On 15-Jun-09, at 3:20 PM, David E Jones wrote:


On Jun 15, 2009, at 3:29 AM, Mridul Pathak wrote:

Hi David,

We have documentation on OFBiz wiki where various Actors and their roles have been defined. These are the Actors which are meant to use OFBiz backend applications. Each Actor has some specific role, and he executes a certain business process. For example, a buyer places purchase order, or a packer packs inventory into boxes for shipping. There are many such actors which have been defined, and in many cases the business process associated with them is also defined. They are standard to every organization, though some of them may vary slightly from organization to organization.

What I am actually thinking here is that we should be able to apply security on "Actor/Business Process" combination. Like for a buyer, we can have a specific security group, which allows only purchase order placement and nothing else. Or for packer, only those security permissions should be assigned which just allows him to pack inventory into boxes for shipping, that is to complete his business process, and he shouldn't be able to control other parts of the facility application.

These security groups may exist as seed data and can be used by any organization OOTB. Or, if it is not a good idea to keep them as seed data, they can still exist as demo data. Also, this effort can help us evaluating OFBiz Security Model, that how far on the business process level we can apply the security, and then we can go for improvements if found any.

Thank you. This is good, in fact it's very good and I think it is consistent with what we want to do in OFBiz.

If what I am proposing here makes sense, we can think about my last proposal as an initial start toward this effort. We can start with defining application specific security groups. So that if someone has permissions only for a Order Manager application, he won't be able to control other applications.

Isn't this the exact opposite of what you described above?

The reason I say that is that the base applications are organized according to general business concepts that make up the way the data is organized, and they have little to do with processes. In fact, because the base application are organized this way most business processes will actually need to go across the various base applications.

The existing security groups are probably close to the definitions of actors than a security group for each application would be. Because of that I think that doing so would actually be a step backwards, both in theory and in practicality.

I agree with you. The reason for this proposal was that sometimes organization may not want to use the complete backend functionality and are mostly concerned with their Ecommerce application, and also may not want to be very specific about Actor's and their roles. They may just want to have some administrators who will work on a set of backend applications, for example just Order Manager and Party Manager. Currently, FULLADMIN gives permission for all the applications. So idea here was to have granular application specific security groups, just in case if we want to assign someone complete permissions for only a set of applications. Though, with the way OFBiz applications are interrelated, I am not sure if this would work or not.

--
Mridul Pathak


-David


On 15-Jun-09, at 1:36 PM, David E Jones wrote:


That's an interesting idea... what are you thinking about _why_ would we want that?

-David


On Jun 15, 2009, at 2:00 AM, Mridul Pathak wrote:

I think we should have application specific security group not only for Accounting but for all other applications. And demo data for parties each having an application specific permissions will also be a good thing to have.

--
Thanks,
Mridul Pathak
HotWax Media Pvt. Ltd.
http://www.hotwaxmedia.com


On 15-Jun-09, at 12:26 PM, Sumit Pandit wrote:

Anil,

Thank you for your response.
Created a jira issue - https://issues.apache.org/jira/browse/OFBIZ-2606 and patch is uploaded with testing steps.

Thanks And Regards
Sumit Pandit

On Jun 15, 2009, at 9:57 AM, Anil Patel wrote:

Sumit,
Looks like good thing to do. Having this profile handy will give us opportunity to break out of habit of using admin/ofbiz user account for testing application. If you have time it will be good to create a Jira issue for it and contribute patch.

Regards
Anil Patel

On Jun 13, 2009, at 9:45 AM, Sumit Pandit wrote:

Hello Devs,

I would like to propose setup of a new SecurityGroup which is dedicated to OFBiz Accounting component only. It will assigned by all SecurityPermission which are required to handle variuos accounting operations. Purpose of this will be to be able to create a UserLogin, who will have restricted access to Accounting component only.

It will reflect to changes in following entities  -
create a new SecurityGroup and assign all associated SecurityPermission to it.
Create a new UserLogin and assign SecurityGroup to him.
Additional suggestion - Create a new PartyRole - "ACCOUNTANT", child of Role - "EMPLOYEE".

Thoughts?

Thanks And Regards
Sumit Pandit







Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to