ofbiz-user mailing list archives

From Mansour Al Akeel <mansour.alak...@gmail.com>
Subject Re: Creating parties
Date Mon, 25 Jul 2011 09:20:11 GMT
BJ,
go to this page:
https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
login as whatever user you like, provided he has access to projectmgr
Hit [Find]
you will get a list of all the tasks in the system, even if you are not
a member of any project.
Click on any task, and you will be able to see the full info about it!

This is the problem!



On Sun Jul 24,2011 05:12 pm, BJ Freeman wrote:
> OOTB look at the party group Dev and relationships and work your way
> down to developer1
> you need this to show up in project resources to be added as a resource.
> in projects pick Demo project3 and go to resources.
> you will see DemoEmployee3
> 
> log in as DemoEmployee3
> you will notice that only projects and my portals show
> click on projects
> ignore the error for now
> then click on using the project mgr menu select projects you will only
> see the one in which DemoEmployee3 is a resource.
> 
> once you figure out what you need to make this happen you will have
> solved your problem
> 
> 
> Mansour Al Akeel sent the following on 7/24/2011 2:04 PM:
> > BJ,
> > The party "Mansour" has only one role "Employee" related to
> > "Mansour INC" organization !
> > 
> > And I don't have any service added. It's just the same services
> > out-of-box.
> > 
> > Anyone knows how to deal with it ? 
> > 
> > 
> > On Sun Jul 24,2011 01:20 pm, BJ Freeman wrote:
> >> since access for user is through the UI there is no need to go to record
> >> level.
> >> Now if you have a service that accesses the records then it is the
> >> service that should check.
> >>
> >>
> >> Mansour Al Akeel sent the following on 7/24/2011 1:12 PM:
> >>> BJ,
> >>> I am not sure if my question is clear. Yes, I have to have PROJECTMGR
> >>> permission to access this component. But the tasks are viewable to
> >>> anyone.
> >>>
> >>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
> >>> This part explains what I need:
> >>>
> >>>
> >>> ====================================================
> >>> At record level
> >>>
> >>> Defining a path from the Party in question to the target/desired entity through relationships. This is usually do-able and easy to do with a single view entity, and if a query on that entity with the proper constraints returns any results then you know the user/party has the permission.
> >>> See the catalog role limited permissions and how they are defined and used in the ProductServices.xml file for an example.
> >>> Role limited (or based) permissions (aka Party Roles)
> >>>
> >>> The purpose of role-limited permissions is to tie a SecurityPermission to record level security using the RoleType/PartyRole and related entities. In OFBiz this is how record level permissions are done, i.e. somehow the user (through their Party record) is associated with another record in the database and that specific relationship must exist in order for the role-limited permission to take effect.
> >>> Good examples are in hasPermission methods in OrderServices class or how ProductStoreRole, ContentAndRole, PartyRole, entities are used in Java code (and at large ENTITY-NAME Role entities). See also checkStoreCustomerRole in ProductEvents class.
> >>> By the way, do not confuse Security Roles (below) with Party Roles - they are entirely different.
> >>>
> >>>
> >>> Security Roles
> >>>
> >>> Security Roles provide a means to associate a user ID (userLoginId) with a particular OFBiz element. This may seem the same as Security Permission, but it is slightly different. For example: a user is assigned the ORDERMGR_VIEW permission, and is associated to a particular facility (let's say XYZ Company) with the ORDERMGR_ROLE_UPDATE security role. This combination would allow the user to view orders for all facilities, and update orders for the XYZ Company facility only. They may be seen as limiting permissions.
> >>>
> >>> ===================================================
> >>>
> >>> Back again to my original question, to protect the tasks from being
> >>> seen by Parties (logins), that are NOT a resource of that project, do I
> >>> have to dig in the code and add the permissions check, or it's a matter
> >>> of configuration. To me it
> >>> makes more sense that a "party login" who is not a member of a project should
> >>> not be able to see work effort or task in that project.
> >>>
> >>>
> >>> On Sun Jul 24,2011 11:35 am, BJ Freeman wrote:
> >>>> permission usually refer to the Login of a party.
> >>>> if you look in the ofbiz-component.xml, base-permission="PROJECTMGR",
> >>>> your login must have this security level.
> >>>>
> >>>> Mansour Al Akeel sent the following on 7/24/2011 10:29 AM:
> >>>>> BJ,
> >>>>> thank you for all your help. I looked at the links you sent me, and they
> >>>>> were useful. I still don't understand why permissions are checked in
> >>>>> the ftl and not the service layer. However this is not the issue I am
> >>>>> stuck at now.
> >>>>> I think I am still confused about permissions.
> >>>>> I created an account on trunk demo to show what I am talking about.
> >>>>>
> >>>>> If you go to:
> >>>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/main
> >>>>> and try to login with mansour:ofbiz you will be greeted with a screen
> >>>>> saying:
> >>>>>
> >>>>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen [component://common/widget/CommonScreens.xml#GlobalDecorator]: java.lang.IllegalArgumentException: Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000 (Error running Groovy script at location [component://projectmgr/webapp/projectmgr/WEB-INF/actions/ListCurrentProjects.groovy]: org.ofbiz.service.ServiceAuthException: You have no access to the project#: 9000)
> >>>>>
> >>>>> This is fine, as the user "mansour" doesn't have permission to view
> >>>>> this project, but shouldn't this screen display the projects he is
> >>>>> member of (if any).
> >>>>>
> >>>>> The second part is if you go to:
> >>>>>
> >>>>> https://demo-trunk.ofbiz.apache.org/projectmgr/control/FindTask
> >>>>>
> >>>>> and hit find, the user can see all the tasks that he is not member of,
> >>>>> and clicking on any of them, will open the details about that task.
> >>>>>
> >>>>> This user is in "PROJECTUSER"  security group, which has:
> >>>>>
> >>>>> PROJECTMGR_ROLE_TASK_CREATE Be able to create a task (should be member of project)
> >>>>> PROJECTMGR_ROLE_TIMESHEET_CREATE Be able to create a weekly timesheet for the loginid.
> >>>>> PROJECTMGR_ROLE_TIMESHEET_UPDATE Be able to update(report) on an existing own timesheet
> >>>>> PROJECTMGR_ROLE_VIEW All view operations in the Project Manager for a project/phase/task the user is member of..
> >>>>> PROJECTMGR_VIEW ALL View operations in the Project Manager(but can be limited by ROLE_VIEW)
> >>>>>
> >>>>> On my local machine, I removed that last one "PROJECTMGR_VIEW", but
> >>>>> still this user can see others tasks.
> >>>>>
> >>>>> Am I doing something wrong here?
> >>>>>
> >>>>> I appreciate your help.
> >>>>>
> >>>>> On Sun Jul 17,2011 10:09 am, BJ Freeman wrote:
> >>>>>> New Role Type (see chapter two of the Book)
> >>>>>> lets you define a new role type to use.
> >>>>>> it is best to link with the book to use the webtools
> >>>>>> https://demo-trunk.ofbiz.apache.org/webtools/control/ViewRelations?entityName=RoleType
> >>>>>> you can also get the xml structure from the data and create a bunch of
> >>>>>> them then load them via the web tools import. note: that service engine
> >>>>>> and UI (widgets and ftls) need to be changed if you want that role type to
> >>>>>> have access.
> >>>>>>
> >>>>>> doing a google search for
> >>>>>> ofbiz main role
> >>>>>> http://ofbiz.135035.n4.nabble.com/Party-Main-Role-td1680393.html
> >>>>>>
> >>>>>> I hope these tips help you research your answer more. and As I said
> >>>>>> before parts of your question have already been answered.
> >>>>>>
> >>>>>>
> >>>>>> This may clear up more on security and Role View all.
> >>>>>> https://cwiki.apache.org/OFBTECH/ofbiz-security.html
> >>>>>>
> >>>>>>
> >>>>>> Mansour Al Akeel sent the following on 7/17/2011 8:45 AM:
> >>>>>>> Hello BJ,
> >>>>>>> and thank you for your reply.
> >>>>>>>
> >>>>>>> You can check the link here:
> >>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewroles?partyId=DemoEmployee
> >>>>>>>
> >>>>>>> It has
> >>>>>>> "Add To Main Role" and "Add To Role : view all" Fields. and if you
> >>>>>>> select something like "Calendare" for the first one, you will get a
> >>>>>>> third field "Add To Second Role". What is the difference between them ?
> >>>>>>>
> >>>>>>> I was confused with the security part, because I was adding a user to a
> >>>>>>> group, but still the user was not allowed to edit a project. I have to
> >>>>>>> add the user as a resource for that project.
> >>>>>>>
> >>>>>>> What I understand now is, Party Roles has nothing to do with
> >>>>>>> permissions, and the latter has to be handled separately through the
> >>>>>>> security group.
> >>>>>>>
> >>>>>>>
> >>>>>>> Thank you.
> >>>>>>>
> >>>>>>>
> >>>>>>> On Sat Jul 16,2011 11:01 pm, BJ Freeman wrote:
> >>>>>>>> Yes I still have to go back and review. The book Deals only with Roles
> >>>>>>>> related to Party. Security based on login is not in the Book.
> >>>>>>>> That is covered in the Service Engine and Webapps, widgets
> >>>>>>>>
> >>>>>>>> It helps if you give complete URL to the places you are talking about. It
> >>>>>>>> saves time of the answerer and verify we are talking the same component.
> >>>>>>>> The labels are in separate files from actual code, so depending on who
> >>>>>>>> put in the text for that label, it may not be clear as to its meaning.
> >>>>>>>>
> >>>>>>>> you can limit based on Roles, security groups and/or security roles
> >>>>>>>> which is different from roles.
> >>>>>>>> going through the widgets and Ftls will give you code examples of how
> >>>>>>>> this is accomplished.
> >>>>>>>>
> >>>>>>>> The example component is good to review.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Mansour Al Akeel sent the following on 7/16/2011 8:29 PM:
> >>>>>>>>> Ok, the "BOOK" explained things, and I know I have to read many parts
> >>>>>>>>> again, especially while trying to match the readings with  the
> >>>>>>>>> functionality offered by OFBiz.
> >>>>>>>>>
> >>>>>>>>> Now I have a question related to adding roles. In the "Add To Role"
> >>>>>>>>> screen:
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Add To Main Role
> >>>>>>>>> --> Role Type Id 	
> >>>>>>>>>
> >>>>>>>>> Add To Second Role
> >>>>>>>>> --> Role Type Id
> >>>>>>>>>
> >>>>>>>>> Add To Role : view all
> >>>>>>>>> --> Role Type Id
> >>>>>>>>>
> >>>>>>>>> What is the difference between "Main Role" and "Second Role" and how do
> >>>>>>>>> I use them ?
> >>>>>>>>> What does "Add To Role" mean ?
> >>>>>>>>>
> >>>>>>>>> Back again to the scenario in the first email, and after I modeled the
> >>>>>>>>> Parties, how do I let each access only to the functionality they need to
> >>>>>>>>> access ? For example, "Approver" to approve timesheet and work effort.
> >>>>>>>>> Project manager to assign tasks, "Developer" to update tasks. Would this
> >>>>>>>>> have to be separately using "Security Groups" ?
> >>>>>>>>>
> >>>>>>>>> Thank you.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On Mon Jun 27,2011 09:29 am, BJ Freeman wrote:
> >>>>>>>>>> as both Adrian and I mentioned most of that would be described well in
> >>>>>>>>>> the Data model book that ofbiz was modeled after, which is why not much
> >>>>>>>>>> documentation is written specifically in ofbiz.
> >>>>>>>>>>
> >>>>>>>>>> There are emails in the archive that have covered different parts of
> >>>>>>>>>> your question.
> >>>>>>>>>>
> >>>>>>>>>> Actually it has been a good time for the Documentation for over 6 years,
> >>>>>>>>>> problem is getting someone to volunteer to do it. We have added internal
> >>>>>>>>>> Help in ofbiz that needs to be filled out. ANY VOLUNTEERS.
> >>>>>>>>>>
> >>>>>>>>>> Normally such Contributions have been from someone hiring someone to do
> >>>>>>>>>> the documentation, because it takes a lot of time to volunteer and those
> >>>>>>>>>> that have to make a living do not have such time free. Then that
> >>>>>>>>>> documentation was volunteered to ofbiz community.
> >>>>>>>>>>
> >>>>>>>>>> I limit my volunteer time per subject on the mailing list to 15 min,
> >>>>>>>>>> unless I have a vested interest in it. I have even stopped answering on
> >>>>>>>>>> here because my time has become very limited. as an example this email
> >>>>>>>>>> took over two hours to finish because of interruptions to do business.
> >>>>>>>>>>
> >>>>>>>>>> so maybe others that have the time will volunteer the information you
> >>>>>>>>>> desire.
> >>>>>>>>>>
> >>>>>>>>>> Most find the charge for the "BOOK" a lot less than hiring someone, or
> >>>>>>>>>> volunteering the time to document.
> >>>>>>>>>>
> >>>>>>>>>> That said, feel free once you understand to volunteer your time to
> >>>>>>>>>> document this the way you think it should be done.
> >>>>>>>>>> BTW I have made this offer to others that presented the same proposal in
> >>>>>>>>>> the past and they have not volunteered such documentation yet.
> >>>>>>>>>>
> >>>>>>>>>> I would suggest you draw an organizational chart then use the fields in
> >>>>>>>>>> ofbiz to associate the chart to relationships. There is no "ONE"
> >>>>>>>>>> organization chart.
> >>>>>>>>>>
> >>>>>>>>>> Demo employee shows two relationships as examples, in a normal Company
> >>>>>>>>>> there may be many relationships. like the one that says the demo
> >>>>>>>>>> employee is an employee.
> >>>>>>>>>>
> >>>>>>>>>> you would use roles and relationship
> >>>>>>>>>>
> >>>>>>>>>> Mansour Al Akeel sent the following on 6/27/2011 4:28 AM:
> >>>>>>>>>>> BJ thank you.
> >>>>>>>>>>>
> >>>>>>>>>>> My question is related more to ofbiz usage. In the relationship page:
> >>>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/EditPartyRelationships?partyId=DemoEmployee
> >>>>>>>>>>> you can see some fields that are not clear to me. To be more specific, We have:
> >>>>>>>>>>> in the role of  |	is A 	of Party 	| in the role of
> >>>>>>>>>>>
> >>>>>>>>>>> There are two relations for DemoEmployee. And each relation has two fields
> >>>>>>>>>>> "in the Role Of".
> >>>>>>>>>>> Furthermore, there is some confusion about where to relate employee
> >>>>>>>>>>> to organization. I mean if you go to:
> >>>>>>>>>>>
> >>>>>>>>>>> https://demo-trunk.ofbiz.apache.org/partymgr/control/viewprofile?partyId=DemoEmployee
> >>>>>>>>>>>
> >>>>>>>>>>> You will see four tabs with labels that indicate similar functionality:
> >>>>>>>>>>> -Roles
> >>>>>>>>>>> -Link Party
> >>>>>>>>>>> -Relationships
> >>>>>>>>>>> -Segments
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> What is the difference between these ? To add employee to Organization
> >>>>>>>>>>> I need to use ..... ?
> >>>>>>>>>>> Maybe it's a good opportunity to discuss and document each of them,
> >>>>>>>>>>> instead of referring me to the "BOOK" ;)
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> On Sun, Jun 26, 2011 at 9:10 PM, BJ Freeman <bjfree@free-man.net> wrote:
> >>>>>>>>>>>> there is not much documented in ofbiz about party.
> >>>>>>>>>>>> however if you read the Data model book Vol I you will see a lot about
> >>>>>>>>>>>> party relationships. Good diagram on pg 41
> >>>>>>>>>>>> In this case you would have party relationship with the company that
> >>>>>>>>>>>> supplies contractors
> >>>>>>>>>>>> so you need to setup the roles of each party then setup the relationship
> >>>>>>>>>>>> between them
> >>>>>>>>>>>> start with organizational party relationship then individual (person)
> >>>>>>>>>>>> relationships with organizations.
> >>>>>>>>>>>>
> >>>>>>>>>>>> example
> >>>>>>>>>>>> the programmer would be an employee role with the recruitment company if
> >>>>>>>>>>>> they contract, then the programmer would have a contractor relationship
> >>>>>>>>>>>> with the Company.
> >>>>>>>>>>>>
> >>>>>>>>>>>> the rest you can get from the demo data or you can look at the demo site
> >>>>>>>>>>>> at the different parties to see the relationships.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Mansour Al Akeel sent the following on 6/26/2011 4:43 PM:
> >>>>>>>>>>>>> Hello all,
> >>>>>>>>>>>>> I didn't use the parties component extensively, and don't know a lot about it.
> >>>>>>>>>>>>> Here's the scenario we have. Three Group parties:
> >>>>>>>>>>>>> Programmers
> >>>>>>>>>>>>> Recruiter
> >>>>>>>>>>>>> Sales /marketing/Distributing
> >>>>>>>>>>>>> The distributor obtains the requirements and hires the Programmers
> >>>>>>>>>>>>> through the "Recruitment" company. Billing is done by hour.
> >>>>>>>>>>>>> In each company there are two employees that interact with the system.
> >>>>>>>>>>>>> programmer1 , programmer2
> >>>>>>>>>>>>> hr manager 1, hr manager2
> >>>>>>>>>>>>> project manager1, project manager2
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> We need to setup the system, to handle the requirements communication,
> >>>>>>>>>>>>> timesheet, project management ... etc.
> >>>>>>>>>>>>> I have created the three group parties, and 6 employees parties, and
> >>>>>>>>>>>>> stopped there not knowing how to connect them.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> How to associate users (employee) with companies (Group Party) ?
> >>>>>>>>>>>>> I tried to go to Relationships page and use  "Add other party
> >>>>>>>>>>>>> relationship", but those fields are not clear to me. For example  "in
> >>>>>>>>>>>>> the Role of" .... etc.
> >>>>>>>>>>>>> Let's say I need to put hr_manager1 as an employee of "Recruiter" ??
> >>>>>>>>>>>>> How many accounts I need, knowing that the recruiter get a percentage ?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> What do I need to do after that ?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Guessing is not very helpful here as it relies on trial and error,
> >>>>>>>>>>>>> and an error may not be initially visible. So I like to get advice
> >>>>>>>>>>>>> from someone with more experience in this area.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Thank you.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>
> >>>>>>>
> >>>>>
> >>>
> > 
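
Added example, not part of the thread and not OFBiz code: a simplified Python model of the record-level check discussed above, in which PROJECTMGR_VIEW grants every task and PROJECTMGR_ROLE_VIEW only the tasks of projects the party is a resource of. The sample data and the names `can_view_project`, `find_tasks`, `get_task` and `make_user` are hypothetical; the point is that both the list and the detail lookup enforce the check in the service layer rather than in the template.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Task:
    task_id: str
    project_id: str
    name: str

@dataclass(frozen=True)
class UserLogin:
    user_login_id: str
    party_id: str
    permissions: frozenset

# Constructed sample data (not OFBiz seed data).
TASKS = [
    Task("T1", "P1", "Design schema"),
    Task("T2", "P1", "Write importer"),
    Task("T3", "P2", "Audit invoices"),
]
# (party_id, project_id) pairs: the party is a resource of that project.
PROJECT_RESOURCES = {("dev1", "P1"), ("dev2", "P2")}

class ServiceAuthError(Exception):
    """Raised when the caller may not see the requested record."""

def can_view_project(user, project_id):
    # Unrestricted permission: every project.
    if "PROJECTMGR_VIEW" in user.permissions:
        return True
    # Role-limited permission: only with a party-to-project relationship.
    if "PROJECTMGR_ROLE_VIEW" in user.permissions:
        return (user.party_id, project_id) in PROJECT_RESOURCES
    return False

def find_tasks(user):
    # List service: constrain the result set itself, so the screen
    # never receives rows it would have to hide.
    return [t for t in TASKS if can_view_project(user, t.project_id)]

def get_task(user, task_id):
    # Detail service: re-check on direct access by id; unknown and
    # forbidden ids fail identically so ids cannot be probed.
    task = next((t for t in TASKS if t.task_id == task_id), None)
    if task is None or not can_view_project(user, task.project_id):
        raise ServiceAuthError(f"no access to task {task_id}")
    return task

def make_user(login, party, *perms):
    # Helper for building sample logins.
    return UserLogin(login, party, frozenset(perms))
```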
