[ https://issues.apache.org/jira/browse/OFBIZ-12371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17441222#comment-17441222 ]
Pierre Smits commented on OFBIZ-12371: -------------------------------------- Thank you for your questions, Michael. This is where the logic goes wrong in current situation: with current situation: # any Party (including external parties, like a customer, or a lead, etc.) can be selected as the party for the BudgetRole record # the selected party can be associated with any RoleType (including those nothing to have to do with the budget, e.g. COMPETITOR) Is such desirable, from an accounting domain's perspective? No, the user should only be permitted to: # select one of the RoleTypes that is related to budgets (these are defined in the seed data set), and # based on that selection only be allowed to select from the list of applicable PartyRole records that meet the criterium under 1. And why is it undesirable to allow otherwise? Because, budget information is confidential information: only selected parties (within the internal organisation) are allowed to create/edit Budget and related records and to review/approve/reject budgets. And only those identified to audit the books (workers from the CPA) would be regarded as potential reviewers. Department manager (and every person higher up in the hierarchy) are required to budget for stuff. More often than not, these parties don't do this online, but work with spreadsheets. And often they don't actually do this themselves, but delegate such task to a trusted delegate within the party. They review and approve/reject what their delegates has concocted. And when these managers approve of what their delegates has delivered, they send it to their appropriate counterpart in the accounting department (the administrator, or financial controller, or CFO). Who hands it down the line to someone who is allowed (the administration assistant) to create (and if need be edit) the Budget record (and related) in the accounting system (OFBiz accounting, here). The administration assistant, however, is not allowed to approve/reject budgets, so create/edit yes but approve/reject no. Nor is the administrative assistant often not allowed to determine who reviewers and/or approvers are. That prerogative is limited to those in HR (most often). Those workers there set the roles for department managers and higher-ups in the chain. Not the junior assistant (or temp or intern) that is just hired to put numbers in. Now what happens here is that there is no limit. Due to ensurePartyRole and it being called as an eca service associated with the createBudgetRole service even the undesirable party-role combinations with get persisted as PartyRole records automatically. Now, one could say: fool me shame on you (OFBiz in this case), fool me twice shame on me (the user in this case) and it won't happen again that an undesirable combination will be persisted as a PartyRole record. No need for the project to fix this. But from a trustworthy perspective (and those who judge this, CPAs most often as advisors of a business needing to implement a new ERP solution) it is not what we should have. IMO, he ensurePartyRole was created to facilitate not following a defined business process for a given domain (who can do what within that business domain, when and how) but rather laziness (not having to switch to party and create the PartyRole record there). As you described in your comment too. There is not even a limit on which user can persist PartyRoles (because run-as-user is set to 'system'). That makes establishing an audit trail difficult. Again: making OFBiz less desirable from the audit and operational cost perspective. It may be free, but comes at a higher operational cost: no closed-down procedures: more clean-up, more audit cost. > BudgetRole: improbable selection possible, PartyRole gets created > ----------------------------------------------------------------- > > Key: OFBIZ-12371 > URL: https://issues.apache.org/jira/browse/OFBIZ-12371 > Project: OFBiz > Issue Type: Bug > Components: accounting > Affects Versions: Trunk, 18.12.01 > Reporter: Pierre Smits > Assignee: Pierre Smits > Priority: Major > Labels: roles > > On the BudgetRole page (see > [https://demo-stable.ofbiz.apache.org/accounting/control/BudgetRoles?budgetId=DemoBudget001)] > an improbable combination of Party and Role can be set and submitted. > Leading to PartyRole record being created. > -- This message was sent by Atlassian Jira (v8.20.1#820001)