Post Reply 
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Out-of-the-Box Security - Needs Work?
12-05-2017, 12:32 AM (This post was last modified: 12-06-2017 06:22 AM by VortecCPI.)
Post: #1
Out-of-the-Box Security - Needs Work?
I just noticed the out-of-the-box security settings for Contract are associated with the Petty Cash Security Token. We are not using Contracts so I have not checked this and it was just a sort of curiosity question.

   

Same for Sales Graph and Select Contract:

   
   

Does this seem right and, if not, should it be changed in the trunk?

https://www.linkedin.com/in/eclipsepaulbecker
Visit this user's website Find all posts by this user
Quote this message in a reply
12-05-2017, 05:11 AM
Post: #2
RE: Out-of-the-Box Security - Contract
Good point Paul - agree probably needs it's own

Phil Daintree
webERP Admin
Logic Works Ltd
http://www.logicworks.co.nz
Visit this user's website Find all posts by this user
Quote this message in a reply
12-05-2017, 05:14 AM (This post was last modified: 12-05-2017 06:09 AM by VortecCPI.)
Post: #3
RE: Out-of-the-Box Security - Contract
Thanks Phil - Just wanted to be sure I understood what I was seeing.
A few other observations:

   

   

   


Perhaps somebody with much more webERP knowledge than I possess at this point can go through the ACL quickly as a sanity check? It almost seems as if a PKey-FKey relationship has gone sideways.... Checking older versions...

https://www.linkedin.com/in/eclipsepaulbecker
Visit this user's website Find all posts by this user
Quote this message in a reply
12-05-2017, 07:01 AM (This post was last modified: 12-05-2017 07:03 AM by VortecCPI.)
Post: #4
RE: Out-of-the-Box Security - Contract
I added script.description to the TD title attribute to better see what is going on in PageSecurity.php:

<td title="' . $myrow['description'] . '">' . $myrow['script'] . '</td>

   

https://www.linkedin.com/in/eclipsepaulbecker
Visit this user's website Find all posts by this user
Quote this message in a reply
12-05-2017, 08:49 AM
Post: #5
RE: Out-of-the-Box Security - Contract
Although the defaults should be better I would always recommend in any implementation that a lot of time is given over to full planning of the security profile. It is very flexible and gives fine grain control over who can do what, but only if it is properly planned.

In my experience every organisation is different and requires a different security profile.

Tim
Visit this user's website Find all posts by this user
Quote this message in a reply
12-05-2017, 09:19 AM (This post was last modified: 12-05-2017 10:06 AM by VortecCPI.)
Post: #6
RE: Out-of-the-Box Security - Contract
(12-05-2017 08:49 AM)falkoner Wrote:  Although the defaults should be better I would always recommend in any implementation that a lot of time is given over to full planning of the security profile. It is very flexible and gives fine grain control over who can do what, but only if it is properly planned.

In my experience every organisation is different and requires a different security profile.

Tim

Tim,

I do not, and can not disagree with the end user working out the final ACL on his or her own. However... I have never worked with an application, OS or not, that did not come with suitable out-of-the-box ACL setup/settings. If the webERP ACL is incomplete or has errors it should be either repaired or removed. Since the demo data is very useful for what-if scenarios and training I believe it should be repaired. Of course that is just my opinion!
The FrontAccounting fork has in interesting take on a more-simplified ACL, at least from the user's perspective.
I made a spreadsheet of a join of PageSecurity and Tokens and the more I look at it the more I believe something got shifted around at some point. There are many entries that are very obviously mismatched.

https://www.linkedin.com/in/eclipsepaulbecker
Visit this user's website Find all posts by this user
Quote this message in a reply
12-05-2017, 07:20 PM
Post: #7
RE: Out-of-the-Box Security - Contract
Hi Paul, I don't disagree that we need the defaults sorting out. I think many if not most of these errors you are finding are old and have just been carried forward.

The page security setting used to be hard coded into each script, and then were moved into the database mush later on. Taking one of the scripts you have found Z_CreateChartDetails.php it can be seen here (https://sourceforge.net/p/web-erp/code/3...tails.php) that it was given a security token of 9 right back in May 2004. It is probable that back then token 9 had a completely different meaning than it now does - indeed the meaning of any of the tokens can be changed. Then here (https://sourceforge.net/p/web-erp/code/4454/#diff-17) that security token gets carried over into the database table.

What is required is somebody to go through the entire table and put in sane tokens for each script. Maybe your spreadsheet is good starting point for this exercise?

Tim
Visit this user's website Find all posts by this user
Quote this message in a reply
12-05-2017, 09:39 PM (This post was last modified: 12-05-2017 09:52 PM by VortecCPI.)
Post: #8
RE: Out-of-the-Box Security - Contract
If I was intimately familiar with webERP I would do it without hesitation. However, I am NOT so I am not the person to be doing such a thing. i feel I would just make it worse because I would have to make many assumptions and that is not what we (or our users) need.

When I developed the ACL for the last ECi M1 implementation it took many days to unravel and document the entire system and we ended up with a more-complete schema definition and understanding than ECi had. In fact, we uncovered many errors in their ACL and related documentation during the process.

It would seem to me one of our expert contributors could go through this in a very small amount of time and get it to 99%-100% the first time around.

I will share my spreadsheet... Cells highlighted red are in question but I gave up after I kept finding more and more so it is incomplete...


.xls  Security Schema r0.xls (Size: 97 KB / Downloads: 1)

https://www.linkedin.com/in/eclipsepaulbecker
Visit this user's website Find all posts by this user
Quote this message in a reply
12-05-2017, 09:44 PM
Post: #9
RE: Out-of-the-Box Security - Contract
Sharing your spreadsheet so someone could go through it was what I meant Smile
Visit this user's website Find all posts by this user
Quote this message in a reply
12-05-2017, 09:50 PM
Post: #10
RE: Out-of-the-Box Security - Contract
(12-05-2017 09:44 PM)falkoner Wrote:  Sharing your spreadsheet so someone could go through it was what I meant Smile

Done... See post above...

Any help is greatly appreciated!

https://www.linkedin.com/in/eclipsepaulbecker
Visit this user's website Find all posts by this user
Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)