Try ERPNext Buy Support Partners Foundation

How to generate security role report for employees?

For security audit purposes, how can I generate a role report by Employee for auditing?

Thanks,
Dale

Could you please elaborate what you would want to see in this report? Do you mean to say you want to see which documents the Employee role has access to? You can check this in the Role Permissions Manager. Filter out the Employee role and you will get the documents and level of access the employee has.

To see which document an individual employee has, check “View Permitted Documents” per user. Go to user list, select the user and click on the “View Permitted Documents”.

If you have a totally different requirement, please elaborate the same.

Hi Dale,

I’m guessing you want to evaluate these roles for segregation of duties purposes. Like one user should not be able to setup a Supplier, Set up an Address, Cut a check (or cheque).

If that’s what you want to do, I think it’s best to revamp the roles. Rather than use the out of the box roles, it may be better to create new ones and build the segregation of duties requirements from the ground up for these roles.

I was into audit, risk & information security in a previous avatar and I know that this could be a big thing for even for organizations with 10-15 users.

The other option is to use reports from Roles, Role Permissions, do a bit of analysis on Excel and then realign the roles as per your policy guidelines.

Hope this helps.

Thanks

Jay

This will need a Script report. I vaguely remember there is a table named HasRole that maps users to Roles. and then you map those users to Employees. But that would help you only map employees to roles. what else do you wish to do.

Yes @JayRam, this is exactly what I meant.

My envisioned use case is for an ERPNext services provider who has configured the system for a client, and before go-live the client’s accountant wants to review employee-role-permission assignment to have confidence there is appropriate separation of responsibility and authority - or at least that the shipping receiver can’t also create and approve POs :wink:

I understand a bottom-up correct-by-construction methodology will increase confidence in the result, but I fear would still be difficult to prove correctness to an auditor. I do wonder if I am overly concerned about this though, when in practice an auditor might do exactly that and just pick an employee at random to check.

@Michelle_Alva, I agree it is possible to inspect individual employees (i.e. spot-checking) but this seems very time consuming if needing to confirm all employees.

Thank you @root13F for your encouragement to investigate script reports. I had wanted to investigate script reports and now have added incentive. :wink:

1 Like

Hi Dale,

The default roles that ERPNext comes with addresses most of these level 1 issues. It’s the level 2 issues (and I am aware that there may not be too many SMBs that could worry about level 2 and beyond issues) where people authorized to do legitimate and required operations on the system manage to subvert the system. Like a person in the accounts department that is authorized to cut checks, can also make purchase invoices (and by that, because of the Update Stock check box, means that the user can technically receive material without any involvement by the stores/inventory team. Now if this person can also setup a supplier and can add an address to the supplier, you could envisage a smart person could setup her/his friend as a supplier, Make a Purchase Invoice, cut a cheque and have it sent to his friend’s address.

Like I said, most organizations may not worry so much about these things as in a SMB, trust is the most important currency.

But humor me for a moment, I imagine a complex spreadsheet, where the roles that are generated from the system, but like what is shown in the screen

is created, with the roles as both column and row labels - Like:

Purchase Invoice Read
Purchase Invoice Write
Purchase Invoice Create
Purchase Invoice Delete
Purchase Invoice Submit…

and you can flag the toxic combinations that are avoidable.

Like Purchase Invoice Create and Supplier Create could be a Level 1 Toxic Combination. Purchase Invoice Create and Payment Entry Submit could be a Level 1 Toxic Combination
Purchase Invoice Create and Payment Entry Create could a Level 2 Toxic Combination

So, at a very complicated level, when the time is ripe, I envision defining these toxic combinations on an ERPNext or Frappe app and then pressing a button and an issue is raised for all the toxic combinations that exist within the various roles defined on the system. The organization is given time to resolve these issues and the compliance calibrator is run every week to see if progress is being made.

I was a Sarbanes Oxley auditor in the US many, many years back. This is exactly what I’d have wanted then.

Thanks

Jay

1 Like