 29, 2014, 3:15:05 AM
to erpnext-u...@googlegroups.com
Hi Anand,

Thanks a lot for this update. You guys are simply awesome! 


Kind regards,
Olawale

Mayur Patel

Aug 29, 2014, 6:26:59 AM
to erpnext-u...@googlegroups.com
Great Anand.

But I am unable to test it as "bench update" is giving me the error messages below. As per your suggestion, I checked "Ignore User Permissions" for the Reports To field for Employee doctype and updated it. This fixed the issue I was having. But because of this the employee.json file got updated on the server. So now whenever I run "bench update", I am getting the error message below. How do I resolve it? Thanks.

 

From https://github.com/frappe/erpnext
* branch            HEAD       -> FETCH_HEAD
Updating 79f9110..ec8964d
error: Your local changes to the following files would be overwritten by merge:
        erpnext/hr/doctype/employee/employee.json
Please, commit your changes or stash them before you can merge.
Aborting
Error: None
Traceback (most recent call last):
  File "/usr/local/bin/bench", line 9, in <module>
    load_entry_point('bench==0.1', 'console_scripts', 'bench')()
  File "/var/www/bench-repo/bench/cli.py", line 27, in cli
    return bench()
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 488, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 474, in main
    self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 758, in invoke
    return self.invoke_subcommand(ctx, cmd, cmd_name, ctx.args[1:])
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 767, in invoke_subcommand
    return cmd.invoke(cmd_ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 659, in invoke
    ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 325, in invoke
    return callback(*args, **kwargs)
  File "/var/www/bench-repo/bench/cli.py", line 107, in update
    pull_all_apps()
  File "/var/www/bench-repo/bench/app.py", line 49, in pull_all_apps
    exec_cmd("git pull {rebase} upstream HEAD".format(rebase=rebase), cwd=app_dir)
  File "/var/www/bench-repo/bench/utils.py", line 56, in exec_cmd
    subprocess.check_call(cmd, cwd=cwd, shell=True)
  File "/usr/lib/python2.7/subprocess.py", line 511, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command 'git pull  upstream HEAD' returned non-zero exit status 1


Kind regards,
Mayur Patel

Anand Doshi

Aug 29, 2014, 7:10:32 AM
to ERPNext User's Forum
@Mayur,

You can git checkout the employee.json file. Ideally, for such customizations you can also use Customize Form :)

Check if "git status" shows any unmerged files after that.

If there are no such files, bench update should work.

-Anand.





Mayur Patel

Aug 29, 2014, 7:22:35 AM
to erpnext-u...@googlegroups.com
Hi Anand,

I used Customize Form for checking "Ignore User Permissions" for Employee Doctype. Didn't that change the employee.json file?

Kind regards,
Mayur Patel

Mayur Patel

Aug 29, 2014, 7:35:38 AM
to erpnext-u...@googlegroups.com
Hi Anand,

Using Customize Form didn't change the employee.json file on the server but "Role Permissions Manager" seems to update the employee.json file on the server every time any changes are made to the permission for Employee doctype. I can confirm that this is true for other doctypes too. Doesn't this create an issue every time we run "bench update" command?

Kind regards,
Mayur Patel

Anand Doshi

Aug 29, 2014, 7:45:53 AM
to erpnext-u...@googlegroups.com
You must have set developer mode.
It updates the json files too.

Sent from my phone