From 4866c10cc9a12ec9ade05ac7fb5145879a17949b Mon Sep 17 00:00:00 2001 From: Erik Huelsmann Date: Sun, 30 Apr 2023 23:53:02 +0200 Subject: [PATCH 01/10] Add infrastructure to document roles --- sql/modules/Roles.sql | 222 ++++++++++++++++++++++++++++++++++-------- xt/42-roles.pg | 2 +- 2 files changed, 183 insertions(+), 41 deletions(-) diff --git a/sql/modules/Roles.sql b/sql/modules/Roles.sql index f8151bccdc6..5da70736362 100644 --- a/sql/modules/Roles.sql +++ b/sql/modules/Roles.sql @@ -7,7 +7,7 @@ BEGIN; DELETE FROM menu_acl WHERE node_id in (206, 210); DROP FUNCTION IF EXISTS lsmb__create_role(text); -CREATE OR REPLACE FUNCTION lsmb__create_role(in_role text) RETURNS bool +CREATE OR REPLACE FUNCTION lsmb__create_role(in_role text, in_documentation text default null) RETURNS bool LANGUAGE PLPGSQL AS $$ DECLARE @@ -23,13 +23,15 @@ BEGIN USING ERRCODE = 'name_too_long'; END IF; PERFORM rolname FROM pg_roles WHERE rolname = t_in_role; - IF FOUND THEN - RETURN TRUE; + IF NOT FOUND THEN + EXECUTE 'CREATE ROLE ' || quote_ident(t_in_role) + || ' WITH INHERIT NOLOGIN'; END IF; - EXECUTE 'CREATE ROLE ' || quote_ident(t_in_role) - || ' WITH INHERIT NOLOGIN'; - + IF in_documentation IS NOT NULL THEN + EXECUTE 'COMMENT ON ROLE ' || quote_ident(t_in_role) + || ' IS ' || quote_literal(in_documentation); + END IF; RETURN TRUE; END; $$ SECURITY INVOKER; -- intended only to be used for setup scripts @@ -195,16 +197,37 @@ GRANT SELECT ON location_class_to_entity_class TO PUBLIC; \echo BASE ROLES -SELECT lsmb__create_role('base_user'); +SELECT lsmb__create_role( + 'base_user', + $DOC$ + Users need to be given this role in order to be granted access to the database schema which holds all LedgerSMB objects. + $DOC$ + ); SELECT lsmb__grant_schema('base_user', :'lsmb_schema'); \echo BUDGETS -SELECT lsmb__create_role('budget_enter'); -SELECT lsmb__create_role('budget_view'); -SELECT lsmb__create_role('budget_approve'); +SELECT lsmb__create_role('budget_enter', + $DOC$ + This role allows creation and updating of budgets. + $DOC$ +); +SELECT lsmb__create_role('budget_view', + $DOC$ + This role allows searching and viewing of budgets. + $DOC$ +); +SELECT lsmb__create_role('budget_approve', + $DOC$ + This role allows searching, viewing and approving of budgets. + $DOC$ +); SELECT lsmb__grant_role('budget_approve', 'budget_view'); -SELECT lsmb__create_role('budget_obsolete'); +SELECT lsmb__create_role('budget_obsolete', + $DOC$ + This role allows searching, viewing and marking as obsolete of budgets. + $DOC$ +); SELECT lsmb__grant_role('budget_obsolete', 'budget_view'); SELECT lsmb__grant_perms('budget_view', 'budget_info', 'SELECT'); @@ -225,7 +248,11 @@ SELECT lsmb__grant_menu('budget_view', 253, 'allow'); SELECT lsmb__grant_exec('budget_approve', 'budget__reject(in_id int)'); \echo BUSINESS UNITS -SELECT lsmb__create_role('business_units_manage'); +SELECT lsmb__create_role('business_units_manage', + $DOC$ + This role allows searching, viewing, creation and editing of business (reporting) classes and their members. + $DOC$ +); SELECT lsmb__grant_perms('business_units_manage', 'business_unit_class', 'INSERT'); SELECT lsmb__grant_perms('business_units_manage', 'business_unit_class', @@ -249,10 +276,11 @@ GRANT SELECT ON business_unit_class, business_unit, bu_class_to_module TO PUBLIC; \echo Exchange rate creation (requires insert/update on exchangerate table) -SELECT lsmb__create_role('exchangerate_edit'); ---### TODO: advisory rates still need to work! ---SELECT lsmb__grant_perms('exchangerate_edit', 'exchangerate', 'INSERT'); ---SELECT lsmb__grant_perms('exchangerate_edit', 'exchangerate', 'UPDATE'); +SELECT lsmb__create_role('exchangerate_edit', + $DOC$ + This role allows searching, viewing and editing of currencies, exchange rates and exchange rate types. + $DOC$ +); SELECT lsmb__grant_perms('exchangerate_edit', 'currency', 'INSERT'); SELECT lsmb__grant_perms('exchangerate_edit', 'currency', 'UPDATE'); SELECT lsmb__grant_perms('exchangerate_edit', 'currency', 'DELETE'); @@ -278,7 +306,11 @@ GRANT SELECT ON exchangerate_default TO PUBLIC; \echo Basic file attachments -SELECT lsmb__create_role('file_read'); +SELECT lsmb__create_role('file_read', + $DOC$ + This role allows reading of files attachments and files uploaded through the system menu. + $DOC$ +); SELECT lsmb__grant_perms('file_read', 'file_base', 'SELECT'); SELECT lsmb__grant_perms('file_read', 'file_eca', 'SELECT'); SELECT lsmb__grant_perms('file_read', 'file_entity', 'SELECT'); @@ -290,17 +322,29 @@ SELECT lsmb__grant_perms('file_read', 'file_part', 'SELECT'); SELECT lsmb__grant_perms('file_read', 'file_secondary_attachment', 'SELECT'); SELECT lsmb__grant_perms('file_read', 'file_transaction', 'SELECT'); -SELECT lsmb__create_role('file_upload'); +SELECT lsmb__create_role('file_upload', + $DOC$ + This role allows uploading of files through the system menu. + $DOC$ +); SELECT lsmb__grant_perms('file_upload', 'file_internal', 'ALL'); SELECT lsmb__grant_menu('file_upload', 27, 'allow'); -SELECT lsmb__create_role('file_attach_tx'); +SELECT lsmb__create_role('file_attach_tx', + $DOC$ + This role allows attaching files to transactions and invoices. + $DOC$ +); SELECT lsmb__grant_perms('file_attach_tx', 'file_transaction', 'INSERT'); SELECT lsmb__grant_perms('file_attach_tx', 'file_transaction', 'UPDATE'); SELECT lsmb__grant_perms('file_attach_tx', 'file_order_to_tx', 'INSERT'); SELECT lsmb__grant_perms('file_attach_tx', 'file_order_to_tx', 'UPDATE'); -SELECT