Party specific security control


Party specific security control

Sandeepray
Hi,

I am very new to OFbiz (discovered it very recently). It is a treasure
trove. :-)

Have been dabbling with it for a brief while now and looking to learn more
about security and access control. I am trying to work out a
multi-organization hosted model scenario and as such would like to limit all
users to their party related data only. For example an order Entry for a
user 'User A' for Company 'A' should not be visible to 'userB' for
'CompanyB'. Exceptions could be if 'CompanyB' is the customer for the order,
in which case 'userB'  should be able to see the same.

I played around with some examples but couldn't get this kind of control..
All orders created seem to be visible to ALL.

Going through some of the documentation I found some reference to control
based on Party.
http://ofbizwiki.go-integral.com/Wiki.jsp?page=SecurityAdministration

The above link seems to suggest Category #2 (Party-driven) as a feature, but
can't figure out how it works..

Would really appreciate if anyone has any inputs.

Thanks
Sandeep
PS: Just started looking at SharedOFBiz to see if that throws up something.

Re: Party specific security control

Sandeepray
Hello,

Further to my previous note, looked at SharedOFBiz, but that too does not
seem like providing Party level security. Taking the travel company example
here is what I am looking to do.

Parent Company has a set of agents who are authorized to sell as 'Sales
Representative' and take orders. Parent Company should be able to see all of
these orders while each of the 'Sales Representative' should be able to
create, view and edit only their orders and not others.

With the default data set up (I created some Parties with Sales
Representative roles) all orders seem to be visible to everyone. Is there a
way to restrict it? If this is not supported OOTB, then I would very much
appreciate some design guidelines to implement this so that it can be
patched back to OFBiz if useful. I am very new to OFBiz and still not quite
familiar with all the moving pieces and therefore would really appreciate
some advice here

Thanks in advance
Sandeep


On 5/25/07, Sandeep Ray <[hidden email]> wrote:

>
> Hi,
>
> I am very new to OFbiz (discovered it very recently). It is a treasure
> trove. :-)
>
> Have been dabbling with it for a brief while now and looking to learn more
> about security and access control. I am trying to work out a
> multi-organization hosted model scenario and as such would like to limit all
> users to their party related data only. For example an order Entry for a
> user 'User A' for Company 'A' should not be visible to 'userB' for
> 'CompanyB'. Exceptions could be if 'CompanyB' is the customer for the order,
> in which case 'userB'  should be able to see the same.
>
> I played around with some examples but couldn't get this kind of control..
> All orders created seem to be visible to ALL.
>
> Going through some of the documentation I found some reference to control
> based on Party.
> http://ofbizwiki.go-integral.com/Wiki.jsp?page=SecurityAdministration
>
> The above link seems to suggest Category #2 (Party-driven) as a feature,
> but can't figure out how it works..
>
> Would really appreciate if anyone has any inputs.
>
> Thanks
> Sandeep
> PS: Just started looking at SharedOFBiz to see if that throws up
> something.
>

RE: Party specific security control

Vikrant.Rathore
In reply to this post by Sandeepray
Hi Sandeep,

Based on your description, it's not correct to assign the sales representative role to every agent within an organization; obviously that would mean they can have access to order processing within that organization.

First, your design needs reconsideration:
1. Are these agents your employees? If yes, then you need to assign them an Agent role and create separate security groups.
2. If these agents are outside the company, this in turn would mean they are an external entity for OFBiz, since at the end of the day you will have some agent commission and inter-company transactions which require your system to calculate the money receivable or payable from a specific agent company.
In this case the security model would be different: first you need to create an external party, which would be agent company, and then assign them a separate role.

There are many more scenarios which I do not have time to discuss here. It would be better that you understand the OFBiz party and user management very well; otherwise it would be hard for you to implement. The best way you can do it is to read the data model reference book along with going through the demo security implementation, which suits retail e-commerce and business very well.

Remember, every company is different and every company has its own security model. The demo data just serves as a reference for you. So in this area there is no shortcut: you need to dig deeper and go about configuring the security groups based on your organization.

Regards,
Vikrant
-----Original Message-----
From: Sandeep Ray [mailto:[hidden email]]
Sent: Friday, June 01, 2007 12:21 PM
To: [hidden email]
Subject: Re: Party specific security control

Hello,

Further to my previous note, looked at SharedOFBiz, but that too does not
seem like providing Party level security. Taking the travel company example
here is what I am looking to do.

Parent Company has a set of agents who are authorized to sell as 'Sales
Representative' and take orders. Parent Company should be able to see all of
these orders while each of the 'Sales Representative' should be able to
create, view and edit only their orders and not others.

With the default data set up (I created some Parties with Sales
Representative roles) all orders seem to be visible to everyone. Is there a
way to restrict it? If this is not supported OOTB, then I would very much
appreciate some design guidelines to implement this so that it can be
patched back to OFBiz if useful. I am very new to OFBiz and still not quite
familiar with all the moving pieces and therefore would really appreciate
some advice here

Thanks in advance
Sandeep


On 5/25/07, Sandeep Ray <[hidden email]> wrote:

>
> Hi,
>
> I am very new to OFbiz (discovered it very recently). It is a treasure
> trove. :-)
>
> Have been dabbling with it for a brief while now and looking to learn more
> about security and access control. I am trying to work out a
> multi-organization hosted model scenario and as such would like to limit all
> users to their party related data only. For example an order Entry for a
> user 'User A' for Company 'A' should not be visible to 'userB' for
> 'CompanyB'. Exceptions could be if 'CompanyB' is the customer for the order,
> in which case 'userB'  should be able to see the same.
>
> I played around with some examples but couldn't get this kind of control..
> All orders created seem to be visible to ALL.
>
> Going through some of the documentation I found some reference to control
> based on Party.
> http://ofbizwiki.go-integral.com/Wiki.jsp?page=SecurityAdministration
>
> The above link seems to suggest Category #2 (Party-driven) as a feature,
> but can't figure out how it works..
>
> Would really appreciate if anyone has any inputs.
>
> Thanks
> Sandeep
> PS: Just started looking at SharedOFBiz to see if that throws up
> something.
>


Re: Party specific security control

Sandeepray
Hi Vikram,

Thanks for your inputs. I spent some more time getting familiar with the
security model, but still missing something. Unfortunately don't have access
to the Data Model book, so perhaps that is adding to the confusion.

Nevertheless had a specific question around your statement "In this case the
security model would be different first you need to create an external party
which would be agent company and then assign them a separate role."

How does one create an external party? I checked out options like Customer,
Prospect but those didn't help. I also checked out the role for the
'externaluser' id that is present in the Demo data. However, this user too,
with a role of 'supplier', seems to be able to view orders created but not
related to the supplier, e.g. the DemoCustCompany order. Note that I didn't
make any changes to the demo data and used ofbiz-shared.

Checked out the description given at
http://ofbizwiki.go-integral.com/Wiki.jsp?page=SecurityAdministration .
Specifically, to reproduce a portion:

"Category #1 (UserLogin-driven) doesn't know about anything except the
UserLogin, the permissions checked for different screens, services, etc, and
the SecurityGroup structure that maps between them.

Category #2 (Party-driven) can be combined with #1, usually with special
"role limited" permissions that when checked require not just the
permission, but some relationship between the Party and whatever records are
concerned by the screen, service, or whatever.

It should be possible (in theory, I haven't tested it...) to use the
Category #1 security without the party component, but #2 is very dependent
on the Party data model and whatever data model relates to it for the
required relationships.
This is the general design. What exists OOTB in OFBiz has various examples
of both, but no attempt has been made to create a comprehensive or at least
"generically complete" set of security settings in either style #1 or #2."

The above makes me think that there is already some implementation of party
level security in the application as an example (Category#2). Unfortunately,
I am unable to locate the same. Any pointer would be very useful.

Thanks in advance
Sandeep




On 6/1/07, [hidden email] <
[hidden email]> wrote:

>
> Hi Sandeep,
>
> Based on your description, it's not correct to assign the sales
> representative role to every agent within an organization; obviously that
> would mean they can have access to order processing within that organization.
>
> First, your design needs reconsideration:
> 1. Are these agents your employees? If yes, then you need to assign them an
> Agent role and create separate security groups.
> 2. If these agents are outside company, in turn this would mean they are
> an external entity for ofbiz. Since at the end of the day you will have some
> agent commission and inter company transaction which requires your system to
> calculate the money receivable or payable from a specific agent company.
> In this case the security model would be different first you need to
> create an external party which would be agent company and then assign them a
> separate role.
>
> There are many more scenarios which I do not have time to discuss here. It
> would be better you understand the ofbiz party and user management very well
> otherwise it would be hard for you to implement. The best way you can do it
> is read the data model reference book along with going through the demo
> security implementation which suits retail ecommerce and business very well.
>
> Remember every company is different and every company has its own security
> model. The demo data just serve as a reference for you. So in this area
> there is no shortcut you need to dig deeper and go about configuring the
> security groups based on your organization.
>
> Regards,
> Vikrant
> -----Original Message-----
> From: Sandeep Ray [mailto:[hidden email]]
> Sent: Friday, June 01, 2007 12:21 PM
> To: [hidden email]
> Subject: Re: Party specific security control
>
> Hello,
>
> Further to my previous note, looked at SharedOFBiz, but that too does not
> seem like providing Party level security. Taking the travel company
> example
> here is what I am looking to do.
>
> Parent Company has a set of agents who are authorized to sell as 'Sales
> Representative' and take orders. Parent Company should be able to see all
> of
> these orders while each of the 'Sales Representative' should be able to
> create, view and edit only their orders and not others.
>
> With the default data set up (I created some Parties with Sales
> Representative roles) all orders seem to be visible to everyone. Is there
> a
> way to restrict it? If this is not supported OOTB, then I would very much
> appreciate some design guidelines to implement this so that it can be
> patched back to OFBiz if useful. I am very new to OFBiz and still not
> quite
> familiar with all the moving pieces and therefore would really appreciate
> some advice here
>
> Thanks in advance
> Sandeep
>
>
> On 5/25/07, Sandeep Ray <[hidden email]> wrote:
> >
> > Hi,
> >
> > I am very new to OFbiz (discovered it very recently). It is a treasure
> > trove. :-)
> >
> > Have been dabbling with it for a brief while now and looking to learn
> more
> > about security and access control. I am trying to work out a
> > multi-organization hosted model scenario and as such would like to limit
> all
> > users to their party related data only. For example an order Entry for a
> > user 'User A' for Company 'A' should not be visible to 'userB' for
> > 'CompanyB'. Exceptions could be if 'CompanyB' is the customer for the
> order,
> > in which case 'userB'  should be able to see the same.
> >
> > I played around with some examples but couldn't get this kind of
> control..
> > All orders created seem to be visible to ALL.
> >
> > Going through some of the documentation I found some reference to
> control
> > based on Party.
> > http://ofbizwiki.go-integral.com/Wiki.jsp?page=SecurityAdministration
> >
> > The above link seems to suggest Category #2 (Party-driven) as a feature,
> > but can't figure out how it works..
> >
> > Would really appreciate if anyone has any inputs.
> >
> > Thanks
> > Sandeep
> > PS: Just started looking at SharedOFBiz to see if that throws up
> > something.
> >
>
>
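An added illustration, not code from this thread or from OFBiz: a minimal Python model of the design quoted from the wiki above, where a Category #1 permission is granted through security groups alone and a Category #2 "role limited" permission additionally requires a relationship between the user's party and the order. All user logins, groups, permission names, parties and orders are constructed for this sketch.

```python
# Constructed sample data; every id below is an assumption made for this sketch.
GROUP_PERMISSIONS = {
    "ORDER_ADMIN": {"ORDERMGR_VIEW"},           # Category #1: permission alone
    "ORDER_ROLE_USER": {"ORDERMGR_ROLE_VIEW"},  # Category #2: role-limited
}
USER_GROUPS = {
    "parentAdmin": {"ORDER_ADMIN"},
    "repA": {"ORDER_ROLE_USER"},
    "repB": {"ORDER_ROLE_USER"},
    "userB": {"ORDER_ROLE_USER"},
}
# UserLogin -> Party it acts for (a real deployment might resolve a person
# to an employer through party relationships; kept flat here).
USER_PARTY = {"parentAdmin": "ParentCo", "repA": "AgentA",
              "repB": "AgentB", "userB": "CompanyB"}
# (orderId, partyId, roleTypeId): which party plays which role on an order.
ORDER_ROLES = {
    ("ORD1", "AgentA", "SALES_REP"), ("ORD1", "CompanyB", "BILL_TO_CUSTOMER"),
    ("ORD2", "AgentB", "SALES_REP"), ("ORD2", "CompanyC", "BILL_TO_CUSTOMER"),
}

def permissions_of(user_login):
    """Union of the permissions of every security group the login is in."""
    perms = set()
    for group in USER_GROUPS.get(user_login, ()):
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms

def can_view_order(user_login, order_id):
    """Deny by default; the role-limited permission also needs an order role."""
    perms = permissions_of(user_login)
    if "ORDERMGR_VIEW" in perms:
        return True
    if "ORDERMGR_ROLE_VIEW" in perms:
        party = USER_PARTY.get(user_login)
        return party is not None and any(
            oid == order_id and pid == party for oid, pid, _ in ORDER_ROLES)
    return False

def visible_orders(user_login):
    """Apply the same check to list views so a search cannot bypass it."""
    order_ids = {oid for oid, _, _ in ORDER_ROLES}
    return sorted(oid for oid in order_ids if can_view_order(user_login, oid))
```

The check has to run on list and search results as well as on the single-order view; enforcing it only on the detail screen leaves every order enumerable from the list.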

unsubscribe

Guangyan Zhang

