INTRODUCTION TO SECURITY
This Chapter describes the Security features in Compiere. All Companies have need for Security in their ERP/CRM applications.Compiere provides comprehensive, yet flexible security to meet your needs. Security is defined with increasing restrictions. If you think of it as a funnel, the user must pass through the first level before getting to the next level.
- Data Access Level is defined for Tables, Reports/Processes, Forms, Workflows and Tasks. It can be All, System, Client & System, Client & Organization, Client or Organization.
- Roles are assigned to Users and provides the default functional access. The values can be Organization, Client, Client & Organization or System. If a Role is not manual, the user will have access to all Tables, Reports/Processes, Forms, Workflows and Tasks where the Data Access Level corresponds to the Role Access Level.
- Client and Organization define the specific Clients and Organizations that a Role has access to.
- Function and Data defines more specific security by Table, Column and Record.
For example, if a Role does not have access to Table XYZ based on the Data Access Level defined, you cannot allow access to a record on that table based on function and data access.
Additionally, when defined Record Level Access, you can choose to include or exclude Dependent Entities. A Dependent Entity is a record which references the record you are defining security for.
For example, if you want to restrict access to a specific GL Account, you most likely do not want users to be able to generate a report or query the Accounting Fact or Accounting Balances tables. Details on how this is defined is described later in this chapter.
Note: Currently this functionality is available on in the Java Client.
The first level of Security in Compiere is Roles. When a user logs into Compiere, they do so for a specific Role. A single User may have many Roles. Once you log in, you are granted access based on the single Role that is selected. Roles define the first level of Security, the Organizations, Windows, Processes, Forms, Workflows and Tasks that a User can access. When you log into Compiere the menu is automatically trimmed based on the entities that Role has access to. The user does not see menu items that they do not have permission to access.
Roles also define the actions that a User can perform in the entities they have access to. These include Viewing Accounting Information, Reporting, Exporting, Locking, and Viewing Locked records.
The Role window can be accessed from the Main Menu.
We are looking at the record for Garden Admin. When a User logs in using this Role they have access to both Client and Organization level data. This means that they can enter reference data (Business Partners, Payment Terms etc.) and can also enter transactional data (Orders, Payments, etc.). A User Level of Client allows access to reference data but no transactional data and a User Level of Organization allows access to transactional data only.
Select the Manual check box if you will be modifying the default access for a Role. By default, Compiere will add Window Access, Process Access, Form Access and Workflow Access for new Roles based on the User Level selected. When Manual is not selected, Role access will be updated by the Migration Process or the Role Access Update Process. This ensures that the non-manual roles have access to any new Windows, Forms, Processes or Workflows. Access to any new entities would have to be manually added to any manual Roles.
Select the Show Accounting check box if this Role should have access to the Accounting Tab on windows, the Posted/Not Posted button on documents, and the Account Info window. Preferences (under Tools > Preferences) must also have Show Accounting Tabs selected. If the Show Accounting check box is not selected then the Show Accounting Tabs check box is deselected and disabled.
Select Show Customize Table to enable the Customize Table option in the windows grid component.
Select the Access all Orgs check box if this Role should have access to all Organizations. If this is selected, Compiere will ignore any records defined for this Role for the Org Access tab. However, if this option selected it may speed up the record retrieval if your Client has a large number of Organizations.
Select an Organization Tree to be used when defining Organization access for this Role. This allows you to select a Summary Level Organization as opposed to individual Organizations.
Select the Use User Org Access if you want to define the Organizations that can be accessed at the User level as opposed to the Role level. This allows you to define a generic Role and then multiple Users, each having access to the desired Organizations. The other option would be to create unique Roles for each unique Organization access.
Select the Can Report check box if this Role should have the ability to execute reports.
Select the Can Export check box if this Role should have the ability to export data. A Role must have the ability to Report to be able to Export.
Select the Personal Lock check box if this Role can "Lock" records so no other Role can access them.
Select Maintain Query Log to maintain a log of all queries.
Select the Personal Access check box if this Role can access all Locked records regardless of the Role that locked the record.
Select the Override Return Policy check box to allow user to override if the policy time frame is exceeded.
Select the Override Credit Limit check box to provide access to a user to override the credit limit set at business partner level.
All of the information on the Role Tab is also found on the Role Tab of the Role Access window discussed in the following section.
