Hello,
I have the following requirement: At our company, Invoices are always assigned to a sales_rep executive, and in Ofbiz we do this by creating an InvoiceRole (roleTypeId SALES_REP) between each Invoice and its corresponding sales rep.

Now, we need to limit the access of each sales rep only to his own Invoices. Can this be done within the included Ofbiz functionality?

As far as I know (don't know much of inner part of ofbiz yet), we need some customization. I am thinking of modifying each invoice screen (or screen's forms) to limit the invoice list based on the logged in user, which has to be some kind of admin or a sales rep. In the latter case, the filter should only include invoices belonging to this sales rep.

I am also thinking in a hierarchical schema, where sales_rep supervisors have access to all their supervised sales_rep.

Any better idea? Am I pointing in the right direction?

I know that we can limit access to accounting with security groups, but I think that security groups is not the way to go, as I believe they are thought to restrict by kinds of operations, but not by (sub)groups of elements meeting certain conditions.

Thanks!!

--
Gabriel Oberreuter
Mobile: +56 9 85299198
Hi Gabriel,
We had a requirement once where security needed to be on row / record level, and OFBiz does support this on the widget level. Your solution is not hard, you will probably need to define a few view entities with constraints on roletype of logged in user. You will also limit what shows up on the screen with hasrolepermission tags.

This section might help: https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Security+Permissions#OFBizSecurityPermissions-Atrecordlevel,byusingRolelimitedpermissionsorrelatedmeans

HTH

Taher Alkhateeb

On Aug 26, 2015 3:04 AM, "Gabriel Oberreuter" <[hidden email]> wrote:
> Hello,
>
> I have the following requirement:
> At our company, Invoices are always assigned to a sales_rep executive, and
> in Ofbiz we do this by creating an InvoiceRole (roleTypeId SALES_REP)
> between each Invoice and its corresponding sales rep.
>
> Now, we need to limit the access of each sales rep only to his own
> Invoices. Can this be done within the included Ofbiz functionality?
>
> As far as I know (don't know much of inner part of ofbiz yet), we need some
> customization. I am thinking of modifying each invoice screen (or screen's
> forms) to limit the invoice list based on the logged in user, which has to
> be some kind of admin or a sales rep. In the latter case, the filter should
> only include invoices belonging to this sales rep.
>
> I am also thinking in a hierarchical schema, where sales_rep supervisors
> have access to all their supervised sales_rep.
>
> Any better idea? Am I pointing in the right direction?
>
> I know that we can limit access to accounting with security groups, but I
> think that security groups is not the way to go, as I believe they are
> thought to restrict by kinds of operations, but not by (sub)groups of
> elements meeting certain conditions.
>
> Thanks!!
>
> --
> Gabriel Oberreuter
> Mobile: +56 9 85299198
Thanks Taher,
I will have a look at the document, and decide later how to implement this. Once implemented, I will post my impressions in this thread.

Gabriel
In reply to this post by Gabriel Oberreuter
Quick and dirty would be to have roleTypeId SALES_REP-1 through however many you have. This lets you manage each and transfer a sales rep's data by just adding to another roleTypeId SALES_REP-X when one leaves.
As an update to this topic:
We got it working, doing the following:

Each Invoice has an association using entity InvoiceRole with a Sales Rep. At our company, where each sales rep gets a commission for every Invoice he generates, when migrating invoices from our existing system to Ofbiz, we generate these InvoiceRoles.

Invoice: Our Company -> Sales Rep = BILL_FROM_VENDOR
Invoice: Sales Rep -> Our Company = SALES_REP

Then, we are modifying the Accounting component to use groovy at all places to process the find requests. This way, in groovy we can filter by this association.

We use a mix of InvoiceRole with SecurityPermission of the logged user to generate a hierarchy: if the logged user has the right permissions, no filter is applied (an administrator, for example). If the logged user has permission as a Sales Rep only, we must filter all invoices that do not "belong" to him.

Another thing we are implementing is that Sales Reps have supervisors, or bosses, that can access not all invoices but all the ones of the people they supervise.

It is not that easy at first, but thanks to the patterns Ofbiz follows it is not difficult either.

Thanks again.
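The filtering rule described in the update above, modelled as an added example that is not part of the thread and does not use the OFBiz API. The party ids, the permission names `INVOICE_VIEW_ALL` and `INVOICE_VIEW_OWN`, and the `SUPERVISES` mapping are hypothetical; the same rule is also applied when a single invoice is requested by id, so the restriction does not depend on the list screen alone.

```python
from collections import deque

# Constructed sample data; party ids and permission names are hypothetical.
# Rows mirror InvoiceRole: (invoiceId, partyId, roleTypeId).
INVOICE_ROLES = [
    ("INV-1", "rep_a", "SALES_REP"),
    ("INV-2", "rep_b", "SALES_REP"),
    ("INV-3", "rep_c", "SALES_REP"),
    ("INV-3", "company", "BILL_FROM_VENDOR"),
]
# supervisor -> directly supervised parties ("lead" lists itself: a bad row).
SUPERVISES = {"boss": ["rep_a", "lead"], "lead": ["rep_b", "lead"]}
PERMISSIONS = {
    "admin": {"INVOICE_VIEW_ALL"},
    "boss": {"INVOICE_VIEW_OWN"}, "lead": {"INVOICE_VIEW_OWN"},
    "rep_a": {"INVOICE_VIEW_OWN"}, "rep_b": {"INVOICE_VIEW_OWN"},
    "rep_c": {"INVOICE_VIEW_OWN"},
}

def visible_reps(party_id):
    """The party plus everyone below it in the supervision graph (cycle-safe)."""
    seen, queue = {party_id}, deque([party_id])
    while queue:
        for sub in SUPERVISES.get(queue.popleft(), []):
            if sub not in seen:
                seen.add(sub)
                queue.append(sub)
    return seen

def invoice_scope(party_id):
    """None = no filter (administrator); a set = allowed SALES_REP parties."""
    perms = PERMISSIONS.get(party_id, set())
    if "INVOICE_VIEW_ALL" in perms:
        return None
    if "INVOICE_VIEW_OWN" in perms:
        return visible_reps(party_id)
    return set()  # unknown user or no permission: deny by default

def find_invoices(party_id):
    """Invoice ids the user may list."""
    scope = invoice_scope(party_id)
    return sorted({inv for inv, party, role in INVOICE_ROLES
                   if scope is None or (role == "SALES_REP" and party in scope)})

def can_view(party_id, invoice_id):
    """Apply the same rule when one invoice is requested directly by id."""
    return invoice_id in find_invoices(party_id)
```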