Creating parties


Re: Creating parties

Mansour
BJ,
I am not sure if my question is clear. Yes, I have to have PROJECTMGR
permission to access this component. But the tasks are viewable to
anyone.

https://cwiki.apache.org/OFBTECH/ofbiz-security.html
This part explains what I need:


====================================================
At record level

Defining a path from the Party in question to the target/desired entity through relationships. This is usually do-able and easy to do with a single view entity, and if a query on that entity with the proper constraints returns any results then you know the user/party has the permission.
See the catalog role limited permissions and how they are defined and used in the ProductServices.xml file for an example.
Role limited (or based) permissions (aka Party Roles)

The purpose of role-limited permissions is to tie a SecurityPermission to record level security using the RoleType/PartyRole and related entities. In OFBiz this is how record level permissions are done, i.e. somehow the user (through their Party record) is associated with another record in the database and that specific relationship must exist in order for the role-limited permission to take effect.
Good examples are in hasPermission methods in OrderServices class or how ProductStoreRole, ContentAndRole, PartyRole, entities are used in Java code (and at large ENTITY-NAME Role entities). See also checkStoreCustomerRole in ProductEvents class.
By the way, do not confuse Security Roles (below) with Party Roles - they are entirely different.


Security Roles

Security Roles provide a means to associate a user ID (userLoginId) with a particular OFBiz element. This may seem the same as Security Permission, but it is slightly different. For example: a user is assigned the ORDERMGR_VIEW permission, and is associated to a particular facility (let's say XYZ Company) with the ORDERMGR_ROLE_UPDATE security role. This combination would allow the user to view orders for all facilities, and update orders for the XYZ Company facility only. They may be seen as limiting permissions.

===================================================

Back again to my original question, to protect the tasks from being
seen by Parties (logins), that are NOT a resource of that project, do I
have to dig in the code and add the permissions check, or is it a matter of configuration? To me it
makes more sense that a "party login" who is not a member of a project should
not be able to see work effort or task in that project.


On Sun Jul 24,2011 11:35 am, BJ Freeman wrote:

> permission usually refer to the Login of a party.
> if you look in the ofbiz-component.xml, base-permission="PROJECTMGR",
> your login must have this security level.
>
> Mansour Al Akeel sent the following on 7/24/2011 10:29 AM:
> > BJ,
> > thank you for all your help. I looked at the links you sent me, and they
> > were useful. I still don't understand why permissions are checked in
> > the ftl and not the service layer. However this is not the issue I am
> > stuck at now.
> > I think I am still confused about permissions.
> > I created an account on trunk demo to show what I am talking about.
> >
> > If you go to:
> > https://demo-trunk.ofbiz.apache.org/projectmgr/control/main
> > and try to login with mansour:ofbiz you will be greeted with a screen
> > saying:
> >
> > org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen [component://common/widget/CommonScreens.xml#GlobalDecorator]: java.lang.IllegalArgumentException: Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000 (Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000)
> >
> > This is fine, as the user "mansour" doesn't have permission to view
> > this project, but shouldn't this screen display the projects he is
> > member of (if any).
> >
> > The second part is if you go to:
> >
> > https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
> >
> > and hit find, the user can see all the tasks that he is not member of,
> > and clicking on any of them, will open the details about that task.
> >
> > This user is in "PROJECTUSER"  security group, which has:
> >
> > PROJECTMGR_ROLE_TASK_CREATE Be able to create a task (should be member of project)
> > PROJECTMGR_ROLE_TIMESHEET_CREATE Be able to create a weekly timesheet for the loginid.
> > PROJECTMGR_ROLE_TIMESHEET_UPDATE Be able to update(report) on an existing own timesheet
> > PROJECTMGR_ROLE_VIEW All view operations in the Project Manager for a project/phase/task the user is member of..
> > PROJECTMGR_VIEW ALL View operations in the Project Manager(but can be limited by ROLE_VIEW)
> >
> > On my local machine, I removed that last one "PROJECTMGR_VIEW", but
> > still this user can see others tasks.
> >
> > Am I doing something wrong here?
> >
> > I appreciate your help.
> >
> > On Sun Jul 17,2011 10:09 am, BJ Freeman wrote:
> >> New Role Type (see chapter two of the Book)
> >> lets you define a new role type to use.
> >> it is best to link with the book to use the webtools
> >> https://demo-trunk.ofbiz.apache.org/webtools/control/ViewRelations?entityName=RoleType
> >> you can also get the xml structure from the data and created a bunch of
> >> them then load them via the web tools import. note: that service engine
> >> and UI (widgets and ftls) need to changed if you want that role type to
> >> have access.
> >>
> >> doing a google search for
> >> ofbiz main role
> >> http://ofbiz.135035.n4.nabble.com/Party-Main-Role-td1680393.html
> >>
> >> I hope these tips help you research you answer more. and As I said
> >> before parts of you question are already been answered.
> >>
> >>
> >> This may clear up more on security and Role View all.
> >> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
> >>
> >>
> >> Mansour Al Akeel sent the following on 7/17/2011 8:45 AM:
> >>> Hello BJ,
> >>> and thank you for your reply.
> >>>
> >>> You can check the link here:
> >>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewroles?partyId=DemoEmployee
> >>>
> >>> It has
> >>> "Add To Main Role" and "Add To Role : view all" Fields. and if you
> >>> select something like "Calendare" for the first one, you will get a
> >>> third field "Add To Second Role". What is the difference between them ?
> >>>
> >>> I was confused with the security part, because was adding a user to a
> >>> group, but still the user was not allowed to edit a project. I have to
> >>> add the user as a resource for that project.
> >>>
> >>> What I understand now is, Party Roles has nothing to do with
> >>> permissions, and the later has to be handled separately through the
> >>> security group.
> >>>
> >>>
> >>> Thank you.
> >>>
> >>>
> >>> On Sat Jul 16,2011 11:01 pm, BJ Freeman wrote:
> >>>> Yes I still have to go back and review. The book Deals only with Roles
> >>>> related to Party. Security based on login is not in the Book.
> >>>> The is covered in the Service Engine and Webapps, widgets
> >>>>
> >>>> It helps if you give complete URL to the places you talking about. It
> >>>> saves time of the answerer and verify we are talking the same component.
> >>>> The labels are in separate files from actual code, so depending on who
> >>>> put in the text for that label, it may not be clear as to its meaning.
> >>>>
> >>>> you can limit based on Roles, security groups and/or security roles
> >>>> which is different from roles.
> >>>> going through the widgets and Ftls will give you code examples of how
> >>>> this is accomplished.
> >>>>
> >>>> The example component is good to review.
> >>>>
> >>>>
> >>>> Mansour Al Akeel sent the following on 7/16/2011 8:29 PM:
> >>>>> Ok, the "BOOK" explained things, and I know I have to read many parts
> >>>>> again, especially while trying to match the readings with  the
> >>>>> functionality offered by OFBiz.
> >>>>>
> >>>>> Now I have a question related to adding roles. In the "Add To Role"
> >>>>> screen:
> >>>>>
> >>>>>
> >>>>> Add To Main Role
> >>>>> --> Role Type Id
> >>>>>
> >>>>> Add To Second Role
> >>>>> --> Role Type Id
> >>>>>
> >>>>> Add To Role : view all
> >>>>> --> Role Type Id
> >>>>>
> >>>>> What is the difference between "Main Role" and "Second Role" and how do
> >>>>> I use them ?
> >>>>> What is the "Add To Role" mean ?
> >>>>>
> >>>>> Back again to the scenario in the first email, and after I modeled the
> >>>>> Parties, how do I let each access only to the functionality they need to
> >>>>> access ? For example, "Approver" to approve timesheet and work effort.
> >>>>> Project manager to Assign tasks, "Developer" to update tasks. Would this
> >>>>> have to be separately using "Security Groups" ?
> >>>>>
> >>>>> Thank you.
> >>>>>
> >>>>>
> >>>>> On Mon Jun 27,2011 09:29 am, BJ Freeman wrote:
> >>>>>> as both Adrian and I mentioned most of that would be described well in
> >>>>>> the Data model book that ofbiz was modeled after, which is why not much
> >>>>>> documentation is written specifically in ofbiz.
> >>>>>>
> >>>>>> There are emails in the archive that have covered different parts of
> >>>>>> your question.
> >>>>>>
> >>>>>> Actually it has been a good time for the Documentation for over 6 years,
> >>>>>> problem is getting someone to volunteer to do it. We have added internal
> >>>>>> Help in ofbiz that needs to be filled out. ANY VOLUNTEERS.
> >>>>>>
> >>>>>> Normally such Contributions have been from someone hiring someone to do
> >>>>>> the documentation, because it takes a lot of time to volunteer and those
> >>>>>> that have to make a living do not have such time free. Then that
> >>>>>> documentation was volunteered to ofbiz community.
> >>>>>>
> >>>>>> I limit my volunteer time per subject on the mailing list to 15 min,
> >>>>>> unless i have a vested interest in it. I have even stopped answering on
> >>>>>> here because my time has become very limited. as an example this email
> >>>>>> took over two hours to finish because of interruptions to do business.
> >>>>>>
> >>>>>> so maybe others that have the time will volunteer the information you
> >>>>>> desire.
> >>>>>>
> >>>>>> Most find the charge for the "BOOK" a lot less than hiring someone, or
> >>>>>> volunteering the time to document.
> >>>>>>
> >>>>>> That said, feel free once you understand to volunteer you time to
> >>>>>> documented this the way you think it should be done.
> >>>>>> BTW I have made this offer to others that presented the same proposal in
> >>>>>> the past and they have not volunteer such documentation yet.
> >>>>>>
> >>>>>> I would suggest you draw an organizational chart then use the fields in
> >>>>>> ofbiz to associated the chart to relationships. There is no "ONE"
> >>>>>> organization chart.
> >>>>>>
> >>>>>> Demo employee shows two relationships as examples, in a normal Company
> >>>>>> there may be many relationships. like the one that says the demo
> >>>>>> employee is a employee.
> >>>>>>
> >>>>>> you would use roles and relationship
> >>>>>>
> >>>>>> Mansour Al Akeel sent the following on 6/27/2011 4:28 AM:
> >>>>>>> BJ thank you.
> >>>>>>>
> >>>>>>> My question is related more to ofbiz usage. In the relationship page:
> >>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/EditPartyRelationships?partyId=DemoEmployee
> >>>>>>> you can see some fields that are not clear to me. To be more specific, We have:
> >>>>>>> in the role of  | is A of Party | in the role of
> >>>>>>>
> >>>>>>> There two relations for DemoEmployee. And each relation has two fields
> >>>>>>> "in the Role Of".
> >>>>>>> Further more, there is some confusion about where to relate employee
> >>>>>>> to organization. I mean if you go to:
> >>>>>>>
> >>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewprofile?partyId=DemoEmployee
> >>>>>>>
> >>>>>>> You will see four tabs with labels indicates similar functionality:
> >>>>>>> -Roles
> >>>>>>> -Link Party
> >>>>>>> -Relationships
> >>>>>>> -Segments
> >>>>>>>
> >>>>>>>
> >>>>>>> What is the difference between these ? To add employee to Organization
> >>>>>>> I need to use ..... ?
> >>>>>>> May be it's a good opportunity to discuss and document each of them,
> >>>>>>> instead of referring me to the "BOOK" ;)
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> On Sun, Jun 26, 2011 at 9:10 PM, BJ Freeman <[hidden email]> wrote:
> >>>>>>>> there is not much documented in ofbiz about party.
> >>>>>>>> however if you read the Data model book Vol I you will see a lot about
> >>>>>>>> partyrelationships. Good diagram on pg 41
> >>>>>>>> In this case you would have party relationship with the company that
> >>>>>>>> supplies contractors
> >>>>>>>> so you need to setup the roles of each party then setup the relationship
> >>>>>>>> between them
> >>>>>>>> start with organizational party relationship then individual (person)
> >>>>>>>> relationships with organizations.
> >>>>>>>>
> >>>>>>>> example
> >>>>>>>> the programmer would be a employee role with the recruitment company if
> >>>>>>>> they contract, then the programmer would have a contractor relationship
> >>>>>>>> with the Company.
> >>>>>>>>
> >>>>>>>> the rest you can get from the demo data or you can look at the demo site
> >>>>>>>> at the different parties to see the relationships.
> >>>>>>>>
> >>>>>>>> Mansour Al Akeel sent the following on 6/26/2011 4:43 PM:
> >>>>>>>>> Hello all,
> >>>>>>>>> I didn't use the parties component extensively, and don't know a lot about it.
> >>>>>>>>> Here's the scenario we have. Three Group parties:
> >>>>>>>>> Programmers
> >>>>>>>>> Recruiter
> >>>>>>>>> Sales /marketing/Distributing
> >>>>>>>>> The distributor obtains the requirements and hires the Programmers
> >>>>>>>>> through the "Recruitment" company. Billing is done by hour.
> >>>>>>>>> In each company there's two employees that interact with the system.
> >>>>>>>>> programmer1 , programmer2
> >>>>>>>>> hr manager 1, hr manager2
> >>>>>>>>> project manager1, project manager2
> >>>>>>>>>
> >>>>>>>>> We need to setup the system, to handle the requirements communication,
> >>>>>>>>> timesheet, project management ... etc.
> >>>>>>>>> I have created the three group parties, and 6 employees parties, and
> >>>>>>>>> stopped there not knowing how to connect them.
> >>>>>>>>>
> >>>>>>>>> How to associate users (employee) with companies (Group Party) ?
> >>>>>>>>> I tried to go to Relationships page and use  "Add other party
> >>>>>>>>> relationship", but those fields are not clear to me. For example  "in
> >>>>>>>>> the Role of" .... etc.
> >>>>>>>>> Let's say I need to put hr_manager1 as an employee of "Recruiter" ??
> >>>>>>>>> How many accounts I need, knowing that the recruiter get a percentage ?
> >>>>>>>>>
> >>>>>>>>> What do I need to do after that ?
> >>>>>>>>>
> >>>>>>>>> Guessing is not very helpful here as it relies on trial and error,
> >>>>>>>>> and an error may not be initially visible. So I like to get an advice
> >>>>>>>>> from someone with more experience in this area.
> >>>>>>>>>
> >>>>>>>>> Thank you.
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>
> >>>
> >

Re: Creating parties

BJ Freeman
since access for user is through the UI there is no need to go to record
level.
Now if you have a service that accesses the records then it is the
service that should check.


Mansour Al Akeel sent the following on 7/24/2011 1:12 PM:

> BJ,
> I am not sure if my question is clear. Yes, I have to have PROJECTMGR
> permission to access this component. But the tasks are viewable to
> anyone.
>
> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
> This part explains what I need:
>
>
> ====================================================
> At record level
>
> Defining a path from the Party in question to the target/desired entity through relationships. This is usually do-able and easy to do with a single view entity, and if a query on that entity with the proper constraints returns any results then you know the user/party has the permission.
> See the catalog role limited permissions and how they are defined and used in the ProductServices.xml file for an example.
> Role limited (or based) permissions (aka Party Roles)
>
> The purpose of role-limited permissions is to tie a SecurityPermission to record level security using the RoleType/PartyRole and related entities. In OFBiz this is how record level permissions are done, i.e. somehow the user (through their Party record) is associated with another record in the database and that specific relationship must exist in order for the role-limited permission to take effect.
> Good examples are in hasPermission methods in OrderServices class or how ProductStoreRole, ContentAndRole, PartyRole, entities are used in Java code (and at large ENTITY-NAME Role entities). See also checkStoreCustomerRole in ProductEvents class.
> By the way, do not confuse Security Roles (below) with Party Roles - they are entirely different.
>
>
> Security Roles
>
> Security Roles provide a means to associate a user ID (userLoginId) with a particular OFBiz element. This may seem the same as Security Permission, but it is slightly different. For example: a user is assigned the ORDERMGR_VIEW permission, and is associated to a particular facility (let's say XYZ Company) with the ORDERMGR_ROLE_UPDATE security role. This combination would allow the user to view orders for all facilities, and update orders for the XYZ Company facility only. They may be seen as limiting permissions.
>
> ===================================================
>
> Back again to my original question, to protect the tasks from being
> seen by Parties (logins), that are NOT a resource of that project, do I
> have to dig in the code and add the permissions check, or it's a matter of configuration. To me it
> makes more sense that a "party login" who is not a member of a project should
> not be able to see work effort or task in that project.
>
>
> On Sun Jul 24,2011 11:35 am, BJ Freeman wrote:
>> permission usually refer to the Login of a party.
>> if you look in the ofbiz-component.xml, base-permission="PROJECTMGR",
>> your login must have this security level.
>>
>> Mansour Al Akeel sent the following on 7/24/2011 10:29 AM:
>>> BJ,
>>> thank you for all your help. I looked at the links you sent me, and they
>>> were useful. I still don't understand why permissions are checked in
>>> the ftl and not the service layer. However this is not the issue I am
>>> stuck at now.
>>> I think I am still confused about permissions.
>>> I created an account on trunk demo to show what I am talking about.
>>>
>>> If you go to:
>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/main
>>> and try to login with mansour:ofbiz you will be greeted with a screen
>>> saying:
>>>
>>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen [component://common/widget/CommonScreens.xml#GlobalDecorator]: java.lang.IllegalArgumentException: Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000 (Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000)
>>>
>>> This is fine, as the user "mansour" doesn't have permission to view
>>> this project, but shouldn't this screen display the projects he is
>>> member of (if any).
>>>
>>> The second part is if you go to:
>>>
>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
>>>
>>> and hit find, the user can see all the tasks that he is not member of,
>>> and clicking on any of them, will open the details about that task.
>>>
>>> This user is in "PROJECTUSER"  security group, which has:
>>>
>>> PROJECTMGR_ROLE_TASK_CREATE Be able to create a task (should be member of project)
>>> PROJECTMGR_ROLE_TIMESHEET_CREATE Be able to create a weekly timesheet for the loginid.
>>> PROJECTMGR_ROLE_TIMESHEET_UPDATE Be able to update(report) on an existing own timesheet
>>> PROJECTMGR_ROLE_VIEW All view operations in the Project Manager for a project/phase/task the user is member of..
>>> PROJECTMGR_VIEW ALL View operations in the Project Manager(but can be limited by ROLE_VIEW)
>>>
>>> On my local machine, I removed that last one "PROJECTMGR_VIEW", but
>>> still this user can see others tasks.
>>>
>>> Am I doing something wrong here?
>>>
>>> I appreciate your help.
>>>
>>> On Sun Jul 17,2011 10:09 am, BJ Freeman wrote:
>>>> New Role Type (see chapter two of the Book)
>>>> lets you define a new role type to use.
>>>> it is best to link with the book to use the webtools
>>>> https://demo-trunk.ofbiz.apache.org/webtools/control/ViewRelations?entityName=RoleType
>>>> you can also get the xml structure from the data and created a bunch of
>>>> them then load them via the web tools import. note: that service engine
>>>> and UI (widgets and ftls) need to changed if you want that role type to
>>>> have access.
>>>>
>>>> doing a google search for
>>>> ofbiz main role
>>>> http://ofbiz.135035.n4.nabble.com/Party-Main-Role-td1680393.html
>>>>
>>>> I hope these tips help you research you answer more. and As I said
>>>> before parts of you question are already been answered.
>>>>
>>>>
>>>> This may clear up more on security and Role View all.
>>>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
>>>>
>>>>
>>>> Mansour Al Akeel sent the following on 7/17/2011 8:45 AM:
>>>>> Hello BJ,
>>>>> and thank you for your reply.
>>>>>
>>>>> You can check the link here:
>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewroles?partyId=DemoEmployee
>>>>>
>>>>> It has
>>>>> "Add To Main Role" and "Add To Role : view all" Fields. and if you
>>>>> select something like "Calendare" for the first one, you will get a
>>>>> third field "Add To Second Role". What is the difference between them ?
>>>>>
>>>>> I was confused with the security part, because was adding a user to a
>>>>> group, but still the user was not allowed to edit a project. I have to
>>>>> add the user as a resource for that project.
>>>>>
>>>>> What I understand now is, Party Roles has nothing to do with
>>>>> permissions, and the later has to be handled separately through the
>>>>> security group.
>>>>>
>>>>>
>>>>> Thank you.
>>>>>
>>>>>
>>>>> On Sat Jul 16,2011 11:01 pm, BJ Freeman wrote:
>>>>>> Yes I still have to go back and review. The book Deals only with Roles
>>>>>> related to Party. Security based on login is not in the Book.
>>>>>> The is covered in the Service Engine and Webapps, widgets
>>>>>>
>>>>>> It helps if you give complete URL to the places you talking about. It
>>>>>> saves time of the answerer and verify we are talking the same component.
>>>>>> The labels are in separate files from actual code, so depending on who
>>>>>> put in the text for that label, it may not be clear as to its meaning.
>>>>>>
>>>>>> you can limit based on Roles, security groups and/or security roles
>>>>>> which is different from roles.
>>>>>> going through the widgets and Ftls will give you code examples of how
>>>>>> this is accomplished.
>>>>>>
>>>>>> The example component is good to review.
>>>>>>
>>>>>>
>>>>>> Mansour Al Akeel sent the following on 7/16/2011 8:29 PM:
>>>>>>> Ok, the "BOOK" explained things, and I know I have to read many parts
>>>>>>> again, especially while trying to match the readings with  the
>>>>>>> functionality offered by OFBiz.
>>>>>>>
>>>>>>> Now I have a question related to adding roles. In the "Add To Role"
>>>>>>> screen:
>>>>>>>
>>>>>>>
>>>>>>> Add To Main Role
>>>>>>> --> Role Type Id
>>>>>>>
>>>>>>> Add To Second Role
>>>>>>> --> Role Type Id
>>>>>>>
>>>>>>> Add To Role : view all
>>>>>>> --> Role Type Id
>>>>>>>
>>>>>>> What is the difference between "Main Role" and "Second Role" and how do
>>>>>>> I use them ?
>>>>>>> What is the "Add To Role" mean ?
>>>>>>>
>>>>>>> Back again to the scenario in the first email, and after I modeled the
>>>>>>> Parties, how do I let each access only to the functionality they need to
>>>>>>> access ? For example, "Approver" to approve timesheet and work effort.
>>>>>>> Project manager to Assign tasks, "Developer" to update tasks. Would this
>>>>>>> have to be separately using "Security Groups" ?
>>>>>>>
>>>>>>> Thank you.
>>>>>>>
>>>>>>>
>>>>>>> On Mon Jun 27,2011 09:29 am, BJ Freeman wrote:
>>>>>>>> as both Adrian and I mentioned most of that would be described well in
>>>>>>>> the Data model book that ofbiz was modeled after, which is why not much
>>>>>>>> documentation is written specifically in ofbiz.
>>>>>>>>
>>>>>>>> There are emails in the archive that have covered different parts of
>>>>>>>> your question.
>>>>>>>>
>>>>>>>> Actually it has been a good time for the Documentation for over 6 years,
>>>>>>>> problem is getting someone to volunteer to do it. We have added internal
>>>>>>>> Help in ofbiz that needs to be filled out. ANY VOLUNTEERS.
>>>>>>>>
>>>>>>>> Normally such Contributions have been from someone hiring someone to do
>>>>>>>> the documentation, because it takes a lot of time to volunteer and those
>>>>>>>> that have to make a living do not have such time free. Then that
>>>>>>>> documentation was volunteered to ofbiz community.
>>>>>>>>
>>>>>>>> I limit my volunteer time per subject on the mailing list to 15 min,
>>>>>>>> unless i have a vested interest in it. I have even stopped answering on
>>>>>>>> here because my time has become very limited. as an example this email
>>>>>>>> took over two hours to finish because of interruptions to do business.
>>>>>>>>
>>>>>>>> so maybe others that have the time will volunteer the information you
>>>>>>>> desire.
>>>>>>>>
>>>>>>>> Most find the charge for the "BOOK" a lot less than hiring someone, or
>>>>>>>> volunteering the time to document.
>>>>>>>>
>>>>>>>> That said, feel free once you understand to volunteer you time to
>>>>>>>> documented this the way you think it should be done.
>>>>>>>> BTW I have made this offer to others that presented the same proposal in
>>>>>>>> the past and they have not volunteer such documentation yet.
>>>>>>>>
>>>>>>>> I would suggest you draw an organizational chart then use the fields in
>>>>>>>> ofbiz to associated the chart to relationships. There is no "ONE"
>>>>>>>> organization chart.
>>>>>>>>
>>>>>>>> Demo employee shows two relationships as examples, in a normal Company
>>>>>>>> there may be many relationships. like the one that says the demo
>>>>>>>> employee is a employee.
>>>>>>>>
>>>>>>>> you would use roles and relationship
>>>>>>>>
>>>>>>>> Mansour Al Akeel sent the following on 6/27/2011 4:28 AM:
>>>>>>>>> BJ thank you.
>>>>>>>>>
>>>>>>>>> My question is related more to ofbiz usage. In the relationship page:
>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/EditPartyRelationships?partyId=DemoEmployee
>>>>>>>>> you can see some fields that are not clear to me. To be more specific, We have:
>>>>>>>>> in the role of  | is A of Party | in the role of
>>>>>>>>>
>>>>>>>>> There two relations for DemoEmployee. And each relation has two fields
>>>>>>>>> "in the Role Of".
>>>>>>>>> Further more, there is some confusion about where to relate employee
>>>>>>>>> to organization. I mean if you go to:
>>>>>>>>>
>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewprofile?partyId=DemoEmployee
>>>>>>>>>
>>>>>>>>> You will see four tabs with labels indicates similar functionality:
>>>>>>>>> -Roles
>>>>>>>>> -Link Party
>>>>>>>>> -Relationships
>>>>>>>>> -Segments
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> What is the difference between these ? To add employee to Organization
>>>>>>>>> I need to use ..... ?
>>>>>>>>> May be it's a good opportunity to discuss and document each of them,
>>>>>>>>> instead of referring me to the "BOOK" ;)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sun, Jun 26, 2011 at 9:10 PM, BJ Freeman <[hidden email]> wrote:
>>>>>>>>>> there is not much documented in ofbiz about party.
>>>>>>>>>> however if you read the Data model book Vol I you will see a lot about
>>>>>>>>>> partyrelationships. Good diagram on pg 41
>>>>>>>>>> In this case you would have party relationship with the company that
>>>>>>>>>> supplies contractors
>>>>>>>>>> so you need to setup the roles of each party then setup the relationship
>>>>>>>>>> between them
>>>>>>>>>> start with organizational party relationship then individual (person)
>>>>>>>>>> relationships with organizations.
>>>>>>>>>>
>>>>>>>>>> example
>>>>>>>>>> the programmer would be a employee role with the recruitment company if
>>>>>>>>>> they contract, then the programmer would have a contractor relationship
>>>>>>>>>> with the Company.
>>>>>>>>>>
>>>>>>>>>> the rest you can get from the demo data or you can look at the demo site
>>>>>>>>>> at the different parties to see the relationships.
>>>>>>>>>>
>>>>>>>>>> Mansour Al Akeel sent the following on 6/26/2011 4:43 PM:
>>>>>>>>>>> Hello all,
>>>>>>>>>>> I didn't use the parties component extensively, and don't know a lot about it.
>>>>>>>>>>> Here's the scenario we have. Three Group parties:
>>>>>>>>>>> Programmers
>>>>>>>>>>> Recruiter
>>>>>>>>>>> Sales /marketing/Distributing
>>>>>>>>>>> The distributor obtains the requirements and hires the Programmers
>>>>>>>>>>> through the "Recruitment" company. Billing is done by hour.
>>>>>>>>>>> In each company there's two employees that interact with the system.
>>>>>>>>>>> programmer1 , programmer2
>>>>>>>>>>> hr manager 1, hr manager2
>>>>>>>>>>> project manager1, project manager2
>>>>>>>>>>>
>>>>>>>>>>> We need to setup the system, to handle the requirements communication,
>>>>>>>>>>> timesheet, project management ... etc.
>>>>>>>>>>> I have created the three group parties, and 6 employees parties, and
>>>>>>>>>>> stopped there not knowing how to connect them.
>>>>>>>>>>>
>>>>>>>>>>> How to associate users (employee) with companies (Group Party) ?
>>>>>>>>>>> I tried to go to Relationships page and use  "Add other party
>>>>>>>>>>> relationship", but those fields are not clear to me. For example  "in
>>>>>>>>>>> the Role of" .... etc.
>>>>>>>>>>> Let's say I need to put hr_manager1 as an employee of "Recruiter" ??
>>>>>>>>>>> How many accounts I need, knowing that the recruiter get a percentage ?
>>>>>>>>>>>
>>>>>>>>>>> What do I need to do after that ?
>>>>>>>>>>>
>>>>>>>>>>> Guessing is not very helpful here as it relies on trial and error,
>>>>>>>>>>> and an error may not be initially visible. So I like to get an advice
>>>>>>>>>>> from someone with more experience in this area.
>>>>>>>>>>>
>>>>>>>>>>> Thank you.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>
>>>
>
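
The wiki excerpt quoted above and the reply that the service "should check" both come down to one record-level test applied on every read path, list and detail alike. The following is an added example, not code from OFBiz or from either poster: an in-memory Java model whose class, method and sample record names are hypothetical; only the permission ids PROJECTMGR_VIEW and PROJECTMGR_ROLE_VIEW and project 9000 come from the thread, and it assumes PROJECTMGR_VIEW on its own grants unrestricted viewing.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration: an in-memory model, not OFBiz code. Class, method and
// record names are hypothetical; only the permission ids come from the thread.
public class RoleLimitedTaskView {

    static final String VIEW_ALL = "PROJECTMGR_VIEW";       // assumed: unrestricted view
    static final String VIEW_ROLE = "PROJECTMGR_ROLE_VIEW"; // view only where the party is a member

    /** Stand-in for a login, its party, and the permissions its security groups grant. */
    static final class Login {
        final String userLoginId;
        final String partyId;
        final Set<String> permissions;

        Login(String userLoginId, String partyId, String... permissions) {
            this.userLoginId = userLoginId;
            this.partyId = partyId;
            this.permissions = new HashSet<>(Arrays.asList(permissions));
        }
    }

    /** Stand-in for a task record that belongs to one project. */
    static final class Task {
        final String taskId;
        final String projectId;

        Task(String taskId, String projectId) {
            this.taskId = taskId;
            this.projectId = projectId;
        }
    }

    // projectId -> partyIds assigned to it: the relationship that must exist
    // for the role-limited permission to take effect.
    private final Map<String, Set<String>> members = new HashMap<>();
    private final Map<String, Task> tasks = new HashMap<>();

    void addMember(String projectId, String partyId) {
        members.computeIfAbsent(projectId, k -> new HashSet<>()).add(partyId);
    }

    void addTask(String taskId, String projectId) {
        tasks.put(taskId, new Task(taskId, projectId));
    }

    /** The record-level decision, kept in one place so every read path shares it. */
    boolean canView(Login login, String projectId) {
        if (login.permissions.contains(VIEW_ALL)) {
            return true;
        }
        if (login.permissions.contains(VIEW_ROLE)) {
            Set<String> parties = members.getOrDefault(projectId, Collections.<String>emptySet());
            return parties.contains(login.partyId);
        }
        return false; // no view permission at all
    }

    /** List path (the FindTask case): filter rows instead of returning everything. */
    List<String> findTaskIds(Login login) {
        List<String> visible = new ArrayList<>();
        for (Task t : tasks.values()) {
            if (canView(login, t.projectId)) {
                visible.add(t.taskId);
            }
        }
        Collections.sort(visible);
        return visible;
    }

    /** Detail path: a task id taken from the request gets the same check as the list. */
    Task getTask(Login login, String taskId) {
        Task t = tasks.get(taskId);
        // Same answer for "missing" and "not yours", so the reply does not
        // reveal which task ids exist.
        if (t == null || !canView(login, t.projectId)) {
            throw new SecurityException(
                "Login " + login.userLoginId + " has no access to task " + taskId);
        }
        return t;
    }

    public static void main(String[] args) {
        RoleLimitedTaskView svc = new RoleLimitedTaskView();
        // Constructed sample data; 9000 is the project id from the error in the thread.
        svc.addTask("T-1", "9000");
        svc.addTask("T-2", "9000");
        svc.addTask("T-3", "P-LOCAL");
        svc.addMember("P-LOCAL", "mansour");

        Login roleOnly = new Login("mansour", "mansour", VIEW_ROLE);
        Login viewAll = new Login("manager", "manager", VIEW_ALL);
        Login none = new Login("guest", "guest");

        System.out.println("role-limited: " + svc.findTaskIds(roleOnly));
        System.out.println("view all:     " + svc.findTaskIds(viewAll));
        System.out.println("no permission: " + svc.findTaskIds(none));
        try {
            svc.getTask(roleOnly, "T-1"); // task in a project the party is not assigned to
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```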

Re: Creating parties

Mansour
BJ,
The party "Mansour" has only one role "Employee" related to
"Mansour INC" organization !

And I don't have any service added. It's just the same services
out-of-box.

Does anyone know how to deal with it?


On Sun Jul 24,2011 01:20 pm, BJ Freeman wrote:

> since access for user is through the UI there is no need to go to record
> level.
> Now if you have a service that accesses the records then it is the
> service that should check.
>
>
> Mansour Al Akeel sent the following on 7/24/2011 1:12 PM:
> > BJ,
> > I am not sure if my question is clear. Yes, I have to have PROJECTMGR
> > permission to access this component. But the tasks are viewable to
> > anyone.
> >
> > https://cwiki.apache.org/OFBTECH/ofbiz-security.html
> > This part explains what I need:
> >
> >
> > ====================================================
> > At record level
> >
> > Defining a path from the Party in question to the target/desired entity through relationships. This is usually do-able and easy to do with a single view entity, and if a query on that entity with the proper constraints returns any results then you know the user/party has the permission.
> > See the catalog role limited permissions and how they are defined and used in the ProductServices.xml file for an example.
> > Role limited (or based) permissions (aka Party Roles)
> >
> > The purpose of role-limited permissions is to tie a SecurityPermission to record level security using the RoleType/PartyRole and related entities. In OFBiz this is how record level permissions are done, i.e. somehow the user (through their Party record) is associated with another record in the database and that specific relationship must exist in order for the role-limited permission to take effect.
> > Good examples are in hasPermission methods in OrderServices class or how ProductStoreRole, ContentAndRole, PartyRole, entities are used in Java code (and at large ENTITY-NAME Role entities). See also checkStoreCustomerRole in ProductEvents class.
> > By the way, do not confuse Security Roles (below) with Party Roles - they are entirely different.
> >
> >
> > Security Roles
> >
> > Security Roles provide a means to associate a user ID (userLoginId) with a particular OFBiz element. This may seem the same as Security Permission, but it is slightly different. For example: a user is assigned the ORDERMGR_VIEW permission, and is associated to a particular facility (let's say XYZ Company) with the ORDERMGR_ROLE_UPDATE security role. This combination would allow the user to view orders for all facilities, and update orders for the XYZ Company facility only. They may be seen as limiting permissions.
> >
> > ===================================================
> >
> > Back again to my original question, to protect the tasks from being
> > seen by Parties (logins), that are NOT a resource of that project, do I
> > have to dig in the code and add the permissions check, or it's a matter of configuration. To me it
> > makes more sense that a "party login" who is not a member of a project should
> > not be able to see work effort or task in that project.
> >
> >
> > On Sun Jul 24,2011 11:35 am, BJ Freeman wrote:
> >> permission usually refer to the Login of a party.
> >> if you look in the ofbiz-component.xml, base-permission="PROJECTMGR",
> >> your login must have this security level.
> >>
> >> Mansour Al Akeel sent the following on 7/24/2011 10:29 AM:
> >>> BJ,
> >>> thank you for all your help. I looked at the links you sent me, and they
> >>> were useful. I still don't understand why permissions are checked in
> >>> the ftl and not the service layer. However this is not the issue I am
> >>> stuck at now.
> >>> I think I am still confused about permissions.
> >>> I created an account on trunk demo to show what I am talking about.
> >>>
> >>> If you go to:
> >>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/main
> >>> and try to login with mansour:ofbiz you will be greeted with a screen
> >>> saying:
> >>>
> >>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen [component://common/widget/CommonScreens.xml#GlobalDecorator]: java.lang.IllegalArgumentException: Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000 (Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000)
> >>>
> >>> This is fine, as the user "mansour" doesn't have permission to view
> >>> this project, but shouldn't this screen display the projects he is
> >>> member of (if any).
> >>>
> >>> The second part is if you go to:
> >>>
> >>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
> >>>
> >>> and hit find, the user can see all the tasks that he is not member of,
> >>> and clicking on any of them, will open the details about that task.
> >>>
> >>> This user is in "PROJECTUSER"  security group, which has:
> >>>
> >>> PROJECTMGR_ROLE_TASK_CREATE Be able to create a task (should be member of project)
> >>> PROJECTMGR_ROLE_TIMESHEET_CREATE Be able to create a weekly timesheet for the loginid.
> >>> PROJECTMGR_ROLE_TIMESHEET_UPDATE Be able to update(report) on an existing own timesheet
> >>> PROJECTMGR_ROLE_VIEW All view operations in the Project Manager for a project/phase/task the user is member of..
> >>> PROJECTMGR_VIEW ALL View operations in the Project Manager(but can be limited by ROLE_VIEW)
> >>>
> >>> On my local machine, I removed that last one "PROJECTMGR_VIEW", but
> >>> still this user can see others tasks.
> >>>
> >>> Am I doing something wrong here?
> >>>
> >>> I appreciate your help.
> >>>
> >>> On Sun Jul 17,2011 10:09 am, BJ Freeman wrote:
> >>>> New Role Type (see chapter two of the Book)
> >>>> lets you define a new role type to use.
> >>>> it is best to link with the book to use the webtools
> >>>> https://demo-trunk.ofbiz.apache.org/webtools/control/ViewRelations?entityName=RoleType
> >>>> you can also get the xml structure from the data and created a bunch of
> >>>> them then load them via the web tools import. note: that service engine
> >>>> and UI (widgets and ftls) need to changed if you want that role type to
> >>>> have access.
> >>>>
> >>>> doing a google search for
> >>>> ofbiz main role
> >>>> http://ofbiz.135035.n4.nabble.com/Party-Main-Role-td1680393.html
> >>>>
> >>>> I hope these tips help you research your answer more. And as I said
> >>>> before, parts of your question have already been answered.
> >>>>
> >>>>
> >>>> This may clear up more on security and Role View all.
> >>>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
> >>>>
> >>>>
> >>>> Mansour Al Akeel sent the following on 7/17/2011 8:45 AM:
> >>>>> Hello BJ,
> >>>>> and thank you for your reply.
> >>>>>
> >>>>> You can check the link here:
> >>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewroles?partyId=DemoEmployee
> >>>>>
> >>>>> It has
> >>>>> "Add To Main Role" and "Add To Role : view all" Fields. and if you
> >>>>> select something like "Calendare" for the first one, you will get a
> >>>>> third field "Add To Second Role". What is the difference between them ?
> >>>>>
> >>>>> I was confused with the security part, because was adding a user to a
> >>>>> group, but still the user was not allowed to edit a project. I have to
> >>>>> add the user as a resource for that project.
> >>>>>
> >>>>> What I understand now is, Party Roles has nothing to do with
> >>>>> permissions, and the latter has to be handled separately through the
> >>>>> security group.
> >>>>>
> >>>>>
> >>>>> Thank you.
> >>>>>
> >>>>>
> >>>>> On Sat Jul 16,2011 11:01 pm, BJ Freeman wrote:
> >>>>>> Yes I still have to go back and review. The book Deals only with Roles
> >>>>>> related to Party. Security based on login is not in the Book.
> >>>>>> The is covered in the Service Engine and Webapps, widgets
> >>>>>>
> >>>>>> It helps if you give complete URL to the places you talking about. It
> >>>>>> saves time of the answerer and verify we are talking the same component.
> >>>>>> The labels are in separate files from actual code, so depending on who
> >>>>>> put in the text for that label, it may not be clear as to its meaning.
> >>>>>>
> >>>>>> you can limit based on Roles, security groups and/or security roles
> >>>>>> which is different from roles.
> >>>>>> going through the widgets and Ftls will give you code examples of how
> >>>>>> this is accomplished.
> >>>>>>
> >>>>>> The example component is good to review.
> >>>>>>
> >>>>>>
> >>>>>> Mansour Al Akeel sent the following on 7/16/2011 8:29 PM:
> >>>>>>> Ok, the "BOOK" explained things, and I know I have to read many parts
> >>>>>>> again, especially while trying to match the readings with  the
> >>>>>>> functionality offered by OFBiz.
> >>>>>>>
> >>>>>>> Now I have a question related to adding roles. In the "Add To Role"
> >>>>>>> screen:
> >>>>>>>
> >>>>>>>
> >>>>>>> Add To Main Role
> >>>>>>> --> Role Type Id
> >>>>>>>
> >>>>>>> Add To Second Role
> >>>>>>> --> Role Type Id
> >>>>>>>
> >>>>>>> Add To Role : view all
> >>>>>>> --> Role Type Id
> >>>>>>>
> >>>>>>> What is the difference between "Main Role" and "Second Role" and how do
> >>>>>>> I use them ?
> >>>>>>> What is the "Add To Role" mean ?
> >>>>>>>
> >>>>>>> Back again to the scenario in the first email, and after I modeled the
> >>>>>>> Parties, how do I let each access only to the functionality they need to
> >>>>>>> access ? For example, "Approver" to approve timesheet and work effort.
> >>>>>>> Project manager to assign tasks, "Developer" to update tasks. Would this
> >>>>>>> have to be separately using "Security Groups" ?
> >>>>>>>
> >>>>>>> Thank you.
> >>>>>>>
> >>>>>>>
> >>>>>>> On Mon Jun 27,2011 09:29 am, BJ Freeman wrote:
> >>>>>>>> as both Adrian and I mentioned most of that would be described well in
> >>>>>>>> the Data model book that ofbiz was modeled after, which is why not much
> >>>>>>>> documentation is written specifically in ofbiz.
> >>>>>>>>
> >>>>>>>> There are emails in the archive that have covered different parts of
> >>>>>>>> your question.
> >>>>>>>>
> >>>>>>>> Actually it has been a good time for the Documentation for over 6 years,
> >>>>>>>> problem is getting someone to volunteer to do it. We have added internal
> >>>>>>>> Help in ofbiz that needs to be filled out. ANY VOLUNTEERS.
> >>>>>>>>
> >>>>>>>> Normally such Contributions have been from someone hiring someone to do
> >>>>>>>> the documentation, because it takes a lot of time to volunteer and those
> >>>>>>>> that have to make a living do not have such time free. Then that
> >>>>>>>> documentation was volunteered to ofbiz community.
> >>>>>>>>
> >>>>>>>> I limit my volunteer time per subject on the mailing list to 15 min,
> >>>>>>>> unless i have a vested interest in it. I have even stopped answering on
> >>>>>>>> here because my time has become very limited. as an example this email
> >>>>>>>> took over two hours to finish because of interruptions to do business.
> >>>>>>>>
> >>>>>>>> so maybe others that have the time will volunteer the information you
> >>>>>>>> desire.
> >>>>>>>>
> >>>>>>>> Most find the charge for the "BOOK" a lot less than hiring someone, or
> >>>>>>>> volunteering the time to document.
> >>>>>>>>
> >>>>>>>> That said, feel free once you understand to volunteer your time to
> >>>>>>>> document this the way you think it should be done.
> >>>>>>>> BTW I have made this offer to others that presented the same proposal in
> >>>>>>>> the past and they have not volunteered such documentation yet.
> >>>>>>>>
> >>>>>>>> I would suggest you draw an organizational chart then use the fields in
> >>>>>>>> ofbiz to associated the chart to relationships. There is no "ONE"
> >>>>>>>> organization chart.
> >>>>>>>>
> >>>>>>>> Demo employee shows two relationships as examples, in a normal Company
> >>>>>>>> there may be many relationships. like the one that says the demo
> >>>>>>>> employee is a employee.
> >>>>>>>>
> >>>>>>>> you would use roles and relationship
> >>>>>>>>
> >>>>>>>> Mansour Al Akeel sent the following on 6/27/2011 4:28 AM:
> >>>>>>>>> BJ thank you.
> >>>>>>>>>
> >>>>>>>>> My question is related more to ofbiz usage. In the relationship page:
> >>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/EditPartyRelationships?partyId=DemoEmployee
> >>>>>>>>> you can see some fields that are not clear to me. To be more specific, We have:
> >>>>>>>>> in the role of  | is A of Party | in the role of
> >>>>>>>>>
> >>>>>>>>> There two relations for DemoEmployee. And each relation has two fields
> >>>>>>>>> "in the Role Of".
> >>>>>>>>> Further more, there is some confusion about where to relate employee
> >>>>>>>>> to organization. I mean if you go to:
> >>>>>>>>>
> >>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewprofile?partyId=DemoEmployee
> >>>>>>>>>
> >>>>>>>>> You will see four tabs with labels indicates similar functionality:
> >>>>>>>>> -Roles
> >>>>>>>>> -Link Party
> >>>>>>>>> -Relationships
> >>>>>>>>> -Segments
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> What is the difference between these ? To add employee to Organization
> >>>>>>>>> I need to use ..... ?
> >>>>>>>>> May be it's a good opportunity to discuss and document each of them,
> >>>>>>>>> instead of referring me to the "BOOK" ;)
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On Sun, Jun 26, 2011 at 9:10 PM, BJ Freeman <[hidden email]> wrote:
> >>>>>>>>>> there is not much documented in ofbiz about party.
> >>>>>>>>>> however if you read the Data model book Vol I you will see a lot about
> >>>>>>>>>> partyrelationships. Good diagram on pg 41
> >>>>>>>>>> In this case you would have party relationship with the company that
> >>>>>>>>>> supplies contractors
> >>>>>>>>>> so you need to setup the roles of each party then setup the relationship
> >>>>>>>>>> between them
> >>>>>>>>>> start with organizational party relationship then individual (person)
> >>>>>>>>>> relationships with organizations.
> >>>>>>>>>>
> >>>>>>>>>> example
> >>>>>>>>>> the programmer would be a employee role with the recruitment company if
> >>>>>>>>>> they contract, then the programmer would have a contractor relationship
> >>>>>>>>>> with the Company.
> >>>>>>>>>>
> >>>>>>>>>> the rest you can get from the demo data or you can look at the demo site
> >>>>>>>>>> at the different parties to see the relationships.
> >>>>>>>>>>
> >>>>>>>>>> Mansour Al Akeel sent the following on 6/26/2011 4:43 PM:
> >>>>>>>>>>> Hello all,
> >>>>>>>>>>> I didn't use the parties component extensively, and don't know a lot about it.
> >>>>>>>>>>> Here's the scenario we have. Three Group parties:
> >>>>>>>>>>> Programmers
> >>>>>>>>>>> Recruiter
> >>>>>>>>>>> Sales /marketing/Distributing
> >>>>>>>>>>> The distributor obtains the requirements and hires the Programmers
> >>>>>>>>>>> through the "Recruitment" company. Billing is done by hour.
> >>>>>>>>>>> In each company there's two employees that interact with the system.
> >>>>>>>>>>> programmer1 , programmer2
> >>>>>>>>>>> hr manager 1, hr manager2
> >>>>>>>>>>> project manager1, project manager2
> >>>>>>>>>>>
> >>>>>>>>>>> We need to setup the system, to handle the requirements communication,
> >>>>>>>>>>> timesheet, project management ... etc.
> >>>>>>>>>>> I have created the three group parties, and 6 employees parties, and
> >>>>>>>>>>> stopped there not knowing how to connect them.
> >>>>>>>>>>>
> >>>>>>>>>>> How to associate users (employee) with companies (Group Party) ?
> >>>>>>>>>>> I tried to go to Relationships page and use  "Add other party
> >>>>>>>>>>> relationship", but those fields are not clear to me. For example  "in
> >>>>>>>>>>> the Role of" .... etc.
> >>>>>>>>>>> Let's say I need to put hr_manager1 as an employee of "Recruiter" ??
> >>>>>>>>>>> How many accounts I need, knowing that the recruiter get a percentage ?
> >>>>>>>>>>>
> >>>>>>>>>>> What do I need to do after that ?
> >>>>>>>>>>>
> >>>>>>>>>>> Guessing is not very helpful here as it relies on trial and error,
> >>>>>>>>>>> and an error may not be initially visible. So I like to get an advice
> >>>>>>>>>>> from someone with more experience in this area.
> >>>>>>>>>>>
> >>>>>>>>>>> Thank you.
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>
> >>>>>
> >>>
> >
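The distinction quoted in the message above, between holding a PROJECTMGR permission and being a resource of the specific project, modelled as an added example that is not part of the original post and is not OFBiz code. The in-memory store, the logins dev1 and manager1, the task ids and project 9001 are constructed assumptions; the permission names are the ones listed in the thread.

```python
from dataclasses import dataclass

# Permission ids as listed in the thread.
VIEW_ALL = "PROJECTMGR_VIEW"        # all view operations
VIEW_ROLE = "PROJECTMGR_ROLE_VIEW"  # view only what the user is a member of


class AccessDenied(Exception):
    """One error for 'no such task' and 'not allowed', so ids cannot be probed."""


@dataclass(frozen=True)
class Task:
    task_id: str
    project_id: str
    name: str


@dataclass
class Store:
    tasks: dict        # task_id -> Task
    resources: set     # {(project_id, party_id)}: party is a resource of project
    party_of: dict     # userLoginId -> partyId
    permissions: dict  # userLoginId -> set of permission ids


def component_gate(store, login):
    """Coarse check (simplified assumption): any PROJECTMGR permission opens the app."""
    return any(p.startswith("PROJECTMGR") for p in store.permissions.get(login, set()))


def can_view_project(store, login, project_id):
    """Record-level check: VIEW_ALL sees everything, VIEW_ROLE needs membership."""
    perms = store.permissions.get(login, set())
    if VIEW_ALL in perms:
        return True
    if VIEW_ROLE in perms:
        party = store.party_of.get(login)
        return party is not None and (project_id, party) in store.resources
    return False


def find_tasks_gate_only(store, login):
    """Behaviour reported in the thread: past the gate, every task is listed."""
    if not component_gate(store, login):
        raise AccessDenied("no access")
    return sorted(store.tasks.values(), key=lambda t: t.task_id)


def find_tasks_checked(store, login):
    """Same search, with the record-level check applied in the service."""
    if not component_gate(store, login):
        raise AccessDenied("no access")
    visible = (t for t in store.tasks.values()
               if can_view_project(store, login, t.project_id))
    return sorted(visible, key=lambda t: t.task_id)


def get_task_checked(store, login, task_id):
    """Detail view must repeat the check; filtering the list alone is not enough."""
    task = store.tasks.get(task_id)
    if (task is None or not component_gate(store, login)
            or not can_view_project(store, login, task.project_id)):
        raise AccessDenied("no access")
    return task


def sample_store():
    """Constructed data: 'mansour' is a resource of no project, 'dev1' of 9000."""
    project_user = {VIEW_ROLE, "PROJECTMGR_ROLE_TIMESHEET_CREATE",
                    "PROJECTMGR_ROLE_TIMESHEET_UPDATE"}
    return Store(
        tasks={
            "T1": Task("T1", "9000", "Design"),
            "T2": Task("T2", "9000", "Build"),
            "T3": Task("T3", "9001", "Audit"),
        },
        resources={("9000", "dev1_party")},
        party_of={"mansour": "Mansour", "dev1": "dev1_party",
                  "manager1": "manager1_party"},
        permissions={"mansour": set(project_user), "dev1": set(project_user),
                     "manager1": {VIEW_ALL}},
    )


if __name__ == "__main__":
    s = sample_store()
    for login in ("mansour", "dev1", "manager1"):
        print(login,
              [t.task_id for t in find_tasks_gate_only(s, login)],
              [t.task_id for t in find_tasks_checked(s, login)])
```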

Re: Creating parties

BJ Freeman
OOTB look at the party group Dev and relationships and work your way
down to developer1
you need this to show up in project resources to be added as a resource.
in projects pick Demo project3 and go to resources.
you will see DemoEmployee3

log in as DemoEmployee3
you will notice that only projects and my portals show
click on projects
ignore the error for now
then click on using the project mgr menu select projects you will only
see the one in which DemoEmployee3 is a resource.

once you figure out what you need to make this happen you will have
solved your problem


Mansour Al Akeel sent the following on 7/24/2011 2:04 PM:

> BJ,
> The party "Mansour" has only one role "Employee" related to
> "Mansour INC" organization !
>
> And I don't have any service added. It's just the same services
> out-of-box.
>
> Anyone knows how to deal with it ?
>
>
> On Sun Jul 24,2011 01:20 pm, BJ Freeman wrote:
>> since access for user is through the UI there is no need to go to record
>> level.
>> Now if you have a service that accesses the records then it is the
>> service that should check.
>>
>>
>> Mansour Al Akeel sent the following on 7/24/2011 1:12 PM:
>>> BJ,
>>> I am not sure if my question is clear. Yes, I have to have PROJECTMGR
>>> permission to access this component. But the tasks are viewable to
>>> anyone.
>>>
>>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
>>> This part explains what I need:
>>>
>>>
>>> ====================================================
>>> At record level
>>>
>>> Defining a path from the Party in question to the target/desired entity through relationships. This is usually do-able and easy to do with a single view entity, and if a query on that entity with the proper constraints returns any results then you know the user/party has the permission.
>>> See the catalog role limited permissions and how they are defined and used in the ProductServices.xml file for an example.
>>> Role limited (or based) permissions (aka Party Roles)
>>>
>>> The purpose of role-limited permissions is to tie a SecurityPermission to record level security using the RoleType/PartyRole and related entities. In OFBiz this is how record level permissions are done, i.e. somehow the user (through their Party record) is associated with another record in the database and that specific relationship must exist in order for the role-limited permission to take effect.
>>> Good examples are in hasPermission methods in OrderServices class or how ProductStoreRole, ContentAndRole, PartyRole, entities are used in Java code (and at large ENTITY-NAME Role entities). See also checkStoreCustomerRole in ProductEvents class.
>>> By the way, do not confuse Security Roles (below) with Party Roles - they are entirely different.
>>>
>>>
>>> Security Roles
>>>
>>> Security Roles provide a means to associate a user ID (userLoginId) with a particular OFBiz element. This may seem the same as Security Permission, but it is slightly different. For example: a user is assigned the ORDERMGR_VIEW permission, and is associated to a particular facility (let's say XYZ Company) with the ORDERMGR_ROLE_UPDATE security role. This combination would allow the user to view orders for all facilities, and update orders for the XYZ Company facility only. They may be seen as limiting permissions.
>>>
>>> ===================================================
>>>
>>> Back again to my original question, to protect the tasks from being
>>> seen by Parties (logins), that are NOT a resource of that project, do I
>>> have to dig in the code and add the permissions check, or it's a matter of configuration. To me it
>>> makes more sense that a "party login" who is not a member of a project should
>>> not be able to see work effort or task in that project.
>>>
>>>
>>> On Sun Jul 24,2011 11:35 am, BJ Freeman wrote:
>>>> permission usually refer to the Login of a party.
>>>> if you look in the ofbiz-component.xml, base-permission="PROJECTMGR",
>>>> your login must have this security level.
>>>>
>>>> Mansour Al Akeel sent the following on 7/24/2011 10:29 AM:
>>>>> BJ,
>>>>> thank you for all your help. I looked at the links you sent me, and they
>>>>> were useful. I still don't understand why permissions are checked in
>>>>> the ftl and not the service layer. However this is not the issue I am
>>>>> stuck at now.
>>>>> I think I am still confused about permissions.
>>>>> I created an account on trunk demo to show what I am talking about.
>>>>>
>>>>> If you go to:
>>>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/main
>>>>> and try to login with mansour:ofbiz you will be greeted with a screen
>>>>> saying:
>>>>>
>>>>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen [component://common/widget/CommonScreens.xml#GlobalDecorator]: java.lang.IllegalArgumentException: Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000 (Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000)
>>>>>
>>>>> This is fine, as the user "mansour" doesn't have permission to view
>>>>> this project, but shouldn't this screen display the projects he is
>>>>> member of (if any).
>>>>>
>>>>> The second part is if you go to:
>>>>>
>>>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
>>>>>
>>>>> and hit find, the user can see all the tasks that he is not member of,
>>>>> and clicking on any of them, will open the details about that task.
>>>>>
>>>>> This user is in "PROJECTUSER"  security group, which has:
>>>>>
>>>>> PROJECTMGR_ROLE_TASK_CREATE Be able to create a task (should be member of project)
>>>>> PROJECTMGR_ROLE_TIMESHEET_CREATE Be able to create a weekly timesheet for the loginid.
>>>>> PROJECTMGR_ROLE_TIMESHEET_UPDATE Be able to update(report) on an existing own timesheet
>>>>> PROJECTMGR_ROLE_VIEW All view operations in the Project Manager for a project/phase/task the user is member of..
>>>>> PROJECTMGR_VIEW ALL View operations in the Project Manager(but can be limited by ROLE_VIEW)
>>>>>
>>>>> On my local machine, I removed that last one "PROJECTMGR_VIEW", but
>>>>> still this user can see others tasks.
>>>>>
>>>>> Am I doing something wrong here?
>>>>>
>>>>> I appreciate your help.
>>>>>
>>>>> On Sun Jul 17,2011 10:09 am, BJ Freeman wrote:
>>>>>> New Role Type (see chapter two of the Book)
>>>>>> lets you define a new role type to use.
>>>>>> it is best to link with the book to use the webtools
>>>>>> https://demo-trunk.ofbiz.apache.org/webtools/control/ViewRelations?entityName=RoleType
>>>>>> you can also get the xml structure from the data and created a bunch of
>>>>>> them then load them via the web tools import. note: that service engine
>>>>>> and UI (widgets and ftls) need to changed if you want that role type to
>>>>>> have access.
>>>>>>
>>>>>> doing a google search for
>>>>>> ofbiz main role
>>>>>> http://ofbiz.135035.n4.nabble.com/Party-Main-Role-td1680393.html
>>>>>>
>>>>>> I hope these tips help you research your answer more. And as I said
>>>>>> before, parts of your question have already been answered.
>>>>>>
>>>>>>
>>>>>> This may clear up more on security and Role View all.
>>>>>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
>>>>>>
>>>>>>
>>>>>> Mansour Al Akeel sent the following on 7/17/2011 8:45 AM:
>>>>>>> Hello BJ,
>>>>>>> and thank you for your reply.
>>>>>>>
>>>>>>> You can check the link here:
>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewroles?partyId=DemoEmployee
>>>>>>>
>>>>>>> It has
>>>>>>> "Add To Main Role" and "Add To Role : view all" Fields. and if you
>>>>>>> select something like "Calendare" for the first one, you will get a
>>>>>>> third field "Add To Second Role". What is the difference between them ?
>>>>>>>
>>>>>>> I was confused with the security part, because was adding a user to a
>>>>>>> group, but still the user was not allowed to edit a project. I have to
>>>>>>> add the user as a resource for that project.
>>>>>>>
>>>>>>> What I understand now is, Party Roles has nothing to do with
>>>>>>> permissions, and the latter has to be handled separately through the
>>>>>>> security group.
>>>>>>>
>>>>>>>
>>>>>>> Thank you.
>>>>>>>
>>>>>>>
>>>>>>> On Sat Jul 16,2011 11:01 pm, BJ Freeman wrote:
>>>>>>>> Yes I still have to go back and review. The book Deals only with Roles
>>>>>>>> related to Party. Security based on login is not in the Book.
>>>>>>>> The is covered in the Service Engine and Webapps, widgets
>>>>>>>>
>>>>>>>> It helps if you give complete URL to the places you talking about. It
>>>>>>>> saves time of the answerer and verify we are talking the same component.
>>>>>>>> The labels are in separate files from actual code, so depending on who
>>>>>>>> put in the text for that label, it may not be clear as to its meaning.
>>>>>>>>
>>>>>>>> you can limit based on Roles, security groups and/or security roles
>>>>>>>> which is different from roles.
>>>>>>>> going through the widgets and Ftls will give you code examples of how
>>>>>>>> this is accomplished.
>>>>>>>>
>>>>>>>> The example component is good to review.
>>>>>>>>
>>>>>>>>
>>>>>>>> Mansour Al Akeel sent the following on 7/16/2011 8:29 PM:
>>>>>>>>> Ok, the "BOOK" explained things, and I know I have to read many parts
>>>>>>>>> again, especially while trying to match the readings with  the
>>>>>>>>> functionality offered by OFBiz.
>>>>>>>>>
>>>>>>>>> Now I have a question related to adding roles. In the "Add To Role"
>>>>>>>>> screen:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Add To Main Role
>>>>>>>>> --> Role Type Id
>>>>>>>>>
>>>>>>>>> Add To Second Role
>>>>>>>>> --> Role Type Id
>>>>>>>>>
>>>>>>>>> Add To Role : view all
>>>>>>>>> --> Role Type Id
>>>>>>>>>
>>>>>>>>> What is the difference between "Main Role" and "Second Role" and how do
>>>>>>>>> I use them ?
>>>>>>>>> What is the "Add To Role" mean ?
>>>>>>>>>
>>>>>>>>> Back again to the scenario in the first email, and after I modeled the
>>>>>>>>> Parties, how do I let each access only to the functionality they need to
>>>>>>>>> access ? For example, "Approver" to approve timesheet and work effort.
>>>>>>>>> Project manager to assign tasks, "Developer" to update tasks. Would this
>>>>>>>>> have to be separately using "Security Groups" ?
>>>>>>>>>
>>>>>>>>> Thank you.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon Jun 27,2011 09:29 am, BJ Freeman wrote:
>>>>>>>>>> as both Adrian and I mentioned most of that would be described well in
>>>>>>>>>> the Data model book that ofbiz was modeled after, which is why not much
>>>>>>>>>> documentation is written specifically in ofbiz.
>>>>>>>>>>
>>>>>>>>>> There are emails in the archive that have covered different parts of
>>>>>>>>>> your question.
>>>>>>>>>>
>>>>>>>>>> Actually it has been a good time for the Documentation for over 6 years,
>>>>>>>>>> problem is getting someone to volunteer to do it. We have added internal
>>>>>>>>>> Help in ofbiz that needs to be filled out. ANY VOLUNTEERS.
>>>>>>>>>>
>>>>>>>>>> Normally such Contributions have been from someone hiring someone to do
>>>>>>>>>> the documentation, because it takes a lot of time to volunteer and those
>>>>>>>>>> that have to make a living do not have such time free. Then that
>>>>>>>>>> documentation was volunteered to ofbiz community.
>>>>>>>>>>
>>>>>>>>>> I limit my volunteer time per subject on the mailing list to 15 min,
>>>>>>>>>> unless i have a vested interest in it. I have even stopped answering on
>>>>>>>>>> here because my time has become very limited. as an example this email
>>>>>>>>>> took over two hours to finish because of interruptions to do business.
>>>>>>>>>>
>>>>>>>>>> so maybe others that have the time will volunteer the information you
>>>>>>>>>> desire.
>>>>>>>>>>
>>>>>>>>>> Most find the charge for the "BOOK" a lot less than hiring someone, or
>>>>>>>>>> volunteering the time to document.
>>>>>>>>>>
>>>>>>>>>> That said, feel free once you understand to volunteer your time to
>>>>>>>>>> document this the way you think it should be done.
>>>>>>>>>> BTW I have made this offer to others that presented the same proposal in
>>>>>>>>>> the past and they have not volunteered such documentation yet.
>>>>>>>>>>
>>>>>>>>>> I would suggest you draw an organizational chart then use the fields in
>>>>>>>>>> ofbiz to associated the chart to relationships. There is no "ONE"
>>>>>>>>>> organization chart.
>>>>>>>>>>
>>>>>>>>>> Demo employee shows two relationships as examples, in a normal Company
>>>>>>>>>> there may be many relationships. like the one that says the demo
>>>>>>>>>> employee is a employee.
>>>>>>>>>>
>>>>>>>>>> you would use roles and relationship
>>>>>>>>>>
>>>>>>>>>> Mansour Al Akeel sent the following on 6/27/2011 4:28 AM:
>>>>>>>>>>> BJ thank you.
>>>>>>>>>>>
>>>>>>>>>>> My question is related more to ofbiz usage. In the relationship page:
>>>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/EditPartyRelationships?partyId=DemoEmployee
>>>>>>>>>>> you can see some fields that are not clear to me. To be more specific, We have:
>>>>>>>>>>> in the role of  | is A of Party | in the role of
>>>>>>>>>>>
>>>>>>>>>>> There two relations for DemoEmployee. And each relation has two fields
>>>>>>>>>>> "in the Role Of".
>>>>>>>>>>> Further more, there is some confusion about where to relate employee
>>>>>>>>>>> to organization. I mean if you go to:
>>>>>>>>>>>
>>>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewprofile?partyId=DemoEmployee
>>>>>>>>>>>
>>>>>>>>>>> You will see four tabs with labels indicates similar functionality:
>>>>>>>>>>> -Roles
>>>>>>>>>>> -Link Party
>>>>>>>>>>> -Relationships
>>>>>>>>>>> -Segments
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> What is the difference between these ? To add employee to Organization
>>>>>>>>>>> I need to use ..... ?
>>>>>>>>>>> May be it's a good opportunity to discuss and document each of them,
>>>>>>>>>>> instead of referring me to the "BOOK" ;)
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Sun, Jun 26, 2011 at 9:10 PM, BJ Freeman <[hidden email]> wrote:
>>>>>>>>>>>> there is not much documented in ofbiz about party.
>>>>>>>>>>>> however if you read the Data model book Vol I you will see a lot about
>>>>>>>>>>>> partyrelationships. Good diagram on pg 41
>>>>>>>>>>>> In this case you would have party relationship with the company that
>>>>>>>>>>>> supplies contractors
>>>>>>>>>>>> so you need to setup the roles of each party then setup the relationship
>>>>>>>>>>>> between them
>>>>>>>>>>>> start with organizational party relationship then individual (person)
>>>>>>>>>>>> relationships with organizations.
>>>>>>>>>>>>
>>>>>>>>>>>> example
>>>>>>>>>>>> the programmer would be a employee role with the recruitment company if
>>>>>>>>>>>> they contract, then the programmer would have a contractor relationship
>>>>>>>>>>>> with the Company.
>>>>>>>>>>>>
>>>>>>>>>>>> the rest you can get from the demo data or you can look at the demo site
>>>>>>>>>>>> at the different parties to see the relationships.
>>>>>>>>>>>>
>>>>>>>>>>>> Mansour Al Akeel sent the following on 6/26/2011 4:43 PM:
>>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>> I didn't use the parties component extensively, and don't know a lot about it.
>>>>>>>>>>>>> Here's the scenario we have. Three Group parties:
>>>>>>>>>>>>> Programmers
>>>>>>>>>>>>> Recruiter
>>>>>>>>>>>>> Sales /marketing/Distributing
>>>>>>>>>>>>> The distributor obtains the requirements and hires the Programmers
>>>>>>>>>>>>> through the "Recruitment" company. Billing is done by hour.
>>>>>>>>>>>>> In each company there's two employees that interact with the system.
>>>>>>>>>>>>> programmer1 , programmer2
>>>>>>>>>>>>> hr manager 1, hr manager2
>>>>>>>>>>>>> project manager1, project manager2
>>>>>>>>>>>>>
>>>>>>>>>>>>> We need to setup the system, to handle the requirements communication,
>>>>>>>>>>>>> timesheet, project management ... etc.
>>>>>>>>>>>>> I have created the three group parties, and 6 employees parties, and
>>>>>>>>>>>>> stopped there not knowing how to connect them.
>>>>>>>>>>>>>
>>>>>>>>>>>>> How to associate users (employee) with companies (Group Party) ?
>>>>>>>>>>>>> I tried to go to Relationships page and use  "Add other party
>>>>>>>>>>>>> relationship", but those fields are not clear to me. For example  "in
>>>>>>>>>>>>> the Role of" .... etc.
>>>>>>>>>>>>> Let's say I need to put hr_manager1 as an employee of "Recruiter" ??
>>>>>>>>>>>>> How many accounts I need, knowing that the recruiter get a percentage ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> What do I need to do after that ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Guessing is not very helpful here as it relies on trial and error,
>>>>>>>>>>>>> and an error may not be initially visible. So I like to get an advice
>>>>>>>>>>>>> from someone with more experience in this area.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thank you.
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>
>>>
>

Re: Creating parties

Pierre Smits
In reply to this post by Mansour
Hi Mansour,

See my inline comment regarding the issue with
https://demo-trunk-ofbiz-apache.org/projectmgr/control/main

With regards,

Pierre Smits

2011/7/24 Mansour Al Akeel <[hidden email]>

> BJ,
> thank you for all your help. I looked at the links you sent me, and they
> were useful. I still don't understand why permissions are checked in
> the ftl and not the service layer. However this is not the issue I am
> stuck at now.
> I think I am still confused about permissions.
> I created an account on trunk demo to show what I am talking about.
>
> If you go to:
> https://demo-trunk.ofbiz.apache.org/projectmgr/control/main
>

I have created a patch that alleviates this problem, but it is not yet
incorporated in the trunk.
See jira for the patch.

https://issues.apache.org/jira/browse/OFBIZ-4206





> and try to login with mansour:ofbiz you will be greeted with a screen
> saying:
>
> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen
> [component://common/widget/CommonScreens.xml#GlobalDecorator]:
> java.lang.IllegalArgumentException: Error running Groovy script at location
> [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]:
> org.ofbiz.service.ServiceAuthException: You have no access to the project#:
> 9000 (Error running Groovy script at location
> [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]:
> org.ofbiz.service.ServiceAuthException: You have no access to the project#:
> 9000)
>
> This is fine, as the user "mansour" doesn't have permission to view
> this project, but shouldn't this screen display the projects he is
> member of (if any).
>
> The second part is if you go to:
>
> https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
>
> and hit find, the user can see all the tasks that he is not member of,
> and clicking on any of them, will open the details about that task.
>
> This user is in "PROJECTUSER"  security group, which has:
>
> PROJECTMGR_ROLE_TASK_CREATE Be able to create a task (should be member of
> project)
> PROJECTMGR_ROLE_TIMESHEET_CREATE Be able to create a weekly timesheet for
> the loginid.
> PROJECTMGR_ROLE_TIMESHEET_UPDATE Be able to update(report) on an existing
> own timesheet
> PROJECTMGR_ROLE_VIEW All view operations in the Project Manager for a
> project/phase/task the user is member of..
> PROJECTMGR_VIEW ALL View operations in the Project Manager(but can be
> limited by ROLE_VIEW)
>
> On my local machine, I removed that last one "PROJECTMGR_VIEW", but
> still this user can see others tasks.
>
> Am I doing something wrong here?
>
> I appreciate your help.
>
> On Sun Jul 17,2011 10:09 am, BJ Freeman wrote:
> > New Role Type (see chapter two of the Book)
> > lets you define a new role type to use.
> > it is best to link with the book to use the webtools
> >
> https://demo-trunk.ofbiz.apache.org/webtools/control/ViewRelations?entityName=RoleType
> > you can also get the xml structure from the data and created a bunch of
> > them then load them via the web tools import. note: that service engine
> > and UI (widgets and ftls) need to changed if you want that role type to
> > have access.
> >
> > doing a google search for
> > ofbiz main role
> > http://ofbiz.135035.n4.nabble.com/Party-Main-Role-td1680393.html
> >
> > I hope these tips help you research your answer more. And as I said
> > before, parts of your question have already been answered.
> >
> >
> > This may clear up more on security and Role View all.
> > https://cwiki.apache.org/OFBTECH/ofbiz-security.html
> >
> >
> > Mansour Al Akeel sent the following on 7/17/2011 8:45 AM:
> > > Hello BJ,
> > > and thank you for your reply.
> > >
> > > You can check the link here:
> > >
> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewroles?partyId=DemoEmployee
> > >
> > > It has
> > > "Add To Main Role" and "Add To Role : view all" Fields. and if you
> > > select something like "Calendare" for the first one, you will get a
> > > third field "Add To Second Role". What is the difference between them ?
> > >
> > > I was confused with the security part, because was adding a user to a
> > > group, but still the user was not allowed to edit a project. I have to
> > > add the user as a resource for that project.
> > >
> > > What I understand now is, Party Roles has nothing to do with
> > > permissions, and the latter has to be handled separately through the
> > > security group.
> > >
> > >
> > > Thank you.
> > >
> > >
> > > On Sat Jul 16,2011 11:01 pm, BJ Freeman wrote:
> > >> Yes I still have to go back and review. The book Deals only with Roles
> > >> related to Party. Security based on login is not in the Book.
> > >> The is covered in the Service Engine and Webapps, widgets
> > >>
> > >> It helps if you give complete URL to the places you talking about. It
> > >> saves time of the answerer and verify we are talking the same
> component.
> > >> The labels are in separate files from actual code, so depending on who
> > >> put in the text for that label, it may not be clear as to its meaning.
> > >>
> > >> you can limit based on Roles, security groups and/or security roles
> > >> which is different from roles.
> > >> going through the widgets and Ftls will give you code examples of how
> > >> this is accomplished.
> > >>
> > >> The example component is good to review.
> > >>
> > >>
> > >> Mansour Al Akeel sent the following on 7/16/2011 8:29 PM:
> > >>> Ok, the "BOOK" explained things, and I know I have to read many parts
> > >>> again, especially while trying to match the readings with  the
> > >>> functionality offered by OFBiz.
> > >>>
> > >>> Now I have a question related to adding roles. In the "Add To Role"
> > >>> screen:
> > >>>
> > >>>
> > >>> Add To Main Role
> > >>> --> Role Type Id
> > >>>
> > >>> Add To Second Role
> > >>> --> Role Type Id
> > >>>
> > >>> Add To Role : view all
> > >>> --> Role Type Id
> > >>>
> > >>> What is the difference between "Main Role" and "Second Role" and how
> do
> > >>> I use them ?
> > >>> What is the "Add To Role" mean ?
> > >>>
> > >>> Back again to the scenario in the first email, and after I modeled the
> > >>> Parties, how do I let each access only to the functionality they need
> to
> > >>> access ? For example, "Approver" to approve timesheet and work effort.
> > >>> Project manager to assign tasks, "Developer" to update tasks. Would
> this
> > >>> have to be separately using "Security Groups" ?
> > >>>
> > >>> Thank you.
> > >>>
> > >>>
> > >>> On Mon Jun 27,2011 09:29 am, BJ Freeman wrote:
> > >>>> as both Adrian and I mentioned most of that would be described well
> in
> > >>>> the Data model book that ofbiz was modeled after, which is why not
> much
> > >>>> documentation is written specifically in ofbiz.
> > >>>>
> > >>>> There are emails in the archive that have covered different parts of
> > >>>> your question.
> > >>>>
> > >>>> Actually it has been a good time for the Documentation for over 6
> years,
> > >>>> problem is getting someone to volunteer to do it. We have added
> internal
> > >>>> Help in ofbiz that needs to be filled out. ANY VOLUNTEERS.
> > >>>>
> > >>>> Normally such Contributions have been from someone hiring someone to
> do
> > >>>> the documentation, because it takes a lot of time to volunteer and
> those
> > >>>> that have to make a living do not have such time free. Then that
> > >>>> documentation was volunteered to ofbiz community.
> > >>>>
> > >>>> I limit my volunteer time per subject on the mailing list to 15 min,
> > >>>> unless i have a vested interest in it. I have even stopped answering
> on
> > >>>> here because my time has become very limited. as an example this
> email
> > >>>> took over two hours to finish because of interruptions to do
> business.
> > >>>>
> > >>>> so maybe others that have the time will volunteer the information
> you
> > >>>> desire.
> > >>>>
> > >>>> Most find the charge for the "BOOK" a lot less than hiring someone,
> or
> > >>>> volunteering the time to document.
> > >>>>
> > >>>> That said, feel free once you understand to volunteer your time to
> > >>>> document this the way you think it should be done.
> > >>>> BTW I have made this offer to others that presented the same
> proposal in
> > >>>> the past and they have not volunteer such documentation yet.
> > >>>>
> > >>>> I would suggest you draw an organizational chart then use the fields
> in
> > >>>> ofbiz to associated the chart to relationships. There is no "ONE"
> > >>>> organization chart.
> > >>>>
> > >>>> Demo employee shows two relationships as examples, in a normal
> Company
> > >>>> there may be many relationships. like the one that says the demo
> > >>>> employee is a employee.
> > >>>>
> > >>>> you would use roles and relationship
> > >>>>
> > >>>> Mansour Al Akeel sent the following on 6/27/2011 4:28 AM:
> > >>>>> BJ thank you.
> > >>>>>
> > >>>>> My question is related more to ofbiz usage. In the relationship
> page:
> > >>>>>
> https://demo-trunk.ofbiz.apache.org/partymgr/control/EditPartyRelationships?partyId=DemoEmployee
> > >>>>> you can see some fields that are not clear to me. To be more
> specific, We have:
> > >>>>> in the role of  |       is A    of Party        | in the role of
> > >>>>>
> > >>>>> There two relations for DemoEmployee. And each relation has two
> fields
> > >>>>> "in the Role Of".
> > >>>>> Further more, there is some confusion about where to relate
> employee
> > >>>>> to organization. I mean if you go to:
> > >>>>>
> > >>>>>
> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewprofile?partyId=DemoEmployee
> > >>>>>
> > >>>>> You will see four tabs with labels indicates similar functionality:
> > >>>>> -Roles
> > >>>>> -Link Party
> > >>>>> -Relationships
> > >>>>> -Segments
> > >>>>>
> > >>>>>
> > >>>>> What is the difference between these ? To add employee to
> Organization
> > >>>>> I need to use ..... ?
> > >>>>> May be it's a good opportunity to discuss and document each of
> them,
> > >>>>> instead of referring me to the "BOOK" ;)
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>> On Sun, Jun 26, 2011 at 9:10 PM, BJ Freeman <[hidden email]>
> wrote:
> > >>>>>> there is not much documented in ofbiz about party.
> > >>>>>> however if you read the Data model book Vol I you will see a lot
> about
> > >>>>>> party relationships. Good diagram on pg 41
> > >>>>>> In this case you would have party relationship with the company
> that
> > >>>>>> supplies contractors
> > >>>>>> so you need to setup the roles of each party then setup the
> relationship
> > >>>>>> between them
> > >>>>>> start with organizational party relationship then individual
> (person)
> > >>>>>> relationships with organizations.
> > >>>>>>
> > >>>>>> example
> > >>>>>> the programmer would be a employee role with the recruitment
> company if
> > >>>>>> they contract, then the programmer would have a contractor
> relationship
> > >>>>>> with the Company.
> > >>>>>>
> > >>>>>> the rest you can get from the demo data or you can look at the
> demo site
> > >>>>>> at the different parties to see the relationships.
> > >>>>>>
> > >>>>>> Mansour Al Akeel sent the following on 6/26/2011 4:43 PM:
> > >>>>>>> Hello all,
> > >>>>>>> I didn't use the parties component extensively, and don't know a
> lot about it.
> > >>>>>>> Here's the scenario we have. Three Group parties:
> > >>>>>>> Programmers
> > >>>>>>> Recruiter
> > >>>>>>> Sales /marketing/Distributing
> > >>>>>>> The distributor obtains the requirements and hires the
> Programmers
> > >>>>>>> through the "Recruitment" company. Billing is done by hour.
> > >>>>>>> In each company there's two employees that interact with the
> system.
> > >>>>>>> programmer1 , programmer2
> > >>>>>>> hr manager 1, hr manager2
> > >>>>>>> project manager1, project manager2
> > >>>>>>>
> > >>>>>>> We need to setup the system, to handle the requirements
> communication,
> > >>>>>>> timesheet, project management ... etc.
> > >>>>>>> I have created the three group parties, and 6 employees parties,
> and
> > >>>>>>> stopped there not knowing how to connect them.
> > >>>>>>>
> > >>>>>>> How to associate users (employee) with companies (Group Party) ?
> > >>>>>>> I tried to go to Relationships page and use  "Add other party
> > >>>>>>> relationship", but those fields are not clear to me. For example
>  "in
> > >>>>>>> the Role of" .... etc.
> > >>>>>>> Let's say I need to put hr_manager1 as an employee of "Recruiter"
> ??
> > >>>>>>> How many accounts I need, knowing that the recruiter get a
> percentage ?
> > >>>>>>>
> > >>>>>>> What do I need to do after that ?
> > >>>>>>>
> > >>>>>>> Guessing is not very helpful here as it relies on trial and
> error,
> > >>>>>>> and an error may not be initially visible. So I like to get an
> advice
> > >>>>>>> from someone with more experience in this area.
> > >>>>>>>
> > >>>>>>> Thank you.
> > >>>>>>>
> > >>>>>>
> > >>>>>
> > >>>
> > >
>

Re: Creating parties

Mansour
In reply to this post by BJ Freeman
BJ,
go to this page:
https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
login as whatever user you like, provided he has access to projectmgr
Hit [Find]
you will get a list of all the tasks in the system, even if you are not
a member of any project.
Click on any task, and you will be able to see the full info about it!

This is the problem!



On Sun Jul 24,2011 05:12 pm, BJ Freeman wrote:

> OOTB look at the party group Dev and relationships and work your way
> down to developer1
> you need this to show up in project resources to be added as a resource.
> in projects pick Demo project3 and go to resources.
> you will see DemoEmployee3
>
> log in as DemoEmployee3
> you will notice that only projects and my portals show
> click on projects
> ignore the error for now
> then click on using the project mgr menu select projects you will only
> see the one in which DemoEmployee3 is a resource.
>
> once you figure out what you need to make this happen you will have
> solved your problem
>
>
> Mansour Al Akeel sent the following on 7/24/2011 2:04 PM:
> > BJ,
> > The party "Mansour" has only one role "Employee" related to
> > "Mansour INC" organization !
> >
> > And I don't have any service added. It's just the same services
> > out-of-box.
> >
> > Anyone knows how to deal with it ?
> >
> >
> > On Sun Jul 24,2011 01:20 pm, BJ Freeman wrote:
> >> since access for user is through the UI there is no need to go to record
> >> level.
> >> Now if you have a service that accesses the records then the it is the
> >> service that should check.
> >>
> >>
> >> Mansour Al Akeel sent the following on 7/24/2011 1:12 PM:
> >>> BJ,
> >>> I am not sure if my question is clear. Yes, I have to have PROJECTMGR
> >>> permission to access this component. But the tasks are viewable to
> >>> anyone.
> >>>
> >>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
> >>> This part explains what I need:
> >>>
> >>>
> >>> ====================================================
> >>> At record level
> >>>
> >>> Defining a path from the Party in question to the target/desired entity through relationships. This is usually do-able and easy to do with a single view entity, and if a query on that entity with the proper constraints returns any results then you know the user/party has the permission.
> >>> See the catalog role limited permissions and how they are defined and used in the ProductServices.xml file for an example.
> >>> Role limited (or based) permissions (aka Party Roles)
> >>>
> >>> The purpose of role-limited permissions is to tie a SecurityPermission to record level security using the RoleType/PartyRole and related entities. In OFBiz this is how record level permissions are done, i.e. somehow the user (through their Party record) is associated with another record in the database and that specific relationship must exist in order for the role-limited permission to take effect.
> >>> Good examples are in hasPermission methods in OrderServices class or how ProductStoreRole, ContentAndRole, PartyRole, entities are used in Java code (and at large ENTITY-NAME Role entities). See also checkStoreCustomerRole in ProductEvents class.
> >>> By the way, do not confuse Security Roles (below) with Party Roles - they are entirely different.
> >>>
> >>>
> >>> Security Roles
> >>>
> >>> Security Roles provide a means to associate a user ID (userLoginId) with a particular OFBiz element. This may seem the same as Security Permission, but it is slightly different. For example: a user is assigned the ORDERMGR_VIEW permission, and is associated to a particular facility (let's say XYZ Company) with the ORDERMGR_ROLE_UPDATE security role. This combination would allow the user to view orders for all facilities, and update orders for the XYZ Company facility only. They may be seen as limiting permissions.
> >>>
> >>> ===================================================
> >>>
> >>> Back again to my original question, to protect the tasks from being
> >>> seen by Parties (logins), that are NOT a resource of that project, do I
> >>> have to dig in the code and add the permissions check, or it's a matter of configuration. To me it
> >>> makes more sense that a "party login" who is not a member of a project should
> >>> not be able to see work effort or task in that project.
> >>>
> >>>
> >>> On Sun Jul 24,2011 11:35 am, BJ Freeman wrote:
> >>>> permission usually refer to the Login of a party.
> >>>> if you look in the ofbiz-component.xml, base-permission="PROJECTMGR",
> >>>> your login must have this security level.
> >>>>
> >>>> Mansour Al Akeel sent the following on 7/24/2011 10:29 AM:
> >>>>> BJ,
> >>>>> thank you for all your help. I looked at the links you sent me, and they
> >>>>> were useful. I still don't understand why permissions are checked in
> >>>>> the ftl and not the service layer. However this is not the issue I am
> >>>>> stuck at now.
> >>>>> I think I am still confused about permissions.
> >>>>> I created an account on trunk demo to show what I am talking about.
> >>>>>
> >>>>> If you go to:
> >>>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/main
> >>>>> and try to login with mansour:ofbiz you will be greeted with a screen
> >>>>> saying:
> >>>>>
> >>>>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen [component://common/widget/CommonScreens.xml#GlobalDecorator]: java.lang.IllegalArgumentException: Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000 (Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000)
> >>>>>
> >>>>> This is fine, as the user "mansour" doesn't have permission to view
> >>>>> this project, but shouldn't this screen display the projects he is
> >>>>> member of (if any).
> >>>>>
> >>>>> The second part is if you go to:
> >>>>>
> >>>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
> >>>>>
> >>>>> and hit find, the user can see all the tasks that he is not member of,
> >>>>> and clicking on any of them, will open the details about that task.
> >>>>>
> >>>>> This user is in "PROJECTUSER"  security group, which has:
> >>>>>
> >>>>> PROJECTMGR_ROLE_TASK_CREATE Be able to create a task (should be member of project)
> >>>>> PROJECTMGR_ROLE_TIMESHEET_CREATE Be able to create a weekly timesheet for the loginid.
> >>>>> PROJECTMGR_ROLE_TIMESHEET_UPDATE Be able to update(report) on an existing own timesheet
> >>>>> PROJECTMGR_ROLE_VIEW All view operations in the Project Manager for a project/phase/task the user is member of..
> >>>>> PROJECTMGR_VIEW ALL View operations in the Project Manager(but can be limited by ROLE_VIEW)
> >>>>>
> >>>>> On my local machine, I removed that last one "PROJECTMGR_VIEW", but
> >>>>> still this user can see others tasks.
> >>>>>
> >>>>> Am I doing something wrong here?
> >>>>>
> >>>>> I appreciate your help.
> >>>>>
> >>>>> On Sun Jul 17,2011 10:09 am, BJ Freeman wrote:
> >>>>>> New Role Type (see chapter two of the Book)
> >>>>>> lets you define a new role type to use.
> >>>>>> it is best to link with the book to use the webtools
> >>>>>> https://demo-trunk.ofbiz.apache.org/webtools/control/ViewRelations?entityName=RoleType
> >>>>>> you can also get the xml structure from the data and created a bunch of
> >>>>>> them then load them via the web tools import. note: that service engine
> >>>>>> and UI (widgets and ftls) need to changed if you want that role type to
> >>>>>> have access.
> >>>>>>
> >>>>>> doing a google search for
> >>>>>> ofbiz main role
> >>>>>> http://ofbiz.135035.n4.nabble.com/Party-Main-Role-td1680393.html
> >>>>>>
> >>>>>> I hope these tips help you research your answer more. And as I said
> >>>>>> before, parts of your question have already been answered.
> >>>>>>
> >>>>>>
> >>>>>> This may clear up more on security and Role View all.
> >>>>>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
> >>>>>>
> >>>>>>
> >>>>>> Mansour Al Akeel sent the following on 7/17/2011 8:45 AM:
> >>>>>>> Hello BJ,
> >>>>>>> and thank you for your reply.
> >>>>>>>
> >>>>>>> You can check the link here:
> >>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewroles?partyId=DemoEmployee
> >>>>>>>
> >>>>>>> It has
> >>>>>>> "Add To Main Role" and "Add To Role : view all" Fields. and if you
> >>>>>>> select something like "Calendare" for the first one, you will get a
> >>>>>>> third field "Add To Second Role". What is the difference between them ?
> >>>>>>>
> >>>>>>> I was confused with the security part, because was adding a user to a
> >>>>>>> group, but still the user was not allowed to edit a project. I have to
> >>>>>>> add the user as a resource for that project.
> >>>>>>>
> >>>>>>> What I understand now is, Party Roles has nothing to do with
> >>>>>>> permissions, and the latter has to be handled separately through the
> >>>>>>> security group.
> >>>>>>>
> >>>>>>>
> >>>>>>> Thank you.
> >>>>>>>
> >>>>>>>
> >>>>>>> On Sat Jul 16,2011 11:01 pm, BJ Freeman wrote:
> >>>>>>>> Yes I still have to go back and review. The book Deals only with Roles
> >>>>>>>> related to Party. Security based on login is not in the Book.
> >>>>>>>> The is covered in the Service Engine and Webapps, widgets
> >>>>>>>>
> >>>>>>>> It helps if you give complete URL to the places you talking about. It
> >>>>>>>> saves time of the answerer and verify we are talking the same component.
> >>>>>>>> The labels are in separate files from actual code, so depending on who
> >>>>>>>> put in the text for that label, it may not be clear as to its meaning.
> >>>>>>>>
> >>>>>>>> you can limit based on Roles, security groups and/or security roles
> >>>>>>>> which is different from roles.
> >>>>>>>> going through the widgets and Ftls will give you code examples of how
> >>>>>>>> this is accomplished.
> >>>>>>>>
> >>>>>>>> The example component is good to review.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Mansour Al Akeel sent the following on 7/16/2011 8:29 PM:
> >>>>>>>>> Ok, the "BOOK" explained things, and I know I have to read many parts
> >>>>>>>>> again, especially while trying to match the readings with  the
> >>>>>>>>> functionality offered by OFBiz.
> >>>>>>>>>
> >>>>>>>>> Now I have a question related to adding roles. In the "Add To Role"
> >>>>>>>>> screen:
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Add To Main Role
> >>>>>>>>> --> Role Type Id
> >>>>>>>>>
> >>>>>>>>> Add To Second Role
> >>>>>>>>> --> Role Type Id
> >>>>>>>>>
> >>>>>>>>> Add To Role : view all
> >>>>>>>>> --> Role Type Id
> >>>>>>>>>
> >>>>>>>>> What is the difference between "Main Role" and "Second Role" and how do
> >>>>>>>>> I use them ?
> >>>>>>>>> What is the "Add To Role" mean ?
> >>>>>>>>>
> >>>>>>>>> Back again to the scenario in the first email, and after I modeled the
> >>>>>>>>> Parties, how do I let each access only to the functionality they need to
> >>>>>>>>> access ? For example, "Approver" to approve timesheet and work effort.
> >>>>>>>>> Project manager to assign tasks, "Developer" to update tasks. Would this
> >>>>>>>>> have to be separately using "Security Groups" ?
> >>>>>>>>>
> >>>>>>>>> Thank you.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On Mon Jun 27,2011 09:29 am, BJ Freeman wrote:
> >>>>>>>>>> as both Adrian and I mentioned most of that would be described well in
> >>>>>>>>>> the Data model book that ofbiz was modeled after, which is why not much
> >>>>>>>>>> documentation is written specifically in ofbiz.
> >>>>>>>>>>
> >>>>>>>>>> There are emails in the archive that have covered different parts of
> >>>>>>>>>> your question.
> >>>>>>>>>>
> >>>>>>>>>> Actually it has been a good time for the Documentation for over 6 years,
> >>>>>>>>>> problem is getting someone to volunteer to do it. We have added internal
> >>>>>>>>>> Help in ofbiz that needs to be filled out. ANY VOLUNTEERS.
> >>>>>>>>>>
> >>>>>>>>>> Normally such Contributions have been from someone hiring someone to do
> >>>>>>>>>> the documentation, because it takes a lot of time to volunteer and those
> >>>>>>>>>> that have to make a living do not have such time free. Then that
> >>>>>>>>>> documentation was volunteered to ofbiz community.
> >>>>>>>>>>
> >>>>>>>>>> I limit my volunteer time per subject on the mailing list to 15 min,
> >>>>>>>>>> unless i have a vested interest in it. I have even stopped answering on
> >>>>>>>>>> here because my time has become very limited. as an example this email
> >>>>>>>>>> took over two hours to finish because of interruptions to do business.
> >>>>>>>>>>
> >>>>>>>>>> so maybe others that have the time will volunteer the information you
> >>>>>>>>>> desire.
> >>>>>>>>>>
> >>>>>>>>>> Most find the charge for the "BOOK" a lot less than hiring someone, or
> >>>>>>>>>> volunteering the time to document.
> >>>>>>>>>>
> >>>>>>>>>> That said, feel free once you understand to volunteer your time to
> >>>>>>>>>> document this the way you think it should be done.
> >>>>>>>>>> BTW I have made this offer to others that presented the same proposal in
> >>>>>>>>>> the past and they have not volunteer such documentation yet.
> >>>>>>>>>>
> >>>>>>>>>> I would suggest you draw an organizational chart then use the fields in
> >>>>>>>>>> ofbiz to associated the chart to relationships. There is no "ONE"
> >>>>>>>>>> organization chart.
> >>>>>>>>>>
> >>>>>>>>>> Demo employee shows two relationships as examples, in a normal Company
> >>>>>>>>>> there may be many relationships. like the one that says the demo
> >>>>>>>>>> employee is a employee.
> >>>>>>>>>>
> >>>>>>>>>> you would use roles and relationship
> >>>>>>>>>>
> >>>>>>>>>> Mansour Al Akeel sent the following on 6/27/2011 4:28 AM:
> >>>>>>>>>>> BJ thank you.
> >>>>>>>>>>>
> >>>>>>>>>>> My question is related more to ofbiz usage. In the relationship page:
> >>>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/EditPartyRelationships?partyId=DemoEmployee
> >>>>>>>>>>> you can see some fields that are not clear to me. To be more specific, We have:
> >>>>>>>>>>> in the role of  | is A of Party | in the role of
> >>>>>>>>>>>
> >>>>>>>>>>> There two relations for DemoEmployee. And each relation has two fields
> >>>>>>>>>>> "in the Role Of".
> >>>>>>>>>>> Further more, there is some confusion about where to relate employee
> >>>>>>>>>>> to organization. I mean if you go to:
> >>>>>>>>>>>
> >>>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewprofile?partyId=DemoEmployee
> >>>>>>>>>>>
> >>>>>>>>>>> You will see four tabs with labels indicates similar functionality:
> >>>>>>>>>>> -Roles
> >>>>>>>>>>> -Link Party
> >>>>>>>>>>> -Relationships
> >>>>>>>>>>> -Segments
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> What is the difference between these ? To add employee to Organization
> >>>>>>>>>>> I need to use ..... ?
> >>>>>>>>>>> May be it's a good opportunity to discuss and document each of them,
> >>>>>>>>>>> instead of referring me to the "BOOK" ;)
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> On Sun, Jun 26, 2011 at 9:10 PM, BJ Freeman <[hidden email]> wrote:
> >>>>>>>>>>>> there is not much documented in ofbiz about party.
> >>>>>>>>>>>> however if you read the Data model book Vol I you will see a lot about
> >>>>>>>>>>>> party relationships. Good diagram on pg 41
> >>>>>>>>>>>> In this case you would have party relationship with the company that
> >>>>>>>>>>>> supplies contractors
> >>>>>>>>>>>> so you need to setup the roles of each party then setup the relationship
> >>>>>>>>>>>> between them
> >>>>>>>>>>>> start with organizational party relationship then individual (person)
> >>>>>>>>>>>> relationships with organizations.
> >>>>>>>>>>>>
> >>>>>>>>>>>> example
> >>>>>>>>>>>> the programmer would be a employee role with the recruitment company if
> >>>>>>>>>>>> they contract, then the programmer would have a contractor relationship
> >>>>>>>>>>>> with the Company.
> >>>>>>>>>>>>
> >>>>>>>>>>>> the rest you can get from the demo data or you can look at the demo site
> >>>>>>>>>>>> at the different parties to see the relationships.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Mansour Al Akeel sent the following on 6/26/2011 4:43 PM:
> >>>>>>>>>>>>> Hello all,
> >>>>>>>>>>>>> I didn't use the parties component extensively, and don't know a lot about it.
> >>>>>>>>>>>>> Here's the scenario we have. Three Group parties:
> >>>>>>>>>>>>> Programmers
> >>>>>>>>>>>>> Recruiter
> >>>>>>>>>>>>> Sales /marketing/Distributing
> >>>>>>>>>>>>> The distributor obtains the requirements and hires the Programmers
> >>>>>>>>>>>>> through the "Recruitment" company. Billing is done by hour.
> >>>>>>>>>>>>> In each company there's two employees that interact with the system.
> >>>>>>>>>>>>> programmer1 , programmer2
> >>>>>>>>>>>>> hr manager 1, hr manager2
> >>>>>>>>>>>>> project manager1, project manager2
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> We need to setup the system, to handle the requirements communication,
> >>>>>>>>>>>>> timesheet, project management ... etc.
> >>>>>>>>>>>>> I have created the three group parties, and 6 employees parties, and
> >>>>>>>>>>>>> stopped there not knowing how to connect them.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> How to associate users (employee) with companies (Group Party) ?
> >>>>>>>>>>>>> I tried to go to Relationships page and use  "Add other party
> >>>>>>>>>>>>> relationship", but those fields are not clear to me. For example  "in
> >>>>>>>>>>>>> the Role of" .... etc.
> >>>>>>>>>>>>> Let's say I need to put hr_manager1 as an employee of "Recruiter" ??
> >>>>>>>>>>>>> How many accounts I need, knowing that the recruiter get a percentage ?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> What do I need to do after that ?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Guessing is not very helpful here as it relies on trial and error,
> >>>>>>>>>>>>> and an error may not be initially visible. So I like to get an advice
> >>>>>>>>>>>>> from someone with more experience in this area.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Thank you.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>
> >>>>>>>
> >>>>>
> >>>
> >

Re: Creating parties

Mansour
In reply to this post by Pierre Smits
Pierre, thank you for contributing this patch.
It solves the first part of the issue.

On Mon Jul 25,2011 08:31 am, Pierre Smits wrote:

> Hi Mansour,
>
> See my inline comment regarding the issue with
> https://demo-trunk-ofbiz-apache.org/projectmgr/control/main
>
> With regards,
>
> Pierre Smits
>
> 2011/7/24 Mansour Al Akeel <[hidden email]>
>
> > BJ,
> > thank you for all your help. I looked at the links you sent me, and they
> > were useful. I still don't understand why permissions are checked in
> > the ftl and not the service layer. However this is not the issue I am
> > stuck at now.
> > I think I am still confused about permissions.
> > I created an account on trunk demo to show what I am talking about.
> >
> > If you go to:
> > https://demo-trunk.ofbiz.apache.org/projectmgr/control/main
> >
>
> I have created a patch that alleviates this problem, but it is not yet
> incorporated in the trunk.
> See jira for the patch.
>
> https://issues.apache.org/jira/browse/OFBIZ-4206
>
>
>
>
>
> > and try to login with mansour:ofbiz you will be greeted with a screen
> > saying:
> >
> > org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen
> > [component://common/widget/CommonScreens.xml#GlobalDecorator]:
> > java.lang.IllegalArgumentException: Error running Groovy script at location
> > [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]:
> > org.ofbiz.service.ServiceAuthException: You have no access to the project#:
> > 9000 (Error running Groovy script at location
> > [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]:
> > org.ofbiz.service.ServiceAuthException: You have no access to the project#:
> > 9000)
> >
> > This is fine, as the user "mansour" doesn't have permission to view
> > this project, but shouldn't this screen display the projects he is
> > member of (if any).
> >
> > The second part is if you go to:
> >
> > https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
> >
> > and hit find, the user can see all the tasks that he is not member of,
> > and clicking on any of them, will open the details about that task.
> >
> > This user is in "PROJECTUSER"  security group, which has:
> >
> > ROJECTMGR_ROLE_TASK_CREATE Be able to create a task (should be member of
> > project)
> > PROJECTMGR_ROLE_TIMESHEET_CREATE Be able to create a weekly timesheet for
> > the loginid.
> > PROJECTMGR_ROLE_TIMESHEET_UPDATE Be able to update(report) on an existing
> > own timesheet
> > PROJECTMGR_ROLE_VIEW All view operations in the Project Manager for a
> > project/phase/task the user is member of..
> > PROJECTMGR_VIEW ALL View operations in the Project Manager(but can be
> > limited by ROLE_VIEW)
> >
> > On my local machine, I removed that last one "PROJECTMGR_VIEW", but
> > still this user can see others tasks.
> >
> > Am I doing something wrong here?
> >
> > I appreciate your help.
> >
> > On Sun Jul 17,2011 10:09 am, BJ Freeman wrote:
> > > New Role Type (see chapter two of the Book)
> > > lets you define a new role type to use.
> > > it is best to link with the book to use the webtools
> > >
> > https://demo-trunk.ofbiz.apache.org/webtools/control/ViewRelations?entityName=RoleType
> > > you can also get the xml structure from the data and created a bunch of
> > > them then load them via the web tools import. note: that service engine
> > > and UI (widgets and ftls) need to changed if you want that role type to
> > > have access.
> > >
> > > doing a google search for
> > > ofbiz main role
> > > http://ofbiz.135035.n4.nabble.com/Party-Main-Role-td1680393.html
> > >
> > > I hope these tips help you research your answer more. And as I said
> > > before, parts of your question have already been answered.
> > >
> > >
> > > This may clear up more on security and Role View all.
> > > https://cwiki.apache.org/OFBTECH/ofbiz-security.html
> > >
> > >
> > > Mansour Al Akeel sent the following on 7/17/2011 8:45 AM:
> > > > Hello BJ,
> > > > and thank you for your reply.
> > > >
> > > > You can check the link here:
> > > >
> > https://demo-trunk.ofbiz.apache.org/partymgr/control/viewroles?partyId=DemoEmployee
> > > >
> > > > It has
> > > > "Add To Main Role" and "Add To Role : view all" Fields. and if you
> > > > select something like "Calendare" for the first one, you will get a
> > > > third field "Add To Second Role". What is the difference between them ?
> > > >
> > > > I was confused with the security part, because was adding a user to a
> > > > group, but still the user was not allowed to edit a project. I have to
> > > > add the user as a resource for that project.
> > > >
> > > > What I understand now is, Party Roles has nothing to do with
> > > > permissions, and the latter has to be handled separately through the
> > > > security group.
> > > >
> > > >
> > > > Thank you.
> > > >
> > > >
> > > > On Sat Jul 16,2011 11:01 pm, BJ Freeman wrote:
> > > >> Yes I still have to go back and review. The book Deals only with Roles
> > > >> related to Party. Security based on login is not in the Book.
> > > >> The is covered in the Service Engine and Webapps, widgets
> > > >>
> > > >> It helps if you give complete URL to the places you talking about. It
> > > >> saves time of the answerer and verify we are talking the same
> > component.
> > > >> The labels are in separate files from actual code, so depending on who
> > > >> put in the text for that label, it may not be clear as to its meaning.
> > > >>
> > > >> you can limit based on Roles, security groups and/or security roles
> > > >> which is different from roles.
> > > >> going through the widgets and Ftls will give you code examples of how
> > > >> this is accomplished.
> > > >>
> > > >> The example component is good to review.
> > > >>
> > > >>
> > > >> Mansour Al Akeel sent the following on 7/16/2011 8:29 PM:
> > > >>> Ok, the "BOOK" explained things, and I know I have to read many parts
> > > >>> again, especially while trying to match the readings with  the
> > > >>> functionality offered by OFBiz.
> > > >>>
> > > >>> Now I have a question related to adding roles. In the "Add To Role"
> > > >>> screen:
> > > >>>
> > > >>>
> > > >>> Add To Main Role
> > > >>> --> Role Type Id
> > > >>>
> > > >>> Add To Second Role
> > > >>> --> Role Type Id
> > > >>>
> > > >>> Add To Role : view all
> > > >>> --> Role Type Id
> > > >>>
> > > >>> What is the difference between "Main Role" and "Second Role" and how
> > do
> > > >>> I use them ?
> > > >>> What is the "Add To Role" mean ?
> > > >>>
> > > >>> Back again to the scenario in the first email, and after I modeled the
> > > >>> Parties, how do I let each access only to the functionality they need
> > to
> > > >>> access ? For example, "Approver" to approve timesheet and work effort.
> > > >>> Project manager to Assign tasks, "Developer" to update tasks. Would
> > this
> > > >>> have to be separately using "Security Groups" ?
> > > >>>
> > > >>> Thank you.
> > > >>>
> > > >>>
> > > >>> On Mon Jun 27,2011 09:29 am, BJ Freeman wrote:
> > > >>>> as both Adrian and I mentioned most of that would be described well
> > in
> > > >>>> the Data model book that ofbiz was modeled after, which is why not
> > much
> > > >>>> documentation is written specifically in ofbiz.
> > > >>>>
> > > >>>> There are emails in the archive that have covered different parts of
> > > >>>> your question.
> > > >>>>
> > > >>>> Actually it has been a good time for the Documentation for over 6
> > years,
> > > >>>> problem is getting someone to volunteer to do it. We have added
> > internal
> > > >>>> Help in ofbiz that needs to be filled out. ANY VOLUNTEERS.
> > > >>>>
> > > >>>> Normally such Contributions have been from someone hiring someone to
> > do
> > > >>>> the documentation, because it takes a lot of time to volunteer and
> > those
> > > >>>> that have to make a living do not have such time free. Then that
> > > >>>> documentation was volunteered to ofbiz community.
> > > >>>>
> > > >>>> I limit my volunteer time per subject on the mailing list to 15 min,
> > > >>>> unless i have a vested interest in it. I have even stopped answering
> > on
> > > >>>> here because my time has become very limited. as an example this
> > email
> > > >>>> took over two hours to finish because of interruptions to do
> > business.
> > > >>>>
> > > >>>> so maybe others that have the time will volunteer the information
> > you
> > > >>>> desire.
> > > >>>>
> > > >>>> Most find the charge for the "BOOK" a lot less than hiring someone,
> > or
> > > >>>> volunteering the time to document.
> > > >>>>
> > > >>>> That said, feel free once you understand to volunteer you time to
> > > >>>> documented this the way you think it should be done.
> > > >>>> BTW I have made this offer to others that presented the same
> > proposal in
> > > >>>> the past and they have not volunteer such documentation yet.
> > > >>>>
> > > >>>> I would suggest you draw an organizational chart then use the fields
> > in
> > > >>>> ofbiz to associated the chart to relationships. There is no "ONE"
> > > >>>> organization chart.
> > > >>>>
> > > >>>> Demo employee shows two relationships as examples, in a normal
> > Company
> > > >>>> there may be many relationships. like the one that says the demo
> > > >>>> employee is a employee.
> > > >>>>
> > > >>>> you would use roles and relationship
> > > >>>>
> > > >>>> Mansour Al Akeel sent the following on 6/27/2011 4:28 AM:
> > > >>>>> BJ thank you.
> > > >>>>>
> > > >>>>> My question is related more to ofbiz usage. In the relationship
> > page:
> > > >>>>>
> > https://demo-trunk.ofbiz.apache.org/partymgr/control/EditPartyRelationships?partyId=DemoEmployee
> > > >>>>> you can see some fields that are not clear to me. To be more
> > specific, We have:
> > > >>>>> in the role of  |       is A    of Party        | in the role of
> > > >>>>>
> > > >>>>> There two relations for DemoEmployee. And each relation has two
> > fields
> > > >>>>> "in the Role Of".
> > > >>>>> Further more, there is some confusion about where to relate
> > employee
> > > >>>>> to organization. I mean if you go to:
> > > >>>>>
> > > >>>>>
> > https://demo-trunk.ofbiz.apache.org/partymgr/control/viewprofile?partyId=DemoEmployee
> > > >>>>>
> > > >>>>> You will see four tabs with labels indicates similar functionality:
> > > >>>>> -Roles
> > > >>>>> -Link Party
> > > >>>>> -Relationships
> > > >>>>> -Segments
> > > >>>>>
> > > >>>>>
> > > >>>>> What is the difference between these ? To add employee to
> > Organization
> > > >>>>> I need to use ..... ?
> > > >>>>> May be it's a good opportunity to discuss and document each of
> > them,
> > > >>>>> instead of referring me to the "BOOK" ;)
> > > >>>>>
> > > >>>>>
> > > >>>>>
> > > >>>>> On Sun, Jun 26, 2011 at 9:10 PM, BJ Freeman <[hidden email]>
> > wrote:
> > > >>>>>> there is not much documented in ofbiz about party.
> > > >>>>>> however if you read the Data model book Vol I you will see a lot
> > about
> > > >>>>>> partyrelationships. Good diagram on pg 41
> > > >>>>>> In this case you would have party relationship with the company
> > that
> > > >>>>>> supplies contractors
> > > >>>>>> so you need to setup the roles of each party then setup the
> > relationship
> > > >>>>>> between them
> > > >>>>>> start with organizational party relationship then individual
> > (person)
> > > >>>>>> relationships with organizations.
> > > >>>>>>
> > > >>>>>> example
> > > >>>>>> the programmer would be a employee role with the recruitment
> > company if
> > > >>>>>> they contract, then the programmer would have a contractor
> > relationship
> > > >>>>>> with the Company.
> > > >>>>>>
> > > >>>>>> the rest you can get from the demo data or you can look at the
> > demo site
> > > >>>>>> at the different parties to see the relationships.
> > > >>>>>>
> > > >>>>>> Mansour Al Akeel sent the following on 6/26/2011 4:43 PM:
> > > >>>>>>> Hello all,
> > > >>>>>>> I didn't use the parties component extensively, and don't know a
> > lot about it.
> > > >>>>>>> Here's the scenario we have. Three Group parties:
> > > >>>>>>> Programmers
> > > >>>>>>> Recruiter
> > > >>>>>>> Sales /marketing/Distributing
> > > >>>>>>> The distributor obtains the requirements and hires the
> > Programmers
> > > >>>>>>> through the "Recruitment" company. Billing is done by hour.
> > > >>>>>>> In each company there's two employees that interact with the
> > system.
> > > >>>>>>> programmer1 , programmer2
> > > >>>>>>> hr manager 1, hr manager2
> > > >>>>>>> project manager1, project manager2
> > > >>>>>>>
> > > >>>>>>> We need to setup the system, to handle the requirements
> > communication,
> > > >>>>>>> timesheet, project management ... etc.
> > > >>>>>>> I have created the three group parties, and 6 employees parties,
> > and
> > > >>>>>>> stopped there not knowing how to connect them.
> > > >>>>>>>
> > > >>>>>>> How to associate users (employee) with companies (Group Party) ?
> > > >>>>>>> I tried to go to Relationships page and use  "Add other party
> > > >>>>>>> relationship", but those fields are not clear to me. For example
> >  "in
> > > >>>>>>> the Role of" .... etc.
> > > >>>>>>> Let's say I need to put hr_manager1 as an employee of "Recruiter"
> > ??
> > > >>>>>>> How many accounts I need, knowing that the recruiter get a
> > percentage ?
> > > >>>>>>>
> > > >>>>>>> What do I need to do after that ?
> > > >>>>>>>
> > > >>>>>>> Guessing is not very helpful here as it relies on trial and
> > error,
> > > >>>>>>> and an error may not be initially visible. So I like to get an
> > advice
> > > >>>>>>> from someone with more experience in this area.
> > > >>>>>>>
> > > >>>>>>> Thank you.
> > > >>>>>>>
> > > >>>>>>
> > > >>>>>
> > > >>>
> > > >
> >

Re: Creating parties

BJ Freeman
In reply to this post by Mansour
I think you misunderstand my intent.
I showed you steps to achieve what you want.
By studying that you can come up with what it takes to accomplish what
you want fixed.
If someone else wants to take over from here, feel free.

Mansour Al Akeel sent the following on 7/25/2011 2:20 AM:

> BJ,
> go to this page:
> https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
> login as whatever user you like, provided he has access to projectmgr
> Hit [Find]
> you will get a list of all the tasks in the system, even if you are not
> a member of any project.
> Click on any task, and you will be able to see the full info about it!
>
> This is the problem!
>
>
>
> On Sun Jul 24,2011 05:12 pm, BJ Freeman wrote:
>> OOTB look at the party group Dev and relationships and work your way
>> down to developer1
>> you need this to show up in project resources to be added as a resource.
>> in projects pick Demo project3 and go to resources.
>> you will see DemoEmployee3
>>
>> log in as DemoEmployee3
>> you will notice that only projects and my portals show
>> click on projects
>> ignore the error for now
>> then click on using the project mgr menu select projects you will only
>> see the one in which DemoEmployee3 is a resource.
>>
>> once you figure out what you need to make this happen you will have
>> solved your problem
>>
>>
>> Mansour Al Akeel sent the following on 7/24/2011 2:04 PM:
>>> BJ,
>>> The party "Mansour" has only one role "Employee" related to
>>> "Mansour INC" organization !
>>>
>>> And I don't have any service added. It's just the same services
>>> out-of-box.
>>>
>>> Anyone knows how to deal with it ?
>>>
>>>
>>> On Sun Jul 24,2011 01:20 pm, BJ Freeman wrote:
>>>> since access for user is through the UI there is no need to go to record
>>>> level.
>>>> Now if you have a service that accesses the records then the it is the
>>>> service that should check.
>>>>
>>>>
>>>> Mansour Al Akeel sent the following on 7/24/2011 1:12 PM:
>>>>> BJ,
>>>>> I am not sure if my question is clear. Yes, I have to have PROJECTMGR
>>>>> permission to access this component. But the tasks are viewable to
>>>>> anyone.
>>>>>
>>>>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
>>>>> This part explains what I need:
>>>>>
>>>>>
>>>>> ====================================================
>>>>> At record level
>>>>>
>>>>> Defining a path from the Party in question to the target/desired entity through relationships. This is usually do-able and easy to do with a single view entity, and if a query on that entity with the proper constraints returns any results then you know the user/party has the permission.
>>>>> See the catalog role limited permissions and how they are defined and used in the ProductServices.xml file for an example.
>>>>> Role limited (or based) permissions (aka Party Roles)
>>>>>
>>>>> The purpose of role-limited permissions is to tie a SecurityPermission to record level security using the RoleType/PartyRole and related entities. In OFBiz this is how record level permissions are done, i.e. somehow the user (through their Party record) is associated with another record in the database and that specific relationship must exist in order for the role-limited permission to take effect.
>>>>> Good examples are in hasPermission methods in OrderServices class or how ProductStoreRole, ContentAndRole, PartyRole, entities are used in Java code (and at large ENTITY-NAME Role entities). See also checkStoreCustomerRole in ProductEvents class.
>>>>> By the way, do not confuse Security Roles (below) with Party Roles - they are entirely different.
>>>>>
>>>>>
>>>>> Security Roles
>>>>>
>>>>> Security Roles provide a means to associate a user ID (userLoginId) with a particular OFBiz element. This may seem the same as Security Permission, but it is slightly different. For example: a user is assigned the ORDERMGR_VIEW permission, and is associated to a particular facility (let's say XYZ Company) with the ORDERMGR_ROLE_UPDATE security role. This combination would allow the user to view orders for all facilities, and update orders for the XYZ Company facility only. They may be seen as limiting permissions.
>>>>>
>>>>> ===================================================
>>>>>
>>>>> Back again to my original question, to protect the tasks from being
>>>>> seen by Parties (logins), that are NOT a resource of that project, do I
>>>>> have to dig in the code and add the permissions check, or it's a matter of configuration. To me it
>>>>> makes more sense that a "party login" who is not a member of a project should
>>>>> not be able to see work effort or task in that project.
>>>>>
>>>>>
>>>>> On Sun Jul 24,2011 11:35 am, BJ Freeman wrote:
>>>>>> permission usually refer to the Login of a party.
>>>>>> if you look in the ofbiz-component.xml, base-permission="PROJECTMGR",
>>>>>> your login must have this security level.
>>>>>>
>>>>>> Mansour Al Akeel sent the following on 7/24/2011 10:29 AM:
>>>>>>> BJ,
>>>>>>> thank you for all your help. I looked at the links you sent me, and they
>>>>>>> were useful. I still don't understand why permissions are checked in
>>>>>>> the ftl and not the service layer. However this is not the issue I am
>>>>>>> stuck at now.
>>>>>>> I think I am still confused about permissions.
>>>>>>> I created an account on trunk demo to show what I am talking about.
>>>>>>>
>>>>>>> If you go to:
>>>>>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/main
>>>>>>> and try to login with mansour:ofbiz you will be greeted with a screen
>>>>>>> saying:
>>>>>>>
>>>>>>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen [component://common/widget/CommonScreens.xml#GlobalDecorator]: java.lang.IllegalArgumentException: Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000 (Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000)
>>>>>>>
>>>>>>> This is fine, as the user "mansour" doesn't have permission to view
>>>>>>> this project, but shouldn't this screen display the projects he is
>>>>>>> member of (if any).
>>>>>>>
>>>>>>> The second part is if you go to:
>>>>>>>
>>>>>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
>>>>>>>
>>>>>>> and hit find, the user can see all the tasks that he is not member of,
>>>>>>> and clicking on any of them, will open the details about that task.
>>>>>>>
>>>>>>> This user is in "PROJECTUSER"  security group, which has:
>>>>>>>
>>>>>>> ROJECTMGR_ROLE_TASK_CREATE Be able to create a task (should be member of project)
>>>>>>> PROJECTMGR_ROLE_TIMESHEET_CREATE Be able to create a weekly timesheet for the loginid.
>>>>>>> PROJECTMGR_ROLE_TIMESHEET_UPDATE Be able to update(report) on an existing own timesheet
>>>>>>> PROJECTMGR_ROLE_VIEW All view operations in the Project Manager for a project/phase/task the user is member of..
>>>>>>> PROJECTMGR_VIEW ALL View operations in the Project Manager(but can be limited by ROLE_VIEW)
>>>>>>>
>>>>>>> On my local machine, I removed that last one "PROJECTMGR_VIEW", but
>>>>>>> still this user can see others tasks.
>>>>>>>
>>>>>>> Am I doing something wrong here?
>>>>>>>
>>>>>>> I appreciate your help.
>>>>>>>
>>>>>>> On Sun Jul 17,2011 10:09 am, BJ Freeman wrote:
>>>>>>>> New Role Type (see chapter two of the Book)
>>>>>>>> lets you define a new role type to use.
>>>>>>>> it is best to link with the book to use the webtools
>>>>>>>> https://demo-trunk.ofbiz.apache.org/webtools/control/ViewRelations?entityName=RoleType
>>>>>>>> you can also get the xml structure from the data and created a bunch of
>>>>>>>> them then load them via the web tools import. note: that service engine
>>>>>>>> and UI (widgets and ftls) need to changed if you want that role type to
>>>>>>>> have access.
>>>>>>>>
>>>>>>>> doing a google search for
>>>>>>>> ofbiz main role
>>>>>>>> http://ofbiz.135035.n4.nabble.com/Party-Main-Role-td1680393.html
>>>>>>>>
>>>>>>>> I hope these tips help you research your answer more. And as I said
>>>>>>>> before, parts of your question have already been answered.
>>>>>>>>
>>>>>>>>
>>>>>>>> This may clear up more on security and Role View all.
>>>>>>>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
>>>>>>>>
>>>>>>>>
>>>>>>>> Mansour Al Akeel sent the following on 7/17/2011 8:45 AM:
>>>>>>>>> Hello BJ,
>>>>>>>>> and thank you for your reply.
>>>>>>>>>
>>>>>>>>> You can check the link here:
>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewroles?partyId=DemoEmployee
>>>>>>>>>
>>>>>>>>> It has
>>>>>>>>> "Add To Main Role" and "Add To Role : view all" Fields. and if you
>>>>>>>>> select something like "Calendare" for the first one, you will get a
>>>>>>>>> third field "Add To Second Role". What is the difference between them ?
>>>>>>>>>
>>>>>>>>> I was confused with the security part, because was adding a user to a
>>>>>>>>> group, but still the user was not allowed to edit a project. I have to
>>>>>>>>> add the user as a resource for that project.
>>>>>>>>>
>>>>>>>>> What I understand now is, Party Roles has nothing to do with
>>>>>>>>> permissions, and the latter has to be handled separately through the
>>>>>>>>> security group.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thank you.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sat Jul 16,2011 11:01 pm, BJ Freeman wrote:
>>>>>>>>>> Yes I still have to go back and review. The book Deals only with Roles
>>>>>>>>>> related to Party. Security based on login is not in the Book.
>>>>>>>>>> The is covered in the Service Engine and Webapps, widgets
>>>>>>>>>>
>>>>>>>>>> It helps if you give complete URL to the places you talking about. It
>>>>>>>>>> saves time of the answerer and verify we are talking the same component.
>>>>>>>>>> The labels are in separate files from actual code, so depending on who
>>>>>>>>>> put in the text for that label, it may not be clear as to its meaning.
>>>>>>>>>>
>>>>>>>>>> you can limit based on Roles, security groups and/or security roles
>>>>>>>>>> which is different from roles.
>>>>>>>>>> going through the widgets and Ftls will give you code examples of how
>>>>>>>>>> this is accomplished.
>>>>>>>>>>
>>>>>>>>>> The example component is good to review.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Mansour Al Akeel sent the following on 7/16/2011 8:29 PM:
>>>>>>>>>>> Ok, the "BOOK" explained things, and I know I have to read many parts
>>>>>>>>>>> again, especially while trying to match the readings with  the
>>>>>>>>>>> functionality offered by OFBiz.
>>>>>>>>>>>
>>>>>>>>>>> Now I have a question related to adding roles. In the "Add To Role"
>>>>>>>>>>> screen:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Add To Main Role
>>>>>>>>>>> --> Role Type Id
>>>>>>>>>>>
>>>>>>>>>>> Add To Second Role
>>>>>>>>>>> --> Role Type Id
>>>>>>>>>>>
>>>>>>>>>>> Add To Role : view all
>>>>>>>>>>> --> Role Type Id
>>>>>>>>>>>
>>>>>>>>>>> What is the difference between "Main Role" and "Second Role" and how do
>>>>>>>>>>> I use them ?
>>>>>>>>>>> What is the "Add To Role" mean ?
>>>>>>>>>>>
>>>>>>>>>>> Back again to the scenario in the first email, and after I modeled the
>>>>>>>>>>> Parties, how do I let each access only to the functionality they need to
>>>>>>>>>>> access ? For example, "Approver" to approve timesheet and work effort.
>>>>>>>>>>> Project manager to Assign tasks, "Developer" to update tasks. Would this
>>>>>>>>>>> have to be separately using "Security Groups" ?
>>>>>>>>>>>
>>>>>>>>>>> Thank you.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mon Jun 27,2011 09:29 am, BJ Freeman wrote:
>>>>>>>>>>>> as both Adrian and I mentioned most of that would be described well in
>>>>>>>>>>>> the Data model book that ofbiz was modeled after, which is why not much
>>>>>>>>>>>> documentation is written specifically in ofbiz.
>>>>>>>>>>>>
>>>>>>>>>>>> There are emails in the archive that have covered different parts of
>>>>>>>>>>>> your question.
>>>>>>>>>>>>
>>>>>>>>>>>> Actually it has been a good time for the Documentation for over 6 years,
>>>>>>>>>>>> problem is getting someone to volunteer to do it. We have added internal
>>>>>>>>>>>> Help in ofbiz that needs to be filled out. ANY VOLUNTEERS.
>>>>>>>>>>>>
>>>>>>>>>>>> Normally such Contributions have been from someone hiring someone to do
>>>>>>>>>>>> the documentation, because it takes a lot of time to volunteer and those
>>>>>>>>>>>> that have to make a living do not have such time free. Then that
>>>>>>>>>>>> documentation was volunteered to ofbiz community.
>>>>>>>>>>>>
>>>>>>>>>>>> I limit my volunteer time per subject on the mailing list to 15 min,
>>>>>>>>>>>> unless i have a vested interest in it. I have even stopped answering on
>>>>>>>>>>>> here because my time has become very limited. as an example this email
>>>>>>>>>>>> took over two hours to finish because of interruptions to do business.
>>>>>>>>>>>>
>>>>>>>>>>>> so maybe others that have the time will volunteer the information you
>>>>>>>>>>>> desire.
>>>>>>>>>>>>
>>>>>>>>>>>> Most find the charge for the "BOOK" a lot less than hiring someone, or
>>>>>>>>>>>> volunteering the time to document.
>>>>>>>>>>>>
>>>>>>>>>>>> That said, feel free once you understand to volunteer you time to
>>>>>>>>>>>> documented this the way you think it should be done.
>>>>>>>>>>>> BTW I have made this offer to others that presented the same proposal in
>>>>>>>>>>>> the past and they have not volunteer such documentation yet.
>>>>>>>>>>>>
>>>>>>>>>>>> I would suggest you draw an organizational chart then use the fields in
>>>>>>>>>>>> ofbiz to associated the chart to relationships. There is no "ONE"
>>>>>>>>>>>> organization chart.
>>>>>>>>>>>>
>>>>>>>>>>>> Demo employee shows two relationships as examples, in a normal Company
>>>>>>>>>>>> there may be many relationships. like the one that says the demo
>>>>>>>>>>>> employee is a employee.
>>>>>>>>>>>>
>>>>>>>>>>>> you would use roles and relationship
>>>>>>>>>>>>
>>>>>>>>>>>> Mansour Al Akeel sent the following on 6/27/2011 4:28 AM:
>>>>>>>>>>>>> BJ thank you.
>>>>>>>>>>>>>
>>>>>>>>>>>>> My question is related more to ofbiz usage. In the relationship page:
>>>>>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/EditPartyRelationships?partyId=DemoEmployee
>>>>>>>>>>>>> you can see some fields that are not clear to me. To be more specific, We have:
>>>>>>>>>>>>> in the role of  | is A of Party | in the role of
>>>>>>>>>>>>>
>>>>>>>>>>>>> There two relations for DemoEmployee. And each relation has two fields
>>>>>>>>>>>>> "in the Role Of".
>>>>>>>>>>>>> Further more, there is some confusion about where to relate employee
>>>>>>>>>>>>> to organization. I mean if you go to:
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewprofile?partyId=DemoEmployee
>>>>>>>>>>>>>
>>>>>>>>>>>>> You will see four tabs with labels indicates similar functionality:
>>>>>>>>>>>>> -Roles
>>>>>>>>>>>>> -Link Party
>>>>>>>>>>>>> -Relationships
>>>>>>>>>>>>> -Segments
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> What is the difference between these ? To add employee to Organization
>>>>>>>>>>>>> I need to use ..... ?
>>>>>>>>>>>>> May be it's a good opportunity to discuss and document each of them,
>>>>>>>>>>>>> instead of referring me to the "BOOK" ;)
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Sun, Jun 26, 2011 at 9:10 PM, BJ Freeman <[hidden email]> wrote:
>>>>>>>>>>>>>> there is not much documented in ofbiz about party.
>>>>>>>>>>>>>> however if you read the Data model book Vol I you will see a lot about
>>>>>>>>>>>>>> partyrelationships. Good diagram on pg 41
>>>>>>>>>>>>>> In this case you would have party relationship with the company that
>>>>>>>>>>>>>> supplies contractors
>>>>>>>>>>>>>> so you need to setup the roles of each party then setup the relationship
>>>>>>>>>>>>>> between them
>>>>>>>>>>>>>> start with organizational party relationship then individual (person)
>>>>>>>>>>>>>> relationships with organizations.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> example
>>>>>>>>>>>>>> the programmer would be a employee role with the recruitment company if
>>>>>>>>>>>>>> they contract, then the programmer would have a contractor relationship
>>>>>>>>>>>>>> with the Company.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> the rest you can get from the demo data or you can look at the demo site
>>>>>>>>>>>>>> at the different parties to see the relationships.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Mansour Al Akeel sent the following on 6/26/2011 4:43 PM:
>>>>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>>>> I didn't use the parties component extensively, and don't know a lot about it.
>>>>>>>>>>>>>>> Here's the scenario we have. Three Group parties:
>>>>>>>>>>>>>>> Programmers
>>>>>>>>>>>>>>> Recruiter
>>>>>>>>>>>>>>> Sales /marketing/Distributing
>>>>>>>>>>>>>>> The distributor obtains the requirements and hires the Programmers
>>>>>>>>>>>>>>> through the "Recruitment" company. Billing is done by hour.
>>>>>>>>>>>>>>> In each company there's two employees that interact with the system.
>>>>>>>>>>>>>>> programmer1 , programmer2
>>>>>>>>>>>>>>> hr manager 1, hr manager2
>>>>>>>>>>>>>>> project manager1, project manager2
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> We need to setup the system, to handle the requirements communication,
>>>>>>>>>>>>>>> timesheet, project management ... etc.
>>>>>>>>>>>>>>> I have created the three group parties, and 6 employees parties, and
>>>>>>>>>>>>>>> stopped there not knowing how to connect them.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> How to associate users (employee) with companies (Group Party) ?
>>>>>>>>>>>>>>> I tried to go to Relationships page and use  "Add other party
>>>>>>>>>>>>>>> relationship", but those fields are not clear to me. For example  "in
>>>>>>>>>>>>>>> the Role of" .... etc.
>>>>>>>>>>>>>>> Let's say I need to put hr_manager1 as an employee of "Recruiter" ??
>>>>>>>>>>>>>>> How many accounts I need, knowing that the recruiter get a percentage ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> What do I need to do after that ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Guessing is not very helpful here as it relies on trial and error,
>>>>>>>>>>>>>>> and an error may not be initially visible. So I like to get an advice
>>>>>>>>>>>>>>> from someone with more experience in this area.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thank you.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>
>>>
>

Re: Creating parties

David E. Jones-2
In reply to this post by Mansour

Mansour,

You could look at the data preparation code for that screen (typically in the screen.actions element of the screen definition) to see if it does any sort of "permission-esque" filtering. Chances are it does not and the search criteria used are the only criteria passed included in the database query.

In other words, it sounds like you're looking for a feature that does not exist. It could certainly be implemented by:

1. adding the permission-related constraints to the FindTask query
2. changing the view task screen to check the same constraint(s) for the individual task

-David


On Jul 25, 2011, at 3:20 AM, Mansour Al Akeel wrote:

> BJ,
> go to this page:
> https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
> login as whatever user you like, provided he has access to projectmgr
> Hit [Find]
> you will get a list of all the tasks in the system, even if you are not
> a member of any project.
> Click on any task, and you will be able to see the full info about it!
>
> This is the problem!
>
>
>
> On Sun Jul 24,2011 05:12 pm, BJ Freeman wrote:
>> OOTB look at the party group Dev and relationships and work your way
>> down to developer1
>> you need this to show up in project resources to be added as a resource.
>> in projects pick Demo project3 and go to resources.
>> you will see DemoEmployee3
>>
>> log in as DemoEmployee3
>> you will notice that only projects and my portals show
>> click on projects
>> ignore the error for now
>> then click on using the project mgr menu select projects you will only
>> see the one in which DemoEmployee3 is a resource.
>>
>> once you figure out what you need to make this happen you will have
>> solved your problem
>>
>>
>> Mansour Al Akeel sent the following on 7/24/2011 2:04 PM:
>>> BJ,
>>> The party "Mansour" has only one role "Employee" related to
>>> "Mansour INC" organization !
>>>
>>> And I don't have any service added. It's just the same services
>>> out-of-box.
>>>
>>> Anyone knows how to deal with it ?
>>>
>>>
>>> On Sun Jul 24,2011 01:20 pm, BJ Freeman wrote:
>>>> since access for user is through the UI there is no need to go to record
>>>> level.
>>>> Now if you have a service that accesses the records then the it is the
>>>> service that should check.
>>>>
>>>>
>>>> Mansour Al Akeel sent the following on 7/24/2011 1:12 PM:
>>>>> BJ,
>>>>> I am not sure if my question is clear. Yes, I have to have PROJECTMGR
>>>>> permission to access this component. But the tasks are viewable to
>>>>> anyone.
>>>>>
>>>>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
>>>>> This part explains what I need:
>>>>>
>>>>>
>>>>> ====================================================
>>>>> At record level
>>>>>
>>>>> Defining a path from the Party in question to the target/desired entity through relationships. This is usually do-able and easy to do with a single view entity, and if a query on that entity with the proper constraints returns any results then you know the user/party has the permission.
>>>>> See the catalog role limited permissions and how they are defined and used in the ProductServices.xml file for an example.
>>>>> Role limited (or based) permissions (aka Party Roles)
>>>>>
>>>>> The purpose of role-limited permissions is to tie a SecurityPermission to record level security using the RoleType/PartyRole and related entities. In OFBiz this is how record level permissions are done, i.e. somehow the user (through their Party record) is associated with another record in the database and that specific relationship must exist in order for the role-limited permission to take effect.
>>>>> Good examples are in hasPermission methods in OrderServices class or how ProductStoreRole, ContentAndRole, PartyRole, entities are used in Java code (and at large ENTITY-NAME Role entities). See also checkStoreCustomerRole in ProductEvents class.
>>>>> By the way, do not confuse Security Roles (below) with Party Roles - they are entirely different.
>>>>>
>>>>>
>>>>> Security Roles
>>>>>
>>>>> Security Roles provide a means to associate a user ID (userLoginId) with a particular OFBiz element. This may seem the same as Security Permission, but it is slightly different. For example: a user is assigned the ORDERMGR_VIEW permission, and is associated to a particular facility (let's say XYZ Company) with the ORDERMGR_ROLE_UPDATE security role. This combination would allow the user to view orders for all facilities, and update orders for the XYZ Company facility only. They may be seen as limiting permissions.
>>>>>
>>>>> ===================================================
>>>>>
>>>>> Back again to my original question, to protect the tasks from being
>>>>> seen by Parties (logins), that are NOT a resource of that project, do I
>>>>> have to dig in the code and add the permissions check, or it's a matter of configuration. To me it
>>>>> makes more sense that a "party login" who is not a member of a project should
>>>>> not be able to see work effort or task in that project.
>>>>>
>>>>>
>>>>> On Sun Jul 24,2011 11:35 am, BJ Freeman wrote:
>>>>>> permission usually refer to the Login of a party.
>>>>>> if you look in the ofbiz-component.xml, base-permission="PROJECTMGR",
>>>>>> your login must have this security level.
>>>>>>
>>>>>> Mansour Al Akeel sent the following on 7/24/2011 10:29 AM:
>>>>>>> BJ,
>>>>>>> thank you for all your help. I looked at the links you sent me, and they
>>>>>>> were useful. I still don't understand why permissions are checked in
>>>>>>> the ftl and not the service layer. However this is not the issue I am
>>>>>>> stuck at now.
>>>>>>> I think I am still confused about permissions.
>>>>>>> I created an account on trunk demo to show what I am talking about.
>>>>>>>
>>>>>>> If you go to:
>>>>>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/main
>>>>>>> and try to login with mansour:ofbiz you will be greeted with a screen
>>>>>>> saying:
>>>>>>>
>>>>>>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen [component://common/widget/CommonScreens.xml#GlobalDecorator]: java.lang.IllegalArgumentException: Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000 (Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000)
>>>>>>>
>>>>>>> This is fine, as the user "mansour" doesn't have permission to view
>>>>>>> this project, but shouldn't this screen display the projects he is
>>>>>>> member of (if any).
>>>>>>>
>>>>>>> The second part is if you go to:
>>>>>>>
>>>>>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
>>>>>>>
>>>>>>> and hit find, the user can see all the tasks that he is not member of,
>>>>>>> and clicking on any of them, will open the details about that task.
>>>>>>>
>>>>>>> This user is in "PROJECTUSER"  security group, which has:
>>>>>>>
>>>>>>> ROJECTMGR_ROLE_TASK_CREATE Be able to create a task (should be member of project)
>>>>>>> PROJECTMGR_ROLE_TIMESHEET_CREATE Be able to create a weekly timesheet for the loginid.
>>>>>>> PROJECTMGR_ROLE_TIMESHEET_UPDATE Be able to update(report) on an existing own timesheet
>>>>>>> PROJECTMGR_ROLE_VIEW All view operations in the Project Manager for a project/phase/task the user is member of..
>>>>>>> PROJECTMGR_VIEW ALL View operations in the Project Manager(but can be limited by ROLE_VIEW)
>>>>>>>
>>>>>>> On my local machine, I removed that last one "PROJECTMGR_VIEW", but
>>>>>>> still this user can see others tasks.
>>>>>>>
>>>>>>> Am I doing something wrong here?
>>>>>>>
>>>>>>> I appreciate your help.
>>>>>>>
>>>>>>> On Sun Jul 17,2011 10:09 am, BJ Freeman wrote:
>>>>>>>> New Role Type (see chapter two of the Book)
>>>>>>>> lets you define a new role type to use.
>>>>>>>> it is best to link with the book to use the webtools
>>>>>>>> https://demo-trunk.ofbiz.apache.org/webtools/control/ViewRelations?entityName=RoleType
>>>>>>>> you can also get the xml structure from the data and created a bunch of
>>>>>>>> them then load them via the web tools import. note: that service engine
>>>>>>>> and UI (widgets and ftls) need to changed if you want that role type to
>>>>>>>> have access.
>>>>>>>>
>>>>>>>> doing a google search for
>>>>>>>> ofbiz main role
>>>>>>>> http://ofbiz.135035.n4.nabble.com/Party-Main-Role-td1680393.html
>>>>>>>>
>>>>>>>> I hope these tips help you research your answer more. And as I said
>>>>>>>> before parts of your question have already been answered.
>>>>>>>>
>>>>>>>>
>>>>>>>> This may clear up more on security and Role View all.
>>>>>>>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
>>>>>>>>
>>>>>>>>
>>>>>>>> Mansour Al Akeel sent the following on 7/17/2011 8:45 AM:
>>>>>>>>> Hello BJ,
>>>>>>>>> and thank you for your reply.
>>>>>>>>>
>>>>>>>>> You can check the link here:
>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewroles?partyId=DemoEmployee
>>>>>>>>>
>>>>>>>>> It has
>>>>>>>>> "Add To Main Role" and "Add To Role : view all" Fields. and if you
>>>>>>>>> select something like "Calendare" for the first one, you will get a
>>>>>>>>> third field "Add To Second Role". What is the difference between them ?
>>>>>>>>>
>>>>>>>>> I was confused with the security part, because was adding a user to a
>>>>>>>>> group, but still the user was not allowed to edit a project. I have to
>>>>>>>>> add the user as a resource for that project.
>>>>>>>>>
>>>>>>>>> What I understand now is, Party Roles has nothing to do with
>>>>>>>>> permissions, and the latter has to be handled separately through the
>>>>>>>>> security group.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thank you.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sat Jul 16,2011 11:01 pm, BJ Freeman wrote:
>>>>>>>>>> Yes I still have to go back and review. The book Deals only with Roles
>>>>>>>>>> related to Party. Security based on login is not in the Book.
>>>>>>>>>> The is covered in the Service Engine and Webapps, widgets
>>>>>>>>>>
>>>>>>>>>> It helps if you give complete URL to the places you talking about. It
>>>>>>>>>> saves time of the answerer and verify we are talking the same component.
>>>>>>>>>> The labels are in separate files from actual code, so depending on who
>>>>>>>>>> put in the text for that label, it may not be clear as to its meaning.
>>>>>>>>>>
>>>>>>>>>> you can limit based on Roles, security groups and/or security roles
>>>>>>>>>> which is different from roles.
>>>>>>>>>> going through the widgets and Ftls will give you code examples of how
>>>>>>>>>> this is accomplished.
>>>>>>>>>>
>>>>>>>>>> The example component is good to review.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Mansour Al Akeel sent the following on 7/16/2011 8:29 PM:
>>>>>>>>>>> Ok, the "BOOK" explained things, and I know I have to read many parts
>>>>>>>>>>> again, especially while trying to match the readings with  the
>>>>>>>>>>> functionality offered by OFBiz.
>>>>>>>>>>>
>>>>>>>>>>> Now I have a question related to adding roles. In the "Add To Role"
>>>>>>>>>>> screen:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Add To Main Role
>>>>>>>>>>> --> Role Type Id
>>>>>>>>>>>
>>>>>>>>>>> Add To Second Role
>>>>>>>>>>> --> Role Type Id
>>>>>>>>>>>
>>>>>>>>>>> Add To Role : view all
>>>>>>>>>>> --> Role Type Id
>>>>>>>>>>>
>>>>>>>>>>> What is the difference between "Main Role" and "Second Role" and how do
>>>>>>>>>>> I use them ?
>>>>>>>>>>> What is the "Add To Role" mean ?
>>>>>>>>>>>
>>>>>>>>>>> Back again to the scenario in the first email, and after I modeled the
>>>>>>>>>>> Parties, how do I let each access only to the functionality they need to
>>>>>>>>>>> access? For example, "Approver" to approve timesheet and work effort.
>>>>>>>>>>> Project manager to assign tasks, "Developer" to update tasks. Would this
>>>>>>>>>>> have to be separately using "Security Groups" ?
>>>>>>>>>>>
>>>>>>>>>>> Thank you.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mon Jun 27,2011 09:29 am, BJ Freeman wrote:
>>>>>>>>>>>> as both Adrian and I mentioned most of that would be described well in
>>>>>>>>>>>> the Data model book that ofbiz was modeled after, which is why not much
>>>>>>>>>>>> documentation is written specifically in ofbiz.
>>>>>>>>>>>>
>>>>>>>>>>>> There are emails in the archive that have covered different parts of
>>>>>>>>>>>> your question.
>>>>>>>>>>>>
>>>>>>>>>>>> Actually it has been a good time for the Documentation for over 6 years,
>>>>>>>>>>>> problem is getting someone to volunteer to do it. We have added internal
>>>>>>>>>>>> Help in ofbiz that needs to be filled out. ANY VOLUNTEERS.
>>>>>>>>>>>>
>>>>>>>>>>>> Normally such Contributions have been from someone hiring someone to do
>>>>>>>>>>>> the documentation, because it takes a lot of time to volunteer and those
>>>>>>>>>>>> that have to make a living do not have such time free. Then that
>>>>>>>>>>>> documentation was volunteered to ofbiz community.
>>>>>>>>>>>>
>>>>>>>>>>>> I limit my volunteer time per subject on the mailing list to 15 min,
>>>>>>>>>>>> unless i have a vested interest in it. I have even stopped answering on
>>>>>>>>>>>> here because my time has become very limited. as an example this email
>>>>>>>>>>>> took over two hours to finish because of interruptions to do business.
>>>>>>>>>>>>
>>>>>>>>>>>> so maybe others that have the time will volunteer the information you
>>>>>>>>>>>> desire.
>>>>>>>>>>>>
>>>>>>>>>>>> Most find the charge for the "BOOK" a lot less than hiring someone, or
>>>>>>>>>>>> volunteering the time to document.
>>>>>>>>>>>>
>>>>>>>>>>>> That said, feel free once you understand to volunteer your time to
>>>>>>>>>>>> documented this the way you think it should be done.
>>>>>>>>>>>> BTW I have made this offer to others that presented the same proposal in
>>>>>>>>>>>> the past and they have not volunteer such documentation yet.
>>>>>>>>>>>>
>>>>>>>>>>>> I would suggest you draw an organizational chart then use the fields in
>>>>>>>>>>>> ofbiz to associated the chart to relationships. There is no "ONE"
>>>>>>>>>>>> organization chart.
>>>>>>>>>>>>
>>>>>>>>>>>> Demo employee shows two relationships as examples, in a normal Company
>>>>>>>>>>>> there may be many relationships. like the one that says the demo
>>>>>>>>>>>> employee is a employee.
>>>>>>>>>>>>
>>>>>>>>>>>> you would use roles and relationship
>>>>>>>>>>>>
>>>>>>>>>>>> Mansour Al Akeel sent the following on 6/27/2011 4:28 AM:
>>>>>>>>>>>>> BJ thank you.
>>>>>>>>>>>>>
>>>>>>>>>>>>> My question is related more to ofbiz usage. In the relationship page:
>>>>>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/EditPartyRelationships?partyId=DemoEmployee
>>>>>>>>>>>>> you can see some fields that are not clear to me. To be more specific, We have:
>>>>>>>>>>>>> in the role of  | is A of Party | in the role of
>>>>>>>>>>>>>
>>>>>>>>>>>>> There two relations for DemoEmployee. And each relation has two fields
>>>>>>>>>>>>> "in the Role Of".
>>>>>>>>>>>>> Further more, there is some confusion about where to relate employee
>>>>>>>>>>>>> to organization. I mean if you go to:
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewprofile?partyId=DemoEmployee
>>>>>>>>>>>>>
>>>>>>>>>>>>> You will see four tabs with labels indicates similar functionality:
>>>>>>>>>>>>> -Roles
>>>>>>>>>>>>> -Link Party
>>>>>>>>>>>>> -Relationships
>>>>>>>>>>>>> -Segments
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> What is the difference between these ? To add employee to Organization
>>>>>>>>>>>>> I need to use ..... ?
>>>>>>>>>>>>> May be it's a good opportunity to discuss and document each of them,
>>>>>>>>>>>>> instead of referring me to the "BOOK" ;)
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Sun, Jun 26, 2011 at 9:10 PM, BJ Freeman <[hidden email]> wrote:
>>>>>>>>>>>>>> there is not much documented in ofbiz about party.
>>>>>>>>>>>>>> however if you read the Data model book Vol I you will see a lot about
>>>>>>>>>>>>>> partyrelationships. Good diagram on pg 41
>>>>>>>>>>>>>> In this case you would have party relationship with the company that
>>>>>>>>>>>>>> supplies contractors
>>>>>>>>>>>>>> so you need to setup the roles of each party then setup the relationship
>>>>>>>>>>>>>> between them
>>>>>>>>>>>>>> start with organizational party relationship then individual (person)
>>>>>>>>>>>>>> relationships with organizations.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> example
>>>>>>>>>>>>>> the programmer would be a employee role with the recruitment company if
>>>>>>>>>>>>>> they contract, then the programmer would have a contractor relationship
>>>>>>>>>>>>>> with the Company.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> the rest you can get from the demo data or you can look at the demo site
>>>>>>>>>>>>>> at the different parties to see the relationships.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Mansour Al Akeel sent the following on 6/26/2011 4:43 PM:
>>>>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>>>> I didn't use the parties component extensively, and don't know a lot about it.
>>>>>>>>>>>>>>> Here's the scenario we have. Three Group parties:
>>>>>>>>>>>>>>> Programmers
>>>>>>>>>>>>>>> Recruiter
>>>>>>>>>>>>>>> Sales /marketing/Distributing
>>>>>>>>>>>>>>> The distributor obtains the requirements and hires the Programmers
>>>>>>>>>>>>>>> through the "Recruitment" company. Billing is done by hour.
>>>>>>>>>>>>>>> In each company there's two employees that interact with the system.
>>>>>>>>>>>>>>> programmer1 , programmer2
>>>>>>>>>>>>>>> hr manager 1, hr manager2
>>>>>>>>>>>>>>> project manager1, project manager2
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> We need to setup the system, to handle the requirements communication,
>>>>>>>>>>>>>>> timesheet, project management ... etc.
>>>>>>>>>>>>>>> I have created the three group parties, and 6 employees parties, and
>>>>>>>>>>>>>>> stopped there not knowing how to connect them.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> How to associate users (employee) with companies (Group Party) ?
>>>>>>>>>>>>>>> I tried to go to Relationships page and use  "Add other party
>>>>>>>>>>>>>>> relationship", but those fields are not clear to me. For example  "in
>>>>>>>>>>>>>>> the Role of" .... etc.
>>>>>>>>>>>>>>> Let's say I need to put hr_manager1 as an employee of "Recruiter" ??
>>>>>>>>>>>>>>> How many accounts I need, knowing that the recruiter get a percentage ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> What do I need to do after that ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Guessing is not very helpful here as it relies on trial and error,
>>>>>>>>>>>>>>> and an error may not be initially visible. So I like to get an advice
>>>>>>>>>>>>>>> from someone with more experience in this area.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thank you.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>
>>>
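
Added example (not part of David's post and not OFBiz code): a small framework-independent Python model of the two steps he lists, with one predicate shared by the task search and the single-task view. The logins, task and project ids, function names, and the reading that PROJECTMGR_VIEW grants every task while PROJECTMGR_ROLE_VIEW grants only tasks in projects where the party is a resource, are assumptions made for illustration.

```python
"""Record-level authorization for project tasks: list filter plus per-object check.

Illustrative model only. All names and data are constructed for this example;
nothing here is OFBiz code or an OFBiz API.
"""
from dataclasses import dataclass

# Constructed sample data: tasks keyed by id, each belonging to one project.
TASKS = {
    "T1": {"project": "P9000", "name": "Design schema"},
    "T2": {"project": "P9000", "name": "Write importer"},
    "T3": {"project": "P9001", "name": "Build timesheet report"},
}

# Constructed sample data: (party, project) pairs, "party is a resource of project".
PROJECT_RESOURCES = {("developer1", "P9001"), ("manager1", "P9000")}


@dataclass(frozen=True)
class Login:
    party: str
    permissions: frozenset


class AccessDenied(Exception):
    """Raised when a login may not see the requested task."""


def can_view_task(login, task):
    """The one constraint used by both the search and the detail view."""
    # Assumption: the plain permission is unrestricted.
    if "PROJECTMGR_VIEW" in login.permissions:
        return True
    # Assumption: the role-limited permission needs a party-to-project link.
    if "PROJECTMGR_ROLE_VIEW" in login.permissions:
        return (login.party, task["project"]) in PROJECT_RESOURCES
    return False


def find_tasks(login, name_contains=""):
    """Step 1: apply the search criteria AND the permission constraint."""
    needle = name_contains.lower()
    return sorted(
        task_id
        for task_id, task in TASKS.items()
        if needle in task["name"].lower() and can_view_task(login, task)
    )


def view_task_list_filter_only(login, task_id):
    """The gap left by step 1 alone: the detail view trusts the requested id."""
    return TASKS[task_id]


def view_task(login, task_id):
    """Step 2: re-check the same constraint for the individual task."""
    task = TASKS.get(task_id)
    # Unknown and forbidden ids get the same answer, so the response does not
    # reveal which task ids exist.
    if task is None or not can_view_task(login, task):
        raise AccessDenied("no access to task " + task_id)
    return task


if __name__ == "__main__":
    outsider = Login("outsider1", frozenset({"PROJECTMGR_ROLE_VIEW"}))
    print("search results:", find_tasks(outsider))
    print("unchecked detail view:", view_task_list_filter_only(outsider, "T1"))
    try:
        view_task(outsider, "T1")
    except AccessDenied as exc:
        print("checked detail view:", exc)
```

`view_task_list_filter_only` shows what stays open when only the search query is constrained: a task requested directly by id never passes through the filter, which is why the detail view repeats the check.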


Re: Creating parties

Mansour
Thank you David.
This is what I wanted to know: whether it's a configuration issue or
something has to change in the code. It looks like I need to do both.
Please see my comments.

On Mon Jul 25,2011 07:40 am, David E Jones wrote:

>
> Mansour,
>
> You could look at the data preparation code for that screen (typically in the screen.actions element of the screen definition) to see if it does any sort of "permission-esque" filtering. Chances are it does not and the search criteria used are the only criteria passed included in the database query.
>
> In other words, it sounds like you're looking for a feature that does not exist. It could certainly be implemented by:
>
> 1. adding the permission-related constraints to the FindTask query
> 2. changing the view task screen to check the same constraint(s) for the individual task
>

Would this still prevent access to individual tasks through the URL?
I think this would only hide the tasks in the search results.



> -David
>
>
> On Jul 25, 2011, at 3:20 AM, Mansour Al Akeel wrote:
>
> > BJ,
> > go to this page:
> > https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
> > login as whatever user you like, provided he has access to projectmgr
> > Hit [Find]
> > you will get a list of all the tasks in the system, even if you are not
> > a member of any project.
> > Click on any task, and you will be able to see the full info about it!
> >
> > This is the problem!
> >
> >
> >
> > On Sun Jul 24,2011 05:12 pm, BJ Freeman wrote:
> >> OOTB look at the party group Dev and relationships and work your way
> >> down to developer1
> >> you need this to show up in project resources to be added as a resource.
> >> in projects pick Demo project3 and go to resources.
> >> you will see DemoEmployee3
> >>
> >> log in as DemoEmployee3
> >> you will notice that only projects and my portals show
> >> click on projects
> >> ignore the error for now
> >> then click on using the project mgr menu select projects you will only
> >> see the one in which DemoEmployee3 is a resource.
> >>
> >> once you figure out what you need to make this happen you will have
> >> solved your problem
> >>
> >>
> >> Mansour Al Akeel sent the following on 7/24/2011 2:04 PM:
> >>> BJ,
> >>> The party "Mansour" has only one role "Employee" related to
> >>> "Mansour INC" organization !
> >>>
> >>> And I don't have any service added. It's just the same services
> >>> out-of-box.
> >>>
> >>> Anyone knows how to deal with it ?
> >>>
> >>>
> >>> On Sun Jul 24,2011 01:20 pm, BJ Freeman wrote:
> >>>> since access for user is through the UI there is no need to go to record
> >>>> level.
> >>>> Now if you have a service that accesses the records then the it is the
> >>>> service that should check.
> >>>>
> >>>>
> >>>> Mansour Al Akeel sent the following on 7/24/2011 1:12 PM:
> >>>>> BJ,
> >>>>> I am not sure if my question is clear. Yes, I have to have PROJECTMGR
> >>>>> permission to access this component. But the tasks are viewable to
> >>>>> anyone.
> >>>>>
> >>>>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
> >>>>> This part explains what I need:
> >>>>>
> >>>>>
> >>>>> ====================================================
> >>>>> At record level
> >>>>>
> >>>>> Defining a path from the Party in question to the target/desired entity through relationships. This is usually do-able and easy to do with a single view entity, and if a query on that entity with the proper constraints returns any results then you know the user/party has the permission.
> >>>>> See the catalog role limited permissions and how they are defined and used in the ProductServices.xml file for an example.
> >>>>> Role limited (or based) permissions (aka Party Roles)
> >>>>>
> >>>>> The purpose of role-limited permissions is to tie a SecurityPermission to record level security using the RoleType/PartyRole and related entities. In OFBiz this is how record level permissions are done, i.e. somehow the user (through their Party record) is associated with another record in the database and that specific relationship must exist in order for the role-limited permission to take effect.
> >>>>> Good examples are in hasPermission methods in OrderServices class or how ProductStoreRole, ContentAndRole, PartyRole, entities are used in Java code (and at large ENTITY-NAME Role entities). See also checkStoreCustomerRole in ProductEvents class.
> >>>>> By the way, do not confuse Security Roles (below) with Party Roles - they are entirely different.
> >>>>>
> >>>>>
> >>>>> Security Roles
> >>>>>
> >>>>> Security Roles provide a means to associate a user ID (userLoginId) with a particular OFBiz element. This may seem the same as Security Permission, but it is slightly different. For example: a user is assigned the ORDERMGR_VIEW permission, and is associated to a particular facility (let's say XYZ Company) with the ORDERMGR_ROLE_UPDATE security role. This combination would allow the user to view orders for all facilities, and update orders for the XYZ Company facility only. They may be seen as limiting permissions.
> >>>>>
> >>>>> ===================================================
> >>>>>
> >>>>> Back again to my original question, to protect the tasks from being
> >>>>> seen by Parties (logins), that are NOT a resource of that project, do I
> >>>>> have to dig in the code and add the permissions check, or it's a matter of configuration. To me it
> >>>>> makes more sense that a "party login" who is not a member of a project should
> >>>>> not be able to see work effort or task in that project.
> >>>>>
> >>>>>
> >>>>> On Sun Jul 24,2011 11:35 am, BJ Freeman wrote:
> >>>>>> permission usually refer to the Login of a party.
> >>>>>> if you look in the ofbiz-component.xml, base-permission="PROJECTMGR",
> >>>>>> your login must have this security level.
> >>>>>>
> >>>>>> Mansour Al Akeel sent the following on 7/24/2011 10:29 AM:
> >>>>>>> BJ,
> >>>>>>> thank you for all your help. I looked at the links you sent me, and they
> >>>>>>> were useful. I still don't understand why permissions are checked in
> >>>>>>> the ftl and not the service layer. However this is not the issue I am
> >>>>>>> stuck at now.
> >>>>>>> I think I am still confused about permissions.
> >>>>>>> I created an account on trunk demo to show what I am talking about.
> >>>>>>>
> >>>>>>> If you go to:
> >>>>>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/main
> >>>>>>> and try to login with mansour:ofbiz you will be greeted with a screen
> >>>>>>> saying:
> >>>>>>>
> >>>>>>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen [component://common/widget/CommonScreens.xml#GlobalDecorator]: java.lang.IllegalArgumentException: Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000 (Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000)
> >>>>>>>
> >>>>>>> This is fine, as the user "mansour" doesn't have permission to view
> >>>>>>> this project, but shouldn't this screen display the projects he is
> >>>>>>> member of (if any).
> >>>>>>>
> >>>>>>> The second part is if you go to:
> >>>>>>>
> >>>>>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
> >>>>>>>
> >>>>>>> and hit find, the user can see all the tasks that he is not member of,
> >>>>>>> and clicking on any of them, will open the details about that task.
> >>>>>>>
> >>>>>>> This user is in "PROJECTUSER"  security group, which has:
> >>>>>>>
> >>>>>>> ROJECTMGR_ROLE_TASK_CREATE Be able to create a task (should be member of project)
> >>>>>>> PROJECTMGR_ROLE_TIMESHEET_CREATE Be able to create a weekly timesheet for the loginid.
> >>>>>>> PROJECTMGR_ROLE_TIMESHEET_UPDATE Be able to update(report) on an existing own timesheet
> >>>>>>> PROJECTMGR_ROLE_VIEW All view operations in the Project Manager for a project/phase/task the user is member of..
> >>>>>>> PROJECTMGR_VIEW ALL View operations in the Project Manager(but can be limited by ROLE_VIEW)
> >>>>>>>
> >>>>>>> On my local machine, I removed that last one "PROJECTMGR_VIEW", but
> >>>>>>> still this user can see others tasks.
> >>>>>>>
> >>>>>>> Am I doing something wrong here?
> >>>>>>>
> >>>>>>> I appreciate your help.
> >>>>>>>
> >>>>>>> On Sun Jul 17,2011 10:09 am, BJ Freeman wrote:
> >>>>>>>> New Role Type (see chapter two of the Book)
> >>>>>>>> lets you define a new role type to use.
> >>>>>>>> it is best to link with the book to use the webtools
> >>>>>>>> https://demo-trunk.ofbiz.apache.org/webtools/control/ViewRelations?entityName=RoleType
> >>>>>>>> you can also get the xml structure from the data and created a bunch of
> >>>>>>>> them then load them via the web tools import. note: that service engine
> >>>>>>>> and UI (widgets and ftls) need to changed if you want that role type to
> >>>>>>>> have access.
> >>>>>>>>
> >>>>>>>> doing a google search for
> >>>>>>>> ofbiz main role
> >>>>>>>> http://ofbiz.135035.n4.nabble.com/Party-Main-Role-td1680393.html
> >>>>>>>>
> >>>>>>>> I hope these tips help you research your answer more. And as I said
> >>>>>>>> before parts of your question have already been answered.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> This may clear up more on security and Role View all.
> >>>>>>>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Mansour Al Akeel sent the following on 7/17/2011 8:45 AM:
> >>>>>>>>> Hello BJ,
> >>>>>>>>> and thank you for your reply.
> >>>>>>>>>
> >>>>>>>>> You can check the link here:
> >>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewroles?partyId=DemoEmployee
> >>>>>>>>>
> >>>>>>>>> It has
> >>>>>>>>> "Add To Main Role" and "Add To Role : view all" Fields. and if you
> >>>>>>>>> select something like "Calendare" for the first one, you will get a
> >>>>>>>>> third field "Add To Second Role". What is the difference between them ?
> >>>>>>>>>
> >>>>>>>>> I was confused with the security part, because was adding a user to a
> >>>>>>>>> group, but still the user was not allowed to edit a project. I have to
> >>>>>>>>> add the user as a resource for that project.
> >>>>>>>>>
> >>>>>>>>> What I understand now is, Party Roles has nothing to do with
> >>>>>>>>> permissions, and the latter has to be handled separately through the
> >>>>>>>>> security group.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Thank you.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On Sat Jul 16,2011 11:01 pm, BJ Freeman wrote:
> >>>>>>>>>> Yes I still have to go back and review. The book Deals only with Roles
> >>>>>>>>>> related to Party. Security based on login is not in the Book.
> >>>>>>>>>> The is covered in the Service Engine and Webapps, widgets
> >>>>>>>>>>
> >>>>>>>>>> It helps if you give complete URL to the places you talking about. It
> >>>>>>>>>> saves time of the answerer and verify we are talking the same component.
> >>>>>>>>>> The labels are in separate files from actual code, so depending on who
> >>>>>>>>>> put in the text for that label, it may not be clear as to its meaning.
> >>>>>>>>>>
> >>>>>>>>>> you can limit based on Roles, security groups and/or security roles
> >>>>>>>>>> which is different from roles.
> >>>>>>>>>> going through the widgets and Ftls will give you code examples of how
> >>>>>>>>>> this is accomplished.
> >>>>>>>>>>
> >>>>>>>>>> The example component is good to review.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Mansour Al Akeel sent the following on 7/16/2011 8:29 PM:
> >>>>>>>>>>> Ok, the "BOOK" explained things, and I know I have to read many parts
> >>>>>>>>>>> again, especially while trying to match the readings with  the
> >>>>>>>>>>> functionality offered by OFBiz.
> >>>>>>>>>>>
> >>>>>>>>>>> Now I have a question related to adding roles. In the "Add To Role"
> >>>>>>>>>>> screen:
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> Add To Main Role
> >>>>>>>>>>> --> Role Type Id
> >>>>>>>>>>>
> >>>>>>>>>>> Add To Second Role
> >>>>>>>>>>> --> Role Type Id
> >>>>>>>>>>>
> >>>>>>>>>>> Add To Role : view all
> >>>>>>>>>>> --> Role Type Id
> >>>>>>>>>>>
> >>>>>>>>>>> What is the difference between "Main Role" and "Second Role" and how do
> >>>>>>>>>>> I use them ?
> >>>>>>>>>>> What does "Add To Role" mean ?
> >>>>>>>>>>>
> >>>>>>>>>>> Back again to the scenario in the first email, and after I modeled the
> >>>>>>>>>>> Parties, how do I let each access only to the functionality they need to
> >>>>>>>>>>> access ? For example, "Approver" to approve timesheet and work effort.
> >>>>>>>>>>> Project manager to assign tasks, "Developer" to update tasks. Would this
> >>>>>>>>>>> have to be separately using "Security Groups" ?
> >>>>>>>>>>>
> >>>>>>>>>>> Thank you.
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> On Mon Jun 27,2011 09:29 am, BJ Freeman wrote:
> >>>>>>>>>>>> as both Adrian and I mentioned most of that would be described well in
> >>>>>>>>>>>> the Data model book that ofbiz was modeled after, which is why not much
> >>>>>>>>>>>> documentation is written specifically in ofbiz.
> >>>>>>>>>>>>
> >>>>>>>>>>>> There are emails in the archive that have covered different parts of
> >>>>>>>>>>>> your question.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Actually it has been a good time for the Documentation for over 6 years,
> >>>>>>>>>>>> problem is getting someone to volunteer to do it. We have added internal
> >>>>>>>>>>>> Help in ofbiz that needs to be filled out. ANY VOLUNTEERS.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Normally such Contributions have been from someone hiring someone to do
> >>>>>>>>>>>> the documentation, because it takes a lot of time to volunteer and those
> >>>>>>>>>>>> that have to make a living do not have such time free. Then that
> >>>>>>>>>>>> documentation was volunteered to ofbiz community.
> >>>>>>>>>>>>
> >>>>>>>>>>>> I limit my volunteer time per subject on the mailing list to 15 min,
> >>>>>>>>>>>> unless i have a vested interest in it. I have even stopped answering on
> >>>>>>>>>>>> here because my time has become very limited. as an example this email
> >>>>>>>>>>>> took over two hours to finish because of interruptions to do business.
> >>>>>>>>>>>>
> >>>>>>>>>>>> so maybe others that have the time will volunteer the information you
> >>>>>>>>>>>> desire.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Most find the charge for the "BOOK" a lot less than hiring someone, or
> >>>>>>>>>>>> volunteering the time to document.
> >>>>>>>>>>>>
> >>>>>>>>>>>> That said, feel free once you understand to volunteer your time to
> >>>>>>>>>>>> document this the way you think it should be done.
> >>>>>>>>>>>> BTW I have made this offer to others that presented the same proposal in
> >>>>>>>>>>>> the past and they have not volunteered such documentation yet.
> >>>>>>>>>>>>
> >>>>>>>>>>>> I would suggest you draw an organizational chart then use the fields in
> >>>>>>>>>>>> ofbiz to associate the chart to relationships. There is no "ONE"
> >>>>>>>>>>>> organization chart.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Demo employee shows two relationships as examples, in a normal Company
> >>>>>>>>>>>> there may be many relationships. like the one that says the demo
> >>>>>>>>>>>> employee is an employee.
> >>>>>>>>>>>>
> >>>>>>>>>>>> you would use roles and relationship
> >>>>>>>>>>>>
> >>>>>>>>>>>> Mansour Al Akeel sent the following on 6/27/2011 4:28 AM:
> >>>>>>>>>>>>> BJ thank you.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> My question is related more to ofbiz usage. In the relationship page:
> >>>>>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/EditPartyRelationships?partyId=DemoEmployee
> >>>>>>>>>>>>> you can see some fields that are not clear to me. To be more specific, We have:
> >>>>>>>>>>>>> in the role of  | is A of Party | in the role of
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> There are two relations for DemoEmployee. And each relation has two fields
> >>>>>>>>>>>>> "in the Role Of".
> >>>>>>>>>>>>> Furthermore, there is some confusion about where to relate employee
> >>>>>>>>>>>>> to organization. I mean if you go to:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewprofile?partyId=DemoEmployee
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> You will see four tabs with labels that indicate similar functionality:
> >>>>>>>>>>>>> -Roles
> >>>>>>>>>>>>> -Link Party
> >>>>>>>>>>>>> -Relationships
> >>>>>>>>>>>>> -Segments
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> What is the difference between these ? To add employee to Organization
> >>>>>>>>>>>>> I need to use ..... ?
> >>>>>>>>>>>>> May be it's a good opportunity to discuss and document each of them,
> >>>>>>>>>>>>> instead of referring me to the "BOOK" ;)
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Sun, Jun 26, 2011 at 9:10 PM, BJ Freeman <[hidden email]> wrote:
> >>>>>>>>>>>>>> there is not much documented in ofbiz about party.
> >>>>>>>>>>>>>> however if you read the Data model book Vol I you will see a lot about
> >>>>>>>>>>>>>> party relationships. Good diagram on pg 41
> >>>>>>>>>>>>>> In this case you would have party relationship with the company that
> >>>>>>>>>>>>>> supplies contractors
> >>>>>>>>>>>>>> so you need to setup the roles of each party then setup the relationship
> >>>>>>>>>>>>>> between them
> >>>>>>>>>>>>>> start with organizational party relationship then individual (person)
> >>>>>>>>>>>>>> relationships with organizations.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> example
> >>>>>>>>>>>>>> the programmer would be an employee role with the recruitment company if
> >>>>>>>>>>>>>> they contract, then the programmer would have a contractor relationship
> >>>>>>>>>>>>>> with the Company.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> the rest you can get from the demo data or you can look at the demo site
> >>>>>>>>>>>>>> at the different parties to see the relationships.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Mansour Al Akeel sent the following on 6/26/2011 4:43 PM:
> >>>>>>>>>>>>>>> Hello all,
> >>>>>>>>>>>>>>> I didn't use the parties component extensively, and don't know a lot about it.
> >>>>>>>>>>>>>>> Here's the scenario we have. Three Group parties:
> >>>>>>>>>>>>>>> Programmers
> >>>>>>>>>>>>>>> Recruiter
> >>>>>>>>>>>>>>> Sales /marketing/Distributing
> >>>>>>>>>>>>>>> The distributor obtains the requirements and hires the Programmers
> >>>>>>>>>>>>>>> through the "Recruitment" company. Billing is done by hour.
> >>>>>>>>>>>>>>> In each company there are two employees that interact with the system.
> >>>>>>>>>>>>>>> programmer1 , programmer2
> >>>>>>>>>>>>>>> hr manager 1, hr manager2
> >>>>>>>>>>>>>>> project manager1, project manager2
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> We need to setup the system, to handle the requirements communication,
> >>>>>>>>>>>>>>> timesheet, project management ... etc.
> >>>>>>>>>>>>>>> I have created the three group parties, and 6 employees parties, and
> >>>>>>>>>>>>>>> stopped there not knowing how to connect them.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> How to associate users (employee) with companies (Group Party) ?
> >>>>>>>>>>>>>>> I tried to go to Relationships page and use  "Add other party
> >>>>>>>>>>>>>>> relationship", but those fields are not clear to me. For example  "in
> >>>>>>>>>>>>>>> the Role of" .... etc.
> >>>>>>>>>>>>>>> Let's say I need to put hr_manager1 as an employee of "Recruiter" ??
> >>>>>>>>>>>>>>> How many accounts I need, knowing that the recruiter get a percentage ?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> What do I need to do after that ?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Guessing is not very helpful here as it relies on trial and error,
> >>>>>>>>>>>>>>> and an error may not be initially visible. So I like to get an advice
> >>>>>>>>>>>>>>> from someone with more experience in this area.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Thank you.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>
> >>>>>>>
> >>>>>
> >>>
>

Re: Creating parties

David E. Jones-2

On Jul 25, 2011, at 9:50 AM, Mansour Al Akeel wrote:

> Thank you David.
> This is what I wanted to know. If it's a configuration issue or
> something has to change in the code. It looks that I need to do both.
> Please see my comments.
>
> On Mon Jul 25,2011 07:40 am, David E Jones wrote:
>>
>> Mansour,
>>
>> You could look at the data preparation code for that screen (typically in the screen.actions element of the screen definition) to see if it does any sort of "permission-esque" filtering. Chances are it does not and the search criteria used are the only criteria passed included in the database query.
>>
>> In other words, it sounds like you're looking for a feature that does not exist. It could certainly be implemented by:
>>
>> 1. adding the permission-related constraints to the FindTask query
>> 2. changing the view task screen to check the same constraint(s) for the individual task
>>
>
> Would this still prevent access to individual tasks through the URL ?
> I think this would only hide the tasks in the search results.

Item #2 that I mentioned above is meant to take care of that.

-David


Re: Creating parties

Mansour
David,
thank you for your help. I will try it later on tonight. I still don't
understand how would modifying a "View" screen, prevent accessing the
task using the URL, but I will try your advice first, and will let you know
how it went.

Thank you.


On Mon Jul 25,2011 09:53 am, David E Jones wrote:

>
> On Jul 25, 2011, at 9:50 AM, Mansour Al Akeel wrote:
>
> > Thank you David.
> > This is what I wanted to know. If it's a configuration issue or
> > something has to change in the code. It looks that I need to do both.
> > Please see my comments.
> >
> > On Mon Jul 25,2011 07:40 am, David E Jones wrote:
> >>
> >> Mansour,
> >>
> >> You could look at the data preparation code for that screen (typically in the screen.actions element of the screen definition) to see if it does any sort of "permission-esque" filtering. Chances are it does not and the search criteria used are the only criteria passed included in the database query.
> >>
> >> In other words, it sounds like you're looking for a feature that does not exist. It could certainly be implemented by:
> >>
> >> 1. adding the permission-related constraints to the FindTask query
> >> 2. changing the view task screen to check the same constraint(s) for the individual task
> >>
> >
> > Would this still prevent access to individual tasks through the URL ?
> > I think this would only hide the tasks in the search results.
>
> Item #2 that I mentioned above is meant to take care of that.
>
> -David
>

Re: Creating parties

David E. Jones-2

In OFBiz there is no external security configuration so each screen and service is responsible for checking its own security constraints.

You'll see examples all over in service defs, and in screen defs (especially in decorators to have the same permission for a set of screens, ie look in the CommonScreens.xml files).

-David


On Jul 25, 2011, at 11:19 AM, Mansour Al Akeel wrote:

> David,
> thank you for your help. I will try it later on tonight. I still don't
> understand how would modifying a "View" screen, prevent accessing the
> task using the URL, but I will try your advice first, and will let you know
> how it went.
>
> Thank you.
>
>
> On Mon Jul 25,2011 09:53 am, David E Jones wrote:
>>
>> On Jul 25, 2011, at 9:50 AM, Mansour Al Akeel wrote:
>>
>>> Thank you David.
>>> This is what I wanted to know. If it's a configuration issue or
>>> something has to change in the code. It looks that I need to do both.
>>> Please see my comments.
>>>
>>> On Mon Jul 25,2011 07:40 am, David E Jones wrote:
>>>>
>>>> Mansour,
>>>>
>>>> You could look at the data preparation code for that screen (typically in the screen.actions element of the screen definition) to see if it does any sort of "permission-esque" filtering. Chances are it does not and the search criteria used are the only criteria passed included in the database query.
>>>>
>>>> In other words, it sounds like you're looking for a feature that does not exist. It could certainly be implemented by:
>>>>
>>>> 1. adding the permission-related constraints to the FindTask query
>>>> 2. changing the view task screen to check the same constraint(s) for the individual task
>>>>
>>>
>>> Would this still prevent access to individual tasks through the URL ?
>>> I think this would only hide the tasks in the search results.
>>
>> Item #2 that I mentioned above is meant to take care of that.
>>
>> -David
>>
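
The two-step fix discussed in this thread, as an added example that is not part of the original posts and is not OFBiz code: a Python/SQLite model showing that filtering the search query alone leaves a task readable by its ID, and that re-checking the same membership constraint in the detail view closes that gap. The table names `task` and `project_member`, the function names, and all sample rows are constructed assumptions.

```python
import sqlite3

# Constructed sample data (hypothetical schema, not the OFBiz entity model).
SCHEMA = """
CREATE TABLE task (task_id TEXT PRIMARY KEY, project_id TEXT, name TEXT);
CREATE TABLE project_member (project_id TEXT, party_id TEXT, role_type_id TEXT);
INSERT INTO task VALUES ('T1','PROJ_A','Design schema'),
                        ('T2','PROJ_A','Write importer'),
                        ('T3','PROJ_B','Audit billing');
INSERT INTO project_member VALUES ('PROJ_A','programmer1','DEVELOPER'),
                                  ('PROJ_A','pm1','PROJECT_MANAGER'),
                                  ('PROJ_B','pm2','PROJECT_MANAGER');
"""

# One record-level constraint shared by the list query and the detail view:
# a path must exist from the requesting party to the task's project.
MEMBER_OF_TASK_PROJECT = """
EXISTS (SELECT 1 FROM project_member m
        WHERE m.project_id = t.project_id AND m.party_id = :party)
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def find_tasks(db, party, name_like="%"):
    """Step 1: the user's search criteria AND the permission constraint."""
    sql = ("SELECT t.task_id FROM task t WHERE t.name LIKE :name AND "
           + MEMBER_OF_TASK_PROJECT + " ORDER BY t.task_id")
    return [r[0] for r in db.execute(sql, {"name": name_like, "party": party})]

def view_task_unchecked(db, party, task_id):
    """Detail view without step 2: it trusts whatever ID the request carries."""
    row = db.execute("SELECT t.name FROM task t WHERE t.task_id = :id",
                     {"id": task_id}).fetchone()
    return row[0] if row else None

def view_task(db, party, task_id):
    """Step 2: the same constraint re-checked for the single record."""
    sql = ("SELECT t.name FROM task t WHERE t.task_id = :id AND "
           + MEMBER_OF_TASK_PROJECT)
    row = db.execute(sql, {"id": task_id, "party": party}).fetchone()
    if row is None:
        # Same answer for "missing" and "not permitted", so IDs cannot be probed.
        raise PermissionError("task not found or not visible to " + party)
    return row[0]
```

Keeping the constraint in one shared fragment means the list and the detail view cannot drift apart when the membership rule changes.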


Re: Creating parties

Mansour
David,
Thank you a lot. I misunderstood some parts, and now it all makes sense
to me.
I believe hiding task from parties that are not members of the project,
should be the default behavior. If you agree with me, I will create a
JIRA issue, and submit a patch when available.

Appreciate your help.


On Mon Jul 25,2011 11:57 am, David E Jones wrote:

>
> In OFBiz there is no external security configuration so each screen and service is responsible for checking its own security constraints.
>
> You'll see examples all over in service defs, and in screen defs (especially in decorators to have the same permission for a set of screens, ie look in the CommonScreens.xml files).
>
> -David
>
>
> On Jul 25, 2011, at 11:19 AM, Mansour Al Akeel wrote:
>
> > David,
> > thank you for your help. I will try it later on tonight. I still don't
> > understand how would modifying a "View" screen, prevent accessing the
> > task using the URL, but I will try your advice first, and will let you know
> > how it went.
> >
> > Thank you.
> >
> >
> > On Mon Jul 25,2011 09:53 am, David E Jones wrote:
> >>
> >> On Jul 25, 2011, at 9:50 AM, Mansour Al Akeel wrote:
> >>
> >>> Thank you David.
> >>> This is what I wanted to know. If it's a configuration issue or
> >>> something has to change in the code. It looks that I need to do both.
> >>> Please see my comments.
> >>>
> >>> On Mon Jul 25,2011 07:40 am, David E Jones wrote:
> >>>>
> >>>> Mansour,
> >>>>
> >>>> You could look at the data preparation code for that screen (typically in the screen.actions element of the screen definition) to see if it does any sort of "permission-esque" filtering. Chances are it does not and the search criteria used are the only criteria passed included in the database query.
> >>>>
> >>>> In other words, it sounds like you're looking for a feature that does not exist. It could certainly be implemented by:
> >>>>
> >>>> 1. adding the permission-related constraints to the FindTask query
> >>>> 2. changing the view task screen to check the same constraint(s) for the individual task
> >>>>
> >>>
> >>> Would this still prevent access to individual tasks through the URL ?
> >>> I think this would only hide the tasks in the search results.
> >>
> >> Item #2 that I mentioned above is meant to take care of that.
> >>
> >> -David
> >>
>