Implementing Security in ADempiere 3.4: Part 1
In this article by Bayu Cahya Pamungkas, you will learn how ADempiere security works. You will be guided through managing user IDs and creating roles. While constructing a role, you will see the various attributes involved, such as access all orgs, maintain change log, and so on. Here, you will learn how to assign rights to access a window, identify a process, and give rights to it, how to register document access, and manage form access. Then, with an example, we will show you how to perform the access security rule for records, how to restrict access to tables, columns, reports, and export facilities. We will conclude this article by showing you the process of obscuring information in ADempiere.
In this article, we will introduce you to what we can do to implement ADempiere security in your organization. We will discuss how to:
- Set up Users
- Create Roles and give access rights to end-users
- Record Access security rules
We will elaborate on these topics in the upcoming sections.
In a real ERP implementation, there are many people (such as the General Manager, Accounting Manager, Warehouse Manager, Accounting staff, warehouse staff, shipping staff, and so on) involved in operating the system. Because every individual has his or her own responsibilities in the organization, the system should help the organization manage each person's rights to access information and to perform activities in the system.
Managing ADempiere user IDs
In our ADempiere implementation, we need to define a list of users in the system. A user could be the Accounting Manager, the Warehouse Manager, or any of the staff who need to access the system. Now, log in with user ID admin, using Sistematika Fashion, Ltd Admin as the role and * as the organization. We will register a new user ID with the help of the ADempiere administrator.
Creating a user ID in the system
In this example, we will create two additional user IDs. Open the Menu System Admin | General Rules | Security | User window. On the User Contact tab, enter and save the following minimum requirement information:
| Field | 1st data | 2nd data |
|---|---|---|
| Client | Sistematika Fashion, Ltd | Sistematika Fashion, Ltd |
| Organization | * | * |
| Name | Daniel | Moses |
| Search Key | daniel | moses |
| Password | 123456 | 123456 |
An example of the first set of user ID data entered in the User window is shown in the following screenshot:

As these user IDs are not yet connected to any Role, they cannot currently access the ADempiere system.
There are other tabs listed in the User window (for example, User Roles, User Substitute, Org Assignment, and so on). For our purpose, there is no need to set up any data here.
Managing user ID access control
For a computer system's security, role-based access control is an approach to restricting system access to authorized users. ADempiere uses this role-based access control approach for its internal security implementation.
In the subsequent sections, we will introduce you to creating and configuring role-based access control in the ADempiere system.
Introduction to ADempiere roles
The ADempiere role is the place where we can define and configure the access rights for our authorized user ID. These access rights include access to:
- Organization
- Window
- Process
- Form
- Workflow
- Task
- Document Action
In our example, we will create two roles, which have the following behavior:
- The first role will have all access rights
- The second role will have restricted or limited rights
We will practice creating these sample roles and examine the impact of the security configuration.
Creating a new ADempiere role
Open the Menu System Admin | General Rules | Security | Role window, and then enter and save the following minimum requirements information on the Role tab:
| Field | 1st data | 2nd data |
|---|---|---|
| Client | Sistematika Fashion, Ltd | Sistematika Fashion, Ltd |
| Organization | * | * |
| Name | All Access | Restricted Access |
| User Level | Client + Organization | Organization |
| Manual | deselected | selected |
| Preference Level | Client | Organization |
| Maintain Change Log | selected | selected |
| Show Accounting | selected | deselected |
| Access all Orgs | selected | deselected |
| Can Report | selected | selected |
| Can Export | selected | selected |
For the All Access role, select all of the checkboxes in the Allow Info in Role fields group.
An example for the information in the Role tab for All Access is shown in the following screenshot:

On saving the All Access role (which has the Manual checkbox deselected), the Window Access, Process Access, Form Access, Workflow Access, Task Access, and Document Action Access will be granted automatically, based on User Level selection. Check it out in all of the available tabs in this Role window. This role has almost identical access rights when compared to the default Sistematika Fashion, Ltd Admin role.
Attaching a user ID to a specific role
With our newly-created role, you need to assign a user ID to this role. Perform the following activities:
- Assign user ID Daniel to the All Access role.
  Ensure that your active record in the Role tab of the Role window is All Access. Navigate to the User Assignment tab, and then click on the New button. Set the Organization to *, and the User/Contact field to Daniel, and then save this information.
- Assign user ID Moses to the Restricted Access role.
  Ensure that your active record in the Role tab of the Role window is Restricted Access. Navigate to the User Assignment tab, and then click on the New button. Set the Organization to *, and the User/Contact field to Moses, and then save this information.
With this configuration, user ID Daniel will be able to log in to the system and work in all of the available organizations. Organization assignment is automatically provided for the All Access role because it has the Access all Orgs checkbox selected.
Assigning organization access to a user ID
Unfortunately, although user ID Moses has already been assigned to the Restricted Access role, he will still not be able to log in and access the system. This is because the Restricted Access role has the Access all Orgs checkbox deselected.
With this configuration, we need to manually assign organization access to this role. For our example, we will assign the Shirt and Dress organization to this role.
Perform the following tasks:
- Be sure that your active record in the Role tab of the Role window is Restricted Access. Navigate to the Org Access tab, set the Organization to Shirt, and then click on the Save button.
- While still on the Org Access tab, click on the New button, set the Organization to Dress, and finalize the task by clicking on the Save button.
The result is shown in the following screenshot:

Now, user ID Moses will be able to log in and access the system.
Working with the Access all Orgs option
If the Access all Orgs option is selected, your user ID will be able to access all of the organizations available in the client. If this option is deselected, you have two options for assigning organization access to a certain user ID:
- Select the Use User Org Access checkbox. This option will appear if you deselect the Access all Orgs option. You need to register the organization access through the Org Access tab in the User window.
- If the Use User Org Access checkbox is deselected, you can register an organization through the Org Access tab in the Role window.
Working with the Maintain Change Log option
To see the history of the data changes, launch another ADempiere client, log in with user ID Daniel, password 123456, using All Access as a role, and Shirt as organization. As this feature is enabled for all of the available ADempiere windows, we can practice by working in the Product window. Open this window and find the Standard product. For this product, perform the following activities:
- Change the UPC/EAN field to UPC-STD, and click on the Save button
- Once again, change the UPC/EAN field to UPC-STD001, and click on the Save button
Now, click on Record Info in this window. This will show you the information shown in the following screenshot:

Working with the Show accounting option
With this option selected (along with the Show Accounting Tabs option in Tools | Preference), you will be able to read, modify, and execute processes related to accounting. If this option is deselected, you will not be able to:
- Access accounting facts/GL journal entries in any of the ADempiere documents such as MM Receipt, AR Invoice, and so on. The Posted or Not Posted button will not be available in any of the documents.
- Access windows related to accounting (such as Accounting Fact Details, Account Combination, Account Element, GL Journal window, and so on).
- Access accounting configuration (such as the Accounting tab of Product, Business Partner, Cashbook, Bank window, and so on).
The last two types of access are basically configurable. When registering the tab as part of constructing the window in the Window, Tab & Field window, the tab has Accounting Tab attributes. With these attributes, you can define whether or not this tab will show information related to Accounting.
To unveil this configuration, launch another ADempiere client, and log in with user ID System, password System, and the role System Administrator. Open the Menu Application Dictionary | Window, Tab & Field window. In the upcoming Lookup Record window (search dialog window), enter Accounting Fact Details in the Name field and click on the OK button. In the Accounting Fact Details record, navigate to the Tab tab. You will see that the Accounting Tab checkbox is selected, as shown in the following screenshot:

With this configuration, and while the Show Accounting checkbox is deselected for your role, you will not be able to access this tab. Because this is the only tab available in the Accounting Fact Details window, you cannot access the window. Try to access this window by using user ID user and Sistematika Fashion, Ltd User as the role. The system will display a message such as With your current role and settings, you cannot view this information. Now, log off from user ID System.
Working with the Can Report option
By default, the Can Report option is selected. With this option, you can generate a report by clicking on the Report button for any window that has the reports feature. If this option is deselected, you cannot generate a report for these windows.
If the Can Report option is deselected, the user ID that is connected using this role will get the following error message while creating reports:

Working with the Can Export option
After print previewing our reports using the Print preview or Print button, if the Can Export option is selected, we will be able to export our reports into various file formats (such as XLS, PDF, and so on).
If this option is deselected, the Export button will not be available. Therefore, you cannot export your reports.
Accessing Info Window
ADempiere provides us with real-time information to assess product, business partner, account information, and so on. You will be able to control the availability of this information by selecting or deselecting the corresponding Info window in the Role tab of the Role window, as shown in the following screenshot:

For example, if you deselect the Allow Info BPartner checkbox, the Business Partner Info will disappear from the View menu.
Assigning Window Access
As described in the Assigning organization access to a user ID section, user ID Moses will be able to log in, select Restricted Access as the Role and Shirt as the Organization, and work in this environment. He can then start working with the available window.
"Available window? There is no window available in the main menu. I can not see any window after logging in!"
Yes, there is no window available while accessing the system by using the Restricted Access role. We have not yet registered the list of windows in the Window Access tab. In our example, we will register two windows for this role: Purchase Order and Material Receipt. This user ID then will have the rights to perform activities in both of these windows.
Ensure that you are in the Restricted Access record in the Role tab of the Role window. Navigate to the Window Access tab, and then enter and save the following information:
| Field | 1st data | 2nd data |
|---|---|---|
| Organization | * | * |
| Window | Purchase Order | Material Receipt |
| Read Write | selected | selected |
Launch another ADempiere client, and log in with the user ID Moses and use 123456 as the password. Set Restricted Access as the role, and Shirt as the organization. With a successful log in, you will see a menu such as the one shown in the following screenshot:

For the subsequent section, we need to enter sample Purchase Order data.
Open the Purchase Order window, and in the Purchase Order tab, enter and save the following information:
- Set the Target Document Type field to Purchase Order
- Set the Business Partner field to Hempel China Limited
- Set the Price List field to Purchase PL
- Set the Company Agent field to user
Leave the other fields unchanged. Navigate to the PO Line tab, and then enter and save the following information:
- Set the Product field to S Fabric
- Set the Quantity field to 100
Leave the other fields unchanged. Now, click on the Print preview button. It will perform nothing!
Identifying Process Access
Do you mean that user ID Moses, when connected using the Restricted Access role, cannot make a print of this document?
With the existing Restricted Access role configuration, the role does not have access rights to perform a purchase document print or print preview.
On launching your ADempiere client by using Run_Adempiere.bat when working with the Microsoft Windows operating system, there will be a small DOS prompt window created by default. This will contain a message such as the one shown in the following screenshot:

The system tells us that we Cannot access Process 110 with role: Restricted Access.
What is process 110?
To answer this question, we need to access the internal ADempiere configuration. Use the following procedure:
- Launch another ADempiere client, and log in with the user ID System, password System, and System Administrator as the role.
- Open the Menu Application Dictionary | Report & Process window.
- In the upcoming Lookup Record (search dialog) window, navigate to the Advanced tab, and set the Column to Process (ID), the Operator to =, and the Query Value to 110, as shown in the following screenshot:

Click on the OK button.
- After performing the above activities, you will be directed to a process having an identity of 110, which is a record that has Rpt_C_Order as its Search Key and Order Print as its process Name, as shown in the following screenshot:

- Now, log out from this ADempiere client.
With this information, we can register this process to the Restricted Access role.
Registering Process Access
In the available ADempiere client, log in with the user ID admin and Sistematika Fashion, Ltd Admin as the role, and then open your Role window. In the Role tab, ensure that your active record is Restricted Access.
Navigate to the Process Access tab, and then enter and save the following information:
| Field | 1st data | 2nd data |
|---|---|---|
| Organization | * | * |
| Process | Rpt C_Order_Order Print | Rpt M_InOut_Delivery Note / Shipment print |
| Read Write | selected | selected |
The second piece of information is to allow a user ID that is connected with the Restricted Access role, to print or print preview the document in the Material Receipt window.
Now, re-login with the user ID Moses and password 123456. Open the Purchase Order window and you can then print or print preview a document in this window.
Next, you can try to Complete this document. Again, it does nothing! No problem, we will show you how to allow user ID Moses to complete this document, in the subsequent sections.
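The deny-by-default behaviour seen so far (no login without organization access, no menu without Window Access, and the Cannot access Process 110 message) can be reproduced for review outside the client. The following is an added example, not code from the article or from ADempiere. It runs against a constructed in-memory SQLite miniature whose AD_* table and column names are assumed from ADempiere's naming; all IDs are constructed except process 110.

```python
import re
import sqlite3

# Constructed miniature of the access tables. The AD_* names are an assumption
# modelled on ADempiere's dictionary naming; confirm them in your own schema.
SCHEMA = """
CREATE TABLE AD_Org(AD_Org_ID INT, Name TEXT);
CREATE TABLE AD_User(AD_User_ID INT, Name TEXT);
CREATE TABLE AD_Role(AD_Role_ID INT, Name TEXT, IsAccessAllOrgs TEXT, IsUseUserOrgAccess TEXT);
CREATE TABLE AD_User_Roles(AD_User_ID INT, AD_Role_ID INT);
CREATE TABLE AD_Role_OrgAccess(AD_Role_ID INT, AD_Org_ID INT);
CREATE TABLE AD_User_OrgAccess(AD_User_ID INT, AD_Org_ID INT);
CREATE TABLE AD_Window(AD_Window_ID INT, Name TEXT);
CREATE TABLE AD_Window_Access(AD_Role_ID INT, AD_Window_ID INT);
CREATE TABLE AD_Process(AD_Process_ID INT, Name TEXT);
CREATE TABLE AD_Process_Access(AD_Role_ID INT, AD_Process_ID INT);
"""
# State before Process Access is registered; IDs are constructed except process 110.
DATA = """
INSERT INTO AD_Org VALUES (1,'Shirt'),(2,'Dress'),(3,'Org C (constructed)');
INSERT INTO AD_User VALUES (1,'Daniel'),(2,'Moses');
INSERT INTO AD_Role VALUES (1,'All Access','Y','N'),(2,'Restricted Access','N','N');
INSERT INTO AD_User_Roles VALUES (1,1),(2,2);
INSERT INTO AD_Role_OrgAccess VALUES (2,1),(2,2);
INSERT INTO AD_Window VALUES (1,'Purchase Order'),(2,'Material Receipt');
INSERT INTO AD_Window_Access VALUES (1,1),(1,2),(2,1),(2,2);
INSERT INTO AD_Process VALUES (110,'Order Print');
INSERT INTO AD_Process_Access VALUES (1,110);
"""
DENIED = re.compile(r"Cannot access Process (\d+) with role: (.+)")

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + DATA)
    return db

def login_choices(db, user):
    """(role, org) pairs a user can select at login, per the three org-access cases."""
    return db.execute("""
        SELECT r.Name, o.Name FROM AD_User u
          JOIN AD_User_Roles ur ON ur.AD_User_ID = u.AD_User_ID
          JOIN AD_Role r ON r.AD_Role_ID = ur.AD_Role_ID
          JOIN AD_Org o ON r.IsAccessAllOrgs = 'Y'
            OR (r.IsUseUserOrgAccess = 'Y' AND EXISTS (SELECT 1 FROM AD_User_OrgAccess x
                WHERE x.AD_User_ID = u.AD_User_ID AND x.AD_Org_ID = o.AD_Org_ID))
            OR (r.IsUseUserOrgAccess = 'N' AND EXISTS (SELECT 1 FROM AD_Role_OrgAccess x
                WHERE x.AD_Role_ID = r.AD_Role_ID AND x.AD_Org_ID = o.AD_Org_ID))
         WHERE u.Name = ? ORDER BY r.Name, o.Name""", (user,)).fetchall()

def role_grants(db, role):
    """Windows and processes registered for a role (table names are fixed, not input)."""
    q = ("SELECT t.Name FROM {0} t JOIN {0}_Access a ON a.{0}_ID = t.{0}_ID "
         "JOIN AD_Role r ON r.AD_Role_ID = a.AD_Role_ID WHERE r.Name = ? ORDER BY t.Name")
    return {t: [n for (n,) in db.execute(q.format(t), (role,))]
            for t in ("AD_Window", "AD_Process")}

def explain_denial(db, line):
    """Map the client's console message to the process that needs a grant review."""
    m = DENIED.search(line)
    if not m:
        return None
    pid, role = int(m.group(1)), m.group(2).strip()
    row = db.execute("SELECT Name FROM AD_Process WHERE AD_Process_ID = ?", (pid,)).fetchone()
    return {"role": role, "process_id": pid, "process": row[0] if row else None}
```

Calling `explain_denial(open_db(), "Cannot access Process 110 with role: Restricted Access")` names the role and the Order Print process, and `role_grants` shows that the role has no process registered until Process Access is added.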
Introduction to Document Action Access
In all of the ADempiere documents, such as Purchase Order, MM Receipt, AR Receipt, AP Payment, and so on, we can perform some actions for them. The standard actions available in the ADempiere system are listed (in alphabetical order) below:
| Number | Name | Description |
|---|---|---|
| 1 | <None> | No action |
| 2 | Approve | Approve this transaction |
| 3 | Close | Finally close this transaction. It cannot be re-activated |
| 4 | Complete | Generate documents and complete transaction |
| 5 | Invalidate | Invalidate Document |
| 6 | Post | Post transaction |
| 7 | Prepare | Check Document consistency and check Inventory |
| 8 | Re-activate | Reopen Document and Reverse automatically generated documents; You need to Complete the transaction after the change |
| 9 | Reject | Reject the approval of the document |
| 10 | Reverse - Accrual | Reverse by switching Dr/Cr with current date |
| 11 | Reverse - Correct | Reverse Transaction (correction) by reversing sign with same date |
| 12 | Unlock | Unlock Transaction (process error) |
| 13 | Void | Set all quantities to zero and complete transaction |
| 14 | Wait Complete | Wait Condition ok, Complete Document |
With all of these available actions, we can select two of the most commonly used actions in the ADempiere document, namely:
- Prepare
- Complete
These two document actions are used as a standard action when determining a document workflow. The Prepare action is used in the (DocPrepare) node, whereas Complete is used in the (DocComplete) node.
Registering Document Action Access
Here, we need to assign both Prepare and Complete document access for both the Purchase Order and MM Receipt documents to the Restricted Access role. With the available ADempiere client that is connected to user ID admin, and using Sistematika Fashion, Ltd Admin as the role, you can open your Role window. In the Role tab, ensure that your active record is Restricted Access.
Navigate to the Document Action Access tab, and then enter and save the following information:
| Field | 1st data | 2nd data | 3rd data | 4th data |
|---|---|---|---|---|
| Organization | * | * | * | * |
| Document Type | Purchase Order | Purchase Order | MM Receipt | MM Receipt |
| Reference List | Prepare | Complete | Prepare | Complete |
Now, re-login with user ID Moses and password 123456, and then open the Purchase Order window. Go to the newly-created purchase order document. When attempting to Complete this document, the option for Document Action will be as shown in the following screenshot:

Select Complete from the list, and then click on the OK button to finalize this activity.
Managing Form Access
If we need to allow the Restricted Access role to perform the import data activity, we can grant the Import File Loader form to this role. Using the existing user ID admin and the Sistematika Fashion, Ltd Admin role, you can open your Role window. On the Role tab, ensure that your active record is Restricted Access.
Navigate to the Form Access tab, and then enter and save the following information:
- Set the Organization field to *.
- Set the Special Form field to Import File Loader.
- Select the Read Write checkbox.
On re-logging in with user ID Moses and password 123456, the list of available menus should be as shown in the following screenshot:

To use the Import File Loader, you also need to give this role an access right to the relevant import window (for example, Import Product, Import Inventory, and so on). You can access the Window Access tab and register this window there.
>> Continue Reading Implementing Security in ADempiere 3.4: Part 2
About the Author :
Bayu Cahya Pamungkas
Bayu Cahya Pamungkas has experience working in various financial and manufacturing industries. He is currently employed as a functional consultant in both the financial and manufacturing domains for a leading proprietary ERP. He also works on the implementation of project management software for apparel industries. With his experience and background, he established his own consulting company and implements ADempiere for customers around the world. You can reach him on his blog at http://sistematika.web.id.