
Recording access security rules

Currently, with our configuration, there are two warehouses available in the Dress organization. These are:

  1. 1st Dress W/h
  2. 2nd Dress W/h

By default, all users that have access rights to the Dress organization will be free to access these warehouses.

Suppose we have a requirement that user Moses may access 2nd Dress W/h only. Is that possible?

ADempiere has a feature to block users from accessing information in certain records. With this feature, the locking process is applied based on a Role, and not on a certain user ID.

Enabling Personal Lock

There are some prerequisite activities required in order to be able to block access to certain records. This activity defines which Role has the rights to block access.

In our example, we will give the default Sistematika Fashion, Ltd Admin role this right. Log in with user ID admin, select Sistematika Fashion, Ltd Admin as the role. Open the Role window, and access the Role tab. Point your active records to Sistematika Fashion, Ltd Admin, and then find and select the Personal Lock checkbox, as shown in the following screenshot:

ADempiere 3.4 ERP Solutions

Once the personal lock is enabled, if you are logged in as user ID admin and have Sistematika Fashion, Ltd Admin as the active Role, every ADempiere window you open will show an additional Private Record Lock toolbar button, as shown in the following screenshot:


Blocking access to certain records

To meet the previous requirement, we will block any user ID that connects with the Restricted Access role from accessing the 1st Dress W/h warehouse.

This can be done by using the following procedure:

  1. Open the Menu | Material Management | Material Management Rules | Warehouse & Locators window.
  2. In the Warehouse tab, find your 1st Dress W/h record. Press the Ctrl key, and then click on the Private Record Lock button at the same time.
  3. In the upcoming Record Access Dialog confirmation window, set the following information:
    • Set the Role field to Restricted Access (pick from the options available)
    • Select the Active checkbox
    • Select the Exclude checkbox

The following screenshot shows the completed window:


Finalize the process by clicking on the OK button.

Log in with user ID Moses and password 123456, using Restricted Access as the role, and Dress as the organization. Open the Purchase Order window, and try to create a new document. Take a closer look at the available options in the Warehouse field. Now, it will only list 2nd Dress W/h, as shown in the following screenshot:


Restoring access to certain blocked records

There are two ways to restore user rights to certain blocked records.

First, if you know the blocked records and the Role to which these records are blocked (in our case, 1st Dress W/h with Restricted Access), then you can open the Warehouse & Locators window, find your 1st Dress W/h record, press the Ctrl key, and then click on the Private Record Lock button. In the upcoming Record Access Dialog confirmation window, make sure that you set the Role to Restricted Access, and then click on the Delete record button.

The Delete record button is a green recycle button on the right-hand side of the Dependent Entities checkbox.

Second, you can open the Menu | System Admin | General Rules | Security | Role Data Access window. Select the role that needs to be maintained in the Role tab. In our case, this is the Restricted Access role.

Navigate to the Record Access tab. This tab will contain all of the record restriction configuration. This is a sample record format, which contains blocking information for certain records, as shown in the following screenshot:


Click on the Record ID button, to check what kind of record information is currently blocked. On confirmation, you can press the F3 key to delete this record, and the access rights to this information will be restored.

Using Dependent Entities

With the previous record access lock in place, a user connected to the ADempiere system using the Restricted Access role cannot use 1st Dress W/h as the target warehouse when working with a new document (such as Purchase Order, Material Receipt, and so on). However, they will still be able to access any existing document that references 1st Dress W/h as part of its warehouse information.

If you need to hide or restrict access to any document that has 1st Dress W/h as part of its document information, you can select the Dependent Entities checkbox.

Working with Role Data Access in detail

In the Menu | System Admin | General Rules | Security | Role Data Access window, we can define an access right on both the ADempiere database table and column, which is registered in the ADempiere Application Dictionary. We will elaborate on a sample use of this data access in the subsequent sections.

Restricting Table access

Suppose that you need to grant access to a role that can only read or view the Material Receipt window and cannot add or alter any information in this window. With User ID admin and using Sistematika Fashion, Ltd Admin as the role, you need to perform the following steps:

  1. Find the document’s target table. You can get this information by opening the Material Receipt window and clicking on Record Info. In this case, the table name is M_InOut.
  2. Open the Role Data Access window, set your target role (for example, Restricted Access) in the Role tab, and then navigate to the Table Access tab. Enter and then save the following information:
    • Set the Table field to M_InOut (on the screen, it will show as M_InOut_Shipment/Receipt)
    • Select the Exclude checkbox
    • Set the Access Type field to Accessing
    • Select the Read Only checkbox

With this configuration, if the user is connected to the ADempiere system using the Restricted Access role, on opening their Material Receipt window they will have read-only access and will not be able to alter or add any information.

Restricting Report access

The Can Report option determines whether a role is able to create a report; unfortunately, this configuration applies to all of the available windows.

With the combination of the Can Report option and restricting report access, we have the option to give report access by first authorizing access to all of the available reports, and then restricting access to certain selected reports.

We will use this approach. Here, we will show you an example wherein a user ID connected using the Restricted Access role is unable to access the Material Receipt report only. For this requirement, using user ID admin and Sistematika Fashion, Ltd Admin as the role, you need to:

  1. Access the Role tab in the Role Data Access window. Ensure that your active record is Restricted Access.
  2. On the Role tab, select the Can Report option.
  3. Navigate to the Table Access tab, and then enter and save the following information:
    • Set the Table field to M_InOut (on the screen, it will show M_InOut_Shipment/Receipt)
    • Select the Exclude checkbox
    • Set the Access Type field to Reporting
    • Deselect the Can Report checkbox (this option will be available if the Access Type is set to Reporting)


Restricting Export access

So far, if user ID Moses is connected using the Restricted Access role, he can process a report, print preview, or print the Purchase Order data.

“Okay, this role has rights to create a report, print preview, or print Purchase Order data through the Purchase Order window. For security reasons, could we ensure that the user ID connected to the system using the Restricted Access role cannot export this report?”

Yes, this is possible with ADempiere. You can achieve this by carrying out the following steps:

  1. Access the Role tab in the Role Data Access window. Ensure that your active record is Restricted Access.
  2. In the Role tab, select the Can Export option.
  3. Navigate to the Table Access tab, and then enter and save the following information:
    • Set the Table field to C_Order (on the screen, it will show as C_Order_Order)
    • Select the Exclude checkbox
    • Set the Access Type field to Exporting
    • Deselect the Can Export checkbox (this option will be available if the Access Type is set to Exporting)

If the user is connected to the ADempiere system using the Restricted Access role, when making a report and print previewing the document in the Purchase Order window, the Export button will not be available.
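
To review the restrictions configured in this article outside the GUI, the following audit queries list which roles may set record locks and which record-level and table-level rules apply to the Restricted Access role. This is an added example, not part of the original article; it assumes the stock ADempiere dictionary tables AD_Role, AD_Table, AD_Record_Access and AD_Table_Access with their default column names, and the single-letter AccessTypeRule codes shown in the comments, so verify both against your installation before relying on the output.

```sql
-- Added example (not from the original article).
-- Assumption: stock ADempiere schema; table and column names may differ
-- in a customized installation.

-- 1. Roles allowed to create record locks (the Personal Lock checkbox).
SELECT r.Name AS role_name
FROM   AD_Role r
WHERE  r.IsActive = 'Y'
AND    r.IsPersonalLock = 'Y'
ORDER  BY r.Name;

-- 2. Record-level rules (Record Access tab) for one role.
--    IsExclude = 'Y' with IsDependentEntities = 'Y' also hides documents
--    that reference the locked record.
SELECT r.Name       AS role_name,
       t.TableName  AS table_name,
       ra.Record_ID,
       ra.IsActive,
       ra.IsExclude,
       ra.IsReadOnly,
       ra.IsDependentEntities
FROM   AD_Record_Access ra
JOIN   AD_Role  r ON r.AD_Role_ID  = ra.AD_Role_ID
JOIN   AD_Table t ON t.AD_Table_ID = ra.AD_Table_ID
WHERE  r.Name = 'Restricted Access'
ORDER  BY t.TableName, ra.Record_ID;

-- 3. Table-level rules (Table Access tab) for the same role.
--    Assumed codes: A = Accessing, R = Reporting, E = Exporting.
SELECT r.Name       AS role_name,
       t.TableName  AS table_name,
       CASE ta.AccessTypeRule
            WHEN 'A' THEN 'Accessing'
            WHEN 'R' THEN 'Reporting'
            WHEN 'E' THEN 'Exporting'
            ELSE ta.AccessTypeRule
       END          AS access_type,
       ta.IsActive,
       ta.IsExclude,
       ta.IsReadOnly,
       ta.IsCanReport,
       ta.IsCanExport
FROM   AD_Table_Access ta
JOIN   AD_Role  r ON r.AD_Role_ID  = ta.AD_Role_ID
JOIN   AD_Table t ON t.AD_Table_ID = ta.AD_Table_ID
WHERE  r.Name = 'Restricted Access'
ORDER  BY t.TableName, ta.AccessTypeRule;
```

After following the steps above, the second query should return one row for the warehouse table (M_Warehouse in a stock schema) and the third should return rows for M_InOut and C_Order.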
