Notes on Permissions in V4


lxnow

Feb 28, 2014, 9:02:46 PM
to erpnext-u...@googlegroups.com
USER ACTIONS
Starting to test V4.  First thing I noticed is that the permission system choices are now more; however the instructions on the permissions manager page "Meaning of Submit, Cancel, Amend:" have not changed.  Can I ask for feedback defining each action with question marks:
  • Read - open a document
  • Restricted - apply restrictions defined in User Properties (new!, this is interesting)
  • Write - save a document
  • Create - create a new document
  • Delete - delete the document (yes separate from cancel now!)
  • Submit - submit a document if submittable
  • Cancel - cancel the document
  • Amend - amend the document
  • Report - read reports on the document
  • Import - ? is this for data import tool?
  • Export - ? is this under the standard reporting format? Does this mean "Report Manager" role is no longer needed to export reports?
  • Print - print the document
  • Email - email out the document
  • Can Restrict - ? create restrictions, how? The page reads "Apart from System Manager, roles with Restrict permission can restrict other users for that Document Type". How do other users do this? 

USER PROPERTIES / RESTRICTIONS
In Permission Manager, conditions are now just limited to "all" and "user is creator of document". All restricted properties are now moved to User Properties (renamed Restrictions). Important changes:
  • Warehouse now a restriction -- so no separate table to manage. 
  • Don't see a USER ID field for restricting (useful for restricting employees to only viewing their own employee profile)

Item: Do conditions follow parent?

Addy

Feb 28, 2014, 11:54:56 PM
to erpnext-u...@googlegroups.com
Hi,

I would also want to test v4, but going by what I understand from your post, I think I can find one thing missing in V4. I think there should be a separate permission for CANCEL and DELETE. Currently in the system, if a person has the right to CANCEL, then that person can delete a non-linked transaction, which is very dangerous, and I would request that the 2 be separated, since we have taken away the Cancel rights from all users after finding out that users can also delete cancelled transactions, which basically removes the precedents for the transactions.

lxnow

Mar 1, 2014, 12:06:58 AM
to erpnext-u...@googlegroups.com
Addy, the actions I listed are from V4.  Cancel and delete *are* separated now, which is good news.

Addy

Mar 1, 2014, 12:23:14 AM
to erpnext-u...@googlegroups.com
My Bad,

I somehow missed your line mentioning the same point....this is indeed great news.

Anand Doshi

Mar 1, 2014, 12:54:06 AM
to erpnext-u...@googlegroups.com, lxnow
Hi Laurence,

USER ACTIONS
Thanks a lot for such detailed feedback on User Actions.
I will write a detailed help document on the permissions system and get back to you.

The employee restriction gets added using code. So, say employee X has user id te...@example.com.
Now if this user does not have the rights to restrict someone else for Employee records, Employee X will be added to this user’s restrictions list for Employee record. So Employee X will only be able to access their own record.

But say user te...@example.com has role HR user, who also has Can Restrict rights, i.e. they can add User Restriction records and restrict access for other users; then they would be able to access all Employee records, since the code wouldn’t add a User Restriction for this user.


Item: Do conditions follow parent?

I didn’t understand this question.


Best,
Anand Doshi.

lxnow

Mar 1, 2014, 2:17:36 AM
to erpnext-u...@googlegroups.com, lxnow
Anand, 

In old ERPNext employee role, restriction is `user_id:user` or in other words "Value of field User ID is the User." In V4, this is no longer available. So now users with roles with permission to view "Employee" form are no longer restricted as `user_id:user`.  This has been replaced with "All Users" upon migration of data (I am using a test account c/o Pratik). So the same user with same roles can now see all Employee records.

I can't figure out how to correctly restrict the user to viewing its own record only. 
  • I've tried limiting user to Read, Email, Restricted, Report and Print on Employee Document Type. It still shows all records.
  • I created a user property (also known as restriction) so us...@example.com PROFILE = us...@example.com, and voila! this creates the restriction.... BUT it creates two restrictions: (1) User ID = us...@example.com and (2) Or Created By = us...@example.com.  How do I get rid of #2?
Laurence 
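
A simplified model of the rule Anand describes earlier in the thread and of the "Or Created By" clause reported in this post, added here as an example; it is not ERPNext or Frappe code. The record names, e-mail addresses, role table and all function names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: roles holding "Can Restrict" per document type.
CAN_RESTRICT = {"Employee": {"System Manager", "HR User"}}

# Constructed Employee records: "owner" is the creator, "user_id" the linked login.
RECORDS = [
    {"name": "EMP-0001", "user_id": "staff@example.com", "owner": "hr@example.com"},
    {"name": "EMP-0002", "user_id": "other@example.com", "owner": "staff@example.com"},
    {"name": "EMP-0003", "user_id": "hr@example.com", "owner": "hr@example.com"},
]

@dataclass
class User:
    email: str
    roles: set
    restrictions: dict = field(default_factory=dict)  # doctype -> allowed record names

def can_restrict(user, doctype):
    return bool(user.roles & CAN_RESTRICT.get(doctype, set()))

def apply_employee_rule(user, records):
    """Users without Can Restrict on Employee are limited to their own
    Employee record; users with it get no restriction added."""
    if can_restrict(user, "Employee"):
        return
    user.restrictions["Employee"] = {
        r["name"] for r in records if r["user_id"] == user.email
    }

def visible(user, doctype, records, or_created_by=True):
    """Names of the records the user can read under this model."""
    allowed = user.restrictions.get(doctype)
    if allowed is None:  # no restriction recorded: role permission alone decides
        return sorted(r["name"] for r in records)
    return sorted(
        r["name"] for r in records
        if r["name"] in allowed or (or_created_by and r["owner"] == user.email)
    )

def widened_by_creator_clause(user, doctype, records):
    """Audit helper: records reachable only through the 'Or Created By' clause."""
    strict = set(visible(user, doctype, records, or_created_by=False))
    return sorted(set(visible(user, doctype, records)) - strict)

staff = User("staff@example.com", {"Employee"})
hr = User("hr@example.com", {"Employee", "HR User"})
for u in (staff, hr):
    apply_employee_rule(u, RECORDS)
```

`widened_by_creator_clause(staff, "Employee", RECORDS)` lists what the second clause exposes beyond the user's own record, which is the kind of check to run when reviewing least-privilege settings after a migration.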



Anand Doshi

Mar 1, 2014, 3:38:03 AM
to erpnext-u...@googlegroups.com, lxnow, lxnow

Hi Laurence,

There was a patch that would’ve created restrictions on Employee DocType. Will need to check Setup > User Properties for Employee doctype. It should've restricted users to particular Employee records if they only have Employee role.

Best,
Anand Doshi.

Addy

Mar 21, 2014, 10:10:20 AM
to erpnext-u...@googlegroups.com
Hi,

I just got a chance to check out V4 and I must say, as always, it's impressive. But still I would like to point out some of the things which I think should be there to make it close to perfect.

  1. First thing is regarding the Permission of the Reports. The problem is that once we restrict a user from accessing a report, then the best thing would be NOT to show the link of the report to that person. I hope this can be done. I know the clutter on the reports front has gone down since we have got separate pages for the reports, but I am still of the view that if a user is not allowed to view a report then the link should not be visible, as it would lessen the clutter of unhelpful reports. I don't think this is impossible but would be very useful for users. I have created an issue for this as well here.
  2. Another thing I have never understood is that even though every update keeps in mind the usability for mobile devices, one thing which has not been resolved is that the users are not able to scroll the reports, which actually is a big put-off for users using erpnext on mobile devices like iPad and phones. Hence I have created an issue for the same here.

Addy

Mar 21, 2014, 10:40:01 AM
to erpnext-u...@googlegroups.com
One more thing I wanted to ask: could it be possible to restrict certain reports from Specific Roles, or is it asking for too much?