
Clarification and Enhancement Request for Financial Risk Security Groups #363

rafaelbn opened this issue Feb 21, 2024 · 1 comment
@rafaelbn
Member

Hello,

We've observed an inconsistency regarding the visibility and editability of the "Financial Risk" tab within Odoo's billing and financial risk management functionalities. Specifically:

  1. Billing Users & Financial Risk Permissions: Billing users, without manager permissions in the financial risk security group, cannot view or edit the "Financial Risk" tab. However, granting them manager permissions allows approval of invoices exceeding the limit, despite not having access to view or configure the tab directly.

  2. Billing Managers & Access Restrictions: Billing managers can view the "Financial Risk" tab but are unable to edit it unless they have manager-level permissions in the financial risk security group.

  3. User Group Utility in Financial Risk: The user-level security group for financial risk appears to provide no functional access or editing permissions for the "Financial Risk" tab, which seems redundant as Odoo natively allows write permissions on the credit limit field.

This setup raises questions about the intended utility and differentiation of access levels, particularly for the user-level group in financial risk management. It seems there's an opportunity to clarify or enhance the role and permissions associated with these security groups to ensure a more intuitive and functional access control system.

Could we discuss potential adjustments or clarifications to these security group permissions to better align with user roles and operational needs?

@yajo My 5-minute (2x) video around this topic:
https://www.loom.com/share/c5e4b5298817425cac51be278079f50e?sid=3204edc3-e49a-40b1-94e3-7a554dcb51d6

My conclusion is:

  • Views should be managed with standard permission: billing, full accounting and accounting manager
  • Approve or not a sale or invoice which is blocked by exceeded risk should be manager with a special security group as is in this moment with Financial Risk Manager

@moduon MT-4827 @yajo

@rafaelbn rafaelbn added this to the 16.0 milestone Feb 21, 2024
@yajo
Member

yajo commented Feb 22, 2024

I want to clarify that this only applies to Odoo 16+ because it was in this version that Odoo added the credit limit feature in odoo/odoo#83205. In previous versions there might still be some inconsistency, but we didn't check.

Views should be managed with standard permission: billing, full accounting and accounting manager

I agree.

Indeed this permission level seems to be completely useless now:

<record id="group_account_financial_risk_user" model="res.groups">
    <field name="name">User</field>
    <field name="category_id" ref="category_financial_risk" />
    <field name="comment">Read only access to financial risk info</field>
</record>

By removing it, we'd be able to undo the inconsistency. This way, also, installing other modules that used that core Odoo feature would be able to follow core permissions model without having to deal with the fact that there's an OCA module that introduces a separate permissions model.

Approve or not a sale or invoice which is blocked by exceeded risk should be manager with a special security group as is in this moment with Financial Risk Manager

This also seems a good solution to me. It's about this permission, and it is still useful:

<record id="group_account_financial_risk_manager" model="res.groups">
    <field name="name">Manager</field>
    <field name="category_id" ref="category_financial_risk" />
    <field
        name="implied_ids"
        eval="[(4, ref('account_financial_risk.group_account_financial_risk_user'))]"
    />
    <field name="comment">Can edit risk limit and overpass partner risk exceptions</field>
</record>

These users will be able to:

  • Set up specific limits (not warnings, like upstream Odoo does (although they call them limits)).
  • Skip those limits in specific occasions.

However, be warned that any other billing/full-accounting user would still be able to edit the global limit, just like with upstream Odoo. This is a bit inconsistent too, but at least it seems the lesser evil, given the current situation.

The module account_financial_risk would be adding that group and at the same time giving it some functionality, so it makes sense in that regard too.

Thanks for the analysis and detailed explanation @rafaelbn.
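Added illustration of what the proposal above implies for the module's security data; this is not code from the issue or from account_financial_risk. The `res.groups` record is the manager group shown above with the `implied_ids` reference to the removed user group dropped (otherwise `ref()` would fail at install time); the view inherit, its `inherit_id` and the button name are assumptions showing how the remaining group would gate only the override action while the credit limit field stays on standard accounting permissions.

```xml
<odoo>
    <!-- Manager group kept; implied_ids removed together with the user group -->
    <record id="group_account_financial_risk_manager" model="res.groups">
        <field name="name">Manager</field>
        <field name="category_id" ref="category_financial_risk" />
        <field name="comment">Can overpass partner risk exceptions</field>
    </record>

    <!-- Hypothetical view: only the manager group sees the override button;
         the credit limit itself is edited under core accounting rights. -->
    <record id="view_partner_financial_risk_override" model="ir.ui.view">
        <field name="name">res.partner.financial.risk.override</field>
        <field name="model">res.partner</field>
        <!-- assumption: the module's partner form view XML id -->
        <field name="inherit_id" ref="account_financial_risk.res_partner_view_risk" />
        <field name="arch" type="xml">
            <xpath expr="//page[@name='financial_risk']" position="inside">
                <button
                    name="action_override_risk_exception"
                    string="Override risk exception"
                    type="object"
                    groups="account_financial_risk.group_account_financial_risk_manager"
                />
            </xpath>
        </field>
    </record>
</odoo>
```

The `groups` attribute only hides the button; the server-side method behind it still needs its own `has_group` check, since a hidden button does not stop an RPC call.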
