Post Reply 
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
limit access to menu options
04-30-2013, 10:28 PM
Post: #1
limit access to menu options
I'm new to webERP and naturally have some questions. I've created a role called "Inventory" in Access Permission Maintenance, then a user for this role and limited access to just "Display Inventory" module in User Maintenance. But I'd like to further limit access so my inventory user can NOT see pages in this range:

• Inventory Valuation Report
...
• List Negative Stocks
• Stock Transfer Note[/align]

The webERP Manual is vague on this. Is there a doc I can read to find out can I restrict a user, for example, to just Inventory.Maintenance.View or Update Prices Based On Costs?

Thanks.

PS: In think I will love this product once I learn the tricks!
Find all posts by this user
Quote this message in a reply
05-01-2013, 07:02 AM
Post: #2
RE: limit access to menu options
Once you have restricted the role so only those scripts are allowed then when that user logs in, only those links will then be available.
The PHP checks to see if the user can access the function before displaying it now.

It is a bit tricky but you need to change the page security token on the scripts you wish the user to access and only give them access to that token.

Phil Daintree
webERP Admin
Logic Works Ltd
http://www.logicworks.co.nz
Visit this user's website Find all posts by this user
Quote this message in a reply
05-01-2013, 06:20 PM
Post: #3
RE: limit access to menu options
I've read the Security Schema chapter in the manual, but it's no help. And searching the web proved equally fruitless. I think it would be useful to all if you could provide one example of how to do the tricky bit. Can you provide detail for how to prevent display of and disallow access to Inventory.Serial Item Research Tool for a given user?

webERP seems a very competent tool, but my experience is that user access must be restricted to those functions needed to prevent error and ease the burden of training.

Thanks,
Buz
Find all posts by this user
Quote this message in a reply
05-01-2013, 06:43 PM
Post: #4
RE: limit access to menu options
Make up a new security token (called $PageSecurity in the code) say number 100 and call it "Buz"

http://www.weberp.org/weberp/SecurityTokens.php

Now go to

http://www.weberp.org/weberp/PageSecurity.php

and change the script StockSerialItemResearch.php to Buz

Now add Buz to the roles that you want to have access to it - but not to the roles you don't want to have access with

http://www.weberp.org/weberp/WWW_Access.php

Phil Daintree
webERP Admin
Logic Works Ltd
http://www.logicworks.co.nz
Visit this user's website Find all posts by this user
Quote this message in a reply
05-01-2013, 07:26 PM
Post: #5
RE: limit access to menu options
I just tried it, quickly before leaving, and I see: The security settings on your account do not permit you to access this function.
So I was a little too restrictive! But I'm glad to see how to do this. A bit tricky, as you say, but it can be done.

Thanks, Phil. I'm sure this advice will helpe many of us, especially those new to webERP.
Buz
Find all posts by this user
Quote this message in a reply
05-01-2013, 08:29 PM
Post: #6
RE: limit access to menu options
I made these changes in Setup.General Setup Options:

1. I added security token 100 and called it Buz in Maintain Security Tokens and verified the change.
2. In Page Security Settings I changed StockSerialItemResearch.php to Buz. Also added: InventoryValuation.php and InventoryQuantities.php and verified the change.
3. In Access Permission Maintenance, I created a new role called Inventory and assigned the Buz security token to that role. Verified.
4. In User Maintenance I created a new user called "inventory", set Security Role to inventory and set Display Inventory module to YES; all others to NO. Verified.

You did not advise that a new user should be created, but I presume that's OK.

When I login as "inventory" I get this message in upper left: Security Permissions Problem
and mid-screen: "The security settings on your account do not permit you to access this function"

Any advice on what needs to be changed?

Your help is invaluable. Thanks,
Buz
Find all posts by this user
Quote this message in a reply
05-01-2013, 08:38 PM
Post: #7
RE: limit access to menu options
Perhaps the user inventory cannot access index.php?? i.e. perhaps you have not allowed the role to access the main menu?

Phil Daintree
webERP Admin
Logic Works Ltd
http://www.logicworks.co.nz
Visit this user's website Find all posts by this user
Quote this message in a reply
05-02-2013, 12:34 AM (This post was last modified: 05-02-2013 12:52 AM by Buz.)
Post: #8
RE: limit access to menu options
I did not know that access to the "Main Index Page" is required.
I added that and it now works as intended.
The solution is not intuitive, so it's good to have an expert available.

