Is the new permission system better or worse?

Hi,

I believe the reason for changing the permission system in ERPNext (V11+) is to make things better but so far, we don’t seem to be noticing any of those advantages. Instead, things seem more complicated with more issues! Some of the key issues I’ve encountered so far:

  1. A loophole seems to exist where failing to specify a user permission allows users to view all entries of a doctype. A notable example of this is how all employees can view all salary slips of ALL other employees once you upgrade from V10! I already suggested in another post that there should be a way to specify that a user should not have access to documents unless he/she has a user permission for that doctype.

  2. It’s VERY cumbersome managing doctypes that apply to all (or a large number of) Employees. Take for example, I have a new doctype where all users with ‘Employee’ role should only see the records where their Employee ID is selected. We have to manually create a user permission record for a great number of employees! Why? …because of the next point below:

  3. In the User Permissions, we cannot use the generic ‘Apply to All Document Types’ option (especially for the Employee DocType) for a great deal of users because they need access to certain documents for their entire unit, department, or company. This leads to the unbundling of their permissions thereby creating several user permission records for each employee and making the whole system look pretty confusing and complicated. It also means, as mentioned in issue no. 2 above, that adding user permissions for any additional documents needs to be done individually for all these users else you run the risk of falling into the loophole mentioned in issue no. 1 above!

In the former permission system, all you had to do was specify access to ‘DocType A’ for ‘Role B’ if ‘DocTypes C, D, E’ are permitted for the user… so much easier and less complicated!

Could anyone please explain to me what exactly are the gains (in practice, not theory) of the new permission system over the former and how they deal with the issues listed above? I’m really struggling to make sense of the current permission system.

@Chude_Osiegbu @olamide_shodunke @szufisher I’m tagging you guys cos we’ve had some interactions on permission matters in the past… Pls help me here!

Thanks
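
The gap described in points 1 and 3 above can be modelled and audited outside the system. This is an added example, not part of the original posts and not Frappe/ERPNext code; the record fields (`user`, `allow`, `for_value`, `apply_to_all_doctypes`, `applicable_for`), the sample users and slips, and the `default_deny` switch are assumptions constructed for illustration.

```python
# Added illustration: a simplified model, not Frappe/ERPNext source code.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UserPermission:
    user: str
    allow: str                            # restricted link doctype, e.g. "Employee"
    for_value: str                        # the one record the user may see
    apply_to_all_doctypes: bool = True
    applicable_for: Optional[str] = None  # single target doctype when unbundled


def allowed_values(perms, user, link_doctype, target_doctype):
    """Permitted link values for user on target_doctype, or None if nothing restricts."""
    values = {
        p.for_value for p in perms
        if p.user == user and p.allow == link_doctype
        and (p.apply_to_all_doctypes or p.applicable_for == target_doctype)
    }
    return values or None


def visible(docs, perms, user, target_doctype, default_deny=False):
    """Documents the user sees; default_deny models the behaviour requested in point 1."""
    allowed = allowed_values(perms, user, "Employee", target_doctype)
    if allowed is None:
        return [] if default_deny else list(docs)  # no record means no filter
    return [d for d in docs if d["employee"] in allowed]


def unrestricted_users(users, perms, link_doctype, target_doctype):
    """Audit: users holding the role but with no record that narrows target_doctype."""
    return sorted(u for u in users
                  if allowed_values(perms, u, link_doctype, target_doctype) is None)


# Constructed sample data (hypothetical users and records).
USERS = ["alice", "bob", "carol"]
PERMS = [
    UserPermission("alice", "Employee", "EMP-0001"),
    # bob's permissions were unbundled (point 3) and Salary Slip was never added
    UserPermission("bob", "Employee", "EMP-0002", False, "Leave Application"),
]
SLIPS = [{"name": "SLIP-1", "employee": "EMP-0001"},
         {"name": "SLIP-2", "employee": "EMP-0002"},
         {"name": "SLIP-3", "employee": "EMP-0003"}]

if __name__ == "__main__":
    print(unrestricted_users(USERS, PERMS, "Employee", "Salary Slip"))
```

Running the audit per sensitive doctype after an upgrade, or after adding a new doctype, lists the users who would fall through to full visibility.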

@wale,
So far, I see permissions are still a hot topic among the community members, but my refactor of the user permission based on SAP’s authorization object concept is never a small and simple change to the core. Unfortunately, no one is really prepared to adopt my solution in a self-hosted system, so there is little or no chance of having it accepted and merged into the core, because the core team requested that any major/big changes be tested in customers’ live systems.

I am now working on my own system, which already includes the refactored solution; it will take a very long time to prove it production-ready.

Back to your issue/concern: as of now, in my opinion, based on the current design, there is no easy solution.

Hi @szufisher

Thanks for your response. I know the permission system in ERPNext is still grossly lacking, especially when you need to grant multiple levels of access to the same document. I would, however, specifically like to know what the advantage (in practice) of the current permission system (V11+) over the previous one (V10) is.

Currently, I am not seeing any advantage… it seems less efficient and more complicated for no clear reason!

Thanks