Security
In One ERP, security is based on privileges granted on entities and tied to a part of the organisation (the scope of the grant). Privileges can only be granted to roles; users are then mapped to one or many roles.
The available privileges are:
entity_get - the privilege to read an entity (also required for FETCH queries that include the entity)
entity_insert - the privilege to create an entity
entity_update - the privilege to update an entity
entity_delete - the privilege to delete an entity
The available scopes:
All - the privilege is for all entities throughout the system
Organization - the privilege applies only to the entities within the organization of the user
BusinessUnit - the privilege applies only to the entities within the business unit of the user
Owner - the privilege applies only to the entities owned by the user
None - restricts the user from the privilege (this is the default value)
Note for entities in Parent-Child relationships
Child entities inherit the privileges from the Parent, except when used in a FETCH query, in which case an entity_get privilege is required.
Examples
Suppose you want to create a role named "Workers" whose users can read all the tasks in their business unit and can create, update and delete only the tasks they own. Here is how to configure it:
Entity | Privilege | Scope | Description |
---|---|---|---|
task | entity_get | BusinessUnit | Can read all tasks in each user's business unit. |
task | entity_insert | Owner | Can only create tasks owned by the respective user. |
task | entity_update | Owner | Can only update tasks owned by the respective user. |
task | entity_delete | Owner | Can only delete tasks owned by the respective user. |
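The following sketch evaluates the "Workers" grants from the table above against individual records. It is an added example, not One ERP's own code: the `User` and `Record` types, the `ROLE_GRANTS` structure and both function names are hypothetical, and it assumes that when a user holds several roles the broadest granted scope applies and that business unit identifiers are unique.

```python
from dataclasses import dataclass

# Scopes from the page, ordered narrowest to broadest. The ordering and the
# "broadest grant wins across roles" rule are assumptions of this sketch.
SCOPES = ["None", "Owner", "BusinessUnit", "Organization", "All"]

@dataclass(frozen=True)
class User:
    id: str
    business_unit: str
    organization: str
    roles: tuple

@dataclass(frozen=True)
class Record:
    entity: str
    owner_id: str
    business_unit: str
    organization: str

# Role -> {(entity, privilege): scope}; "Workers" mirrors the table above.
ROLE_GRANTS = {
    "Workers": {
        ("task", "entity_get"): "BusinessUnit",
        ("task", "entity_insert"): "Owner",
        ("task", "entity_update"): "Owner",
        ("task", "entity_delete"): "Owner",
    },
}

def effective_scope(user, entity, privilege):
    """Broadest scope any of the user's roles grants; a missing grant is None."""
    scopes = [ROLE_GRANTS.get(role, {}).get((entity, privilege), "None")
              for role in user.roles]
    return max(scopes, key=SCOPES.index, default="None")

def is_allowed(user, privilege, record):
    """Deny by default, then match the record against the granted scope."""
    scope = effective_scope(user, record.entity, privilege)
    if scope == "All":
        return True
    if scope == "Organization":
        return record.organization == user.organization
    if scope == "BusinessUnit":
        return record.business_unit == user.business_unit
    if scope == "Owner":
        return record.owner_id == user.id
    return False
```

For `entity_insert`, pass the record as it would be created, so an Owner-scoped grant only admits records whose owner is the requesting user.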
If you wish to create a supervisor role with reading and deleting privileges for all entities and the possibility to assign entities to other users within the supervisor's department, the security is configured as follows:
Entity | Privilege | Scope | Description |
---|---|---|---|
task | entity_get | BusinessUnit | Can read all entities in their department. |
task | entity_delete | BusinessUnit | Can delete all entities in their department. |
task | entity_update | BusinessUnit | Can update and/or assign to other users all entities in their department. |