[jira] Created: (OFBIZ-118) Roles and Security for Display of data.


[jira] Created: (OFBIZ-118) Roles and Security for Display of data.

Nicolas Malin (Jira)
Roles and Security for Display of data.
---------------------------------------

                 Key: OFBIZ-118
                 URL: http://issues.apache.org/jira/browse/OFBIZ-118
             Project: OFBiz (The Open for Business Project)
          Issue Type: Improvement
          Components: accounting, content, ecommerce, humanres, manufacturing, marketing, order, party, product, workeffort
    Affects Versions: SVN trunk
            Reporter: BJ Freeman


There is a need to be able to block viewing info except that info that may pertain to that login (partyID)
This is not taking into consideration Admin or Managers levels.

for instance you have employees who should not be able to see each others profiles, payroll information, and/or time sheets, as a few examples.

another area, if a communication event is set to private, no one but the party ID associated with the email address should be able to see them.



So this is a discussion about how to best implement this.


--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

[jira] Commented: (OFBIZ-118) Roles and Security for Display of data.

Nicolas Malin (Jira)
    [ http://issues.apache.org/jira/browse/OFBIZ-118?page=comments#action_12423898 ]
           
Adrian Crum commented on OFBIZ-118:
-----------------------------------

We implemented something along those lines here. Different roles within our company are allowed to view only parties who are in certain other roles. Example: Employee in role PurchasingAgent can only view parties/party groups who are in the role of Supplier. Same goes for employee in role SalesPerson can only view parties/party groups that have the role Dealer or Consumer.

We had to use custom data entry screens and a small java service to implement this.

In addition, we implemented a concept called an Organization Context. The idea is similar to popular accounting packages that have you log in to a company. Once logged in, you only see the data for that company. In our implementation, the user logs into an Organization Context and the data presentation is narrowed down even further. So, the employee in the role PurchasingAgent can only view parties/party groups who are in the role of Supplier AND only those Suppliers who are members of the Organization Context the user logged into.

Having something along those lines built into OFBiz would be great, but I see where each deployment would have its own set of rules. I'm not sure how much of it can be accommodated "out of the box."



       

[jira] Commented: (OFBIZ-118) Roles and Security for Display of data.

Nicolas Malin (Jira)
    [ http://issues.apache.org/jira/browse/OFBIZ-118?page=comments#action_12424304 ]
           
BJ Freeman commented on OFBIZ-118:
----------------------------------

Adrian
If I remember, the widgets had not been fully developed and you did some things in the bsh files.
The ecommerce profile widget has security for login.
What I would like to see is this plus a check for Admin rights.
If Admin rights, then override the login.

That way Admins can see all,

a further enhancement.
Let's take the profile as an example.
Currently in ecommerce it is set up so only the login can view.
In Party it can be seen by anyone.
By making a change to it so that if an admin is viewing, then the admin can see any profile.
Now companies have their own way of who has what permission or role,
and OFBiz allows the consultant to create these.
If, say, we think in an organization structure, and make groups that would fit different structures, then have a single group for the widget, these other structures can be added by the organization.



       

[jira] Commented: (OFBIZ-118) Roles and Security for Display of data.

Nicolas Malin (Jira)
    [ http://issues.apache.org/jira/browse/OFBIZ-118?page=comments#action_12427338 ]
           
Si Chen commented on OFBIZ-118:
-------------------------------

For the applications such as facility manager or catalog manager, you can use or add a _Role entity and then check permissions related to that Role.  This would not be overly difficult.

The financials application already works kind of like this--only one organization is active during a session.  The issue with financials and crm though is what is the Role associated with a Party?  It's PartyRelationship, so we added and use the securityGroupId in PartyRelationship.  There is a security method in CRMSFA which actually uses PartyRelationship.securityGroupId to determine security.  It was not contributed back to OFBiz originally because David had some concerns about it, but if it's something everybody wants, we can put this method back into the party manager.


       

[jira] Commented: (OFBIZ-118) Roles and Security for Display of data.

Nicolas Malin (Jira)
    [ http://issues.apache.org/jira/browse/OFBIZ-118?page=comments#action_12449475 ]
           
Eriks Dobelis commented on OFBIZ-118:
-------------------------------------

See my patch on OFBIZ-455 it tries to implement selection of active organization party. It implements what was called above as selection of Organizational Context.


       

[jira] Commented: (OFBIZ-118) Roles and Security for Display of data.

Nicolas Malin (Jira)
    [ http://issues.apache.org/jira/browse/OFBIZ-118?page=comments#action_12449521 ]
           
Adrian Crum commented on OFBIZ-118:
-----------------------------------

Si,

Thank you for your comments. For some reason I didn't read your comment when you first posted it, so I apologize for the delayed response.

The system I developed here uses existing entities plus a custom user settings entity. By using Party Role and Party Relationship, I was able to construct a set of fine-grained controls. Most of the development work was done in the UI - checking the user's organization context, their relationship to the parties being accessed, etc. Anyone else who wants to implement something similar would have to put the same amount of work into the UI - because every deployment will have its own set of rules.

I'm thinking it would be helpful to end users like me to have a generic set of services that will accommodate our type of deployment. In other words, there would be no need to add anything to the existing apps to limit access, but rather have a set of services that can be called to implement custom security checks on an installation-by-installation basis. Those services may be unused by OFBiz out-of-the-box.

Does that make sense?

If there is any interest in our implementation, I would be happy to discuss it further.

I'll try to answer your question with our implementation:

An OFBiz user has a role of OFBIZ_USER. The user is linked to a party group that has the role ORGANIZATION_CONTEXT using a PartyRelationship. The relationship type is CONTEXT_MEMBER. The user can log into only those Organizational Contexts that have this relationship to the user. The PartyId of the user's currently selected Organization Context is stored in a user settings entity. As the user interacts with the applications, checks are performed to see if the data being requested is somehow linked to the Organization Context the user logged into.

It seems we have traveled parallel paths on this subject. Much of the work you have contributed along these lines is very similar to what I have implemented here. I think this is a feature that could be implemented fairly easily - considering the amount of work you and I have already invested in it.



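The two Adrian Crum comments above describe a data-scoping scheme in words: PartyRole decides which roles a viewer may see (PurchasingAgent sees Supplier, SalesPerson sees Dealer or Consumer), a PartyRelationship of type CONTEXT_MEMBER to a party group in role ORGANIZATION_CONTEXT decides which Organization Context a user may log into, and the selected context is kept in a user settings entity. BJ Freeman's earlier comment adds an admin override, and the issue description adds that a private communication event is visible to nobody but the parties on it. The block below is an added example modelling those rules as one deny-by-default check; it is not OFBiz code and not code from anyone in the thread. The direction of the CONTEXT_MEMBER relationship, the admin stand-in (`ADMIN_USERS` in place of an OFBiz permission check), the field names on the communication events, and every party id are assumptions made here.

```python
"""Deny-by-default party visibility check modelled on the scheme described in
OFBIZ-118: PartyRole decides *which roles* a viewer may see,
PartyRelationship(CONTEXT_MEMBER) decides *which Organization Context* a party
belongs to, and an admin flag overrides both.  Added example, not OFBiz code.
Only OFBIZ_USER, ORGANIZATION_CONTEXT, CONTEXT_MEMBER and the role names
PurchasingAgent/SalesPerson/Supplier/Dealer/Consumer come from the thread;
everything else (party ids, relationship direction, admin stand-in, event
fields) is made up for the example."""

# --- constructed sample data standing in for PartyRole rows --------------------
PARTY_ROLES = {
    "alice":       {"OFBIZ_USER", "PurchasingAgent"},
    "bob":         {"OFBIZ_USER", "SalesPerson"},
    "carol":       {"OFBIZ_USER"},
    "acme-supply": {"Supplier"},
    "dealer-one":  {"Dealer"},
    "northco":     {"ORGANIZATION_CONTEXT"},
    "southco":     {"ORGANIZATION_CONTEXT"},
}

# Constructed PartyRelationship rows as (partyIdFrom, partyIdTo, typeId).
# Direction is an assumption: the thread does not say which side the user is on.
PARTY_RELATIONSHIPS = {
    ("alice", "northco", "CONTEXT_MEMBER"),
    ("bob", "southco", "CONTEXT_MEMBER"),
    ("carol", "northco", "CONTEXT_MEMBER"),
    ("carol", "southco", "CONTEXT_MEMBER"),
    ("acme-supply", "northco", "CONTEXT_MEMBER"),
    ("dealer-one", "southco", "CONTEXT_MEMBER"),
}

# Viewer role -> roles it may see (the PurchasingAgent / SalesPerson rule).
VISIBLE_ROLES = {
    "PurchasingAgent": {"Supplier"},
    "SalesPerson": {"Dealer", "Consumer"},
}

# Stand-in for an admin permission check ("admins can see all"); assumption.
ADMIN_USERS = {"carol"}

# Stand-in for the "user settings entity" holding the selected context.
USER_SETTINGS = {}


def roles(party_id):
    return PARTY_ROLES.get(party_id, set())


def is_member(party_id, context_id):
    return (party_id, context_id, "CONTEXT_MEMBER") in PARTY_RELATIONSHIPS


def select_context(user_id, context_id):
    """Log the user into an Organization Context.  Refuses party groups that
    are not contexts and contexts the user is not a CONTEXT_MEMBER of."""
    if "ORGANIZATION_CONTEXT" not in roles(context_id) or not is_member(user_id, context_id):
        raise PermissionError(f"{user_id} may not select context {context_id}")
    USER_SETTINGS[user_id] = context_id


def can_view_party(viewer_id, target_id):
    if viewer_id == target_id:            # a login may always see its own profile
        return True
    if viewer_id in ADMIN_USERS:          # admin override
        return True
    allowed = set()
    for r in roles(viewer_id):
        allowed |= VISIBLE_ROLES.get(r, set())
    if not (allowed & roles(target_id)):  # role-to-role rule not satisfied
        return False
    context_id = USER_SETTINGS.get(viewer_id)
    if context_id is None:                # not logged into any context: see nothing
        return False
    return is_member(target_id, context_id)  # target must belong to that context


def visible_parties(viewer_id):
    return sorted(p for p in PARTY_ROLES if can_view_party(viewer_id, p))


# Private communication events: only the parties on the event may see them and
# there is deliberately no admin override, following the issue description.
# Field names are assumptions, not checked against OFBiz's CommunicationEvent.
COMM_EVENTS = {
    "ce-1": {"partyIdFrom": "alice", "partyIdTo": "bob", "private": True},
    "ce-2": {"partyIdFrom": "bob", "partyIdTo": "dealer-one", "private": False},
}


def can_view_comm_event(viewer_id, event_id):
    ev = COMM_EVENTS[event_id]
    participants = {ev["partyIdFrom"], ev["partyIdTo"]}
    if ev["private"]:
        return viewer_id in participants
    # Non-private rule is an assumption: visible if you may view either party.
    return viewer_id in participants or any(can_view_party(viewer_id, p) for p in participants)


if __name__ == "__main__":
    select_context("alice", "northco")
    print(visible_parties("alice"))   # alice sees herself and acme-supply only
```

The order of the checks is the point: the role-to-role rule narrows by *kind* of party, the context membership narrows by *which* parties of that kind, and a viewer with no selected context falls through to a denial rather than to "everything", which is the failure mode a forgotten UI check would otherwise produce.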

       

[jira] Commented: (OFBIZ-118) Roles and Security for Display of data.

Nicolas Malin (Jira)
    [ http://issues.apache.org/jira/browse/OFBIZ-118?page=comments#action_12449782 ]
           
Adrian Crum commented on OFBIZ-118:
-----------------------------------

BJ,

I think what you are trying to achieve is available in the current OFBiz security component. You would only need to modify the Party Manager to restrict access to certain data.

In our deployment, various party roles have their own data entry screens. So, instead of one Party manager application, we have a Customer screen, a Supplier screen, a Dealer screen, and so forth. Each screen has a set of security permissions tied to it. Users are granted access to each screen depending upon their role in the company. Only admins have access to the Party Manager - regular users never see it.

The Organization Context idea I mentioned doesn't really address your original question, so I'll move the discussion of it to OFBIZ-455.



       

[jira] Updated: (OFBIZ-118) Roles and Security for Display of data.

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-118?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Howe updated OFBIZ-118:
-----------------------------

Are the concerns for this issue sufficiently addressed inside OFBIZ-609 and related?


       

[jira] Commented: (OFBIZ-118) Roles and Security for Display of data.

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-118?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12463922 ]

Adrian Crum commented on OFBIZ-118:
-----------------------------------

OFBIZ-455 and OFBIZ-609 should adequately address this issue.



       

[jira] Commented: (OFBIZ-118) Roles and Security for Display of data.

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-118?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12464004 ]

Jacopo Cappellato commented on OFBIZ-118:
-----------------------------------------

Do you think that we can close this issue?

