I just realised this and have to draw your attention to it.
The current user permission is seriously flawed.
I tested with a procurement officer user who is supposed to have access only to create Suppliers and purchase orders and noticed the flaw.
The procurement officer is able to generate a spend money transaction even though he has no bank or cash access by duplicating the spend money transaction he is allowed to view.
He is also able to edit and update records Purchase Invoices transactions already showing in the Supplier's records even though he doesn't have any permission to do so.
Same applies to Customers, and employees, a user having no access to pay slips can still duplicate or edit pay slips from the employees tab. I haven't taken my time to check everything, but I believe you know the right places to check.
I believe the permissions should be specific to the tabs and not generalized. I may want my Procurement officer to be able to View, Create, and Update and delete things under suppliers and purchase orders but only need him to see Purchase invoices and not be able to do anything to it.
So in the table below I have elaborated on the permission controls procedure that will solve the current permission control weakness.
I have come across similar complaints before; I just don't remember the user or the topic title.
I don't know if you have already talked about improving it or if there is a way out.
I agree that if you give access just to Suppliers and Purchase Orders, users should not be able to access purchase invoices.
However, there are at least a dozen similar flaws I can think of right now, and to some businesses these flaws are actually "features" they rely on.
The current implementation of user permissions is naive in a sense that it just restricts access to tabs. What I will need to implement at some point is to restrict access to columns within the tabs based on user permissions.
Could you please kindly consider or add a (Create Only) permission?
Adding Create Only, like (View Only), might be another solution that could solve maybe most of the users' problems. This permission will give the restricted user only the ability to create a Voucher, which must prevent him from accessing other tabs, and only one option will be available: Create.
Also, since most of the users were complaining that restricted users are able to view vouchers they don't have the authorization to view, I think adding a Create Only permission will solve the majority of this problem.
@abdulbari yes, if a user can only create, he can't view or edit vouchers, and it will prevent him from making duplicate copies and/or editing data.
But you may want a user who can create, edit, view and delete transactions with Payslips but only create sales invoices. How is that possible? The current feature sets these privileges in general terms, so you can't set the user to be able to create and view in the Customer tab and create only in the invoice tab.
I hope the Create Only permission will be considered in the improvement plan, because it is needed in some tabs like the Expense Claim tab, and other tabs, if the user is authorized only to create a Voucher.
It would also help to have a select all on restricted users. This way you can give "view" or "create" access for a user to all modules and reports in a single click. It will also help if you need all but one module for a user. You can select all and just deselect the one you don't need.
Hello @lubos I'm following up on the user permission improvements. I would love to deploy Manager on our company network and get other users onto the system to reduce my workload. As of now there is no way I could do that because people will be messing things up.
I just want to know your progress so far on improving the permissions and user activity log and the new ideas you have on the permissions in Manager.io for me to plan my activities for the rest of the year.
I have gone through the above exchange of opinions relating to permissions for limited access users.
As I see in one of the conversations above, someone mentioned one of the permissions being only "CREATE", just like only "VIEW".
I felt the necessity of an only CREATE permission because I may not like the user to have a look at all the transactions for whatever reason. One of the reasons being privacy.
However, Manager just brushed aside my request saying with CREATE, it must be VIEW too. But, I believe, if only VIEW is available then, it should be no problem to add limited user permission of only CREATE.
It should work like this:
Open create >> Input information/data >> CREATE (save) >> back to create screen
Hope @lubos would consider to listen to our views and provide us with this immensely useful feature for privacy.
How does the user that has create permission know that it inserted the right data? It must have view permission also. Maybe there is a need to add an additional permission called (limited view), only able to review one time only what transaction is created, not the list, but that is not that convenient.
My other suggestion would be having the transaction tagged so it is only viewable in the listing by the creator of the transaction (limited view permission), the administrator, and users who have the full view permission.
We have to remember you have to view before you can print.
To me every user who creates must be able to view as well, but another could be made to view but not create, or edit or clone or delete anything.
Sounds like clone permission settings.
Sounds to me like complexity. Best method is to set action permissions on tab levels as suggested earlier. So some users could view only in some tabs, but create and view in other tabs, and create, view, edit, clone and delete in another. Taking this to the document level will be too deep and may have programming challenges.
I know it is very complex programming, but this is the ultimate user assignment feature that disallows an unauthorized user/employee from seeing the full listing; they are only able to view what they have created. Unless, of course, they've been given full authorization to that tab. I doubt it will be implemented soon, but this is the one I have in mind if the software user is a medium to large size corporation.
This also allows narrowing down which entries they have created. It is easy if the administrator is able to impersonate the user. Indirectly, it makes the audit trail easy, I believe.
Yes, "cloning permission" is also known as "inherit permission". I learnt it from a customer relation management webapp.
Not necessarily - "cloning" in Manager means creating a new transaction or object using an existing transaction or object as a model. Once cloned, the new transaction or object has a separate identity which can then evolve differently from the parent object.
Inheritance is generally persistent, i.e. if the permissions on the parent object are changed, then the new object will also acquire the changes.
@Abeiku & @lubos The user suggestion I made can be done with little changes in the software. My suggestion is intended to work this way, please take a look. Supposing I gave the permission to the user to make only "SALES INVOICE", the screen/page he may go to would be in the below scenario.
First, he clicks the Sales Invoice Tab, then he can see just this page
I understand what you are suggesting perfectly and it would be the best fix. But my fear is that this may call for deeper reprogramming and may delay the fix.
Currently, if you don't have permission to do something (e.g. create or receive money), you could do all the editing or entry, but the create or update button to finalise the move would be inactive, so you wouldn't be able to create a transaction or save any changes to transactions in the application even if the buttons are there. I think it is enough control. It will all depend on what will be easier to implement if the programmer decides to do the fix.
I'm working on a new API which is cleaning up many aspects in Manager.
When the API is released, as a side-effect, a user not having access to the Payslips tab won't be able to access them through the Employees tab.
A lot of these leaks will be plugged.
When leaks are plugged, we can see if it's needed to extend user permission system further (perhaps having a grid where actions can be set per tab rather than globally).
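
Added example, not from the thread and not Manager's code: a sketch of the per-tab action grid discussed above, where the decision is made on the type of record being touched rather than on the tab the user arrived through. The record-type names, the two sample grids and the function names are assumptions made for illustration.

```python
from enum import Flag, auto

class Action(Flag):
    NONE = 0
    VIEW = auto()
    CREATE = auto()
    UPDATE = auto()
    DELETE = auto()

FULL = Action.VIEW | Action.CREATE | Action.UPDATE | Action.DELETE
# Cloning reads an existing record and writes a new one, so it needs both.
CLONE = Action.VIEW | Action.CREATE

# Constructed grids (record-type names are assumptions, not Manager's).
PROCUREMENT_OFFICER = {
    "suppliers": FULL,
    "purchase_orders": FULL,
    "purchase_invoices": Action.VIEW,  # may look, may not change
}
CLAIMS_CLERK = {"expense_claims": Action.CREATE}  # the "create only" request

def is_allowed(grid, record_type, needed):
    """Decide on the type of record being touched. Types absent from the
    grid are denied, and every bit in `needed` must be granted."""
    granted = grid.get(record_type, Action.NONE)
    return (granted & needed) == needed

def authorize(grid, record_type, needed, via_tab):
    """Same decision whichever tab the request came through; via_tab is
    recorded for the audit trail only and never affects the result."""
    return {
        "record_type": record_type,
        "via_tab": via_tab,
        "needed": str(needed),
        "allowed": is_allowed(grid, record_type, needed),
    }

if __name__ == "__main__":
    # Duplicating a payment reached from the Suppliers tab.
    print(authorize(PROCUREMENT_OFFICER, "payments", CLONE, "suppliers"))
    # Editing a purchase invoice listed under a supplier.
    print(authorize(PROCUREMENT_OFFICER, "purchase_invoices", Action.UPDATE, "suppliers"))
    # Create-only user: can create, cannot clone an existing claim.
    print(authorize(CLAIMS_CLERK, "expense_claims", Action.CREATE, "expense_claims"))
    print(authorize(CLAIMS_CLERK, "expense_claims", CLONE, "expense_claims"))
```

Because the check runs wherever a record is read or written, a disabled button or a hidden tab is no longer the only thing standing between a user and the data.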