OOTB look at the party group Dev and relationships and work your way
down to developer1
you need this to show up in project resources to be added as a resource.
in projects pick Demo project3 and go to resources.
you will see DemoEmployee3

log in as DemoEmployee3
you will notice that only projects and my portals show
click on projects
ignore the error for now
then click on using the project mgr menu select projects you will only
see the one in which DemoEmployee3 is a resource.

once you figure out what you need to make this happen you will have
solved your problem


Mansour Al Akeel sent the following on 7/24/2011 2:04 PM:
> BJ,
> The party "Mansour" has only one role "Employee" related to
> "Mansour INC" organization !
> 
> And I don't have any service added. It's just the same services
> out-of-box.
> 
> Anyone knows how to deal with it ? 
> 
> 
> On Sun Jul 24,2011 01:20 pm, BJ Freeman wrote:
>> since access for user is through the UI there is no need to go to record
>> level.
>> Now if you have a service that accesses the records then it is the
>> service that should check.
>>
>>
>> Mansour Al Akeel sent the following on 7/24/2011 1:12 PM:
>>> BJ,
>>> I am not sure if my question is clear. Yes, I have to have PROJECTMGR
>>> permission to access this component. But the tasks are viewable to
>>> anyone.
>>>
>>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
>>> This part explains what I need:
>>>
>>>
>>> ====================================================
>>> At record level
>>>
>>> Defining a path from the Party in question to the target/desired entity 
>>> through relationships. This is usually do-able and easy to do with a single 
>>> view entity, and if a query on that entity with the proper constraints 
>>> returns any results then you know the user/party has the permission.
>>> See the catalog role limited permissions and how they are defined and used 
>>> in the ProductServices.xml file for an example.
>>> Role limited (or based) permissions (aka Party Roles)
>>>
>>> The purpose of role-limited permissions is to tie a SecurityPermission to 
>>> record level security using the RoleType/PartyRole and related entities. In 
>>> OFBiz this is how record level permissions are done, i.e. somehow the user 
>>> (through their Party record) is associated with another record in the 
>>> database and that specific relationship must exist in order for the 
>>> role-limited permission to take effect.
>>> Good examples are in hasPermission methods in OrderServices class or how 
>>> ProductStoreRole, ContentAndRole, PartyRole, entities are used in Java code 
>>> (and at large ENTITY-NAME Role entities). See also checkStoreCustomerRole 
>>> in ProductEvents class.
>>>     By the way, do not confuse Security Roles (below) with Party Roles - 
>>> they are entirely different.
>>>
>>>
>>> Security Roles
>>>
>>> Security Roles provide a means to associate a user ID (userLoginId) with a 
>>> particular OFBiz element. This may seem the same as Security Permission, 
>>> but it is slightly different. For example: a user is assigned the 
>>> ORDERMGR_VIEW permission, and is associated to a particular facility (let's 
>>> say XYZ Company) with the ORDERMGR_ROLE_UPDATE security role. This 
>>> combination would allow the user to view orders for all facilities, and 
>>> update orders for the XYZ Company facility only. They may be seen as 
>>> limiting permissions.
>>>
>>> ===================================================
>>>
>>> Back again to my original question, to protect the tasks from being
>>> seen by Parties (logins), that are NOT a resource of that project, do I
>>> have to dig in the code and add the permissions check, or it's a matter of
>>> configuration. To me it makes more sense that a "party login" who is not a
>>> member of a project should not be able to see work effort or task in that
>>> project.
>>>
>>>
>>> On Sun Jul 24,2011 11:35 am, BJ Freeman wrote:
>>>> permission usually refer to the Login of a party.
>>>> if you look in the ofbiz-component.xml, base-permission="PROJECTMGR",
>>>> your login must have this security level.
>>>>
>>>> Mansour Al Akeel sent the following on 7/24/2011 10:29 AM:
>>>>> BJ,
>>>>> thank you for all your help. I looked at the links you sent me, and they
>>>>> were useful. I still don't understand why permissions are checked in
>>>>> the ftl and not the service layer. However this is not the issue I am
>>>>> stuck at now.
>>>>> I think I am still confused about permissions.
>>>>> I created an account on trunk demo to show what I am talking about.
>>>>>
>>>>> If you go to:
>>>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/main
>>>>> and try to login with mansour:ofbiz you will be greeted with a screen
>>>>> saying:
>>>>>
>>>>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen 
>>>>> [component://common/widget/CommonScreens.xml#GlobalDecorator]: 
>>>>> java.lang.IllegalArgumentException: Error running Groovy script at 
>>>>> location 
>>>>> [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]:
>>>>>  org.ofbiz.service.ServiceAuthException: You have no access to the 
>>>>> project#: 9000 (Error running Groovy script at location 
>>>>> [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]:
>>>>>  org.ofbiz.service.ServiceAuthException: You have no access to the 
>>>>> project#: 9000)
>>>>>
>>>>> This is fine, as the user "mansour" doesn't have permission to view
>>>>> this project, but shouldn't this screen display the projects he is
>>>>> member of (if any).
>>>>>
>>>>> The second part is if you go to:
>>>>>
>>>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
>>>>>
>>>>> and hit find, the user can see all the tasks that he is not member of,
>>>>> and clicking on any of them, will open the details about that task.
>>>>>
>>>>> This user is in "PROJECTUSER"  security group, which has:
>>>>>
>>>>> PROJECTMGR_ROLE_TASK_CREATE: Be able to create a task (should be member of project)
>>>>> PROJECTMGR_ROLE_TIMESHEET_CREATE: Be able to create a weekly timesheet for the loginid.
>>>>> PROJECTMGR_ROLE_TIMESHEET_UPDATE: Be able to update(report) on an existing own timesheet
>>>>> PROJECTMGR_ROLE_VIEW: All view operations in the Project Manager for a project/phase/task the user is member of.
>>>>> PROJECTMGR_VIEW: ALL View operations in the Project Manager (but can be limited by ROLE_VIEW)
>>>>>
>>>>> On my local machine, I removed that last one "PROJECTMGR_VIEW", but
>>>>> still this user can see others tasks.
>>>>>
>>>>> Am I doing something wrong here?
>>>>>
>>>>> I appreciate your help.
>>>>>
>>>>> On Sun Jul 17,2011 10:09 am, BJ Freeman wrote:
>>>>>> New Role Type (see chapter two of the Book)
>>>>>> lets you define a new role type to use.
>>>>>> it is best to link with the book to use the webtools
>>>>>> https://demo-trunk.ofbiz.apache.org/webtools/control/ViewRelations?entityName=RoleType
>>>>>> you can also get the xml structure from the data and create a bunch of
>>>>>> them then load them via the web tools import. note: that service engine
>>>>>> and UI (widgets and ftls) need to be changed if you want that role type to
>>>>>> have access.
>>>>>>
>>>>>> doing a google search for
>>>>>> ofbiz main role
>>>>>> http://ofbiz.135035.n4.nabble.com/Party-Main-Role-td1680393.html
>>>>>>
>>>>>> I hope these tips help you research your answer more. and As I said
>>>>>> before parts of your question have already been answered.
>>>>>>
>>>>>>
>>>>>> This may clear up more on security and Role View all.
>>>>>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
>>>>>>
>>>>>>
>>>>>> Mansour Al Akeel sent the following on 7/17/2011 8:45 AM:
>>>>>>> Hello BJ,
>>>>>>> and thank you for your reply.
>>>>>>>
>>>>>>> You can check the link here:
>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewroles?partyId=DemoEmployee
>>>>>>>
>>>>>>> It has 
>>>>>>> "Add To Main Role" and "Add To Role : view all" Fields. and if you
>>>>>>> select something like "Calendar" for the first one, you will get a
>>>>>>> third field "Add To Second Role". What is the difference between them ?
>>>>>>>
>>>>>>> I was confused with the security part, because was adding a user to a
>>>>>>> group, but still the user was not allowed to edit a project. I have to
>>>>>>> add the user as a resource for that project. 
>>>>>>>
>>>>>>> What I understand now is, Party Roles has nothing to do with
>>>>>>> permissions, and the latter has to be handled separately through the
>>>>>>> security group.
>>>>>>>
>>>>>>>
>>>>>>> Thank you.
>>>>>>>
>>>>>>>
>>>>>>> On Sat Jul 16,2011 11:01 pm, BJ Freeman wrote:
>>>>>>>> Yes I still have to go back and review. The book Deals only with Roles
>>>>>>>> related to Party. Security based on login is not in the Book.
>>>>>>>> This is covered in the Service Engine and Webapps, widgets
>>>>>>>>
>>>>>>>> It helps if you give complete URL to the places you are talking about. It
>>>>>>>> saves time of the answerer and verify we are talking the same component.
>>>>>>>> The labels are in separate files from actual code, so depending on who
>>>>>>>> put in the text for that label, it may not be clear as to its meaning.
>>>>>>>>
>>>>>>>> you can limit based on Roles, security groups and/or security roles
>>>>>>>> which is different from roles.
>>>>>>>> going through the widgets and Ftls will give you code examples of how
>>>>>>>> this is accomplished.
>>>>>>>>
>>>>>>>> The example component is good to review.
>>>>>>>>
>>>>>>>>
>>>>>>>> Mansour Al Akeel sent the following on 7/16/2011 8:29 PM:
>>>>>>>>> Ok, the "BOOK" explained things, and I know I have to read many parts
>>>>>>>>> again, especially while trying to match the readings with  the
>>>>>>>>> functionality offered by OFBiz.
>>>>>>>>>
>>>>>>>>> Now I have a question related to adding roles. In the "Add To Role"
>>>>>>>>> screen:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Add To Main Role
>>>>>>>>> --> Role Type Id      
>>>>>>>>>
>>>>>>>>> Add To Second Role
>>>>>>>>> --> Role Type Id
>>>>>>>>>
>>>>>>>>> Add To Role : view all
>>>>>>>>> --> Role Type Id
>>>>>>>>>
>>>>>>>>> What is the difference between "Main Role" and "Second Role" and how do
>>>>>>>>> I use them ?
>>>>>>>>> What does the "Add To Role" mean ?
>>>>>>>>>
>>>>>>>>> Back again to the scenario in the first email, and after I modeled the
>>>>>>>>> Parties, how do I let each access only to the functionality they need to
>>>>>>>>> access ? For example, "Approver" to approve timesheet and work effort.
>>>>>>>>> Project manager to assign tasks, "Developer" to update tasks. Would this
>>>>>>>>> have to be separately using "Security Groups" ?
>>>>>>>>>
>>>>>>>>> Thank you.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon Jun 27,2011 09:29 am, BJ Freeman wrote:
>>>>>>>>>> as both Adrian and I mentioned most of that would be described well 
>>>>>>>>>> in
>>>>>>>>>> the Data model book that ofbiz was modeled after, which is why not 
>>>>>>>>>> much
>>>>>>>>>> documentation is written specifically in ofbiz.
>>>>>>>>>>
>>>>>>>>>> There are emails in the archive that have covered different parts of
>>>>>>>>>> your question.
>>>>>>>>>>
>>>>>>>>>> Actually it has been a good time for the Documentation for over 6 
>>>>>>>>>> years,
>>>>>>>>>> problem is getting someone to volunteer to do it. We have added 
>>>>>>>>>> internal
>>>>>>>>>> Help in ofbiz that needs to be filled out. ANY VOLUNTEERS.
>>>>>>>>>>
>>>>>>>>>> Normally such Contributions have been from someone hiring someone to 
>>>>>>>>>> do
>>>>>>>>>> the documentation, because it takes a lot of time to volunteer and 
>>>>>>>>>> those
>>>>>>>>>> that have to make a living do not have such time free. Then that
>>>>>>>>>> documentation was volunteered to ofbiz community.
>>>>>>>>>>
>>>>>>>>>> I limit my volunteer time per subject on the mailing list to 15 min,
>>>>>>>>>> unless I have a vested interest in it. I have even stopped answering on
>>>>>>>>>> here because my time has become very limited. as an example this email
>>>>>>>>>> took over two hours to finish because of interruptions to do business.
>>>>>>>>>>
>>>>>>>>>> so maybe others that have the time will volunteer the information you
>>>>>>>>>> desire.
>>>>>>>>>>
>>>>>>>>>> Most find the charge for the "BOOK" a lot less than hiring someone, 
>>>>>>>>>> or
>>>>>>>>>> volunteering the time to document.
>>>>>>>>>>
>>>>>>>>>> That said, feel free once you understand to volunteer your time to
>>>>>>>>>> document this the way you think it should be done.
>>>>>>>>>> BTW I have made this offer to others that presented the same proposal in
>>>>>>>>>> the past and they have not volunteered such documentation yet.
>>>>>>>>>>
>>>>>>>>>> I would suggest you draw an organizational chart then use the fields 
>>>>>>>>>> in
>>>>>>>>>> ofbiz to associated the chart to relationships. There is no "ONE"
>>>>>>>>>> organization chart.
>>>>>>>>>>
>>>>>>>>>> Demo employee shows two relationships as examples, in a normal 
>>>>>>>>>> Company
>>>>>>>>>> there may be many relationships. like the one that says the demo
>>>>>>>>>> employee is a employee.
>>>>>>>>>>
>>>>>>>>>> you would use roles and relationship
>>>>>>>>>>
>>>>>>>>>> Mansour Al Akeel sent the following on 6/27/2011 4:28 AM:
>>>>>>>>>>> BJ thank you.
>>>>>>>>>>>
>>>>>>>>>>> My question is related more to ofbiz usage. In the relationship 
>>>>>>>>>>> page:
>>>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/EditPartyRelationships?partyId=DemoEmployee
>>>>>>>>>>> you can see some fields that are not clear to me. To be more 
>>>>>>>>>>> specific, We have:
>>>>>>>>>>> in the role of  |   is A    of Party        | in the role of        
>>>>>>>>>>>
>>>>>>>>>>> There are two relations for DemoEmployee. And each relation has two fields
>>>>>>>>>>> "in the Role Of".
>>>>>>>>>>> Furthermore, there is some confusion about where to relate employee
>>>>>>>>>>> to organization. I mean if you go to:
>>>>>>>>>>>
>>>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewprofile?partyId=DemoEmployee
>>>>>>>>>>>
>>>>>>>>>>> You will see four tabs with labels that indicate similar functionality:
>>>>>>>>>>> -Roles
>>>>>>>>>>> -Link Party
>>>>>>>>>>> -Relationships
>>>>>>>>>>> -Segments
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> What is the difference between these ? To add employee to 
>>>>>>>>>>> Organization
>>>>>>>>>>> I need to use ..... ?
>>>>>>>>>>> May be it's a good opportunity to discuss and document each of them,
>>>>>>>>>>> instead of referring me to the "BOOK" ;)
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Sun, Jun 26, 2011 at 9:10 PM, BJ Freeman <bjf...@free-man.net> 
>>>>>>>>>>> wrote:
>>>>>>>>>>>> there is not much documented in ofbiz about party.
>>>>>>>>>>>> however if you read the Data model book Vol I you will see a lot about
>>>>>>>>>>>> partyrelationships. Good diagram on pg 41
>>>>>>>>>>>> In this case you would have party relationship with the company that
>>>>>>>>>>>> supplies contractors
>>>>>>>>>>>> so you need to setup the roles of each party then setup the relationship
>>>>>>>>>>>> between them
>>>>>>>>>>>> start with organizational party relationship then individual (person)
>>>>>>>>>>>> relationships with organizations.
>>>>>>>>>>>>
>>>>>>>>>>>> example
>>>>>>>>>>>> the programmer would be a employee role with the recruitment 
>>>>>>>>>>>> company if
>>>>>>>>>>>> they contract, then the programmer would have a contractor 
>>>>>>>>>>>> relationship
>>>>>>>>>>>> with the Company.
>>>>>>>>>>>>
>>>>>>>>>>>> the rest you can get from the demo data or you can look at the 
>>>>>>>>>>>> demo site
>>>>>>>>>>>> at the different parties to see the relationships.
>>>>>>>>>>>>
>>>>>>>>>>>> Mansour Al Akeel sent the following on 6/26/2011 4:43 PM:
>>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>> I didn't use the parties component extensively, and don't know a 
>>>>>>>>>>>>> lot about it.
>>>>>>>>>>>>> Here's the scenario we have. Three Group parties:
>>>>>>>>>>>>> Programmers
>>>>>>>>>>>>> Recruiter
>>>>>>>>>>>>> Sales /marketing/Distributing
>>>>>>>>>>>>> The distributor obtains the requirements and hires the Programmers
>>>>>>>>>>>>> through the "Recruitment" company. Billing is done by hour.
>>>>>>>>>>>>> In each company there's two employees that interact with the 
>>>>>>>>>>>>> system.
>>>>>>>>>>>>> programmer1 , programmer2
>>>>>>>>>>>>> hr manager 1, hr manager2
>>>>>>>>>>>>> project manager1, project manager2
>>>>>>>>>>>>>
>>>>>>>>>>>>> We need to setup the system, to handle the requirements 
>>>>>>>>>>>>> communication,
>>>>>>>>>>>>> timesheet, project management ... etc.
>>>>>>>>>>>>> I have created the three group parties, and 6 employees parties, 
>>>>>>>>>>>>> and
>>>>>>>>>>>>> stopped there not knowing how to connect them.
>>>>>>>>>>>>>
>>>>>>>>>>>>> How to associate users (employee) with companies (Group Party) ?
>>>>>>>>>>>>> I tried to go to Relationships page and use  "Add other party
>>>>>>>>>>>>> relationship", but those fields are not clear to me. For example  
>>>>>>>>>>>>> "in
>>>>>>>>>>>>> the Role of" .... etc.
>>>>>>>>>>>>> Let's say I need to put hr_manager1 as an employee of "Recruiter" 
>>>>>>>>>>>>> ??
>>>>>>>>>>>>> How many accounts I need, knowing that the recruiter get a 
>>>>>>>>>>>>> percentage ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> What do I need to do after that ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Guessing is not very helpful here as it relies on trial and error,
>>>>>>>>>>>>> and an error may not be initially visible. So I like to get an advice
>>>>>>>>>>>>> from someone with more experience in this area.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thank you.
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>
>>>
> 
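
The record-level check this thread asks about (a login holding only PROJECTMGR_ROLE_VIEW should see a task only when a party-to-project link exists) is modelled below as an added example; it is not part of the original messages and is not OFBiz code. The field names, every ID other than DemoEmployee3 and project 9000, and all sample records are constructed assumptions.

```python
from datetime import date

# Constructed sample data. Field names imitate a work-effort / party-assignment
# layout; this is a stand-alone model, not OFBiz code.
PARENT = {            # workEffortId -> parent id (project -> phase -> task)
    "9000": None, "9001": "9000", "9002": "9001",
    "9100": None, "9101": "9100", "9102": "9101",
}
TASKS = ["9002", "9102"]
ASSIGNMENTS = [       # (workEffortId, partyId, fromDate, thruDate)
    ("9100", "DemoEmployee3", date(2011, 1, 1), None),
    ("9000", "DemoEmployee3", date(2010, 1, 1), date(2010, 12, 31)),  # expired
]
PERMISSIONS = {       # login -> permissions granted through security groups
    "DemoEmployee3": {"PROJECTMGR_ROLE_VIEW"},
    "manager1": {"PROJECTMGR_VIEW"},           # hypothetical login
    "developer2": {"PROJECTMGR_ROLE_VIEW"},    # hypothetical, no assignments
}

def is_member(party_id, work_effort_id, today):
    """Walk task -> phase -> project looking for an active assignment."""
    seen = set()
    while work_effort_id is not None and work_effort_id not in seen:
        seen.add(work_effort_id)               # guard against parent cycles
        for we_id, party, from_date, thru_date in ASSIGNMENTS:
            if (we_id == work_effort_id and party == party_id
                    and from_date <= today
                    and (thru_date is None or today <= thru_date)):
                return True
        work_effort_id = PARENT.get(work_effort_id)
    return False

def can_view(party_id, work_effort_id, today):
    """Check used for both list results and direct access by id."""
    perms = PERMISSIONS.get(party_id, set())
    if "PROJECTMGR_VIEW" in perms:             # unrestricted view
        return True
    if "PROJECTMGR_ROLE_VIEW" in perms:        # role-limited: needs the link
        return is_member(party_id, work_effort_id, today)
    return False                               # default deny

def find_tasks(party_id, today):
    """Service-layer filter: foreign tasks never reach the result list."""
    return [t for t in TASKS if can_view(party_id, t, today)]

if __name__ == "__main__":
    for who in PERMISSIONS:
        print(who, find_tasks(who, date(2011, 7, 24)))
```

Because `can_view` runs in the data-access path rather than in the template, the same decision applies to the search list and to opening a task by its id.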