lsmb__create_role('file_attach_order'); +SELECT lsmb__create_role('file_attach_order', + $DOC$ + This role allows attaching files to orders and quotes. + $DOC$ +); SELECT lsmb__grant_perms('file_attach_order', 'file_order', 'INSERT'); SELECT lsmb__grant_perms('file_attach_order', 'file_order', 'UPDATE'); SELECT lsmb__grant_perms('file_attach_order', 'file_order_to_order', 'INSERT'); @@ -308,15 +352,27 @@ SELECT lsmb__grant_perms('file_attach_order', 'file_order_to_order', 'UPDATE'); SELECT lsmb__grant_perms('file_attach_order', 'file_tx_to_order', 'INSERT'); SELECT lsmb__grant_perms('file_attach_order', 'file_tx_to_order', 'UPDATE'); -SELECT lsmb__create_role('file_attach_part'); +SELECT lsmb__create_role('file_attach_part', + $DOC$ + This role allows attaching files to goods and services. + $DOC$ +); SELECT lsmb__grant_perms('file_attach_part', 'file_part', 'INSERT'); SELECT lsmb__grant_perms('file_attach_part', 'file_part', 'UPDATE'); -SELECT lsmb__create_role('file_attach_eca'); +SELECT lsmb__create_role('file_attach_eca', + $DOC$ + This role allows attaching files to entity credit accounts (customers/vendors). + $DOC$ +); SELECT lsmb__grant_perms('file_attach_eca', 'file_eca', 'INSERT'); SELECT lsmb__grant_perms('file_attach_eca', 'file_eca', 'UPDATE'); -SELECT lsmb__create_role('file_attach_entity'); +SELECT lsmb__create_role('file_attach_entity', + $DOC$ + This role allows attaching files to entities (contacts). + $DOC$ +); SELECT lsmb__grant_perms('file_attach_entity', 'file_entity', 'INSERT'); SELECT lsmb__grant_perms('file_attach_entity', 'file_entity', 'UPDATE'); @@ -326,7 +382,14 @@ SELECT lsmb__grant_perms(role, 'file_incoming', 'DELETE'), 'file_attach_part', 'file_attach_eca']) role; \echo Contact Management -SELECT lsmb__create_role('contact_read'); +SELECT lsmb__create_role('contact_read', + $DOC$ + This role allows searching and viewing entities, persons and companies (contacts). + + Combine this role with one or more 'contact_class_*' roles to be able to access + contacts of the specific class. By itself, this role does not provide sufficient rights. + $DOC$ +); SELECT lsmb__grant_role('contact_read', 'file_read'); SELECT lsmb__grant_perms('contact_read', 'partsvendor', 'SELECT'); SELECT lsmb__grant_perms('contact_read', 'partscustomer', 'SELECT'); @@ -356,18 +419,75 @@ SELECT lsmb__grant_perms('contact_read', 'file_entity', 'SELECT'); SELECT lsmb__grant_exec('contact_read', 'eca__list_notes(int)'); SELECT lsmb__grant_menu('contact_read', 14, 'allow'); -SELECT lsmb__create_role('contact_class_vendor'); -SELECT lsmb__create_role('contact_class_customer'); -SELECT lsmb__create_role('contact_class_employee'); -SELECT lsmb__create_role('contact_class_contact'); -SELECT lsmb__create_role('contact_class_referral'); -SELECT lsmb__create_role('contact_class_lead'); -SELECT lsmb__create_role('contact_class_hot_lead'); -SELECT lsmb__create_role('contact_class_cold_lead'); -SELECT lsmb__create_role('contact_class_sub_contractor'); -SELECT lsmb__create_role('contact_class_robot'); - -SELECT lsmb__create_role('contact_create'); +SELECT lsmb__create_role('contact_class_vendor', + $DOC$ + This role allows access to vendor contact data. + Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + $DOC$ +); +SELECT lsmb__create_role('contact_class_customer', + $DOC$ + This role allows access to customer contact data. + Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + $DOC$ +); +SELECT lsmb__create_role('contact_class_employee', + $DOC$ + This role allows access to employee contact data. + Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + $DOC$ +); +SELECT lsmb__create_role('contact_class_contact', + $DOC$ + This role allows access to contact data (e-mail, phone, etc) of all kinds of contacts (customer/vendor/...). + Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + $DOC$ +); +SELECT lsmb__create_role('contact_class_referral', + $DOC$ + This role allows access to referral contact data. + Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + $DOC$ +); +SELECT lsmb__create_role('contact_class_lead', + $DOC$ + This role allows access to sales lead contact data. + Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + $DOC$ +); +SELECT lsmb__create_role('contact_class_hot_lead', + $DOC$ + This role allows access to hot sales lead contact data. + Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + $DOC$ +); +SELECT lsmb__create_role('contact_class_cold_lead', + $DOC$ + This role allows access to cold sales lead contact data. + Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + $DOC$ +); +SELECT lsmb__create_role('contact_class_sub_contractor', + $DOC$ + This role allows access to subcontractor contact data. + Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + $DOC$ +); +SELECT lsmb__create_role('contact_class_robot', + $DOC$ + This role allows access to robot (automated process, acting on behalf of...) contact data. + Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + $DOC$ +); + +SELECT lsmb__create_role('contact_create', + $DOC$ + This role allows searching and viewing existing contacts and creation of new contacts. + + Combine this role with one or more 'contact_class_*' roles to be able to access + contacts of the specific class. By itself, this role does not provide sufficient rights. + $DOC$ +); SELECT lsmb__grant_role('contact_create', 'contact_read'); SELECT lsmb__grant_perms('contact_create', 'entity', 'INSERT'); SELECT lsmb__grant_perms('contact_create', 'entity_id_seq', 'ALL'); @@ -400,7 +520,11 @@ SELECT lsmb__grant_perms('contact_create', obj, 'ALL') SELECT lsmb__grant_menu('contact_create', 12, 'allow'); -SELECT lsmb__create_role('employees_manage'); +SELECT lsmb__create_role('employees_manage', + $DOC$ + This role allows creation, updating and searching of employees. + $DOC$ +); SELECT lsmb__grant_role('employees_manage', 'contact_read'); SELECT lsmb__grant_perms('employees_manage', 'entity_employee', 'ALL'); SELECT lsmb__grant_perms('employees_manage', 'person', 'ALL'); @@ -415,7 +539,14 @@ SELECT lsmb__grant_menu('employees_manage', 49, 'allow'); GRANT select ON employees TO public; -SELECT lsmb__create_role('contact_edit'); +SELECT lsmb__create_role('contact_edit', + $DOC$ + This role allows editing of existing contacts. + + Combine this role with one or more 'contact_class_*' roles to be able to access + contacts of the specific class. By itself, this role does not provide sufficient rights. + $DOC$ +); SELECT lsmb__grant_role('contact_edit', 'contact_read'); SELECT lsmb__grant_role('contact_create', 'contact_edit'); SELECT lsmb__grant_perms('contact_edit', 'entity', 'UPDATE'); @@ -434,7 +565,14 @@ SELECT lsmb__grant_perms('contact_edit', 'eca_to_contact', 'ALL'); SELECT lsmb__grant_perms('contact_edit', 'eca_to_location', 'ALL'); SELECT lsmb__grant_perms('contact_edit', 'eca_tax', 'ALL'); -SELECT lsmb__create_role('contact_delete'); +SELECT lsmb__create_role('contact_delete', + $DOC$ + This role allows editing of existing contacts. + + Combine this role with one or more 'contact_class_*' roles to be able to access + contacts of the specific class. By itself, this role does not provide sufficient rights. + $DOC$ +); SELECT lsmb__grant_perms('contact_delete', obj, 'DELETE') FROM unnest(ARRAY['entity'::text, 'company', 'person', 'location', 'entity_credit_account', 'eca_tax', 'entity_note', @@ -442,7 +580,11 @@ SELECT lsmb__grant_perms('contact_delete', obj, 'DELETE') 'eca_to_contact', 'entity_to_contact', 'entity_other_name', 'entity_bank_account', 'person_to_company']) obj; -SELECT lsmb__create_role('contact_all_rights'); +SELECT lsmb__create_role('contact_all_rights', + $DOC$ + This role combines all 'contact_class_*' and 'contact_*' roles and grants all access rights to all contact classes. + $DOC$ +); SELECT lsmb__grant_role('contact_all_rights', 'contact_class_vendor'); SELECT lsmb__grant_role('contact_all_rights', 'contact_class_customer'); SELECT lsmb__grant_role('contact_all_rights', 'contact_class_employee'); diff --git a/xt/42-roles.pg b/xt/42-roles.pg index abd56ef37d3..0d7c1f441ff 100644 --- a/xt/42-roles.pg +++ b/xt/42-roles.pg @@ -18,7 +18,7 @@ BEGIN; -- Validate required functions -- Can create role - SELECT has_function('lsmb__create_role',ARRAY['text']); + SELECT has_function('lsmb__create_role',ARRAY['text','text']); -- Check Valid Role creation PREPARE test AS SELECT From 0a6d031a51212553d7ff7a15324f970b2811f627 Mon Sep 17 00:00:00 2001 From: Erik Huelsmann Date: Mon, 1 May 2023 19:51:21 +0200 Subject: [PATCH 02/10] More role descriptions --- sql/modules/Roles.sql | 40 +++++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/sql/modules/Roles.sql b/sql/modules/Roles.sql index 5da70736362..04d8edca4aa 100644 --- a/sql/modules/Roles.sql +++ b/sql/modules/Roles.sql @@ -201,6 +201,8 @@ SELECT lsmb__create_role( 'base_user', $DOC$ Users need to be given this role in order to be granted access to the database schema which holds all LedgerSMB objects. + + This role only allows access to menu items Preferences, Logout, and New Window. The user basically cannot do anything without added additional roles. $DOC$ ); SELECT lsmb__grant_schema('base_user', :'lsmb_schema'); @@ -225,7 +227,7 @@ SELECT lsmb__create_role('budget_approve', SELECT lsmb__grant_role('budget_approve', 'budget_view'); SELECT lsmb__create_role('budget_obsolete', $DOC$ - This role allows searching, viewing and marking as obsolete of budgets. + This role allows searching and viewing budgets as well as marking them obsolete (=no longer applicable). $DOC$ ); @@ -482,7 +484,7 @@ SELECT lsmb__create_role('contact_class_robot', SELECT lsmb__create_role('contact_create', $DOC$ - This role allows searching and viewing existing contacts and creation of new contacts. + This role allows creation of new contacts. Combine this role with one or more 'contact_class_*' roles to be able to access contacts of the specific class. By itself, this role does not provide sufficient rights. @@ -541,7 +543,7 @@ GRANT select ON employees TO public; SELECT lsmb__create_role('contact_edit', $DOC$ - This role allows editing of existing contacts. + This role allows editing of existing contacts and creation of new ones. Combine this role with one or more 'contact_class_*' roles to be able to access contacts of the specific class. By itself, this role does not provide sufficient rights. @@ -567,7 +569,7 @@ SELECT lsmb__grant_perms('contact_edit', 'eca_tax', 'ALL'); SELECT lsmb__create_role('contact_delete', $DOC$ - This role allows editing of existing contacts. + This role allows removal of existing contacts. Combine this role with one or more 'contact_class_*' roles to be able to access contacts of the specific class. By itself, this role does not provide sufficient rights. @@ -599,7 +601,11 @@ SELECT lsmb__grant_role('contact_all_rights', 'contact_read'); SELECT lsmb__grant_role('contact_all_rights', 'contact_delete'); \echo Batches and Vouchers -SELECT lsmb__create_role('batch_create'); +SELECT lsmb__create_role('batch_create', + $DOC$ + This role allows creation of new batches and vouchers. + $DOC$ +); SELECT lsmb__grant_perms('batch_create', 'batch', 'INSERT'); SELECT lsmb__grant_perms('batch_create', 'batch_id_seq', 'ALL'); SELECT lsmb__grant_perms('batch_create', 'batch_class', 'SELECT'); @@ -607,17 +613,33 @@ SELECT lsmb__grant_perms('batch_create', 'voucher', 'INSERT'); SELECT lsmb__grant_perms('batch_create', 'voucher_id_seq', 'ALL'); SELECT lsmb__grant_exec('batch_create', 'batch__lock_for_update(int)'); -SELECT lsmb__create_role('batch_post'); +SELECT lsmb__create_role('batch_post', + $DOC$ + This role allows posting batches of e.g. transactions, payments and invoices. + $DOC$ +); SELECT lsmb__grant_exec('batch_post', 'batch_post(int)'); SELECT lsmb__grant_menu('batch_post', 206, 'allow'); SELECT lsmb__grant_menu('batch_post', 210, 'allow'); -SELECT lsmb__create_role('voucher_delete'); +SELECT lsmb__create_role('voucher_delete', + $DOC$ + This role allows deletion of vouchers (i.e. groups of e.g. payments). + $DOC$ +); SELECT lsmb__grant_exec('voucher_delete', 'voucher__delete(int)'); SELECT lsmb__grant_exec('voucher_delete', 'batch_delete(int)'); -SELECT lsmb__create_role('draft_modify'); -SELECT lsmb__create_role('draft_post'); +SELECT lsmb__create_role('draft_modify', + $DOC$ + This role allows modification of existing draft (= saved) transactions. + $DOC$ +); +SELECT lsmb__create_role('draft_post', + $DOC$ + This role allows posting of saved transactions to the ledger. + $DOC$ +); SELECT lsmb__grant_menu('draft_post', 210, 'allow'); From d8703cfe2a2df3762666855d16632397f23d952d Mon Sep 17 00:00:00 2001 From: Erik Huelsmann Date: Mon, 1 May 2023 21:26:20 +0200 Subject: [PATCH 03/10] Incorporate @christian-eriksson's review comments --- sql/modules/Roles.sql | 65 ++++++++++++++++++++++++++++--------------- 1 file changed, 43 insertions(+), 22 deletions(-) diff --git a/sql/modules/Roles.sql b/sql/modules/Roles.sql index 04d8edca4aa..02ccb46d2d4 100644 --- a/sql/modules/Roles.sql +++ b/sql/modules/Roles.sql @@ -386,10 +386,12 @@ SELECT lsmb__grant_perms(role, 'file_incoming', 'DELETE'), \echo Contact Management SELECT lsmb__create_role('contact_read', $DOC$ - This role allows searching and viewing entities, persons and companies (contacts). + When paired with one or more 'contact_class_*' role/-s, this role allows + searching and viewing entities, persons and companies (contacts). - Combine this role with one or more 'contact_class_*' roles to be able to access - contacts of the specific class. By itself, this role does not provide sufficient rights. + Each contact_class_ role, when paired with contact_read, enables + this access for the specific . On it's own, the contact_read-role + does not provide any rights. $DOC$ ); SELECT lsmb__grant_role('contact_read', 'file_read'); @@ -424,70 +426,82 @@ SELECT lsmb__grant_menu('contact_read', 14, 'allow'); SELECT lsmb__create_role('contact_class_vendor', $DOC$ This role allows access to vendor contact data. - Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + Combine with 'contact_read', 'contact_create', 'contact_edit' and/or 'contact_delete' to determine + the type of access granted. $DOC$ ); SELECT lsmb__create_role('contact_class_customer', $DOC$ This role allows access to customer contact data. - Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + Combine with 'contact_read', 'contact_create', 'contact_edit' and/or 'contact_delete' to determine + the type of access granted. $DOC$ ); SELECT lsmb__create_role('contact_class_employee', $DOC$ This role allows access to employee contact data. - Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + Combine with 'contact_read', 'contact_create', 'contact_edit' and/or 'contact_delete' to determine + the type of access granted. $DOC$ ); SELECT lsmb__create_role('contact_class_contact', $DOC$ This role allows access to contact data (e-mail, phone, etc) of all kinds of contacts (customer/vendor/...). - Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + Combine with 'contact_read', 'contact_create', 'contact_edit' and/or 'contact_delete' to determine + the type of access granted. $DOC$ ); SELECT lsmb__create_role('contact_class_referral', $DOC$ This role allows access to referral contact data. - Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + Combine with 'contact_read', 'contact_create', 'contact_edit' and/or 'contact_delete' to determine + the type of access granted. $DOC$ ); SELECT lsmb__create_role('contact_class_lead', $DOC$ This role allows access to sales lead contact data. - Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + Combine with 'contact_read', 'contact_create', 'contact_edit' and/or 'contact_delete' to determine + the type of access granted. $DOC$ ); SELECT lsmb__create_role('contact_class_hot_lead', $DOC$ This role allows access to hot sales lead contact data. - Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + Combine with 'contact_read', 'contact_create', 'contact_edit' and/or 'contact_delete' to determine + the type of access granted. $DOC$ ); SELECT lsmb__create_role('contact_class_cold_lead', $DOC$ This role allows access to cold sales lead contact data. - Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + Combine with 'contact_read', 'contact_create', 'contact_edit' and/or 'contact_delete' to determine + the type of access granted. $DOC$ ); SELECT lsmb__create_role('contact_class_sub_contractor', $DOC$ This role allows access to subcontractor contact data. - Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + Combine with 'contact_read', 'contact_create', 'contact_edit' and/or 'contact_delete' to determine + the type of access granted. $DOC$ ); SELECT lsmb__create_role('contact_class_robot', $DOC$ This role allows access to robot (automated process, acting on behalf of...) contact data. - Combine with 'contact_read', 'contact_create', 'contact_edit' to determine the type of access granted. + Combine with 'contact_read', 'contact_create', 'contact_edit' and/or 'contact_delete' to determine + the type of access granted. $DOC$ ); SELECT lsmb__create_role('contact_create', $DOC$ - This role allows creation of new contacts. + When paired with one or more 'contact_class_*' role/-s, this role allows + creation of new entities, persons and companies (contacts). - Combine this role with one or more 'contact_class_*' roles to be able to access - contacts of the specific class. By itself, this role does not provide sufficient rights. + Each contact_class_ role, when paired with contact_read, enables + this access for the specific . On it's own, the contact_create-role + does not provide any rights. $DOC$ ); SELECT lsmb__grant_role('contact_create', 'contact_read'); @@ -543,10 +557,12 @@ GRANT select ON employees TO public; SELECT lsmb__create_role('contact_edit', $DOC$ - This role allows editing of existing contacts and creation of new ones. + When paired with one or more 'contact_class_*' role/-s, this role allows + editing of existing entities, persons and companies (contacts). - Combine this role with one or more 'contact_class_*' roles to be able to access - contacts of the specific class. By itself, this role does not provide sufficient rights. + Each contact_class_ role, when paired with contact_read, enables + this access for the specific . On it's own, the contact_edit-role + does not provide any rights. $DOC$ ); SELECT lsmb__grant_role('contact_edit', 'contact_read'); @@ -569,10 +585,15 @@ SELECT lsmb__grant_perms('contact_edit', 'eca_tax', 'ALL'); SELECT lsmb__create_role('contact_delete', $DOC$ - This role allows removal of existing contacts. + When paired with one or more 'contact_class_*' role/-s, this role allows + removal of existing entities, persons and companies (contacts). - Combine this role with one or more 'contact_class_*' roles to be able to access - contacts of the specific class. By itself, this role does not provide sufficient rights. + Note that in order to be able to search for contacts to be deleted, the user + needs to be assigned the 'contact_read' role. + + Each contact_class_ role, when paired with contact_read, enables + this access for the specific . On it's own, the contact_delete-role + does not provide any rights. $DOC$ ); SELECT lsmb__grant_perms('contact_delete', obj, 'DELETE') From bcd010505279a0a9e37e15caa89e5c7f56089327 Mon Sep 17 00:00:00 2001 From: Erik Huelsmann Date: Fri, 12 May 2023 22:20:23 +0200 Subject: [PATCH 04/10] Document more roles --- sql/modules/Roles.sql | 105 ++++++++++++++++++++++++++++++++++-------- 1 file changed, 87 insertions(+), 18 deletions(-) diff --git a/sql/modules/Roles.sql b/sql/modules/Roles.sql index 02ccb46d2d4..349cc792366 100644 --- a/sql/modules/Roles.sql +++ b/sql/modules/Roles.sql @@ -665,7 +665,11 @@ SELECT lsmb__grant_menu('draft_post', 210, 'allow'); \echo AR -SELECT lsmb__create_role('ar_transaction_create'); +SELECT lsmb__create_role('ar_transaction_create', + $DOC$ + This role allows creation of new sales transactions (not nvoices). + $DOC$ +); SELECT lsmb__grant_role('ar_transaction_create', 'contact_read'); SELECT lsmb__grant_role('ar_transaction_create', 'exchangerate_edit'); SELECT lsmb__grant_perms('ar_transaction_create', 'ar', 'INSERT'); @@ -678,7 +682,7 @@ SELECT lsmb__grant_perms('ar_transaction_create', 'eca_invoice', 'SELECT'); SELECT lsmb__grant_perms('ar_transaction_create', 'journal_line', 'INSERT'); SELECT lsmb__grant_perms('ar_transaction_create', 'journal_line', 'SELECT'); SELECT lsmb__grant_perms('ar_transaction_create', 'business_unit_jl', 'INSERT'); -SELECT lsmb__grant_perms('ar_transaction_create', 'oe', 'SELECT'); +SELECT lsmb__grant_perms('ar_transaction_create', 'oe', 'SELECT'); --@@TODO: Why?? SELECT lsmb__grant_perms('ar_transaction_create', 'id', 'ALL'); SELECT lsmb__grant_perms('ar_transaction_create', 'acc_trans', 'INSERT'); SELECT lsmb__grant_perms('ar_transaction_create', 'acc_trans_entry_id_seq', 'ALL'); @@ -688,7 +692,11 @@ SELECT lsmb__grant_menu('ar_transaction_create', 2, 'allow'); SELECT lsmb__grant_menu('ar_transaction_create', 129, 'allow'); SELECT lsmb__grant_menu('ar_transaction_create', 194, 'allow'); -SELECT lsmb__create_role('ar_transaction_create_voucher'); +SELECT lsmb__create_role('ar_transaction_create_voucher', + $DOC$ + This role allows creation of batches of new sales transactions (not invoices). + $DOC$ +); SELECT lsmb__grant_role('ar_transaction_create_voucher', 'contact_read'); SELECT lsmb__grant_role('ar_transaction_create_voucher', 'batch_create'); SELECT lsmb__grant_perms('ar_transaction_create_voucher', 'ar', 'INSERT'); @@ -705,9 +713,13 @@ SELECT lsmb__grant_menu('ar_transaction_create_voucher',20,'allow'); SELECT lsmb__grant_menu('ar_transaction_create_voucher',11,'allow'); SELECT lsmb__grant_menu('ar_transaction_create_voucher',244,'allow'); -SELECT lsmb__create_role('ar_invoice_create'); +SELECT lsmb__create_role('ar_invoice_create', + $DOC$ + This role allows creation of new sales invoices (not sales transactions). + $DOC$ +); SELECT