Since access for the user is through the UI, there is no need to go to record level. Now if you have a service that accesses the records, then it is the service that should check.
Mansour Al Akeel sent the following on 7/24/2011 1:12 PM:
> BJ,
> I am not sure if my question is clear. Yes, I have to have PROJECTMGR
> permission to access this component. But the tasks are viewable to
> anyone.
>
> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
> This part explains what I need:
>
>
> ====================================================
> At record level
>
> Defining a path from the Party in question to the target/desired entity
> through relationships. This is usually do-able and easy to do with a single
> view entity, and if a query on that entity with the proper constraints
> returns any results then you know the user/party has the permission.
> See the catalog role limited permissions and how they are defined and used in
> the ProductServices.xml file for an example.
> Role limited (or based) permissions (aka Party Roles)
>
> The purpose of role-limited permissions is to tie a SecurityPermission to
> record level security using the RoleType/PartyRole and related entities. In
> OFBiz this is how record level permissions are done, i.e. somehow the user
> (through their Party record) is associated with another record in the
> database and that specific relationship must exist in order for the
> role-limited permission to take effect.
> Good examples are in hasPermission methods in OrderServices class or how
> ProductStoreRole, ContentAndRole, PartyRole, entities are used in Java code
> (and at large ENTITY-NAME Role entities). See also checkStoreCustomerRole in
> ProductEvents class.
> By the way, do not confuse Security Roles (below) with Party Roles -
> they are entirely different.
>
>
> Security Roles
>
> Security Roles provide a means to associate a user ID (userLoginId) with a
> particular OFBiz element. This may seem the same as Security Permission, but
> it is slightly different. For example: a user is assigned the ORDERMGR_VIEW
> permission, and is associated to a particular facility (let's say XYZ
> Company) with the ORDERMGR_ROLE_UPDATE security role. This combination would
> allow the user to view orders for all facilities, and update orders for the
> XYZ Company facility only. They may be seen as limiting permissions.
>
> ===================================================
>
> Back again to my original question: to protect the tasks from being
> seen by Parties (logins) that are NOT a resource of that project, do I
> have to dig in the code and add the permissions check, or is it a matter of
> configuration? To me it
> makes more sense that a "party login" who is not a member of a project should
> not be able to see a work effort or task in that project.
>
>
> On Sun Jul 24,2011 11:35 am, BJ Freeman wrote:
>> permissions usually refer to the Login of a party.
>> if you look in the ofbiz-component.xml, base-permission="PROJECTMGR",
>> your login must have this security level.
>>
>> Mansour Al Akeel sent the following on 7/24/2011 10:29 AM:
>>> BJ,
>>> thank you for all your help. I looked at the links you sent me, and they
>>> were useful. I still don't understand why permissions are checked in
>>> the ftl and not the service layer. However this is not the issue I am
>>> stuck at now.
>>> I think I am still confused about permissions.
>>> I created an account on trunk demo to show what I am talking about.
>>>
>>> If you go to:
>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/main
>>> and try to login with mansour:ofbiz you will be greeted with a screen
>>> saying:
>>>
>>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen
>>> [component://common/widget/CommonScreens.xml#GlobalDecorator]:
>>> java.lang.IllegalArgumentException: Error running Groovy script at location
>>> [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]:
>>> org.ofbiz.service.ServiceAuthException: You have no access to the
>>> project#: 9000 (Error running Groovy script at location
>>> [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]:
>>> org.ofbiz.service.ServiceAuthException: You have no access to the
>>> project#: 9000)
>>>
>>> This is fine, as the user "mansour" doesn't have permission to view
>>> this project, but shouldn't this screen display the projects he is a
>>> member of (if any)?
>>>
>>> The second part is if you go to:
>>>
>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
>>>
>>> and hit find, the user can see all the tasks that he is not a member of,
>>> and clicking on any of them will open the details about that task.
>>>
>>> This user is in the "PROJECTUSER" security group, which has:
>>>
>>> PROJECTMGR_ROLE_TASK_CREATE Be able to create a task (should be member of
>>> project)
>>> PROJECTMGR_ROLE_TIMESHEET_CREATE Be able to create a weekly timesheet for
>>> the loginid.
>>> PROJECTMGR_ROLE_TIMESHEET_UPDATE Be able to update(report) on an existing
>>> own timesheet
>>> PROJECTMGR_ROLE_VIEW All view operations in the Project Manager for a
>>> project/phase/task the user is member of.
>>> PROJECTMGR_VIEW ALL View operations in the Project Manager (but can be
>>> limited by ROLE_VIEW)
>>>
>>> On my local machine, I removed that last one "PROJECTMGR_VIEW", but
>>> still this user can see others' tasks.
>>>
>>> Am I doing something wrong here?
>>>
>>> I appreciate your help.
>>>
>>> On Sun Jul 17,2011 10:09 am, BJ Freeman wrote:
>>>> New Role Type (see chapter two of the Book)
>>>> lets you define a new role type to use.
>>>> it is best to link with the book to use the webtools
>>>> https://demo-trunk.ofbiz.apache.org/webtools/control/ViewRelations?entityName=RoleType
>>>> you can also get the xml structure from the data and create a bunch of
>>>> them then load them via the web tools import. note: the service engine
>>>> and UI (widgets and ftls) need to be changed if you want that role type to
>>>> have access.
>>>>
>>>> doing a google search for
>>>> ofbiz main role
>>>> http://ofbiz.135035.n4.nabble.com/Party-Main-Role-td1680393.html
>>>>
>>>> I hope these tips help you research your answer more. and As I said
>>>> before, parts of your question have already been answered.
>>>>
>>>>
>>>> This may clear up more on security and Role View all.
>>>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
>>>>
>>>>
>>>> Mansour Al Akeel sent the following on 7/17/2011 8:45 AM:
>>>>> Hello BJ,
>>>>> and thank you for your reply.
>>>>>
>>>>> You can check the link here:
>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewroles?partyId=DemoEmployee
>>>>>
>>>>> It has
>>>>> "Add To Main Role" and "Add To Role : view all" Fields. and if you
>>>>> select something like "Calendar" for the first one, you will get a
>>>>> third field "Add To Second Role". What is the difference between them ?
>>>>>
>>>>> I was confused with the security part, because I was adding a user to a
>>>>> group, but still the user was not allowed to edit a project. I have to
>>>>> add the user as a resource for that project.
>>>>>
>>>>> What I understand now is, Party Roles have nothing to do with
>>>>> permissions, and the latter has to be handled separately through the
>>>>> security group.
>>>>>
>>>>>
>>>>> Thank you.
>>>>>
>>>>>
>>>>> On Sat Jul 16,2011 11:01 pm, BJ Freeman wrote:
>>>>>> Yes I still have to go back and review. The book Deals only with Roles
>>>>>> related to Party. Security based on login is not in the Book.
>>>>>> This is covered in the Service Engine and Webapps, widgets
>>>>>>
>>>>>> It helps if you give the complete URL to the places you're talking about. It
>>>>>> saves time for the answerer and verifies we are talking about the same component.
>>>>>> The labels are in separate files from the actual code, so depending on who
>>>>>> put in the text for that label, it may not be clear as to its meaning.
>>>>>>
>>>>>> you can limit based on Roles, security groups and/or security roles
>>>>>> which is different from roles.
>>>>>> going through the widgets and Ftls will give you code examples of how
>>>>>> this is accomplished.
>>>>>>
>>>>>> The example component is good to review.
>>>>>>
>>>>>>
>>>>>> Mansour Al Akeel sent the following on 7/16/2011 8:29 PM:
>>>>>>> Ok, the "BOOK" explained things, and I know I have to read many parts
>>>>>>> again, especially while trying to match the readings with the
>>>>>>> functionality offered by OFBiz.
>>>>>>>
>>>>>>> Now I have a question related to adding roles. In the "Add To Role"
>>>>>>> screen:
>>>>>>>
>>>>>>>
>>>>>>> Add To Main Role
>>>>>>> --> Role Type Id
>>>>>>>
>>>>>>> Add To Second Role
>>>>>>> --> Role Type Id
>>>>>>>
>>>>>>> Add To Role : view all
>>>>>>> --> Role Type Id
>>>>>>>
>>>>>>> What is the difference between "Main Role" and "Second Role" and how do
>>>>>>> I use them ?
>>>>>>> What does "Add To Role" mean ?
>>>>>>>
>>>>>>> Back again to the scenario in the first email, and after I modeled the
>>>>>>> Parties, how do I let each access only the functionality they need to
>>>>>>> access ? For example, "Approver" to approve timesheet and work effort.
>>>>>>> Project manager to Assign tasks, "Developer" to update tasks. Would this
>>>>>>> have to be done separately using "Security Groups" ?
>>>>>>>
>>>>>>> Thank you.
>>>>>>>
>>>>>>>
>>>>>>> On Mon Jun 27,2011 09:29 am, BJ Freeman wrote:
>>>>>>>> as both Adrian and I mentioned most of that would be described well in
>>>>>>>> the Data model book that ofbiz was modeled after, which is why not much
>>>>>>>> documentation is written specifically in ofbiz.
>>>>>>>>
>>>>>>>> There are emails in the archive that have covered different parts of
>>>>>>>> your question.
>>>>>>>>
>>>>>>>> Actually it has been a good time for the Documentation for over 6 years,
>>>>>>>> problem is getting someone to volunteer to do it. We have added internal
>>>>>>>> Help in ofbiz that needs to be filled out. ANY VOLUNTEERS.
>>>>>>>>
>>>>>>>> Normally such Contributions have been from someone hiring someone to do
>>>>>>>> the documentation, because it takes a lot of time to volunteer and those
>>>>>>>> that have to make a living do not have such time free. Then that
>>>>>>>> documentation was volunteered to the ofbiz community.
>>>>>>>>
>>>>>>>> I limit my volunteer time per subject on the mailing list to 15 min,
>>>>>>>> unless i have a vested interest in it. I have even stopped answering on
>>>>>>>> here because my time has become very limited. as an example this email
>>>>>>>> took over two hours to finish because of interruptions to do business.
>>>>>>>>
>>>>>>>> so maybe others that have the time will volunteer the information you
>>>>>>>> desire.
>>>>>>>>
>>>>>>>> Most find the charge for the "BOOK" a lot less than hiring someone, or
>>>>>>>> volunteering the time to document.
>>>>>>>>
>>>>>>>> That said, feel free once you understand to volunteer your time to
>>>>>>>> document this the way you think it should be done.
>>>>>>>> BTW I have made this offer to others that presented the same proposal in
>>>>>>>> the past and they have not volunteered such documentation yet.
>>>>>>>>
>>>>>>>> I would suggest you draw an organizational chart then use the fields in
>>>>>>>> ofbiz to associate the chart to relationships. There is no "ONE"
>>>>>>>> organization chart.
>>>>>>>>
>>>>>>>> Demo employee shows two relationships as examples, in a normal Company
>>>>>>>> there may be many relationships. like the one that says the demo
>>>>>>>> employee is an employee.
>>>>>>>>
>>>>>>>> you would use roles and relationship
>>>>>>>>
>>>>>>>> Mansour Al Akeel sent the following on 6/27/2011 4:28 AM:
>>>>>>>>> BJ thank you.
>>>>>>>>>
>>>>>>>>> My question is related more to ofbiz usage. In the relationship page:
>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/EditPartyRelationships?partyId=DemoEmployee
>>>>>>>>> you can see some fields that are not clear to me. To be more
>>>>>>>>> specific, We have:
>>>>>>>>> in the role of | is A of Party | in the role of
>>>>>>>>>
>>>>>>>>> There are two relations for DemoEmployee. And each relation has two fields
>>>>>>>>> "in the Role Of".
>>>>>>>>> Furthermore, there is some confusion about where to relate employee
>>>>>>>>> to organization. I mean if you go to:
>>>>>>>>>
>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewprofile?partyId=DemoEmployee
>>>>>>>>>
>>>>>>>>> You will see four tabs with labels that indicate similar functionality:
>>>>>>>>> -Roles
>>>>>>>>> -Link Party
>>>>>>>>> -Relationships
>>>>>>>>> -Segments
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> What is the difference between these ? To add employee to Organization
>>>>>>>>> I need to use ..... ?
>>>>>>>>> Maybe it's a good opportunity to discuss and document each of them,
>>>>>>>>> instead of referring me to the "BOOK" ;)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sun, Jun 26, 2011 at 9:10 PM, BJ Freeman <bjf...@free-man.net>
>>>>>>>>> wrote:
>>>>>>>>>> there is not much documented in ofbiz about party.
>>>>>>>>>> however if you read the Data model book Vol I you will see a lot about
>>>>>>>>>> party relationships. Good diagram on pg 41
>>>>>>>>>> In this case you would have a party relationship with the company that
>>>>>>>>>> supplies contractors
>>>>>>>>>> so you need to setup the roles of each party then setup the relationship
>>>>>>>>>> between them
>>>>>>>>>> start with organizational party relationship then individual (person)
>>>>>>>>>> relationships with organizations.
>>>>>>>>>>
>>>>>>>>>> example
>>>>>>>>>> the programmer would be an employee role with the recruitment company if
>>>>>>>>>> they contract, then the programmer would have a contractor relationship
>>>>>>>>>> with the Company.
>>>>>>>>>>
>>>>>>>>>> the rest you can get from the demo data or you can look at the demo site
>>>>>>>>>> at the different parties to see the relationships.
>>>>>>>>>>
>>>>>>>>>> Mansour Al Akeel sent the following on 6/26/2011 4:43 PM:
>>>>>>>>>>> Hello all,
>>>>>>>>>>> I didn't use the parties component extensively, and don't know a
>>>>>>>>>>> lot about it.
>>>>>>>>>>> Here's the scenario we have. Three Group parties:
>>>>>>>>>>> Programmers
>>>>>>>>>>> Recruiter
>>>>>>>>>>> Sales /marketing/Distributing
>>>>>>>>>>> The distributor obtains the requirements and hires the Programmers
>>>>>>>>>>> through the "Recruitment" company. Billing is done by hour.
>>>>>>>>>>> In each company there are two employees that interact with the system.
>>>>>>>>>>> programmer1 , programmer2
>>>>>>>>>>> hr manager 1, hr manager2
>>>>>>>>>>> project manager1, project manager2
>>>>>>>>>>>
>>>>>>>>>>> We need to setup the system, to handle the requirements communication,
>>>>>>>>>>> timesheet, project management ... etc.
>>>>>>>>>>> I have created the three group parties, and 6 employee parties, and
>>>>>>>>>>> stopped there not knowing how to connect them.
>>>>>>>>>>>
>>>>>>>>>>> How to associate users (employee) with companies (Group Party) ?
>>>>>>>>>>> I tried to go to the Relationships page and use "Add other party
>>>>>>>>>>> relationship", but those fields are not clear to me. For example "in
>>>>>>>>>>> the Role of" .... etc.
>>>>>>>>>>> Let's say I need to put hr_manager1 as an employee of "Recruiter" ??
>>>>>>>>>>> How many accounts do I need, knowing that the recruiter gets a
>>>>>>>>>>> percentage ?
>>>>>>>>>>>
>>>>>>>>>>> What do I need to do after that ?
>>>>>>>>>>>
>>>>>>>>>>> Guessing is not very helpful here as it relies on trial and error,
>>>>>>>>>>> and an error may not be initially visible. So I would like to get advice
>>>>>>>>>>> from someone with more experience in this area.
>>>>>>>>>>>
>>>>>>>>>>> Thank you.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>
>>>
>
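As an added example (not code from this thread, the cwiki page or OFBiz itself), here is what BJ's point that the service layer should do the check, combined with the cwiki description of role-limited permissions, looks like as an OFBiz permission service: PROJECTMGR_VIEW grants every task, while PROJECTMGR_ROLE_VIEW only counts when a current WorkEffortPartyAssignment links the caller's party to the task or to a phase/project above it. The class, method names and failure text are hypothetical; the Delegator, Security, EntityUtil and ServiceUtil calls are the standard OFBiz ones of that era, and the service would be declared with `<implements service="permissionInterface"/>` and attached to the task services via `<permission-service>`.

```java
import java.util.List;
import java.util.Map;
import org.ofbiz.base.util.UtilMisc;
import org.ofbiz.entity.Delegator;
import org.ofbiz.entity.GenericEntityException;
import org.ofbiz.entity.GenericValue;
import org.ofbiz.entity.util.EntityUtil;
import org.ofbiz.security.Security;
import org.ofbiz.service.DispatchContext;
import org.ofbiz.service.ServiceUtil;

// Hypothetical class for this added example; the OFBiz API calls it uses are real.
public class TaskPermissionServices {
    /** Role-limited check: global PROJECTMGR_VIEW grants every task. Otherwise the caller
     *  needs PROJECTMGR_ROLE_VIEW AND a date-valid WorkEffortPartyAssignment on the task
     *  or on a phase/project above it (walked up via WorkEffortAssoc, depth-limited). */
    public static boolean hasTaskViewPermission(Delegator delegator, Security security,
            GenericValue userLogin, String workEffortId) throws GenericEntityException {
        if (security.hasPermission("PROJECTMGR_VIEW", userLogin)) return true;
        if (!security.hasPermission("PROJECTMGR_ROLE_VIEW", userLogin)) return false;
        String partyId = userLogin.getString("partyId");
        String currentId = workEffortId;
        for (int depth = 0; currentId != null && depth < 10; depth++) {
            List<GenericValue> assignments = delegator.findByAnd("WorkEffortPartyAssignment",
                    UtilMisc.toMap("workEffortId", currentId, "partyId", partyId));
            // A non-empty, date-valid result means the relationship path exists.
            if (!EntityUtil.filterByDate(assignments).isEmpty()) return true;
            List<GenericValue> parents = delegator.findByAnd("WorkEffortAssoc",
                    UtilMisc.toMap("workEffortIdTo", currentId));
            GenericValue parent = EntityUtil.getFirst(EntityUtil.filterByDate(parents));
            currentId = (parent == null) ? null : parent.getString("workEffortIdFrom");
        }
        return false;
    }

    /** Permission service: hasPermission=false plus failMessage is what the service
     *  engine turns into the ServiceAuthException quoted in the thread. */
    public static Map<String, Object> checkTaskViewPermission(DispatchContext dctx,
            Map<String, ? extends Object> context) {
        GenericValue userLogin = (GenericValue) context.get("userLogin");
        String workEffortId = (String) context.get("workEffortId");
        Map<String, Object> result = ServiceUtil.returnSuccess();
        try {
            boolean allowed = hasTaskViewPermission(dctx.getDelegator(), dctx.getSecurity(), userLogin, workEffortId);
            result.put("hasPermission", Boolean.valueOf(allowed));
            if (!allowed) result.put("failMessage", "You have no access to task " + workEffortId);
        } catch (GenericEntityException e) {
            return ServiceUtil.returnError(e.getMessage());
        }
        return result;
    }
}
```

Because the check runs in the service layer, the FindTask screen and any other caller get the same answer; a screen that only hides rows in the FTL leaves the service-level data still reachable.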