Implementing Security in ADempiere 3.4: Part 2

by Bayu Cahya Pamungkas | December 2009 | Open Source

Read Part One of Implementing Security in ADempiere 3.4: Part 1 here.

Recording access security rules

Currently, with our configuration, there are two warehouses available in the Dress organization. These are:

  1. 1st Dress W/h
  2. 2nd Dress W/h

By default, all users that have access rights to the Dress organization will be free to access these warehouses.

Suppose we have a requirement that user Moses may access 2nd Dress W/h only. Is that possible?

ADempiere has a feature to block users from accessing information in certain records. With this feature, the locking process is applied based on a Role, and not on a certain user ID.

Enabling Personal Lock

There are some prerequisite activities required in order to be able to block access to certain records. This activity defines which Role has the rights to block access.

In our example, we will give the default Sistematika Fashion, Ltd Admin role this right. Log in with user ID admin, select Sistematika Fashion, Ltd Admin as the role. Open the Role window, and access the Role tab. Point your active records to Sistematika Fashion, Ltd Admin, and then find and select the Personal Lock checkbox, as shown in the following screenshot:

[Screenshot: Role window with the Personal Lock checkbox selected]

Once the personal lock is enabled, if you are logged in with user ID admin and have Sistematika Fashion, Ltd Admin as the active Role, every ADempiere window you open will show an additional special Private Record Lock toolbar button, as shown in the following screenshot:

[Screenshot: the Private Record Lock toolbar button]

Blocking access to certain records

With the previous requirement, we will block the user ID (which connects with the Restricted Access role) from accessing the 1st Dress W/h warehouse.

This can be done by using the following procedure:

  1. Open the Menu | Material Management | Material Management Rules | Warehouse & Locators window.
  2. In the Warehouse tab, find your 1st Dress W/h record. Press the Ctrl key, and then click on the Private Record Lock button at the same time.
  3. In the upcoming Record Access Dialog confirmation window, set the following information:
    • Set the Role field to Restricted Access (pick from the options available)
    • Select the Active checkbox
    • Select the Exclude checkbox

The following screenshot shows the completed window:

[Screenshot: the completed Record Access Dialog window]

Finalize the process by clicking on the OK button.

Log in with user ID Moses and password 123456, using Restricted Access as the role, and Dress as the organization. Open the Purchase Order window, and try to create a new document. Take a closer look at the available options in the Warehouse field. Now, it will only list 2nd Dress W/h, as shown in the following screenshot:

[Screenshot: Warehouse field listing only 2nd Dress W/h]

Restoring access to certain blocked records

There are two ways to restore user rights to certain blocked records.

First, if you know the blocked records and the Role to which these records are blocked (in our case, 1st Dress W/h with Restricted Access), then you can open the Warehouse & Locators window, find your 1st Dress W/h record, press the Ctrl key, and then click on the Private Record Lock button. In the upcoming Record Access Dialog confirmation window, make sure that you set the Role to Restricted Access, and then click on the Delete record button.

The Delete record button is a green recycle button on the right-hand side of the Dependent Entities checkbox.

Second, you can open the Menu | System Admin | General Rules | Security | Role Data Access window. Select the role that needs to be maintained in the Role tab. In our case, this is the Restricted Access role.

Navigate to the Record Access tab. This tab will contain all of the record restriction configuration. This is a sample record format, which contains blocking information for certain records, as shown in the following screenshot:

[Screenshot: sample record in the Record Access tab]

Click on the Record ID button, to check what kind of record information is currently blocked. On confirmation, you can press the F3 key to delete this record, and the access rights to this information will be restored.

Using Dependent Entities

With the previous record access lock in place, a user connected to the ADempiere system using the Restricted Access role cannot use 1st Dress W/h as the target warehouse when working with a new document (such as a Purchase Order, a Material Receipt, and so on). However, they will still be able to access any existing document that uses 1st Dress W/h as part of its warehouse information references.

If you need to hide or restrict access to any document that has 1st Dress W/h as part of its document information, you can select the Dependent Entities checkbox.

Working with Role Data Access in detail

In the Menu | System Admin | General Rules | Security | Role Data Access window, we can define access rights on both the ADempiere database tables and columns that are registered in the ADempiere Application Dictionary. We will elaborate on a sample use of this data access in the subsequent sections.

Restricting Table access

Suppose that you need to grant access to a role that can only read or view the Material Receipt window and cannot add or alter any information in this window. With User ID admin and using Sistematika Fashion, Ltd Admin as the role, you need to perform the following steps:

  1. Find the document's target table. You can get this information by opening the Material Receipt window and clicking on Record Info. In this case, the table name is M_InOut.
  2. Open the Role Data Access window, set your target role (for example, Restricted Access) in the Role tab, and then navigate to the Table Access tab. Enter and then save the following information:
    • Set the Table field to M_InOut (on the screen, it will show as M_InOut_Shipment/Receipt)
    • Select the Exclude checkbox
    • Set the Access Type field to Accessing
    • Select the Read Only checkbox

With this configuration, if the user is connected to the ADempiere system using the Restricted Access role, on opening their Material Receipt window they will have read-only access and will not be able to alter or add any information.

Restricting Report access

On its own, the Can Report option controls whether a role is able to create a report, and unfortunately, this configuration applies to all of the available windows.

With the combination of the Can Report option and restricting report access, we have the option to give report access by first authorizing access to all of the available reports, and then restricting access to certain selected reports.

We will use this approach. Here, we will show you an example wherein a user ID connected using the Restricted Access role will be unable to access the Material Receipt report only. For this requirement, using user ID admin and Sistematika Fashion, Ltd Admin as the role, you need to:

  1. Access the Role tab in the Role Data Access window. Ensure that your active record is Restricted Access.
  2. On the Role tab, select the Can Report option.
  3. Navigate to the Table Access tab, add and then enter and save the following information:
    • Set the Table field to M_InOut (on the screen, it will show M_InOut_Shipment/Receipt)
    • Select the Exclude checkbox
    • Set the Access Type field to Reporting
    • Deselect the Can Report checkbox (this option will be available if the Access Type is set to Reporting)

[Screenshot: Table Access tab with the Reporting restriction]

Restricting Export access

So far, if user ID Moses is connected using the Restricted Access role, he can process a report, print preview, or print the Purchase Order data.

"Okay, this role has rights to create a report, print preview, or print Purchase Order data through the Purchase Order window. For security reasons, could we ensure that the user ID connected to the system using the Restricted Access role cannot export this report?"                          

Yes, this is possible with ADempiere. You can achieve this by carrying out the following steps:

  1. Access the Role tab in the Role Data Access window. Ensure that your active record is Restricted Access.
  2. In the Role tab, select the Can Export option.
  3. Navigate to the Table Access tab, and then enter and save the following information:
    • Set the Table field to C_Order (on the screen, it will show as C_Order_Order)
    • Select the Exclude checkbox
    • Set the Access Type field to Exporting
    • Deselect the Can Export checkbox (this option will be available if the Access Type is set to Exporting)

If the user is connected to the ADempiere system using the Restricted Access role, when making a report and print previewing the document in the Purchase Order window, the Export button will not be available.


Restricting Column Access

Well, what we need is just to make sure that this role cannot alter the Purchase Order's Date Ordered only. We need anyone who is connected with this role to use a default Date Ordered.

If this configuration should be applied to the Restricted Access role, you can do this by carrying out the following procedure:

  1. Identify the table name of the targeted column with the Record Info.
  2. Open the Role Data Access window, set your targeted role in the Role tab, and then go to the Column Access tab. Enter and then save the following information:
    • Set the Table field to C_Order (on the screen, it will show as C_Order_Order)
    • Set the Column field to DateOrdered (on the screen, it will show as DateOrdered_Date Ordered)
    • Select the Exclude and Read Only checkboxes

After these changes, the user ID connected with this role will not be able to alter the Date Ordered field. The system sets this field as read-only information, as shown in the following screenshot:

[Screenshot: Purchase Order window with a read-only Date Ordered field]

If you have not selected the Read Only checkbox field, then this Date Ordered field information will completely disappear, or will be hidden in the document.
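The Table Access and Column Access settings from the preceding sections combine in a way that is easier to review as code. The following is an added example, not ADempiere's own code: a simplified Python model of the rules exactly as this article describes them, with hypothetical class and function names, and a constructed sample mirroring the Restricted Access role.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TableRule:
    table: str
    access_type: str         # "Accessing", "Reporting" or "Exporting"
    exclude: bool = True     # the article only configures Exclude rules
    read_only: bool = False  # used by Accessing rules
    allowed: bool = False    # Can Report / Can Export checkbox on the rule

@dataclass(frozen=True)
class ColumnRule:
    table: str
    column: str
    exclude: bool = True
    read_only: bool = False

@dataclass(frozen=True)
class Role:
    name: str
    can_report: bool = False  # role-level switches on the Role tab
    can_export: bool = False
    table_rules: tuple = ()
    column_rules: tuple = ()

def table_writable(role, table):
    """False when an excluding Accessing rule marks the table read-only."""
    return not any(r.exclude and r.access_type == "Accessing" and r.read_only
                   and r.table == table for r in role.table_rules)

def output_allowed(role, table, access_type):
    """Reporting/Exporting: role-level switch first, then per-table exclusions."""
    role_flag = role.can_report if access_type == "Reporting" else role.can_export
    blocked = any(r.exclude and r.access_type == access_type and not r.allowed
                  and r.table == table for r in role.table_rules)
    return role_flag and not blocked

def column_state(role, table, column):
    """'editable', 'read-only', or 'hidden' (Exclude without Read Only)."""
    for r in role.column_rules:
        if r.exclude and (r.table, r.column) == (table, column):
            return "read-only" if r.read_only else "hidden"
    return "editable"

# Constructed sample: the Restricted Access role as configured in this article.
RESTRICTED = Role("Restricted Access", can_report=True, can_export=True,
    table_rules=(TableRule("M_InOut", "Accessing", read_only=True),
                 TableRule("M_InOut", "Reporting"),
                 TableRule("C_Order", "Exporting")),
    column_rules=(ColumnRule("C_Order", "DateOrdered", read_only=True),))
```

Because reporting and exporting are granted at role level and then withdrawn per table, any table without its own rule stays reportable and exportable for the role, which is the first thing to check when reviewing such a configuration.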

Obscuring information

When working with a system that involves many people, we need to make sure that sensitive data, such as a user ID's password information, and financial information such as credit card numbers, is secure.

As an ADempiere standard feature, the system has a mechanism to obscure information. We will elaborate on how ADempiere accomplishes this in the following sections.

Enabling the encrypted feature

When we interact with the Menu | System Admin | General Rules | Security | User window, we can define the user ID information, including the Password. By default, the Password field does not show the actual password characters. The information in the Password field will be as shown in the following screenshot:

[Screenshot: User window with the Password field characters hidden]

We will now take a look at the Window, Tab & Field window to understand how ADempiere makes this work:

  1. Log in with user ID System, password System and using System Administrator as the Role. Open the Menu | Application Dictionary | Window, Tab & Field window. In the upcoming Lookup Record (search dialog) window, enter User in the Name field. With this activity, we will check the User window configuration.
  2. In the Window tab, ensure that your active record has User in the Name field, and Maintain Users of the system in the Description field.
  3. Navigate to the Tab tab. As per the default configuration, you are directed to the first of the eight available records in this tab (which displays User Contact in the Name field).
  4. Navigate to the Field tab. Here, there are many fields available, which construct your User Contact tab. Find your Password record, and click on the Grid Toggle button to show the detailed configuration for this field. Here, you will have the Encrypted checkbox selected, as shown in the following screenshot:

[Screenshot: Password field configuration with the Encrypted checkbox selected]

With this configuration, the system tells us that any information entered in this field should be encrypted, and you will not be able to see the characters entered.

Deselect the Encrypted checkbox, and save your changes. Log in with the user ID admin, using Sistematika Fashion, Ltd Admin as the role. Open the Menu | System Admin | General Rules | Security | User window. Select the Password field in the User Contact tab. Now in the User Contact tab of the User window, the Password field will appear as plain text, as shown in the following screenshot:

[Screenshot: User window with the Password field shown as plain text]

Working with the Obscure feature

There is another option for obscuring information. Below the Encrypted checkbox, there is an Obscure field available. Here, you can select an option from the four available methods, as shown in the following screenshot:

[Screenshot: the Obscure field with its four available options]

If you select Obscure AlphaNumeric but last 4 as your option, then the system will not obscure the last four characters when entering any data, but will obscure the rest. In this case, your admin user ID's Password field will appear as *dmin. You can try any of the other available options that suit your needs.

You need to deselect the Encrypted checkbox when using the Obscure option.
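How much an obscured field still reveals depends on the length of the value, which matters when choosing between Encrypted and Obscure for a field. The following added example (not ADempiere's code) models the Obscure AlphaNumeric but last 4 behaviour described above; the `keep_first` and `digits_only` parameters are assumptions that generalise it, since the article does not name the other three methods, and all sample values are constructed.

```python
def obscure(value, keep_last=4, keep_first=0, digits_only=False, mask="*"):
    """Mask characters except the first/last few; separators stay as typed.

    Defaults model "Obscure AlphaNumeric but last 4" as the article describes
    it. keep_first and digits_only are assumed variants, not taken from it.
    """
    n = len(value)
    out = []
    for i, ch in enumerate(value):
        in_visible_zone = i < keep_first or i >= n - keep_last
        maskable = ch.isdigit() if digits_only else ch.isalnum()
        out.append(ch if in_visible_zone or not maskable else mask)
    return "".join(out)

def exposed(value, **options):
    """Return (readable, total) counts of alphanumeric characters after masking."""
    masked = obscure(value, **options)
    total = sum(ch.isalnum() for ch in value)
    readable = sum(ch.isalnum() for ch in masked)
    return readable, total

if __name__ == "__main__":
    # Constructed sample values: a short password, a 4-character PIN,
    # and a well-known test card number.
    for sample in ("admin", "1234", "4111 1111 1111 1111"):
        readable, total = exposed(sample)
        print(f"{obscure(sample)!r}: {readable} of {total} characters readable")
```

A value of four characters or fewer is displayed in full, and a five-character password such as admin keeps four of its five characters readable, so this method suits long identifiers such as card numbers better than passwords.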

Summary

In this article, we have learnt how to implement security in ADempiere. We started with a discussion on how to create a new user ID in the system. With the new user ID available, we assigned a role.

When creating the role, we explained the important options, such as accessing all organizations, maintaining a change log, and showing accounting and other available attributes. We continued these activities and saw examples of how to grant access to the Info Window, Window, Process Access, Document Action Access, and Form Access.

We elaborated on how to restrict access to a certain record, and introduced you to table, report, export, and column access configuration. Finally, we showed you how ADempiere obscures information.


About the Author


Bayu Cahya Pamungkas

Bayu Cahya Pamungkas has experience working in various financial and manufacturing industries. He is currently employed as a functional consultant in both the financial and manufacturing domains for a leading proprietary ERP. He also works on the implementation of project management software for apparel industries. With his experience and background, he established his own consulting company and implements ADempiere for customers around the world. You can reach him on his blog at http://sistematika.web.id.