lsmb__grant_role('ar_invoice_create', 'ar_transaction_create'); --- ### old code needs update +-- ### old code needs UPDATE SELECT lsmb__grant_perms('ar_invoice_create', tname, ptype) FROM unnest('{invoice,new_shipto,business_unit_inv}'::text[]) tname CROSS JOIN unnest('{SELECT,INSERT,UPDATE}'::text[]) ptype; @@ -715,7 +727,11 @@ SELECT lsmb__grant_perms('ar_invoice_create', tname, ptype) SELECT lsmb__grant_menu('ar_invoice_create', 3, 'allow'); SELECT lsmb__grant_menu('ar_invoice_create', 195, 'allow'); -SELECT lsmb__create_role('ar_invoice_create_voucher'); +SELECT lsmb__create_role('ar_invoice_create_voucher', + $DOC$ + This role allows creation of batches of new sales invoices (not sales transactions). + $DOC$ +); SELECT lsmb__grant_role('ar_invoice_create_voucher', 'contact_read'); SELECT lsmb__grant_role('ar_invoice_create_voucher', 'batch_create'); SELECT lsmb__grant_role('ar_invoice_create_voucher', 'ar_transaction_create_voucher'); @@ -725,7 +741,11 @@ SELECT lsmb__grant_perms('ar_invoice_create_voucher', 'invoice_id_seq', 'ALL'); SELECT lsmb__grant_perms('ar_invoice_create_voucher', 'warehouse_inventory_entry_id_seq', 'ALL'); -- TODO add Menu ACLs -SELECT lsmb__create_role('ar_transaction_list'); +SELECT lsmb__create_role('ar_transaction_list', + $DOC$ + This role allows viewing of sales transactions and invoices. + $DOC$ +); SELECT lsmb__grant_role('ar_transaction_list', 'contact_read'); SELECT lsmb__grant_role('ar_transaction_list', 'file_read'); SELECT lsmb__grant_perms('ar_transaction_list', tname, 'SELECT') @@ -738,16 +758,28 @@ SELECT lsmb__grant_perms('ar_transaction_list', tname, 'SELECT') SELECT lsmb__grant_menu('ar_transaction_list', node_id, 'allow') FROM unnest( array[5,7,9,10,15]) node_id; -SELECT lsmb__create_role('ar_voucher_all'); +SELECT lsmb__create_role('ar_voucher_all', + $DOC$ + This role allows creation of batches of both sales transactions and invoices. + $DOC$ +); SELECT lsmb__grant_role('ar_voucher_all', 'ar_transaction_create_voucher'); SELECT lsmb__grant_role('ar_voucher_all', 'ar_invoice_create_voucher'); -SELECT lsmb__create_role('ar_transaction_all'); +SELECT lsmb__create_role('ar_transaction_all', + $DOC$ + This role allows creating and viewing sales transactions and accounts as well as creating attachments. + $DOC$ +); SELECT lsmb__grant_role('ar_transaction_all', rname) FROM unnest(ARRAY['ar_transaction_create'::text, 'ar_invoice_create', 'ar_transaction_list', 'file_attach_tx']) rname; -SELECT lsmb__create_role('sales_order_create'); +SELECT lsmb__create_role('sales_order_create', + $DOC$ + This role allows creating sales orders. + $DOC$ +); SELECT lsmb__grant_role('sales_order_create', 'contact_read'); SELECT lsmb__grant_role('sales_order_create', 'exchangerate_edit'); SELECT lsmb__grant_perms('sales_order_create', obj, 'ALL') @@ -761,15 +793,36 @@ SELECT lsmb__grant_perms('sales_order_create', 'business_unit_oitem', 'UPDATE'); SELECT lsmb__grant_perms('sales_order_create', 'new_shipto_id_seq', 'ALL'); SELECT lsmb__grant_menu('sales_order_create', '51', 'allow'); -SELECT lsmb__create_role('sales_order_edit'); +SELECT lsmb__create_role('sales_order_edit', + $DOC$ + This role allows (searching for and) modifying existing sales orders. + $DOC$ +); SELECT lsmb__grant_perms('sales_order_edit', 'orderitems', 'DELETE'); SELECT lsmb__grant_perms('sales_order_edit', 'business_unit_oitem', 'DELETE'); SELECT lsmb__grant_perms('sales_order_edit', 'new_shipto', 'DELETE'); SELECT lsmb__grant_perms('sales_order_edit', 'new_shipto_id_seq', 'ALL'); -SELECT lsmb__create_role(dt || '_delete') - FROM unnest(array['sales_order'::text, 'sales_quotation', 'purchase_order', - 'rfq']) dt; +SELECT lsmb__create_role('sales_order_delete', + $DOC$ + This role allows (searching for and) deleting existing sales orders. + $DOC$ +); +SELECT lsmb__create_role('sales_quotation_delete', + $DOC$ + This role allows (searching for and) deleting existing sales quotations. + $DOC$ +); +SELECT lsmb__create_role('purchase_order_delete', + $DOC$ + This role allows (searching for and) deleting existing purchase orders. + $DOC$ +); +SELECT lsmb__create_role('rfq_delete', + $DOC$ + This role allows (searching for and) deleting existing requests for quotation. + $DOC$ +); SELECT lsmb__grant_perms(dt || '_delete', obj, 'DELETE') FROM unnest(ARRAY['oe'::TEXT, 'orderitems', 'business_unit_oitem', 'new_shipto']) obj @@ -777,7 +830,11 @@ SELECT lsmb__grant_perms(dt || '_delete', obj, 'DELETE') JOIN unnest(array['sales_order'::text, 'sales_quotation', 'purchase_order', 'rfq']) dt; -SELECT lsmb__create_role('sales_quotation_create'); +SELECT lsmb__create_role('sales_quotation_create', + $DOC$ + This role allows creating sales quotations. + $DOC$ +); SELECT lsmb__grant_role('sales_quotation_create', 'contact_read'); SELECT lsmb__grant_role('sales_quotation_create', 'exchangerate_edit'); SELECT lsmb__grant_perms('sales_quotation_create', obj, 'ALL') @@ -790,7 +847,11 @@ SELECT lsmb__grant_perms('sales_quotation_create', 'new_shipto_id_seq', 'ALL'); SELECT lsmb__grant_menu('sales_quotation_create', 68, 'allow'); -SELECT lsmb__create_role('sales_order_list'); +SELECT lsmb__create_role('sales_order_list', + $DOC$ + This role allows searching and viewing sales orders. + $DOC$ +); SELECT lsmb__grant_role('sales_order_list', 'contact_read'); SELECT lsmb__grant_role('sales_order_list', 'file_read'); SELECT lsmb__grant_perms('sales_order_list', obj, 'SELECT') @@ -798,7 +859,11 @@ SELECT lsmb__grant_perms('sales_order_list', obj, 