Select the Org Access tab to define the Organizations this Role will be able to access.
This tab defines the Organizations a User who has logged in with this Role may access.
Toggle to the single record view by clicking the data/toggle grid on the toolbar.
To add access to an Organization select New Record and then select the Organization and select the Active check box.
If you want Users in this Role to be allowed to view data for this Organization, but not insert or update, then select the Read Only check box.
Note: The Admin Role defined in the Initial Client set up will automatically be granted access to any new Organization added for the Client.
Important: If the Use User Org Access check box has been selected, then any data entered on this tab is ignored.
Select the User Assignment tab to modify or view the Users for this Role.
To assign a User to this Role, simply enter or select the desired User. You may also assign a User to a Role in the User window.
The remaining tabs list all of the Windows, Processes, Forms Workflows, and Tasks available in Compiere. The functionality, from a Security perspective is the same for each of the tabs is the same so we will look only at the Window Access. Keep in mind that if the Manual check box is not selected in the Role window, then any new Windows, Processes, Forms, Workflows, and Tasks added during Migration, will automatically be added to the Roles when Role access Update is run. If the Manual check box has been selected, you must add this yourself after running a Migration.
A list of all Windows in Compiere is displayed. Let's look at the GL Journal window. Move to single record view.
If you have defined your Roles as Manual, you will need to add access to each desired window by selecting the Window and the Active check box. You may also restrict access to "Read Only" by de-selecting the Read Write check box.
For more information on Roles, refer to the Implementation and Basic Settings Chapter.
ROLE DATA ACCESS
The second level of Security in Compiere is Role Access. For a given Role and its privileges, you can further refine the security be defining access for specific tables, columns or records. For example, perhaps there are specific Users who may only create Orders with Payment Terms of Immediate. They are not allowed to offer Credit Payment Terms. Or, you may want to prevent Users from using specific accounts in GL Journal or to see the balances for these accounts. This can all be accomplished using Role Data Access.
The Role Data Access window can be accessed from the Main Menu.
The Role tab of the Role Access window contains a subset of the fields found in Role discussed in the previous section. This record can be maintained in either window. New Roles must be defined in the Role window to grant access to Organizations and entities.
Click on the Table Access tab to define access to specific tables.
Select a Table from the drop down list box. Select the Active check box to indicate that this security rule is active.
Select the Exclude check box to indicate that this security rule is to prevent the selected type of access to this table. If you de-select this check box this specifies that this security rule is to allow the selected type of access to this table. If you have one table defined with include access then all other tables not specifically included are excluded. In most instances, the Exclude check box will be selected.
Select an Access Type of Accessing, Exporting, or Reporting to indicate the type of access for this security rule.
If you select Accessing, the Read Only check box displays. Select this check box if you want the user to be able to read records on this table but not insert, update or delete records.
If you select Exporting, the Can Export check box displays. Select this check box if you want the user to be able to export records on this table. Leave this box unselected if you want to restrict exporting from this table.
If you select Reporting, the Can Report check box displays. Select this check box if you want the user to be able to report on records on this table. Leave this box unselected if you want to restrict reporting from this table.
Note: If you use Table Access to allow Reporting or Exporting access, the Can Report and Can Export check boxes must be selected for the Role.
Important: A User must have report access on a table to have export access on a table.
Click on the Column Access tab to define access to specific columns.
Select a Table and Column that this column access will apply to. Select the Active check box to indicate that this security rule is active.
Select the Exclude check box to indicate that this security rule will prevent access to this column. As with the Table Access, de-selecting the Exclude check box will indicate that this security rule will allow access to this column. Also, all other columns for all other tables unless explicitly allowed in this window. In most case this check box will be selected.
Select the Read Only check box to indicate that Users for this Role will be able to see this column but will not be able to update it.
Click on the Record Access tab to view and modify access to specific columns.
In the Record Access tab you can modify existing Record Access Security Rules.
First we will look at how the records that are displayed on this tab are created.
Note: This method of defining record level security is not yet available in Compiere Web User Interface. This feature is currently only available when using the Compiere Java Swing User Interface. The Security defined here is enforced in both user interfaces.
For this example, we want to restrict access to Payment Terms. For this Role we want to allow users access to just the Payment Term Immediate. We want them to be able to select only the Payment Term Immediate for any documents they enter. We also want to allow them to see all documents (regardless of the Payment Term).
