
Suggestion for improving user permissions


#1

Hello Guys

I just realised this and have to draw your attention to it.
The current user permission is seriously flawed.
I tested with a procurement officer user who is supposed to have access only to create Suppliers and purchase orders and noticed the flaw.

The procurement officer is able to generate a Spend Money transaction, even though he has no bank or cash access, by duplicating a Spend Money transaction he is allowed to view.
He is also able to edit and update Purchase Invoice transactions already showing in the Supplier’s records, even though he doesn’t have any permission to do so.

The same applies to Customers and Employees: a user having no access to pay slips can still duplicate or edit pay slips from the Employees tab. I haven’t taken the time to check everything, but I believe you know the right places to check.

I believe the permissions should be specific to the tabs and not generalized. I may want my Procurement officer to be able to View, Create, Update and Delete things under Suppliers and Purchase Orders, but only need him to see Purchase Invoices and not be able to do anything to them.
So in the table below I have elaborated on the permission controls procedure that will solve the current permission control weakness.


I have come across similar complaints before; I just don’t remember the user or the topic title.

I don’t know if you have already talked about improving it or whether there is a way out.


#2

I agree that if you give access just to Suppliers and Purchase Orders, users should not be able to access purchase invoices.

However, there are at least a dozen similar flaws I can think of right now, and to some businesses these flaws are actually “features” they rely on.

The current implementation of user permissions is naive in the sense that it just restricts access to tabs. What I will need to implement at some point is to restrict access to columns within the tabs based on user permissions.


#3

Could you please kindly consider or add a (Create Only) permission.

Adding Create Only, like (View Only), might be another solution that could solve most of the user problems. This permission would only give the restricted user the ability to create a voucher, which must prevent him from accessing other tabs, and only one option would be available: Create.

Also, since most users were complaining that restricted users are able to view vouchers they don’t have the authorization to view, I think adding a Create Only permission will solve the majority of this problem.


#4

@abdulbari yes, if a user can only create, he can’t view or edit vouchers, and that will prevent him from making duplicate copies and/or editing data.

But you may want a user who can create, edit, view and delete transactions in Payslips but only create sales invoices. How is that possible? The current feature sets these privileges on general terms, so you can’t set the user to be able to create and view in the Customers tab and create only in the Sales Invoices tab.


#5

I totally agree with you @Abeiku.

I hope a Create Only permission will be considered in the improvement plan, because it is needed in some tabs like the Expense Claims tab, and other tabs where the user is authorized only to create a voucher.


#6

On an extra note, @lubos please add a ‘Permission Inheritance’ feature.

It is a pain in the **** with lots of permissions to assign every time we add a new user with similar or exactly the same permissions as per the user’s job or scope of work.


#7

It would also help to have a “select all” for restricted users. This way you can give “view” or “create” access for a user to all modules and reports in a single click. It will also help if you need all but one module for a user: you can select all and just deselect the one you don’t need.


#8

You are very right. I believe this is the topic you are talking about. User permissions and cash accounts.

I had an issue with it today and I just reopened it a few minutes ago.

I believe lubos will work on it soon.


#9

Hello @lubos, I’m following up on the user permission improvements. I would love to deploy Manager on our company network and get other users onto the system to reduce my workload. As of now there is no way I could do that, because people will be messing things up.

I just want to know your progress so far on improving the permissions and user activity log and the new ideas you have on the permissions in Manager.io for me to plan my activities for the rest of the year.

Thank you.


#10

@lubos
Hi, how far along is this request? Any planned implementation soon?
Thanks


#11

I have gone through the above exchange of opinions relating to permissions for limited-access users.

As I see in one of the conversations above, someone mentioned one of the permissions being only “CREATE”, just like only “VIEW”.

I felt the necessity of an only-CREATE permission because I may not like the user to have a look at all the transactions, for whatever reason. One of the reasons is privacy.

However, Manager just brushed aside my request saying with CREATE, it must be VIEW too. But, I believe, if only VIEW is available then, it should be no problem to add limited user permission of only CREATE.

It should work like this:
Open Create 》》 Input information/data 》》 CREATE (save) 》》 back to the Create screen

Hope @lubos would consider listening to our views and provide us with this immensely useful feature for privacy.

Thanks a lot


#12

How does a user who has create permission know that he inserted the right data? He must have view permission also. Maybe an additional permission called (limited view) needs to be added, able to review only once what transaction was created, not the list, but that is not convenient.

My other suggestion would be to tag the transaction as viewable in the listing only by the creator of the transaction (limited view permission), the administrator, and users who have the full view permission.


#13

We have to remember you have to view before you can print.

To me every user who creates must be able to view as well, but another could be made to view but not create, or edit or clone or delete anything.

Sounds like clone permission settings.

Sounds to me like complexity. The best method is to set action permissions at tab level, as suggested earlier. So some users could view only in some tabs, but create and view in other tabs, and create, view, edit, clone and delete in another. Taking this to the document level will be too deep and may have programming challenges.


#14

I know it is very complex programming, but this is the ultimate user assignment feature that disallows an unauthorized user/employee from seeing the full listing; they are only able to view what they have created, unless, of course, they’ve been given full authorization to that tab. I doubt it will be implemented soon, but this is the one I have in mind if the software user is a medium to large size corporation.

This also allows narrowing down which entries they have created. It is easy if the administrator is able to impersonate the user. Indirectly it makes the audit trail easy, I believe.

Yes, ‘cloning permission’ is also known as ‘inherit permission’; I learnt it from a customer relationship management web app.


#15

Not necessarily - “cloning” in Manager means creating a new transaction or object using an existing transaction or object as a model. Once cloned, the new transaction or object has a separate identity which can then evolve differently from the parent object.

Inheritance is generally persistent, i.e. if the permissions on the parent object are changed, then the new object will also acquire the changes.


#16

Yes @lubos, we hope you improve the user permissions. I have the same problem. It would be great.


#17

Thanks for making it clear. Then inheritance is better controlled at group level compared to cloning per user.


#18

@Abeiku & @lubos The user suggestion I made can be done with little change in the software. My suggestion is intended to work this way, please take a look. Supposing I gave the user permission to make only “SALES INVOICE”, the screen/page he may go to would be as in the scenario below.

First, he clicks the Sales Invoice tab, then he can see just this page.

Clicking on New Sales Invoice, he should get this page.

After the required input, the user will click “CREATE”, then he will get this page/screen.

The user can only use the highlighted tab; the rest (crossed) tabs are dormant for him.

Once he has finished, he can click “back”, then he gets (comes back) to the starting screen as below:

I just hope I am clear. Further, I sincerely hope that @lubos will seriously consider this improvement.

Thanks


#19

I understand what you are suggesting perfectly and it would be the best fix. But my fear is that this may call for deeper reprogramming and may delay the fix.

Currently, if you don’t have permission to do something (e.g. create or receive money), you could do all the editing or entry, but the create or update button to finalise the move would be inactive, so you wouldn’t be able to create a transaction or save any changes to transactions in the application even if the buttons are there. I think that is enough control. It will all depend on what will be easier to implement if the programmer decides to do the fix.


#20

I’m working on new API which is cleaning up many aspects in Manager.

When the API is released, as a side-effect, a user not having access to the Payslips tab won’t be able to access them through the Employees tab.

A lot of these leaks will be plugged.

When leaks are plugged, we can see if it’s needed to extend user permission system further (perhaps having a grid where actions can be set per tab rather than globally).
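As an added example (not Manager’s code, and not any forum member’s), here is a small model of the per-tab action grid post #20 mentions, with the three checks this thread circles around: a clone is a create in the source’s tab (the Spend Money gap from post #1), an edit is authorised against the tab that owns the record rather than the tab it was reached from (the payslip-via-Employees leak from posts #1 and #20), and a limited view where a create-only user lists only the records they created (posts #3, #11 and #12). Tab names, the `User` and `Record` models and the sample users are constructed for illustration only.

```python
"""Per-tab action permissions with clone, cross-tab edit and limited-view checks.

Added example; not Manager's code. Tab names, the User/Record models and the
sample users below are constructed for illustration only.
"""
from dataclasses import dataclass, field

ACTIONS = frozenset({"view", "create", "update", "delete"})


@dataclass(frozen=True)
class Record:
    tab: str        # tab that owns the record, e.g. "payslips"
    creator: str    # user name that created it
    record_id: int


@dataclass
class User:
    name: str
    # tab -> actions granted on that tab; a tab absent here is not usable at all
    grants: dict = field(default_factory=dict)
    # tabs where the user may list and open only the records they created
    limited_view: set = field(default_factory=set)
    is_admin: bool = False


def allowed(user: User, tab: str, action: str) -> bool:
    """The per-tab action grid: one decision per (tab, action), never global."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return user.is_admin or action in user.grants.get(tab, set())


def can_see(user: User, rec: Record) -> bool:
    """Full 'view' on the owning tab, or limited view of one's own record."""
    if allowed(user, rec.tab, "view"):
        return True
    return rec.tab in user.limited_view and rec.creator == user.name


def can_clone(user: User, source: Record) -> bool:
    """Cloning is a create in the source's tab, so it needs 'create' there as
    well as the right to see the source. Checking only 'view' is the gap
    post #1 describes (a Spend Money clone by a user with no bank access)."""
    return can_see(user, source) and allowed(user, source.tab, "create")


def can_update(user: User, rec: Record, reached_via: str) -> bool:
    """An edit is authorised against the tab that owns the record, whatever
    tab it was reached from (a payslip opened from Employees is still a payslip)."""
    del reached_via  # deliberately ignored: the navigation path grants nothing
    return allowed(user, rec.tab, "update")


def listing(user: User, records, tab: str):
    """Rows shown in a tab's list: all rows with 'view', own rows with limited view."""
    return [r for r in records if r.tab == tab and can_see(user, r)]


# Constructed sample data mirroring the thread's scenarios (not real data).
RECORDS = [
    Record("spend_money", "accountant", 1),
    Record("purchase_invoices", "accountant", 2),
    Record("payslips", "hr_clerk", 3),
    Record("payslips", "payroll", 4),
]

PROCUREMENT = User("procurement", grants={
    "suppliers": {"view", "create", "update", "delete"},
    "purchase_orders": {"view", "create", "update", "delete"},
    "purchase_invoices": {"view"},
})
# 'Create only' plus limited view of one's own records (posts #3, #11, #12).
HR_CLERK = User("hr_clerk", grants={"payslips": {"create"}}, limited_view={"payslips"})


def demo() -> dict:
    """Decisions for the cases raised in the thread, returned so they can be checked."""
    spend, invoice, own_slip, other_slip = RECORDS
    return {
        "procurement_clones_spend_money": can_clone(PROCUREMENT, spend),
        "procurement_edits_invoice_via_supplier": can_update(PROCUREMENT, invoice, "suppliers"),
        "procurement_views_invoice": can_see(PROCUREMENT, invoice),
        "clerk_creates_payslip": allowed(HR_CLERK, "payslips", "create"),
        "clerk_listing_ids": [r.record_id for r in listing(HR_CLERK, RECORDS, "payslips")],
        "clerk_clones_own_payslip": can_clone(HR_CLERK, own_slip),
        "clerk_clones_other_payslip": can_clone(HR_CLERK, other_slip),
        "clerk_edits_other_payslip_via_employees": can_update(HR_CLERK, other_slip, "employees"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The design point is that every decision is keyed on the tab that owns the record and the action being attempted; the screen the user navigated from, and whether the operation is labelled “clone” rather than “create”, contribute nothing to the answer. That is what closes the duplicate-and-edit paths described in post #1 without needing document-level permissions.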