ERP 2.50:Developers Guide/How to define users roles privileges menus
Objective
The configuration of an application requires thought and preparation. Before you design your menu structure and role security it is important to understand the requirements of the system you intend to build. The following open questions can help you do this:
- What are the tasks that need to be performed in the application under development?
- What object access is required to complete each of these tasks; window, table, organization, process, form, workflow and task?
- What are the privileges required to execute each of these tasks?
- What are the employee roles; sales clerk, system admin, buyer, forecaster, production manager, warehouse manager etc?
- How can the individual tasks be assigned to the employee roles?
- Who are the employees in your system?
- What roles do they need access to?
The definition of user, role, privilege and menu structure is like the chicken and the egg scenario; what comes first? There is no definitive answer here and perhaps the process is iterative. However, this guide starts with defining a role, as roles are central to the whole configuration design. The guide assumes that you have designed and configured the organizations of your configuration separately from this section.
For your reference: configuration of users and roles is also discussed in detail in the configuration manual.
Create a Role
Once you have a plan, the creation of users and roles is intuitive.
A good starting point is to define the roles in the organization and the privileges they require. Roles are central to the whole configuration design because roles are mostly permanent while users are temporary. For example, a role may be sales clerk or warehouse manager, positions that will always be required, while the individual user who performs a role may transfer to a different one, e.g. a Sales Clerk may become a Sales Manager. To create a role:
- Transfer to the admin role of your client.
- Navigate to General Setup > Security > Role.
- Create a new record. The mandatory data required for this record is:
  - Name = the name of the role in the customer organization, e.g. Sales Clerk, Production Manager, Forecaster etc.
  - Active = Select this option to ensure the role appears in the generated application. During development you may want the role to appear only when it is complete.
  - User Level = This controls which organizations the role has access to. There are 4 options; the most common are:
    - Organization - the role only has access to organization specific data.
    - Client and Organization - the role has access to organization specific data and client shared data.
  - Manual = This controls whether all existing privileges are automatically given to the role or whether they are manually associated on a per need basis. Selecting this option for manual control is recommended.
- Save the record.
For more information see the AD_Role table description.
Assign a Privilege to a Role
You have now defined a role. The next stage is to assign privileges to that role.
This can be done directly using one of the element tabs, or indirectly by associating the role with a pre-existing menu using the 'Grant Access' button. The third option is to leave the 'Manual' checkbox unselected, which has the effect of assigning all existing privileges to your role. For production systems, the only case in which this is advised is for a super user.
Which way you assign privileges is entirely in your hands. The objective is to build a role which is efficient and effective. For example, if the computer skill profile of the role user is basic, if speed of data retrieval/entry is important, or if the number of functional tasks needed in the role is fewer than 6, then keep the navigation path of the role simple and use the direct approach to assigning privileges. These types of roles target individual clerk level jobs that need to get done around the enterprise: sales clerk, packing, picking, shipping, manufacturing cells etc.
Each of these roles can be individually customized for that particular job very easily. The trick is to ask the appropriate questions of the right people at a granular level during the customer interview process. In many cases this might mean interviewing the people who perform these roles while they are working to ensure your design is correct.
However, if the role is more complicated and the privileges assigned to it require some sort of categorization and organization, then the indirect approach is better. Typically these roles require a higher level of computer skill and education: Managers, Analysts, Supervisors, Engineers, Administrators etc. These types of employees typically need access to many more privileges, in some cases spread over several modules. To design these types of roles there is a pre-step: you will need to start by building the menu structure appropriate to each role. Openbravo is shipped with several pre-built menu structures called Modules: Sales Management, Procurement Management, Warehouse Management, Production Management etc. You can modify these or start from scratch and build your own menus.
Once you have defined the menu, return to your role definition screen and associate the two elements. Select the 'Grant Access' button. In the resulting dialog you can select both the Menu Modules you want to associate with your role and what type of access privileges the role needs. For example, a Sales Manager will need access to all the Windows and Reports of the 'Sales Management' module, while a Logistics Analyst will need access to all the reports of the Sales, Procurement, Production and Warehouse modules.
For more information see also the AD_Role_OrgAccess table description.
Create your own Menu Modules
To customize each job in your application it is very advantageous to organize and structure the tasks required for a role. A good way to do this is to create a menu module and populate it with the elements required for that role, in the sequence in which each task in a process needs to occur.
To add a menu module you need to:
- Change the role to System Administrator.
- Navigate to General Setup > Application > Menu.
- Enter the name of your Menu Module.
- Select 'Active' (Default).
- Select 'Summary Level'.
- Save.
To populate your menu module with tasks (Windows, Reports, Processes...etc), for each task create a record:
- Change the role to System Administrator.
- Navigate to General Setup > Application > Menu.
- Enter the name of your Menu Item.
- Select 'Active' (Default).
- Clear 'Summary Level' (Default).
- Select 'Action' (Window, Report, Process...etc).
- Select element (ABC Activity window, Asset Delivery report, Create Invoice process...etc).
To structure the menu items into the menu module:
- Select the Tree Icon from the content menu.
- You will see a window containing folder and leaf icons.
- Move the leaf icons you created into the folder you created.
- Order the leaf icons in the sequence in which they need to happen.
- Close.
For more information see the AD_Menu table description.
Create a User
A User is related to an individual, while a role is related to a set of tasks. To create a User follow this procedure:
- Transfer to the admin role of your client.
- Navigate to General Setup > Security > User.
- Select the Window.
- Create a new record (make sure you are not editing an existing user!):
  - The Client field will show the name of your client by default.
  - Select the Organization (This can be for access to one or all organizations in a client).
  - First Name.
  - Last Name.
  - Name (Default).
  - Select Active (Default).
  - Username (The default is a concatenation of first and last name).
- Save the record.
- Enter the user Password (Remember this).
- Select OK.
For more information see also the AD_User table description.
Grant Role Access
For the User to be able to do their job they need to be granted access to privileges. This is accomplished by associating each user with one or more pre-existing roles.
Staying in the User window:
- Select the 'User Roles' tab.
- Create a new record and select a role.
- Save the record.
- Add all roles this new user will be able to have/use (one line for each role).
For more information see also the AD_Role_OrgAccess table description.
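Because a role with 'Manual' unselected receives all existing privileges, it is worth checking which users end up holding such roles once roles have been granted. The following is an added example, not Openbravo code: it runs that check against a constructed in-memory SQLite model. The table ad_user_roles, the columns isactive, ismanual and userlevel, the approved role list and all sample rows are assumptions made for illustration, loosely modelled on the AD_Role and AD_User tables named in this guide.

```python
import sqlite3

# Constructed, simplified stand-ins for AD_Role, AD_User and the user-role link.
# Column names and the textual user levels are assumptions for this example.
SCHEMA = """
CREATE TABLE ad_role (ad_role_id INTEGER PRIMARY KEY, name TEXT,
                      isactive TEXT, ismanual TEXT, userlevel TEXT);
CREATE TABLE ad_user (ad_user_id INTEGER PRIMARY KEY, username TEXT, isactive TEXT);
CREATE TABLE ad_user_roles (ad_user_id INTEGER, ad_role_id INTEGER, isactive TEXT);
"""

# Constructed sample data: one super user, one manual role, one non-manual role
# given to an ordinary user, plus an inactive role and an inactive user.
SAMPLE = """
INSERT INTO ad_role VALUES
 (1, 'Super User',  'Y', 'N', 'Client and Organization'),
 (2, 'Sales Clerk', 'Y', 'Y', 'Organization'),
 (3, 'Forecaster',  'Y', 'N', 'Organization'),
 (4, 'Old Buyer',   'N', 'N', 'Organization');
INSERT INTO ad_user VALUES
 (10, 'admin', 'Y'), (11, 'jsmith', 'Y'), (12, 'mlopez', 'Y'), (13, 'former', 'N');
INSERT INTO ad_user_roles VALUES
 (10, 1, 'Y'), (11, 2, 'Y'), (12, 3, 'Y'), (12, 2, 'Y'), (13, 3, 'Y'), (11, 4, 'Y');
"""

# Active users holding an active role whose Manual flag is unselected.
AUDIT = """
SELECT u.username, r.name, r.userlevel
FROM ad_user_roles ur
JOIN ad_user u ON u.ad_user_id = ur.ad_user_id
JOIN ad_role r ON r.ad_role_id = ur.ad_role_id
WHERE u.isactive = 'Y' AND r.isactive = 'Y' AND ur.isactive = 'Y'
  AND r.ismanual = 'N'
ORDER BY u.username, r.name
"""

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def auto_privileged_assignments(conn, approved_roles=("Super User",)):
    """Return (username, role, user level) for every live assignment of a
    non-manual role that is not on the approved list."""
    rows = conn.execute(AUDIT).fetchall()
    return [row for row in rows if row[1] not in approved_roles]

if __name__ == "__main__":
    for user, role, level in auto_privileged_assignments(build_sample_db()):
        print(f"{user}: role '{role}' ({level}) has Manual unselected")
```

Inactive users and inactive roles are filtered out so the report only lists assignments that can actually be used to log in.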
The Result
Your new user and role configuration will be immediately activated. To check it is what you need:
- Log out and re-enter the application with your new user and the password.
- Select the user options window.
- Select role - You should see that your new user is granted access to the role/s you associated it with.
- Select OK.
- The Menu of the left panel of your interface should only display the modules and elements your current role has access to.
As you can see, Openbravo ERP development has built a flexible system that should meet your user, role and menu requirements.