BJ,
The party "Mansour" has only one role "Employee" related to "Mansour INC" organization !
And I don't have any service added. It's just the same services out-of-box. Anyone knows how to deal with it ?

On Sun Jul 24,2011 01:20 pm, BJ Freeman wrote:
> since access for user is through the UI there is no need to go to record
> level.
> Now if you have a service that accesses the records then it is the
> service that should check.
>
>
> Mansour Al Akeel sent the following on 7/24/2011 1:12 PM:
> > BJ,
> > I am not sure if my question is clear. Yes, I have to have PROJECTMGR
> > permission to access this component. But the tasks are viewable to
> > anyone.
> >
> > https://cwiki.apache.org/OFBTECH/ofbiz-security.html
> > This part explains what I need:
> >
> >
> > ====================================================
> > At record level
> >
> > Defining a path from the Party in question to the target/desired entity
> > through relationships. This is usually do-able and easy to do with a single
> > view entity, and if a query on that entity with the proper constraints
> > returns any results then you know the user/party has the permission.
> > See the catalog role limited permissions and how they are defined and used
> > in the ProductServices.xml file for an example.
> > Role limited (or based) permissions (aka Party Roles)
> >
> > The purpose of role-limited permissions is to tie a SecurityPermission to
> > record level security using the RoleType/PartyRole and related entities. In
> > OFBiz this is how record level permissions are done, i.e. somehow the user
> > (through their Party record) is associated with another record in the
> > database and that specific relationship must exist in order for the
> > role-limited permission to take effect.
> > Good examples are in hasPermission methods in OrderServices class or how
> > ProductStoreRole, ContentAndRole, PartyRole, entities are used in Java code
> > (and at large ENTITY-NAME Role entities). See also checkStoreCustomerRole
> > in ProductEvents class.
> > By the way, do not confuse Security Roles (below) with Party Roles -
> > they are entirely different.
> >
> >
> > Security Roles
> >
> > Security Roles provide a means to associate a user ID (userLoginId) with a
> > particular OFBiz element. This may seem the same as Security Permission,
> > but it is slightly different. For example: a user is assigned the
> > ORDERMGR_VIEW permission, and is associated to a particular facility (let's
> > say XYZ Company) with the ORDERMGR_ROLE_UPDATE security role. This
> > combination would allow the user to view orders for all facilities, and
> > update orders for the XYZ Company facility only. They may be seen as
> > limiting permissions.
> >
> > ===================================================
> >
> > Back again to my original question, to protect the tasks from being
> > seen by Parties (logins), that are NOT a resource of that project, do I
> > have to dig in the code and add the permissions check, or it's a matter of
> > configuration. To me it makes more sense that a "party login" who is not a
> > member of a project should not be able to see work effort or task in that
> > project.
> >
> >
> > On Sun Jul 24,2011 11:35 am, BJ Freeman wrote:
> >> permission usually refer to the Login of a party.
> >> if you look in the ofbiz-component.xml, base-permission="PROJECTMGR",
> >> your login must have this security level.
> >>
> >> Mansour Al Akeel sent the following on 7/24/2011 10:29 AM:
> >>> BJ,
> >>> thank you for all your help. I looked at the links you sent me, and they
> >>> were useful. I still don't understand why permissions are checked in
> >>> the ftl and not the service layer. However this is not the issue I am
> >>> stuck at now.
> >>> I think I am still confused about permissions.
> >>> I created an account on trunk demo to show what I am talking about.
> >>>
> >>> If you go to:
> >>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/main
> >>> and try to login with mansour:ofbiz you will be greeted with a screen
> >>> saying:
> >>>
> >>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen
> >>> [component://common/widget/CommonScreens.xml#GlobalDecorator]:
> >>> java.lang.IllegalArgumentException: Error running Groovy script at
> >>> location
> >>> [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]:
> >>> org.ofbiz.service.ServiceAuthException: You have no access to the
> >>> project#: 9000 (Error running Groovy script at location
> >>> [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]:
> >>> org.ofbiz.service.ServiceAuthException: You have no access to the
> >>> project#: 9000)
> >>>
> >>> This is fine, as the user "mansour" doesn't have permission to view
> >>> this project, but shouldn't this screen display the projects he is
> >>> member of (if any).
> >>>
> >>> The second part is if you go to:
> >>>
> >>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
> >>>
> >>> and hit find, the user can see all the tasks that he is not member of,
> >>> and clicking on any of them, will open the details about that task.
> >>>
> >>> This user is in "PROJECTUSER" security group, which has:
> >>>
> >>> PROJECTMGR_ROLE_TASK_CREATE Be able to create a task (should be member of
> >>> project)
> >>> PROJECTMGR_ROLE_TIMESHEET_CREATE Be able to create a weekly timesheet for
> >>> the loginid.
> >>> PROJECTMGR_ROLE_TIMESHEET_UPDATE Be able to update(report) on an existing
> >>> own timesheet
> >>> PROJECTMGR_ROLE_VIEW All view operations in the Project Manager for a
> >>> project/phase/task the user is member of..
> >>> PROJECTMGR_VIEW ALL View operations in the Project Manager(but can be
> >>> limited by ROLE_VIEW)
> >>>
> >>> On my local machine, I removed that last one "PROJECTMGR_VIEW", but
> >>> still this user can see others' tasks.
> >>>
> >>> Am I doing something wrong here?
> >>>
> >>> I appreciate your help.
> >>>
> >>> On Sun Jul 17,2011 10:09 am, BJ Freeman wrote:
> >>>> New Role Type (see chapter two of the Book)
> >>>> lets you define a new role type to use.
> >>>> it is best to link with the book to use the webtools
> >>>> https://demo-trunk.ofbiz.apache.org/webtools/control/ViewRelations?entityName=RoleType
> >>>> you can also get the xml structure from the data and create a bunch of
> >>>> them then load them via the web tools import. note: that service engine
> >>>> and UI (widgets and ftls) need to be changed if you want that role type to
> >>>> have access.
> >>>>
> >>>> doing a google search for
> >>>> ofbiz main role
> >>>> http://ofbiz.135035.n4.nabble.com/Party-Main-Role-td1680393.html
> >>>>
> >>>> I hope these tips help you research your answer more. and As I said
> >>>> before parts of your question have already been answered.
> >>>>
> >>>>
> >>>> This may clear up more on security and Role View all.
> >>>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
> >>>>
> >>>>
> >>>> Mansour Al Akeel sent the following on 7/17/2011 8:45 AM:
> >>>>> Hello BJ,
> >>>>> and thank you for your reply.
> >>>>>
> >>>>> You can check the link here:
> >>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewroles?partyId=DemoEmployee
> >>>>>
> >>>>> It has
> >>>>> "Add To Main Role" and "Add To Role : view all" Fields. and if you
> >>>>> select something like "Calendare" for the first one, you will get a
> >>>>> third field "Add To Second Role". What is the difference between them ?
> >>>>>
> >>>>> I was confused with the security part, because was adding a user to a
> >>>>> group, but still the user was not allowed to edit a project. I have to
> >>>>> add the user as a resource for that project.
> >>>>>
> >>>>> What I understand now is, Party Roles has nothing to do with
> >>>>> permissions, and the latter has to be handled separately through the
> >>>>> security group.
> >>>>>
> >>>>>
> >>>>> Thank you.
> >>>>>
> >>>>>
> >>>>> On Sat Jul 16,2011 11:01 pm, BJ Freeman wrote:
> >>>>>> Yes I still have to go back and review. The book Deals only with Roles
> >>>>>> related to Party. Security based on login is not in the Book.
> >>>>>> This is covered in the Service Engine and Webapps, widgets
> >>>>>>
> >>>>>> It helps if you give complete URL to the places you are talking about. It
> >>>>>> saves time of the answerer and verify we are talking the same
> >>>>>> component.
> >>>>>> The labels are in separate files from actual code, so depending on who
> >>>>>> put in the text for that label, it may not be clear as to its meaning.
> >>>>>>
> >>>>>> you can limit based on Roles, security groups and/or security roles
> >>>>>> which is different from roles.
> >>>>>> going through the widgets and Ftls will give you code examples of how
> >>>>>> this is accomplished.
> >>>>>>
> >>>>>> The example component is good to review.
> >>>>>>
> >>>>>>
> >>>>>> Mansour Al Akeel sent the following on 7/16/2011 8:29 PM:
> >>>>>>> Ok, the "BOOK" explained things, and I know I have to read many parts
> >>>>>>> again, especially while trying to match the readings with the
> >>>>>>> functionality offered by OFBiz.
> >>>>>>>
> >>>>>>> Now I have a question related to adding roles. In the "Add To Role"
> >>>>>>> screen:
> >>>>>>>
> >>>>>>>
> >>>>>>> Add To Main Role
> >>>>>>> --> Role Type Id
> >>>>>>>
> >>>>>>> Add To Second Role
> >>>>>>> --> Role Type Id
> >>>>>>>
> >>>>>>> Add To Role : view all
> >>>>>>> --> Role Type Id
> >>>>>>>
> >>>>>>> What is the difference between "Main Role" and "Second Role" and how do
> >>>>>>> I use them ?
> >>>>>>> What does "Add To Role" mean ?
> >>>>>>>
> >>>>>>> Back again to the scenario in the first email, and after I modeled the
> >>>>>>> Parties, how do I let each access only to the functionality they need to
> >>>>>>> access ? For example, "Approver" to approve timesheet and work effort.
> >>>>>>> Project manager to assign tasks, "Developer" to update tasks. Would this
> >>>>>>> have to be separately using "Security Groups" ?
> >>>>>>>
> >>>>>>> Thank you.
> >>>>>>>
> >>>>>>>
> >>>>>>> On Mon Jun 27,2011 09:29 am, BJ Freeman wrote:
> >>>>>>>> as both Adrian and I mentioned most of that would be described well in
> >>>>>>>> the Data model book that ofbiz was modeled after, which is why not much
> >>>>>>>> documentation is written specifically in ofbiz.
> >>>>>>>>
> >>>>>>>> There are emails in the archive that have covered different parts of
> >>>>>>>> your question.
> >>>>>>>>
> >>>>>>>> Actually it has been a good time for the Documentation for over 6 years,
> >>>>>>>> problem is getting someone to volunteer to do it. We have added internal
> >>>>>>>> Help in ofbiz that needs to be filled out. ANY VOLUNTEERS.
> >>>>>>>>
> >>>>>>>> Normally such Contributions have been from someone hiring someone to do
> >>>>>>>> the documentation, because it takes a lot of time to volunteer and those
> >>>>>>>> that have to make a living do not have such time free. Then that
> >>>>>>>> documentation was volunteered to ofbiz community.
> >>>>>>>>
> >>>>>>>> I limit my volunteer time per subject on the mailing list to 15 min,
> >>>>>>>> unless I have a vested interest in it. I have even stopped answering on
> >>>>>>>> here because my time has become very limited. as an example this email
> >>>>>>>> took over two hours to finish because of interruptions to do business.
> >>>>>>>>
> >>>>>>>> so maybe others that have the time will volunteer the information you
> >>>>>>>> desire.
> >>>>>>>>
> >>>>>>>> Most find the charge for the "BOOK" a lot less than hiring someone, or
> >>>>>>>> volunteering the time to document.
> >>>>>>>>
> >>>>>>>> That said, feel free once you understand to volunteer your time to
> >>>>>>>> document this the way you think it should be done.
> >>>>>>>> BTW I have made this offer to others that presented the same proposal in
> >>>>>>>> the past and they have not volunteered such documentation yet.
> >>>>>>>>
> >>>>>>>> I would suggest you draw an organizational chart then use the fields in
> >>>>>>>> ofbiz to associate the chart to relationships. There is no "ONE"
> >>>>>>>> organization chart.
> >>>>>>>>
> >>>>>>>> Demo employee shows two relationships as examples, in a normal Company
> >>>>>>>> there may be many relationships. like the one that says the demo
> >>>>>>>> employee is an employee.
> >>>>>>>>
> >>>>>>>> you would use roles and relationship
> >>>>>>>>
> >>>>>>>> Mansour Al Akeel sent the following on 6/27/2011 4:28 AM:
> >>>>>>>>> BJ thank you.
> >>>>>>>>>
> >>>>>>>>> My question is related more to ofbiz usage. In the relationship page:
> >>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/EditPartyRelationships?partyId=DemoEmployee
> >>>>>>>>> you can see some fields that are not clear to me. To be more
> >>>>>>>>> specific, We have:
> >>>>>>>>> in the role of | is A of Party | in the role of
> >>>>>>>>>
> >>>>>>>>> There are two relations for DemoEmployee. And each relation has two fields
> >>>>>>>>> "in the Role Of".
> >>>>>>>>> Furthermore, there is some confusion about where to relate employee
> >>>>>>>>> to organization. I mean if you go to:
> >>>>>>>>>
> >>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewprofile?partyId=DemoEmployee
> >>>>>>>>>
> >>>>>>>>> You will see four tabs with labels indicating similar functionality:
> >>>>>>>>> -Roles
> >>>>>>>>> -Link Party
> >>>>>>>>> -Relationships
> >>>>>>>>> -Segments
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> What is the difference between these ? To add employee to Organization
> >>>>>>>>> I need to use ..... ?
> >>>>>>>>> Maybe it's a good opportunity to discuss and document each of them,
> >>>>>>>>> instead of referring me to the "BOOK" ;)
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On Sun, Jun 26, 2011 at 9:10 PM, BJ Freeman <bjf...@free-man.net> wrote:
> >>>>>>>>>> there is not much documented in ofbiz about party.
> >>>>>>>>>> however if you read the Data model book Vol I you will see a lot about
> >>>>>>>>>> partyrelationships. Good diagram on pg 41
> >>>>>>>>>> In this case you would have party relationship with the company that
> >>>>>>>>>> supplies contractors
> >>>>>>>>>> so you need to setup the roles of each party then setup the relationship
> >>>>>>>>>> between them
> >>>>>>>>>> start with organizational party relationship then individual (person)
> >>>>>>>>>> relationships with organizations.
> >>>>>>>>>>
> >>>>>>>>>> example
> >>>>>>>>>> the programmer would be an employee role with the recruitment company if
> >>>>>>>>>> they contract, then the programmer would have a contractor relationship
> >>>>>>>>>> with the Company.
> >>>>>>>>>>
> >>>>>>>>>> the rest you can get from the demo data or you can look at the demo site
> >>>>>>>>>> at the different parties to see the relationships.
> >>>>>>>>>>
> >>>>>>>>>> Mansour Al Akeel sent the following on 6/26/2011 4:43 PM:
> >>>>>>>>>>> Hello all,
> >>>>>>>>>>> I didn't use the parties component extensively, and don't know a
> >>>>>>>>>>> lot about it.
> >>>>>>>>>>> Here's the scenario we have. Three Group parties:
> >>>>>>>>>>> Programmers
> >>>>>>>>>>> Recruiter
> >>>>>>>>>>> Sales /marketing/Distributing
> >>>>>>>>>>> The distributor obtains the requirements and hires the Programmers
> >>>>>>>>>>> through the "Recruitment" company. Billing is done by hour.
> >>>>>>>>>>> In each company there's two employees that interact with the system.
> >>>>>>>>>>> programmer1 , programmer2
> >>>>>>>>>>> hr manager 1, hr manager2
> >>>>>>>>>>> project manager1, project manager2
> >>>>>>>>>>>
> >>>>>>>>>>> We need to setup the system, to handle the requirements communication,
> >>>>>>>>>>> timesheet, project management ... etc.
> >>>>>>>>>>> I have created the three group parties, and 6 employees parties, and
> >>>>>>>>>>> stopped there not knowing how to connect them.
> >>>>>>>>>>>
> >>>>>>>>>>> How to associate users (employee) with companies (Group Party) ?
> >>>>>>>>>>> I tried to go to Relationships page and use "Add other party
> >>>>>>>>>>> relationship", but those fields are not clear to me. For example "in
> >>>>>>>>>>> the Role of" .... etc.
> >>>>>>>>>>> Let's say I need to put hr_manager1 as an employee of "Recruiter" ??
> >>>>>>>>>>> How many accounts I need, knowing that the recruiter get a
> >>>>>>>>>>> percentage ?
> >>>>>>>>>>>
> >>>>>>>>>>> What do I need to do after that ?
> >>>>>>>>>>>
> >>>>>>>>>>> Guessing is not very helpful here as it relies on trial and error,
> >>>>>>>>>>> and an error may not be initially visible. So I like to get an advice
> >>>>>>>>>>> from someone with more experience in this area.
> >>>>>>>>>>>
> >>>>>>>>>>> Thank you.
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>
> >>>>>
> >>>
> >
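
The record-level rule discussed in this thread (PROJECTMGR_ROLE_VIEW limited to projects the party is assigned to), enforced in the query path instead of the template, as an added Python example that is not OFBiz code and not from any participant. The data model, function names and sample records are constructed, and it assumes PROJECTMGR_VIEW alone grants an unrestricted view.

```python
from dataclasses import dataclass, field

VIEW_ALL = "PROJECTMGR_VIEW"        # permission ids as quoted in the thread
VIEW_ROLE = "PROJECTMGR_ROLE_VIEW"  # view only where the party is a member


@dataclass(frozen=True)
class Task:
    task_id: str
    project_id: str


@dataclass
class Login:
    user_login_id: str
    party_id: str
    permissions: set = field(default_factory=set)


# Constructed sample data: (party_id, project_id) assignment rows and tasks.
ASSIGNMENTS = {("mansour", "P-1")}
TASKS = [Task("T-1", "P-1"), Task("T-2", "P-1"), Task("T-3", "9000")]


def is_member(party_id, project_id, assignments=ASSIGNMENTS):
    """Record-level test: does a party-to-project relationship row exist?"""
    return (party_id, project_id) in assignments


def can_view_task(login, task, assignments=ASSIGNMENTS):
    """Decide per record; a role-limited grant also needs the relationship."""
    if VIEW_ALL in login.permissions:
        return True
    if VIEW_ROLE in login.permissions:
        return is_member(login.party_id, task.project_id, assignments)
    return False  # default deny when neither permission is held


def find_tasks(login, tasks=TASKS, assignments=ASSIGNMENTS):
    """List query: filter before returning, so no screen can skip the check."""
    return [t.task_id for t in tasks if can_view_task(login, t, assignments)]


def get_task(login, task_id, tasks=TASKS, assignments=ASSIGNMENTS):
    """Detail lookup repeats the check; unknown and forbidden ids look alike."""
    for t in tasks:
        if t.task_id == task_id and can_view_task(login, t, assignments):
            return t
    raise PermissionError(f"no access to task {task_id}")
```
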