Open the window and display the record you want to restrict access.
The Payment Term Immediate is displayed.
While holding down the CTRL key, select the Personal Lock button on the toolbar. A dialog box is displayed.
Select the Role this Record Access Security Rule is to be applied.
Select the Active check box to indicate this Security Rule is active.
Select the Exclude check box to restrict access to this specific record. If the Exclude check box is not selected then access to this specific record is allowed and access to all other records on this table is restricted (unless they are specifically included). In our example we want Users in this Role to have access to just this specific Payment Term so the Exclude check box remains unselected.
Select the Read Only check box if this Role should not be allowed to update or delete this record.
Select the Dependant Entities check box if access should also be restricted for entities which use this record. In our example we leave this unselected as we want users to be able to see Orders, Invoices, etc. where any Payment Term is used.
Select the OK button to save the record.
If we now log in as this user and enter a Sales Order the only payment term available in the drop down list box is Immediate. They can see Sales Order with other payment terms but there access is restricted to only Immediate.
Let's look again at the Record Access tab of the Role Access window.
Most of the fields are the same as on the Record Access dialog.
The Table displays the table for which this Record Access Security Rule is defined.
Select the Record ID button to zoom to the record for which this security rule is defined.
If you want to de-activate this Record Access rule, de-select the Active check box.
There are two types of Users in Compiere. One User identifies individuals associated with a Business Partner. The other type of User is a Compiere User. This User has a Role associated with them and accesses Compiere directly.
The User window can be accessed from the Main Menu.
The User tab defines a User or Contact in Compiere.
For more information on Users, refer to the Implementation and Basic Settings Chapter.
Select the User Role tab to view or update the Roles assigned to this User.
This User is assigned to a single Role called Stores.
You may add access to other Roles in this tab by selecting New Record and selecting the desired Role.
Select the User Substitute tab.
This tab is currently for informational purposes only.
Enter a Name and Description, if desired.
Select the User who is a Substitute for this User.
Enter a Valid from and Valid to date range to indicate the valid time-frame for this Substitute.
The Org Assignment tab is not used at this time.
Select the Org Access tab to define the Organizations this User has access.
In this tab you may define the Organizations in which this User may access. The data entered here is used only if the Use User Org Access check box has been selected for a Role that this User is assigned to, otherwise it is ignored.
When defining access to an Organization, select the posting Organization or Summary Organization. If a Summary Organization is selected then the User has access to all of its children.
The following describes an Organization hierarchy. The tree, Store 1, Store 2, and HQ are transaction or posting Organizations and All Stores and All Organizations are summary level Organizations. Summary level Organizations may not be used in documents.
Next, we have a Role called Stores.
The important fields to note are found on the Organization Tree, which is populated with the name of our tree and the Use User Org Access check box has been selected.
Next, we will look at the All Store User.
This User has been assigned a Role of Stores. Because the Role indicated that Organization access will be defined at the User level, we move to the Org Access tab.
Here we have indicated that this User will have access to All Stores. Based on our tree displayed above, this User will have access to documents and records for Store 1 and Store 2 but not for HQ.
The same could be accomplished by adding two records to the Org Access tab, one for Store 1 and one for Store 2. Or we could have defined the Organization access at the Role level.
What this functionality provides is the following: Compiere may be used in a retail environment with many Organizations or Stores and many users. The access to Windows, Forms, Processes, etc. is the same for most Users, the only difference being the Organizations they should access. You can define a single Role and indicate that Organization access will be defined at the User level. Then for each User, you define the Organization in which they may access. The other option would have been to create unique Roles for each User.
Another feature is the ability to reference Summary Organizations for accessing data. This is especially attractive if there are many Organizations as you may reference the Organization Tree that has the desired summary levels and reference the Summary Organization as opposed to the individual Organizations. This is also a benefit if the hierarchy changes, as you merely have to update the Tree and do not have to remember to update individual Roles or Users.
ROLE ACCESS UPDATE
Role Access Update is a process that updates the access rights of a role or all roles of a client to windows, forms, processes and workflows. It should be run when you add a new Menu item (e.g. Window, Form, Workflow, Report or Process), or if you alter the ownership (e.g. from all Organizations * to a specific Organization ownership).
Note that a Role is only updated if it is not marked as manual.
To execute the 'Role Access Update' process, click on Role Access Update from the Main Menu. The icon indicates that this is a Process.
