In version 3, we were able to use a condition to define a permission. For example, in version 3, one can add a Read permission on the Employee doctype for the "Department Head" role with the condition "Department in Employee matches User Property department." This gives the department head read access over all employees from the same department. When a new employee gets added to the same department, the department head is automatically able to see this new employee. How do you achieve the same in version 4?
Kind regards, Mayur Patel
–
You received this message because you are subscribed to the Google Groups "ERPNext User's Forum" group.
On 21-Aug-2014, at 7:22 PM, Mayur Patel <ma...@gmail.com> wrote:
Hi There,
In version 3, we were able to use a condition to define a permission. For example, in version 3, one can add a Read permission on the Employee doctype for the "Department Head" role with the condition "Department in Employee matches User Property department." This gives the department head read access over all employees from the same department. When a new employee gets added to the same department, the department head is automatically able to see this new employee. How do you achieve the same in version 4?
Pretty much the same way. In version 4 user property is "user permission".
You also have to check "apply user permissions" where you want the rules to apply. For eg in leave application.
I am also the one who feels like Alice in Wonderland with regard to permissions in v4.
I am still to understand what purpose the v4 permissions solve more than the ones we had in v3.
I think a better thing would be to have 2 or 3 examples written out for permissions manager, since long I have been trying to make some permissions for my sales persons where we could limit them dynamically based on the sales person, and then if a sales person is able to see a customer then he/she must be able to see that customer's transactions, if they have been given access to the transactions. I know I have been asking for the long shots but I guess that would make the system a great one to say the least.
I think a better thing would be to have scenarios explained by customers where we could see which cases are not possible in the current permission manager.
On Thursday, August 21, 2014 8:51:26 PM UTC+5:30, Rushabh Mehta wrote:
@rushabh_mehta
via mobile
Pretty much the same way. In version 4 user property is "user permission".
You also have to check "apply user permissions" where you want the rules to apply. For eg in leave application.
On Thursday, August 21, 2014, Addy <ad…@gmail.com> wrote:
Hi Rushabh,
I am also the one who feels like Alice in Wonderland with regard to permissions in v4.
I am still to understand what purpose the v4 permissions solve more than the ones we had in v3.
I think a better thing would be to have 2 or 3 examples written out for permissions manager, since long I have been trying to make some permissions for my sales persons where we could limit them dynamically based on the sales person, and then if a sales person is able to see a customer then he/she must be able to see that customer's transactions, if they have been given access to the transactions. I know I have been asking for the long shots but I guess that would make the system a great one to say the least.
I think a better thing would be to have scenarios explained by customers where we could see which cases are not possible in the current permission manager.
User permissions from 3 to 4 are not that different, it just might take a little getting used to. The main differences are:
1. Instead of "fieldname", permissions are now set on values of link fields (like Territory or Company) (which is more correct IMO)
2. Links are automatically validated, if user permissions are applied (Ideal for restricting documents by Company, Territory, Department, which are the most common use cases).
It seems that permissions in version 4 don't seem to work for us. Or it may not have been set up correctly. We migrated a copy of our production ERPNext server to version 4 using the migration script. We noticed the following issues:
In version 3 we have the following:
- For a role called "HR User" we set up role permission to allow them to see all the employees in the departments they are assigned to via user property 'Department'.
- For a role called 'PO user' we set up permission to allow them to see all the POs for the companies they have been assigned to via user property 'Company'. We have 6 companies in our instance. Some PO Users have been assigned to multiple companies via user property 'Company'.
- There is a user called Alison, who has been assigned the HR User role and also the PO user role. We have assigned 'Project' and 'Operation' departments to her department User Property. We have assigned YPL and SM companies via company User Property.
- In HR Module, on Employee screen she sees all the employees from the departments Project and Operation.
- She is able to see all POs from both YPL and SM.
- Please note that we have customised Purchase Order screen to include Department custom field. It gets automatically filled based on user's default department when they create a PO. We use this department fill for reporting and also for restricting its access for certain users.
In Version 4 (after migration):
- HR User has been set up with "apply user permissions" checked.
- PO User has been set up with "apply user permissions" checked.
- Alison can see all the employees that are part of her departments. Same as version 3.
- Alison is only able to see POs from her departments rather than for the companies she is assigned to. I think this is happening because the system is applying department user permission as it is defined for this user. How do we resolve this? Please note that Department field is a custom field that is set up on the Purchase Order doctype and it is needed. It can't be taken off.
Also we notice that in version 3, Alison has only one record for employee property type, but in version 4, there are multiple records for Employee user permission. Why is this?
Kind regards, Mayur Patel
On 22-Aug-2014, at 3:37 pm, Mayur Patel <ma...@gmail.com> wrote:
Thanks Rushabh, Anand, Aditya and Sunil.
It seems that permissions in version 4 don't seem to work for us. Or it may not have been set up correctly. We migrated a copy of our production ERPNext server to version 4 using the migration script. We noticed the following issues:
In version 3 we have the following:
- For a role called "HR User" we set up role permission to allow them to see all the employees in the departments they are assigned to via user property 'Department'.
- For a role called 'PO user' we set up permission to allow them to see all the POs for the companies they have been assigned to via user property 'Company'. We have 6 companies in our instance. Some PO Users have been assigned to multiple companies via user property 'Company'.
- There is a user called Alison, who has been assigned the HR User role and also the PO user role. We have assigned 'Project' and 'Operation' departments to her department User Property. We have assigned YPL and SM companies via company User Property.
- In HR Module, on Employee screen she sees all the employees from the departments Project and Operation.
- She is able to see all POs from both YPL and SM.
- Please note that we have customised Purchase Order screen to include Department custom field. It gets automatically filled based on user's default department when they create a PO. We use this department fill for reporting and also for restricting its access for certain users.
In Version 4 (after migration):
- HR User has been set up with "apply user permissions" checked.
- PO User has been set up with "apply user permissions" checked.
- Alison can see all the employees that are part of her departments. Same as version 3.
- Alison is only able to see POs from her departments rather than for the companies she is assigned to. I think this is happening because the system is applying department user permission as it is defined for this user. How do we resolve this? Please note that Department field is a custom field that is set up on the Purchase Order doctype and it is needed. It can't be taken off.
On the department field, for the Role PO User, check "Ignore User Permissions"
Also we notice that in version 3, Alison has only one record for employee property type, but in version 4, there are multiple records for Employee user permission. Why is this?
Could be an issue with the patch... There should be only one record.
I think one option may be to check "Ignore User Permissions" for Department field for Purchase Order doctype, right?
Could you please still answer the 2nd question? See below.
We notice that in version 3, Alison has only one record for employee property type, but in version 4, there are multiple records for Employee user permission. Why is this?
Kind regards, Mayur Patel
On 22-Aug-2014, at 3:42 pm, Mayur Patel <ma...@gmail.com> wrote:
Hi Again,
I think one option may be to check "Ignore User Permissions" for Department field for Purchase Order doctype, right?
Could you please still answer the 2nd question? See below.
We notice that in version 3, Alison has only one record for employee property type, but in version 4, there are multiple records for Employee user permission. Why is this?
Are they any different? Please raise a GH issue for this.
I read that article multiple times before starting this topic. If I check "Ignore User Permissions" for Department field for Purchase Order doctype then it will completely ignore user permission. As I mentioned in my earlier post, we use this department fill for reporting and also for restricting its access for certain users. We have another role called "Department PO User" for these users. We have set up this role to restrict their access to POs from only their department. So if we ignore permission on the Department field then it will not work for these users. Any suggestions?
Kind regards, Mayur Patel
Well, if the user has any one permission (via Company or Department) then the document should be visible.
@Anand can you verify if the restrictions are applied as AND or OR?
On 22-Aug-2014, at 4:02 pm, Mayur Patel <ma...@gmail.com> wrote:
Hi Rushabh,
I read that article multiple times before starting this topic. If I check "Ignore User Permissions" for Department field for Purchase Order doctype then it will completely ignore user permission. As I mentioned in my earlier post, we use this department fill for reporting and also for restricting its access for certain users. We have another role called "Department PO User" for these users. We have set up this role to restrict their access to POs from only their department. So if we ignore permission on the Department field then it will not work for these users. Any suggestions?
On Friday, 22 August 2014 11:28:32 UTC+1, Rushabh Mehta wrote:
Are they any different? Please raise a GH issue for this.
Yes, they are different. I have added an issue in GH. https://github.com/frappe/frappe-bench/issues/25.
Kind regards, Mayur Patel
Nice to see I'm not the only one who noticed this issue : )
As shown in my thread on this same issue, the fundamental problem with the permission manager in version 4 is that it doesn't allow specific roles to override user permissions (unless you ignore the permissions altogether, which is usually unacceptable).
Version 3 handled this better because you could just set a matching condition for a role and that would automatically give users with that role access to all the docs in the list that matched their respective user permissions.
The best solution that was offered (which I believe is currently being worked on) is to allow ignoring of user permissions for specific roles. In Mayur's case for example, ignoring user permissions on the Department field for role PO User should solve the problem.
Cheers!
Kind regards, Olawale
From: Anand Doshi
Sent: Friday, August 22, 2014 12:52 PM
To: er...@googlegroups.com
Reply To: er...@googlegroups.com
Subject: Re: [erpnext-user-forum] Permission in Version 4
They are AND
A user will be restricted for Company in (X, Y) and Department in (A, B, C)
-Anand.
Sent from my phone
On 22-Aug-2014, at 16:53, Mayur Patel <ma...@gmail.com> wrote:
Hi Rushabh,
I think they are AND. But we will wait for Anand to confirm it.
Kind regards, Mayur Patel
Trust you're doing great. Not so sure that's a good idea. Check out the following scenario:
- An employee is restricted to seeing only his employee form because he has his Employee ID defined in his user properties
- Same employee also has Department defined in his user properties so that the department field is automatically populated and marked when he raises a document (as in Mayur's example)
- If restrictions are set to OR then it means that this employee (and every other employee who has Department defined in their user properties) will be able to view employee forms for everyone in his department!
Best solution is still ability to ignore user permissions on fields for specific roles (IMO)
Cheers!
Kind regards, Olawale
From: Rushabh Mehta
Sent: Friday, August 22, 2014 1:52 PM
To: er...@googlegroups.com
Reply To: er...@googlegroups.com
Cc: er...@googlegroups.com
Subject: Re: [erpnext-user-forum] Permission in Version 4
Maybe we should make it OR, it might fix a lot of issues.
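Added example (not part of the original thread and not Frappe/ERPNext code): a small Python model of the AND-versus-OR question discussed above, using Alison's Company and Department assignments from Mayur's post and Olawale's employee scenario. The function names, the `ignore_fields` parameter, the company "OTHER", the department "Finance" and all document names are assumptions made for the illustration.

```python
# Simplified model of the restriction semantics debated in this thread.
# Added illustration only; this is not Frappe/ERPNext code.

def is_visible(doc, user_perms, mode="AND", ignore_fields=()):
    """Return True if `doc` passes the user's link-field restrictions.

    doc           -- dict of link field -> value on the document
    user_perms    -- dict of link field -> set of values the user is allowed
    mode          -- "AND": every restricted field must match
                     "OR":  one matching field is enough
    ignore_fields -- fields whose restriction is skipped for the user's role
    """
    checks = [
        doc[field] in allowed
        for field, allowed in user_perms.items()
        if field in doc and field not in ignore_fields
    ]
    if not checks:  # no restriction applies to this document
        return True
    return all(checks) if mode == "AND" else any(checks)


def visible_names(docs, user_perms, **kwargs):
    """Names of the documents the user can see under the given semantics."""
    return [d["name"] for d in docs if is_visible(d, user_perms, **kwargs)]


# Constructed sample data. YPL, SM, Project and Operation come from the
# thread; "OTHER", "Finance" and every document name are made up.
PURCHASE_ORDERS = [
    {"name": "PO-1", "Company": "YPL", "Department": "Project"},
    {"name": "PO-2", "Company": "YPL", "Department": "Finance"},
    {"name": "PO-3", "Company": "SM", "Department": "Operation"},
    {"name": "PO-4", "Company": "OTHER", "Department": "Project"},
]
ALISON = {"Company": {"YPL", "SM"}, "Department": {"Project", "Operation"}}

# Olawale's scenario: own Employee ID plus a Department default.
EMPLOYEES = [
    {"name": "EMP-1", "Employee": "EMP-1", "Department": "Project"},
    {"name": "EMP-2", "Employee": "EMP-2", "Department": "Project"},
    {"name": "EMP-3", "Employee": "EMP-3", "Department": "Operation"},
]
SELF_SERVICE = {"Employee": {"EMP-1"}, "Department": {"Project"}}

if __name__ == "__main__":
    print("PO, AND:", visible_names(PURCHASE_ORDERS, ALISON))
    print("PO, AND, Department ignored:",
          visible_names(PURCHASE_ORDERS, ALISON, ignore_fields=("Department",)))
    print("PO, OR:", visible_names(PURCHASE_ORDERS, ALISON, mode="OR"))
    print("Employee, AND:", visible_names(EMPLOYEES, SELF_SERVICE))
    print("Employee, OR:", visible_names(EMPLOYEES, SELF_SERVICE, mode="OR"))
```

Under AND, Alison loses PO-2 (her company, another department); ignoring Department for her role restores it without exposing PO-4. Under OR she also sees PO-4 from a company she is not assigned to, and the self-service employee sees EMP-2's form.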