Try ERPNext Buy Support Partners Foundation

[Permission Refactor Proposal]create/change documents of company A, read documents of company A and B, Row level action(create/write/read) wise permission control

Problem
Current permission control is mainly on following 3 levels

  • role: doctype (table) level
  • user permission: document (record) level
  • permission level: field level

No permission(create/write/read…) defined in user permission, system applied permissions(read/write…) from all assigned roles on target doctype for filtered documents( allowed value) in user permission. so it is not possible to restricted user to create and change documents of company A, while allow the same user to read access to documents of both company A and B.

Typically in order to control data quality and promote data sharing, it is very common in business world to restrict user create/change permission on documents of his/her own organization(company) and allow the same user read access to other organizations.

Proposed solution

  1. add document relevant permissions(create/write/read…) fields into User Permission DocType,

  2. change user_permission.get_user_permissions function: add ptype parameter with default value read

def get_user_permissions(user=None, ptype =‘read’)

in this function retrieve the allowed value per ptype(permission)

  1. change permissions.has_user_permission, to pass the ptype parameter to get_user_permission

  2. change permissions.get_doc_permissions function to retrieve the restricted value from User Permissions by ptype and apply it to the where condition.

Already tested the above solution in my local instance, here I would like to check with community

  1. whether this feature is really needed?
  2. whether the above propose solution is acceptable?

Further Thought
Assigning allowed values to each user via user permission will be tedious if so many users to be assigned different values. SAP’s approach is assigning the org levels(Allowed doctype and value in user permission) to each role, in other words, there will be multiple different roles assigned to same set of DocTypes but different org levels. the user’s allowed values(Org Level) is derived from the roles assigned. I am also considering this approach in ERPNext.

What do you think?

Any feedback are welcomed. based on the feedback I will decide to whether and when to initiate the PR.

A little bit background
My previous PR https://github.com/frappe/frappe/pull/6582 user permission refactor which simulates SAP logic had been rejected long time ago because it makes too big changes to the existing framework, it is somewhat too complicated, this proposal seems more aligned within the existing framework.

2 Likes

I like the idea and might need this feature.

Some idea, maybe if we can incorporate a function in user permission to define whether we want to overwrite the permission(create/update,etc) or just follow the doctype/role permission.

Regards,
Subhajit

Thanks for your feedback, for the above idea, can you explain a little bit with examples?

Something like this.
Before the permissions checkboxes column (read,write,etc), there is a another checkbox (Label : Overwrite perhaps).

User : A
Allow : Company
Company : ACME
Overwrite : Yes
(And below fields are only shown when Overwrite = Yes)
Read : 1
Write : 0
.
So with this additional checkbox, if we want to use the default permissions from Role Permission Manager, just set Overwrite = No

Hope this clear enough