Select a Tenant to use for running this process. If System is selected all Role for all Clients (except those indicated as Manual) will be updated.
Select a Role or set the Role to blank to update all Roles for the Client.
When the process has completed, a message is displayed indicating the records updated.
DISPLAYING SECURITY ROLES
If you are defining Security Rules for a Role and are trying to troubleshoot them the first step is to understand how the system interprets the rules that have been defined.
First, remember that the access allowed at the Role level (Reporting, Exporting, Accounting Tabs, Windows, etc.) is the highest level.
Second, you can see the rules defined for a Role in a concise manner by opening the Preferences window (Tools/Preferences from any window) in the Java Client or by clicking on the User:Name field at the upper right in the Web UI.
Select the Role button to display the Security Rules for this Role.
This displays the following information for Role of test role.
This Role cannot Export.
This Role can Report.
This Role has access to and may defined new records that are shared by all Organizations *.
This Role has access to and may define new records for Organization HQ.
This Role can read the Bank table but cannot update it.
This Role does not have access to the Charge table.
This Role can read the Currency Code on GL Journal but cannot update it.
This Role cannot see the NAIC/SIC field on Business Partner.
This Role cannot see the Control Amount field on GL Journal.
This Role has access to the Payment Term where record id = 105 (Immediate) but can see records where other Payment Term are used.
This Role does not have access to the Account where record id = 518 (Accounts Receivable Trade). In addition, it cannot see any records which contain this account.
Personal Lock allows a User to restrict access to a specific record. If a Personal Lock is applied only that User and those User's whose Role has Personal Access enabled have access to the record. This restriction is over and above any security rules that have been defined.
The lock in the open position indicates that this record is open to all users.
The lock in the closed position indicates that this record is open to only the user who locked the record and those users whose role has Personal Access enabled.
Note: The Personal Lock feature is not yet available in Compiere Web User Interface. This feature is currently only available when using the Compiere Java Swing User Interface.
The Reset Password process is used to change your own Password, or if you have an Administrator Role, you can change other user's Passwords.
The change a Password, execute the Reset Password process from the Main Menu. The icon indicates that this is a process.
The Reset Password dialog appears. With this process, you may change User Passwords and User E-mail settings.
Select the Start button to initiate the process.
Select the User/Contact in which you would like to Reset a Password or change e-mail settings.
Enter the Old Password for this User/Contact. If you are logged into the system with an Administrator Role then you do not need to enter the Old Password (unless you are changing your own Password).
Enter the New Password for this User/Contact.
Enter a New e-mail Address, New Email User ID, and New e-mail User Password if desired.
Select the OK button to start the process.
When the process has completed, the following message dialog will be displayed.
The message dialog indicates that the process has been successfully completed.
SECURITY HINTS AND TIPS
Plan and document what you want to accomplish with security.
Start of simple, refine and add complexity as you move forward.
Roles define the first level of Security. If a Role does not have access to a Window it does not matter if the Role Access allows access to the table.
It is suggested that you create a new Role when experimenting with Security settings. Once you are satisfied with the settings, assign Users to this Role. You should keep the Roles created when you create a new Client but change the password and restrict access.
If a Role is defined to not allow Reporting or Exporting specific table security defined in the Role Access is ignored.
A Role must have Reporting access to be able to Export.
Security settings are cached. If you change the settings either re-login or reset the cache.
You may only "Lock" data in which you have access.
Include is the most restrictive access. De-selecting the Exclude check box specifies that all records not explicitly included are excluded.
If you are restricting access to a column so it is read only, make sure that it is not required or that there is a default value so users can enter new records.
If you restrict access to a required field, ensure it has a default value.
You cannot exclude access (e.g. not display) required fields.
If you want to restrict access to sensitive data (e.g. specific GL Accounts), define Record Level Access Security for the specific Accounts. Select both the Exclude and Dependant Entities check boxes. Users of the Role will not be able to see the specific account in the Account Element window. Nor will they have access to it in Account Fact Balances, Details, or be able to select the Account in Queries or Reports.
You must have the Personal Lock enabled if you are defining Record Access Security Rules.
User and Roles
This feature is used to generate a report with the list of users and the roles assigned to them. Navigate to Main Menu > System Admin > User & Roles to generate a report.
For the detailed steps, please see the document for User and Roles feature.