Problem
Current permission control is mainly on the following 3 levels:
- role: doctype (table) level
- user permission: document (record) level
- permission level: field level
No permission (create/write/read…) is defined in User Permission; the system applies the permissions (read/write…) from all assigned roles on the target doctype to the filtered documents (allowed values) in User Permission. So it is not possible to restrict a user to creating and changing documents of company A while allowing the same user read access to documents of both company A and B.
Typically, in order to control data quality and promote data sharing, it is very common in the business world to restrict a user's create/change permission to documents of his/her own organization (company) and allow the same user read access to other organizations.
Proposed solution
- add document-relevant permission (create/write/read…) fields to the User Permission DocType,
- change the user_permission.get_user_permissions function: add a ptype parameter with default value read
  def get_user_permissions(user=None, ptype='read'):
  in this function, retrieve the allowed values per ptype (permission)
- change permissions.has_user_permission to pass the ptype parameter to get_user_permissions
- change the permissions.get_doc_permissions function to retrieve the restricted values from User Permissions by ptype and apply them to the where condition.
I have already tested the above solution in my local instance; here I would like to check with the community
- whether this feature is really needed?
- whether the above proposed solution is acceptable?
Further Thought
Assigning allowed values to each user via User Permission will be tedious if many users have to be assigned different values. SAP's approach is to assign the org levels (allowed doctype and value in User Permission) to each role; in other words, there will be multiple different roles assigned to the same set of DocTypes but with different org levels. The user's allowed values (org level) are derived from the roles assigned. I am also considering this approach in ERPNext.
What do you think?
Any feedback is welcome. Based on the feedback I will decide whether and when to initiate the PR.
A little bit of background
My previous PR https://github.com/frappe/frappe/pull/6582 (user permission refactor), which simulates SAP logic, was rejected a long time ago because it made too big changes to the existing framework and was somewhat too complicated; this proposal seems more aligned with the existing framework.
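The per-ptype lookup from the proposed solution, as an added sketch that is not part of the original post and is not Frappe code. The sample users, roles, records, the `LINK_FIELDS` map and the `has_permission` helper are constructed for illustration; `get_user_permissions` only borrows the name and the `ptype` parameter from the post. It also covers the case where a user has records for a doctype but none granting the requested ptype, which has to mean "deny", not "unrestricted".

```python
# Simplified model of the proposal; not Frappe code. All data is constructed.
PTYPES = ("read", "write", "create")

# Doctype-level grants from roles (unchanged by the proposal).
ROLE_PERMS = {"Accounts User": {"Sales Invoice": {"read", "write", "create"}}}
USER_ROLES = {"alice": {"Accounts User"}, "bob": {"Accounts User"}}

# User Permission records with the proposed per-permission flags.
USER_PERMISSIONS = [
    {"user": "alice", "allow": "Company", "for_value": "Company A",
     "read": 1, "write": 1, "create": 1},
    {"user": "alice", "allow": "Company", "for_value": "Company B",
     "read": 1, "write": 0, "create": 0},
    {"user": "bob", "allow": "Company", "for_value": "Company B",
     "read": 1, "write": 0, "create": 0},
]

# Link fields of the target doctype: fieldname -> linked doctype.
LINK_FIELDS = {"Sales Invoice": {"company": "Company"}}


def get_user_permissions(user, ptype="read"):
    """Return {linked doctype: allowed values for ptype}.

    A doctype the user has any record for stays in the result even when no
    record grants ptype, so an empty set means "deny all", not "unrestricted".
    """
    if ptype not in PTYPES:
        raise ValueError(f"unknown ptype: {ptype}")
    allowed = {}
    for rec in USER_PERMISSIONS:
        if rec["user"] == user:
            values = allowed.setdefault(rec["allow"], set())
            if rec.get(ptype):
                values.add(rec["for_value"])
    return allowed


def has_permission(user, doctype, doc, ptype="read"):
    """Role check at doctype level, then user-permission check per ptype."""
    roles = USER_ROLES.get(user, ())
    if not any(ptype in ROLE_PERMS.get(r, {}).get(doctype, ()) for r in roles):
        return False
    allowed = get_user_permissions(user, ptype)
    return all(doc.get(field) in allowed[linked]
               for field, linked in LINK_FIELDS.get(doctype, {}).items()
               if linked in allowed)
```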