This document shows how security is implemented using roles, groups and functions,
including how to set up the necessary scripts, along with examples.
In our example we only use the function to determine the rights of a user.
The default is to base user rights on site and group, too (see getPortalAssignmentBaseCategoryList).
To override this default, we need to create a Python script named (to follow the
naming convention) ERP5Type_getSecurityCategoryMapping in portal_skins/custom
(or any other folder in the acquisition path) with this content:
## Script (Python) "ERP5Type_getSecurityCategoryMapping"
# Only the function of each assignment is used to compute security groups.
return (('ERP5Type_getSecurityCategoryFromAssignment', ['function']),)
Next we want to restrict access to the Accounting Module. Call
accounting_module/Base_setDefaultSecurity to disable security acquisition
for the module, then go to portal_types/Accounting Transaction Module/manage_editRolesForm
(the Roles tab of the management interface of the Accounting Module portal type).
This will set the Assignor role for any person with an assignment specifying the
accountant function. Once every role definition is added, select Update Local Roles
from the Actions tab to make sure the new roles are applied.
Repeat this process for every portal type you need.
To verify that things worked, try logging in as one of the newly created persons
using the associated login/password pair and check whether accounting transactions
Note that if you already had data in your ERP5 instance, you also need to
reindex the ERP5 site after managing roles. Otherwise users will have access to
objects, but these won't display in listboxes, because the catalog does not yet
reflect the newly changed roles.
Roles are assigned on a per-type basis and not on a per-object basis. This allows
you to set generic rules across all kinds of objects and once they are set, you don't
have to change the security settings anymore.
This is the category the user must have to get access permission (like function/ceo)
This script tells ERP5 which base category will be used for setting the security policy.
You must return every base category list you want to use in the Base Category setting.
If you want to grant access based on the site, or based on both group and function,
the script will return something like this:
return (
  ('ERP5Type_getSecurityCategoryFromAssignment', ['site']),
  ('ERP5Type_getSecurityCategoryFromAssignment', ['group', 'function']),
)
Denotes a list of base categories (space separated) that should correspond
to an entry returned by ERP5Type_getSecurityCategoryMapping. When a user
creates an object, ERP5Security takes the owner's assignments and sets permissions for
people with the same base category values.
If you set Base Category = group and Category = function/ceo,
then the permission will be granted to the CEO of the group found in the owner's
assignment. If you omit Category, only the owner's properties are taken into
account. If you omit Base Category, the rule is based only on the
specified category (in general, a function). Note that you can also specify
a list of Base Categories and Categories separated by spaces.