
Role permission for specific doctype?

Is there a plan to implement something “User Permission”-like, but based on the role?

For example, we can set a user permission for a single account or any single doctype…
We need to scale this out and be able to set this permission on the role, not only on the user.

Is this feasible to do, or is there anything that achieves something similar?
Hope someone replies.

Hi @michaeleino,
Not sure if I get your requirements in detail, but I think we have a similar requirement, so let me share how we solved it based on what’s included in ERPNext:

First of all:

For all users, we will have a combination of “Technical User Roles” (managed within the “User”) as well as “Business Roles” (managed within each user's Contact):

  • Technical roles allow access to the system and specify what parts/modules of the application can be accessed and what can be done.
  • The Business roles applied to a user's Contact define business-related attributes.
  • Based on both, we make use of DocShares and empty User Permissions to grant read/write access to specific documents.

Maybe that idea will help for your requirements, too?

Hello @Patrick.St thanks for your reply :slight_smile:
I’ve just taken some time to dig into what DocShares are in versions 12/13, but can’t find any definition for it :thinking: I can understand up to the first bullet, but the rest is beyond me :worried:

For my requirement, here is an example:
I have 3 users that should have access to 5 specific accounts with numbers in the CoA, for ex. (1100, 1200, 1500, 5100, 5200).
I want to create a Role to access those accounts -“Just like when you create a user permission to allow access for each user to each account”- and assign this role to the 3 users.

The benefit here: instead of creating 5 permissions for 3 users = 15 specific permissions
-painful at scale and when changing users' permissions, right?-
I would create 1 role and 1 allow permission for this role… then add the N users to this role.

Hope this is clearer now :smiley:

Hi @michaeleino,
see this introduction: https://docs.erpnext.com/docs/user/manual/en/setting-up/users-and-permissions/sharing
Based on Shares you can define on document level which user can read/write/delete/share. In contrast to UserPerm it is “more granular”, but UserPerm would allow you to also manage the access based on the links within a DocType.

Ok, now I get your requirements. As far as I understand, there is no out-of-the-box solution as you are describing. Depending on whether you want to manage access for only one specific document or also for nested/linked documents, I would go ahead with Shares or UserPerms.
As it would be very hard to keep track of the permissions (share or userperm), I would suggest extending the given methods / creating a wrapper which gets the group as a parameter and manages “internally” the users that are part of that group.
Sure, in the end it is what you don’t want to have - many permissions. But why not? Validating permissions is fast.

@michaeleino check for permission_query_conditions
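As an added illustration of the hook just mentioned (this is example code, not from anyone in the thread and not ERPNext's own), here is what a role-based filter on the Account doctype could look like. Frappe's `permission_query_conditions` hook appends a SQL fragment to list/report queries, and the `has_permission` hook decides access to a single document; both must be implemented, because the query condition alone does not stop a user from opening an Account by name. The role names, the account numbers, the app name `my_app` and the "Accounts Manager" bypass are constructed assumptions; `Account.account_number`, `frappe.get_roles` and `frappe.db.escape` are real Frappe/ERPNext names.

```python
# Added example (not from the thread): role-based Account filtering via Frappe's
# permission_query_conditions / has_permission hooks. Role names, account numbers,
# the "Accounts Manager" bypass and the app name are constructed assumptions.
from typing import Callable, Dict, Iterable, List, Optional, Set

# Hypothetical mapping: which account numbers each "business" role may see.
# In a real app this would live in a custom DocType, not a constant.
ROLE_ACCOUNT_NUMBERS: Dict[str, List[str]] = {
    "Accounts Group A": ["1100", "1200", "1500", "5100", "5200"],
    "Accounts Group B": ["2100", "2200"],
}
BYPASS_ROLE = "Accounts Manager"  # assumption: this role sees every account


def allowed_account_numbers(roles: Iterable[str],
                            mapping: Dict[str, List[str]] = ROLE_ACCOUNT_NUMBERS) -> Set[str]:
    """Union of the account numbers granted by any of the user's roles."""
    allowed: Set[str] = set()
    for role in roles:
        allowed.update(mapping.get(role, []))
    return allowed


def _quote(value: str) -> str:
    """Stand-alone fallback quoting; in production pass frappe.db.escape instead."""
    return "'" + str(value).replace("\\", "\\\\").replace("'", "''") + "'"


def build_account_condition(roles: Iterable[str],
                            escape: Optional[Callable[[str], str]] = None,
                            mapping: Dict[str, List[str]] = ROLE_ACCOUNT_NUMBERS) -> str:
    """SQL fragment that Frappe ANDs onto every list query on `tabAccount`.

    Empty string = no extra restriction (bypass role).
    "1=0"        = matches nothing, so a user with no mapped role sees an
                   empty list rather than everything (fail closed).
    Every value goes through `escape` so numbers are never interpolated raw.
    """
    roles = list(roles)
    if BYPASS_ROLE in roles:
        return ""
    escape = escape or _quote
    numbers = sorted(allowed_account_numbers(roles, mapping))
    if not numbers:
        return "1=0"
    return "`tabAccount`.`account_number` in ({})".format(
        ", ".join(escape(n) for n in numbers))


def document_allowed(account_number: str, roles: Iterable[str],
                     mapping: Dict[str, List[str]] = ROLE_ACCOUNT_NUMBERS) -> bool:
    """Per-document decision used by the has_permission hook."""
    roles = list(roles)
    if BYPASS_ROLE in roles:
        return True
    return account_number in allowed_account_numbers(roles, mapping)


# --- Frappe-facing hook functions, referenced from hooks.py of the assumed app:
#   permission_query_conditions = {"Account": "my_app.permissions.account_query_conditions"}
#   has_permission = {"Account": "my_app.permissions.account_has_permission"}

def account_query_conditions(user=None, doctype=None):
    import frappe  # imported lazily so the pure functions above run without a bench
    user = user or frappe.session.user
    return build_account_condition(frappe.get_roles(user), escape=frappe.db.escape)


def account_has_permission(doc, ptype=None, user=None):
    import frappe
    user = user or frappe.session.user
    # Returning False denies even if role permissions on the DocType would allow it.
    return document_allowed(doc.account_number, frappe.get_roles(user))
```

Adding a user to "Accounts Group A" in the Role assignment is then the only change needed to grant those five accounts, which is the scaling the question asks for; the check itself is evaluated on every query, so it stays as fast as the "many permissions" approach.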


We would like it to be grouped based on doctype and “doc/nested doc” :smiley:, so we would add users to those specific “roles”.

I can’t utilize the DocShares; they are based on a single Doc, AFAIK.

This is the SAP approach: each role is assigned some filter conditions such as company A, order type Xx etc.; in SAP these filter fields are called org levels. I tried to implement the SAP permission approach 3 years ago; due to its complexity it was not accepted.

2 Likes

Oh wow, I wasn’t aware of that. I also have a long/strong background, especially in SAP CRM (and therefore, for sure, its auth./perm. approach).
As described before, we make heavy use of DocShares, query_conditions, UserPerms and the technical/business roles right now. It is working well, while it is not ideal, as it is hard to maintain/extend. Therefore we will evaluate what you did in that PR and check its compatibility with v13.

Have you ever made use of your PR in a production environment or did it never pass the development/ conceptual level?

Never fully tested, only my personal testing. Hopefully you can adapt it, and I would like to contribute as needed.