I think all this is pretty well explained in
http://docs.ofbiz.org/display/OFBTECH/OFBiz+security :o)
Else please amend
Jacques
From: "Adrian Crum" <[email protected]>
To expand on what David said a little, you could have a SecurityGroup
called "SALES_REP" and another one called "SALES_CONSULTANT" - and apply
the necessary permissions to each group.
That's how I set up network permissions where I work - I create security
groups that are based on employee roles. I assign the necessary
permissions to the security group, and then assign the security group to
the appropriate employees.
-Adrian
David E Jones wrote:
The word "role" in the context of an organization doesn't necessarily
translate into a RoleType and PartyRole in OFBiz... or in other words
the word "role" is used for various different meanings. In OFBiz we try
to distinguish between a PartyRole that is used to describe how a Party
relates to other things in the system, and a SecurityGroup which defines
which users have which permissions.
The concept of a SecurityGroup was separated from the
Party/RoleType/PartyRole stuff for a few reasons. One of them was to
have a framework level security model that is separate from the business
level elements in the base applications, including the party stuff. In
general framework components are not allowed to have a dependency on
applications components, and the webapp tools are in the framework and
RoleType/PartyRole in applications.
Backing up a bit, the client using the word "role" is part of a
requirement and a design needs to be created based on that requirement.
From the bit of this that I've read the closest concept in OFBiz to
this is actually SecurityGroup and NOT RoleType.
-David
On Dec 11, 2008, at 8:44 AM, Ray wrote:
It came about from a requirement driven around roles so that was the
suggested limiter. The example would be someone with a role of "Sales
Rep" who works in house answering calls, processing paperwork might
easily deal with 200 a day whereas someone operating as "Sales
Consultant" in the field visiting clients personally might only deal
with 20 a day.
They both have security to access the same client view but the user
request was to limit them with a differing number of allowed accesses
based on their roles.
If that needs to be translated into security groups for implementation
to fit in with OFBiz practices then fine, I'm not stuck on it being
roles. This was thought to be a generally useful feature others might be
interested in hence we are trying to make it compatible for the
community.
Ray
David E Jones wrote:
Instead of attaching this to a Party RoleType, it would be better to
attach it to a SecurityPermission or SecurityGroup. Access to resources
like pages and such is governed by permissions in OFBiz, and roles are
used for record-level security (like which parties a user can
view/edit/etc as opposed to being able to use the view profile screen).
-David
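
Added example, not part of the original thread and not OFBiz code: a minimal Python model of the design discussed above, where both the view permission and the per-day access limit hang off the security group rather than a party role. The group names and the 200/20 figures come from the thread; the permission id `CLIENT_VIEW`, the user ids, the `ViewQuota` class and the "most permissive group wins" rule are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data. Group names are from the thread; the permission
# id, user ids and the mapping layout are assumptions for this example.
GROUP_PERMISSIONS = {
    "SALES_REP": {"CLIENT_VIEW"},
    "SALES_CONSULTANT": {"CLIENT_VIEW"},
}
GROUP_DAILY_LIMIT = {"SALES_REP": 200, "SALES_CONSULTANT": 20}
USER_GROUPS = {
    "rep1": ["SALES_REP"],
    "consultant1": ["SALES_CONSULTANT"],
    "visitor": [],
}


class ViewQuota:
    """Permission check plus per-day access limit, both resolved via groups."""

    def __init__(self):
        # (user, permission, day) -> number of accesses already granted
        self._used = defaultdict(int)

    def daily_limit(self, user, permission):
        # Only groups that actually grant the permission contribute a limit.
        # A granting group with no configured limit counts as 0 (fail closed).
        limits = [
            GROUP_DAILY_LIMIT.get(group, 0)
            for group in USER_GROUPS.get(user, [])
            if permission in GROUP_PERMISSIONS.get(group, set())
        ]
        # Assumption: with several granting groups, the most permissive wins.
        return max(limits) if limits else None

    def check(self, user, permission, day):
        limit = self.daily_limit(user, permission)
        if limit is None:
            return "DENY_NO_PERMISSION"  # unknown user or no granting group
        key = (user, permission, day)
        if self._used[key] >= limit:
            return "DENY_LIMIT_REACHED"
        self._used[key] += 1
        return "ALLOW"
```

The two denial results are kept distinct so an audit log can tell a user who never had the permission from one who exhausted the day's allowance.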