Thanks, Phil.


To be clear, here's the full solution to the problem of limiting user access to selected menu items only:

1. I added security token 100 and called it Buz in Maintain Security Tokens and verified the change.
2. In Page Security Settings I changed StockSerialItemResearch.php to Buz. Also added: InventoryValuation.php and InventoryQuantities.php and verified the change.
3. In Access Permission Maintenance, I created a new role called Inventory and assigned the Buz security token to that role.
Make sure to also add "Main Index Page" to the role *the first in th e list).
4. In User Maintenance I created a new user called "inventory", set Security Role to inventory and set Display Inventory module to YES; all others to NO.

I'm sure others have done battle with this question. Thanks to Phil, this should help.
Find all posts by this user
Quote this message in a reply
05-03-2013, 10:07 AM (This post was last modified: 05-03-2013 10:09 AM by phil.)
Post: #9
RE: limit access to menu options
Edited extract of some useful stuff from Tim's hate blog:

Mostly quoted just excluding the unnecessary stuff!
Quote:There is a much simpler answer which doesn't involve setting up phantom security tokens, and other complexities. This is to go to each of the reports they want removed in the "Page Security Settings" option in the setup module, and from there just give it a security token of a higher level than the inventory user. For instance set it to "General Ledger Reports/Inquiries" which makes more sense for something like an Inventory Valuation report. Then the report will be gone from the users screen the next time they log in. It's as simple as that!

I thought it might be good to explain how it works.

Every user has a security role. These roles are meant to mirror their real life roles. So for instance we may have a role of an inventory clerk, and a role of an accountant. There can be any number of inventory clerks, and any number of accountants, all having the same role. As many roles as are wanted can be created.

Each role is given a number of security tokens. Each of these tokens permits the user with that role to perform different functions. There are a number of predefined tokens:


0 Main Index Page

1 Order Entry/Inquiries customer access only

2 Basic Reports and Inquiries with selection options

3 Credit notes and AR management

4 Purchasing data/PO Entry/Reorder Levels

5 Accounts Payable

6 Petty Cash

7 Bank Reconciliations

8 General ledger reports/inquiries

9 Supplier centre - Supplier access only

10 General Ledger Maintenance, stock valuation & Configuration

11 Inventory Management and Pricing

15 User Management and System Administration

When a user tries to access a function, the security token for that functionality is looked retrieved on login from a database table called scripts and it is stored in a session variable. This is compared with the array of security tokens that is owned by the role allotted to that user. If the token is in that array, the functionality can be accessed, if not, then access is denied.

This lookup is also performed when displaying the menus, and if the security token is not there, the menu option will not be displayed.

This system is simple elegant and flexible. It can be made as simple or as complex as an organisation requires. For instance a one person business only needs one security token, and one role, whereas a large business with hundreds of employees will have a very complex structure.

Thanks Tim for the vote of confidence in the design, I do accept it is a little complex but very powerful and flexible.

Phil Daintree
webERP Admin
Logic Works Ltd
http://www.logicworks.co.nz
Visit this user's website Find all posts by this user
Quote this message in a reply
05-03-2013, 06:05 PM
Post: #10
RE: limit access to menu options
Who's Tim? And why does he have a "hate blog"? Where is it? I can't resist: I love a good hate blog!

It seems to me that Tim's solution will work for a small operation. If I move a report to the "General Ledger Reports/Inquiries" token and there is no user assigned to the role for that token ("Accountant"), then it works. But if I move an Inventory page in "Page Security Levels" to the "Accounts Payable" token in the "Accountant" role and a user with that role then logs in, won't he be surprised! Of course, I may not be understanding all the nuances here since I'm rather new to all this.

Phil's solution is a bit complex and awkward for a new user, but it's robust and self-documenting for a large organization. If I create "Inventory Items" and "Inventory Items" tokens, create roles and attach users to those roles, then I have a clear definition of roles. And these roles can be changed without sacrificing clarity.

If Phil designed/wrote this part of webERP, then my hat's off to him! But it'd be useful if someone clarified the Security Schema chapter of the manual for us mere mortals.

Buz
Find all posts by this user
Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)