Hi all,
I need to implement the following security in Adempiere:
1) Role based security where each person is assigned a role.
2) Data based security where each user can only view data that is assigned to him. A sales representative cannot view the users/quotation etc. of regions other than the one assigned to him. Similarly with the price list.
How can we achieve this in adempiere?
Best regards,
Amit
Hi Amit,
1) Yes, ADempiere supports role based security. Open the Role window and you will get the idea.
2) You can play around with Role Data Access. You can also play around with SQLWhere in Window, Tab & Field.
To get you some ideas, this is an example:
(instr('@#User_Level@','C')<>0 OR C_BPartner.CreatedBy=@#AD_User_ID@ OR C_BPartner.SalesRep_ID=@#AD_User_ID@)
For pricelist, there's one place you can't hide price from user, which is Product Info. You need to modify some code to do this. What I did is add an IsCanViewPrice option in Role so now each role can be set so that it either can view price or not. Is anyone interested in this functionality?
Armen
Goodwill.co.id
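Added example (not part of Armen's post and not ADempiere's own code): the SQLWhere clause above run against constructed C_BPartner rows in SQLite, to show which records each login context ends up seeing. `parse_context`, the sample rows and the three-character user-level strings are assumptions of this example; the substitution is a simplified stand-in that rejects unexpected values instead of splicing them into the SQL text.

```python
import re
import sqlite3

# Armen's clause from the post above, with the context key spelled #AD_User_ID.
SQL_WHERE = ("(instr('@#User_Level@','C')<>0 OR C_BPartner.CreatedBy=@#AD_User_ID@"
             " OR C_BPartner.SalesRep_ID=@#AD_User_ID@)")

# Constructed sample rows: (C_BPartner_ID, Name, CreatedBy, SalesRep_ID)
ROWS = [(1, "Acme North", 100, 101), (2, "Borealis", 101, 102),
        (3, "Cobalt South", 100, 102), (4, "Delta", 102, 101)]

def parse_context(where, ctx):
    """Hypothetical, simplified stand-in for @variable@ substitution.

    Fails closed: an unresolved name or an unexpected value raises instead
    of being spliced into the SQL text.
    """
    def repl(match):
        name = match.group(1)
        if name not in ctx:
            raise KeyError(f"unresolved context variable {name}")
        value = str(ctx[name])
        # IDs must be digits; user level is assumed to be 3 chars of S/C/O/space.
        allowed = r"\d+" if name.endswith("_ID") else r"[SCO ]{3}"
        if not re.fullmatch(allowed, value):
            raise ValueError(f"rejected value for {name}: {value!r}")
        return value
    return re.sub(r"@(#?\w+)@", repl, where)

def visible_partners(ctx):
    """Return the C_BPartner_IDs the clause lets this login context see."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE C_BPartner (C_BPartner_ID INTEGER, Name TEXT,"
               " CreatedBy INTEGER, SalesRep_ID INTEGER)")
    db.executemany("INSERT INTO C_BPartner VALUES (?,?,?,?)", ROWS)
    sql = ("SELECT C_BPartner_ID FROM C_BPartner WHERE "
           + parse_context(SQL_WHERE, ctx) + " ORDER BY C_BPartner_ID")
    return [row[0] for row in db.execute(sql)]

if __name__ == "__main__":
    for level, user in (("  O", 101), ("  O", 102), (" C ", 100)):
        ctx = {"#User_Level": level, "#AD_User_ID": user}
        print(repr(level), user, visible_partners(ctx))
```

With these rows, an organization-level sales rep (user 101) sees only partners 1, 2 and 4, while a client-level login sees all four.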
Hi Armen!
That sounds like an interesting functionality.
I guess there is also a need for more security in the documents; for example, maybe a user should be able to complete a document, but not to cancel it or reactivate it.
Best Regards!
This topic sounded very familiar ... a little searching and I found this:
http://sourceforge.net/tracker/index.php?func=detail&aid=1566089&group_id=176962&atid=879333
It's a slightly more technical solution but offers the ultimate control.
Also, note the comment regarding the "approve own documents" change Victor made. Not sure if this is in the trunk but it would be easy enough to check!
colin
Dear ,
Thanks Armen for the solution.
However, looking at the long term functionality, is it possible to add a tab to document windows where we can add the users with different permissions? For example, for a quotation the concerned sales department and marketing head of the region can read and write but others do not have permission to see it. Once the order is materialized, accounts can see the complete purchase order. Procurement can see what all items have been ordered but not the commercial part.
Can somebody help me how to create such a tab on the windows to achieve it. It is important for us to implement it before adopting adempiere.
Best regards,
Amit
Hi Amit,
> Can somebody help me how to create such a tab on the windows to achieve it. It is important for us to implement it before adopting adempiere.
When you say help, do you mean free or paid help?
Kind regards,
Trifon
Hi ,
Any type of help will do.
However, looking at the problem I feel that it is due to missing functionality in the code. I believe it can easily be put in by adding a document level control tab on each window where the collaborators can be decided. The collaborators will have different permission levels, e.g. Read/Write. A window also has different tabs. These permissions should be for each tab to give higher control. The collaboration should also take place based on Role. The rules should apply along with the other security rules. For ease it should be possible to select everyone.
Kindly let me know what you think.
Best regards,
Amit
Hi Amit,
But why do you want to introduce a new tab in the document? I believe you can achieve this with simple customization / personalization of windows as per role (except complete / cancel as per role).
I think Armen's suggestion should be able to solve your problems.
Best Regards,
Sandeep.
Hi ,
What I am thinking of now is generic functionality in Adempiere and not for a specific document. As I said before, Armen's solution works fine. But that solves only part of the problem. Let me just take a few possible cases:
A) There may be a document that only specific people need to see. Even in the same role only a few people may be working on a specific project and/or may be authorized to see the document. Even in the project different people may be handling different subsystems and they may need to collaborate but not others. Some subteams may need to collaborate with teams of different projects, for example for FMEA etc.
B) A part of the document may be visible to some people. For example a purchase order will be completely visible to the sales representative, Sales Manager and Top management and accounts. However the items ordered should be visible to the planning team for the specific manufacturing unit.
The list goes on.
The long term problem with the current solution is that:
A) You need the system admin every time to change the preferences. This I believe should be possible to be done by the document owner or anybody who is authorized to do so.
B) Even if certain tabs are not visible to some people, the same information is generally available through other tabs. For example, the sales order tab was not available but the information was available through the business partner info window. The document level security should be independent of the view.
C) With every change of collaboration requirement there will be a considerable logic change that will have to go in.
D) From the user's point of view it is simpler to check and uncheck boxes than to go and change the logic every time. Changing logic every time can also be error prone.
What I am proposing is a new functionality in Adempiere for document level security. I will be more than happy to help in implementing it (if time permits me). And moreover these are the requirements which I could think of. We should start off with writing the specification for the functionality first.
What do you say?
Best regards,
Amit
Hi Amit,
Sorry for the delayed response. Please check out the Personal Lock functionality of Adempiere. In the user or role window you can activate the personal lock feature for a particular role or user.
This will show a yellow color icon on the toolbar. Probably this is the same option about which you are talking, as this gives the end user an option to limit the access of other users to that particular record.
Regards,
Sandeep.
Hi,
Thanks Sandeep. It solved the bigger part of the security issue. Collaboration is still an issue with this but I can live with it for now. Maybe it will be explored in future releases.
Best regards,
Amit
Hi All,
I know it is a very old post. But we are interested in the same functionality. Only the purchase department should be able to see the price.
Thank you very much in advance.
Best Regards,
Rahul.