'SELECT') SELECT lsmb__grant_menu('sales_order_list', 54, 'allow'); -SELECT lsmb__create_role('sales_quotation_list'); +SELECT lsmb__create_role('sales_quotation_list', + $DOC$ + This role allows searching and viewing sales quotations. + $DOC$ +); SELECT lsmb__grant_role('sales_quotation_list', 'contact_read'); SELECT lsmb__grant_role('sales_quotation_list', 'file_read'); SELECT lsmb__grant_perms('sales_quotation_list', obj, 'SELECT') @@ -806,7 +871,11 @@ SELECT lsmb__grant_perms('sales_quotation_list', obj, 'SELECT') SELECT lsmb__grant_menu('sales_quotation_list', 71, 'allow'); -SELECT lsmb__create_role('ar_all'); +SELECT lsmb__create_role('ar_all', + $DOC$ + This role combines all (batches of) sales transaction and invoices permissions. + $DOC$ +); SELECT lsmb__grant_role('ar_all', rname) FROM unnest(array['ar_voucher_all'::text, 'ar_transaction_all', 'file_attach_tx']) rname; From e3777b4932cf2331bc1e70ba0288ac185356c873 Mon Sep 17 00:00:00 2001 From: Erik Huelsmann Date: Sun, 14 May 2023 13:53:26 +0200 Subject: [PATCH 05/10] Resolve role naming unclarity Closes #7376 --- lib/LedgerSMB/Admin/Command/user.pm | 4 +-- .../1.11/ar-ap-role-naming-consistency.sql | 26 +++++++++++++++++++ sql/changes/LOADORDER | 1 + sql/modules/Roles.sql | 15 ++++------- 4 files changed, 34 insertions(+), 12 deletions(-) create mode 100644 sql/changes/1.11/ar-ap-role-naming-consistency.sql diff --git a/lib/LedgerSMB/Admin/Command/user.pm b/lib/LedgerSMB/Admin/Command/user.pm index 19aab20be36..55459724168 100644 --- a/lib/LedgerSMB/Admin/Command/user.pm +++ b/lib/LedgerSMB/Admin/Command/user.pm @@ -555,7 +555,7 @@ Permission(s) to affect to the user. Permission can be C or a comma separated list of the following roles: C C C C C -C C C C C +C C C C C C C C C C C C C C C C C @@ -579,7 +579,7 @@ C C C C C C C C C C C C C C C C C C C -C C C C +C C C C =item ssn C diff --git a/sql/changes/1.11/ar-ap-role-naming-consistency.sql b/sql/changes/1.11/ar-ap-role-naming-consistency.sql new file mode 100644 index 00000000000..c5c18471da8 --- /dev/null +++ b/sql/changes/1.11/ar-ap-role-naming-consistency.sql @@ -0,0 +1,26 @@ + +-- Define a function which will be dropped after the session ends +CREATE FUNCTION pg_temp.lsmb__role(global_role text) RETURNS text + LANGUAGE SQL STABLE AS + $$ select coalesce((select value + from defaults + where setting_key = 'role_prefix'), + 'lsmb_' || current_database() || '__') || global_role; $$; + + DO $$ + DECLARE + t_rolename text; +BEGIN + select pg_temp.lsmb__role('ap_all_vouchers') into t_rolename; + perform * from pg_roles where rolname = t_rolename; + if found then + execute 'alter role ' || quote_ident(t_rolename) || ' rename to ' || quote_ident(pg_temp.lsmb__role('ap_voucher_all')); + end if; + + -- drop a role which doesn't have an AR equivalent and from its naming + -- is at least confusing... + select pg_temp.lsmb__role('ap_all_transactions') into t_rolename; + execute 'drop role if exists ' || quote_ident(t_rolename); +END; +$$ language plpgsql; + diff --git a/sql/changes/LOADORDER b/sql/changes/LOADORDER index 39bbb4e8dd2..7094dbfe0a9 100644 --- a/sql/changes/LOADORDER +++ b/sql/changes/LOADORDER @@ -178,3 +178,4 @@ mc/delete-migration-validation-data.sql 1.11/reversed-transactions.sql 1.11/negative-assets-liablilities-reclass.sql 1.11/rm-aa-entity_id.sql +1.11/ar-ap-role-naming-consistency.sql diff --git a/sql/modules/Roles.sql b/sql/modules/Roles.sql index 349cc792366..76e7feeec32 100644 --- a/sql/modules/Roles.sql +++ b/sql/modules/Roles.sql @@ -950,14 +950,9 @@ SELECT lsmb__grant_perms('ap_transaction_list', obj, 'SELECT') SELECT lsmb__grant_menu('ap_transaction_list', node_id, 'allow') FROM unnest(array[25,29,34]) node_id; -SELECT lsmb__create_role('ap_all_vouchers'); -SELECT lsmb__grant_role('ap_all_vouchers', 'ap_transaction_create_voucher'); -SELECT lsmb__grant_role('ap_all_vouchers', 'ap_invoice_create_voucher'); - -SELECT lsmb__create_role('ap_all_transactions'); -SELECT lsmb__grant_role('ap_all_transactions', 'ap_transaction_create'); -SELECT lsmb__grant_role('ap_all_transactions', 'ap_invoice_create'); -SELECT lsmb__grant_role('ap_all_transactions', 'ap_transaction_list'); +SELECT lsmb__create_role('ap_voucher_all'); +SELECT lsmb__grant_role('ap_voucher_all', 'ap_transaction_create_voucher'); +SELECT lsmb__grant_role('ap_voucher_all', 'ap_invoice_create_voucher'); SELECT lsmb__create_role('ap_transaction_all'); SELECT lsmb__grant_role('ap_transaction_all', rname) @@ -1008,8 +1003,8 @@ SELECT lsmb__grant_perms('rfq_list', obj, 'SELECT') SELECT lsmb__create_role('ap_all'); SELECT lsmb__grant_role('ap_all', rname) - FROM unnest(array['ap_all_vouchers'::text, 'file_attach_tx', - 'ap_all_transactions']) rname; + FROM unnest(array['ap_voucher_all'::text, 'ap_transaction_all', + 'file_attach_tx']) rname; \echo CASH From 8e288c6b6a2e6429aa4736f9333ec01ddf023e60 Mon Sep 17 00:00:00 2001 From: Erik Huelsmann Date: Mon, 15 May 2023 22:40:57 +0200 Subject: [PATCH 06/10] Add AP and reconciliation related role documentation --- sql/modules/Roles.sql | 96 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 80 insertions(+), 16 deletions(-) diff --git a/sql/modules/Roles.sql b/sql/modules/Roles.sql index 76e7feeec32..d64d9fd0908 100644 --- a/sql/modules/Roles.sql +++ b/sql/modules/Roles.sql @@ -881,7 +881,11 @@ SELECT lsmb__grant_role('ar_all', rname) 'file_attach_tx']) rname; \echo AP -SELECT lsmb__create_role('ap_transaction_create'); +SELECT lsmb__create_role('ap_transaction_create', + $DOC$ + This role allows creation of purchase transactions (not invoices). + $DOC$ +); SELECT lsmb__grant_role('ap_transaction_create', 'contact_read'); SELECT lsmb__grant_role('ap_transaction_create', 'exchangerate_edit'); SELECT lsmb__grant_perms('ap_transaction_create', obj, ptype) @@ -899,7 +903,11 @@ SELECT lsmb__grant_perms('ap_transaction_create', 'oe', 'SELECT'); SELECT lsmb__grant_menu('ap_transaction_create', node_id, 'allow') FROM unnest(array[13,22,196]) node_id; -SELECT lsmb__create_role('ap_transaction_create_voucher'); +SELECT lsmb__create_role('ap_transaction_create_voucher', + $DOC$ + This role allows creation of batches of new purchase transactions (not invoices). + $DOC$ +); SELECT lsmb__grant_role('ap_transaction_create_voucher', 'contact_read'); SELECT lsmb__grant_role('ap_transaction_create_voucher', 'batch_create'); SELECT lsmb__grant_perms('ap_transaction_create_voucher', 'oe', 'SELECT'); @@ -921,7 +929,11 @@ SELECT lsmb__grant_perms('ap_transaction_create_voucher', obj, 'ALL') SELECT lsmb__grant_menu('ap_transaction_create_voucher', node_id, 'allow') FROM unnest(array[199, 243, 39]) node_id; -SELECT lsmb__create_role('ap_invoice_create'); +SELECT lsmb__create_role('ap_invoice_create', + $DOC$ + This role allows creation of new purchase invoices (not purchase transactions). + $DOC$ +); SELECT lsmb__grant_role('ap_invoice_create', 'ap_transaction_create'); SELECT lsmb__grant_perms('ap_invoice_create', obj, 'INSERT') FROM unnest(array['invoice'::text, 'business_unit_inv', 'warehouse_inventory', @@ -932,7 +944,11 @@ SELECT lsmb__grant_perms('ap_invoice_create', obj, 'ALL') SELECT lsmb__grant_menu('ap_invoice_create', node_id, 'allow') FROM unnest(array[23,197]) node_id; -SELECT lsmb__create_role('ap_invoice_create_voucher'); +SELECT lsmb__create_role('ap_invoice_create_voucher', + $DOC$ + This role allows creation of batches of new purchase invoices (not purchase transactions). + $DOC$ +); SELECT lsmb__grant_role('ap_invoice_create_voucher', 'contact_read'); SELECT lsmb__grant_role('ap_invoice_create_voucher', 'batch_create'); SELECT lsmb__grant_perms('ap_invoice_create_voucher', 'invoice', 'INSERT'); @@ -941,7 +957,11 @@ SELECT lsmb__grant_perms('ap_invoice_create_voucher', 'invoice_id_seq', 'ALL'); SELECT lsmb__grant_perms('ap_invoice_create_voucher', 'warehouse_inventory_entry_id_seq', 'ALL'); -- TODO add Menu ACLs -SELECT lsmb__create_role('ap_transaction_list'); +SELECT lsmb__create_role('ap_transaction_list', + $DOC$ + This role allows viewing of purchase transactions and invoices. + $DOC$ +); SELECT lsmb__grant_role('ap_transaction_list', 'contact_read'); SELECT lsmb__grant_role('ap_transaction_list', 'file_read'); SELECT lsmb__grant_perms('ap_transaction_list', obj, 'SELECT') @@ -950,17 +970,29 @@ SELECT lsmb__grant_perms('ap_transaction_list', obj, 'SELECT') SELECT lsmb__grant_menu('ap_transaction_list', node_id, 'allow') FROM unnest(array[25,29,34]) node_id; -SELECT lsmb__create_role('ap_voucher_all'); +SELECT lsmb__create_role('ap_voucher_all', + $DOC$ + This role allows creation of batches of both purchase transactions and invoices. + $DOC$ +); SELECT lsmb__grant_role('ap_voucher_all', 'ap_transaction_create_voucher'); SELECT lsmb__grant_role('ap_voucher_all', 'ap_invoice_create_voucher'); -SELECT lsmb__create_role('ap_transaction_all'); +SELECT lsmb__create_role('ap_transaction_all', + $DOC$ + This role allows creating and viewing purchase transactions and accounts as well as creating attachments. + $DOC$ +); SELECT lsmb__grant_role('ap_transaction_all', rname) FROM unnest(array['ap_transaction_create'::text, 'ap_invoice_create', 'ap_transaction_list', 'file_attach_tx', 'exchangerate_edit' ]) rname; -SELECT lsmb__create_role('purchase_order_create'); +SELECT lsmb__create_role('purchase_order_create', + $DOC$ + This role allows creating purchase orders. + $DOC$ +); SELECT lsmb__grant_role('purchase_order_create', 'contact_read'); SELECT lsmb__grant_perms('purchase_order_create', obj, ptype) FROM unnest(array['oe'::text, 'orderitems', 'business_unit_oitem']) obj @@ -972,13 +1004,21 @@ SELECT lsmb__grant_perms('purchase_order_create', obj, 'ALL') SELECT lsmb__grant_perms('purchase_order_create', 'new_shipto_id_seq', 'ALL'); SELECT lsmb__grant_menu('purchase_order_create', 52, 'allow'); -SELECT lsmb__create_role('purchase_order_edit'); +SELECT lsmb__create_role('purchase_order_edit', + $DOC$ + This role allows (searching for and) modifying existing purchase orders. + $DOC$ +); SELECT lsmb__grant_perms('purchase_order_edit', obj, 'DELETE') FROM unnest(array['oe'::text, 'orderitems', 'business_unit_oitem', 'new_shipto']) obj; SELECT lsmb__grant_perms('purchase_order_edit', 'new_shipto_id_seq', 'ALL'); -SELECT lsmb__create_role('rfq_create'); +SELECT lsmb__create_role('rfq_create', + $DOC$ + This role allows creating (purchase) requests for quotation. + $DOC$ +); SELECT lsmb__grant_role('rfq_create', 'contact_read'); SELECT lsmb__grant_role('rfq_create', 'exchangerate_edit'); SELECT lsmb__grant_menu('rfq_create', 69, 'allow'); @@ -989,26 +1029,42 @@ SELECT lsmb__grant_perms('rfq_create', obj, ptype) unnest(array['INSERT'::text, 'UPDATE']) ptype; SELECT lsmb__grant_perms('rfq_create', 'new_shipto_id_seq', 'ALL'); -SELECT lsmb__create_role('purchase_order_list'); +SELECT lsmb__create_role('purchase_order_list', + $DOC$ + This role allows searching and viewing sales orders. + $DOC$ +); SELECT lsmb__grant_role('purchase_order_list', 'contact_read'); SELECT lsmb__grant_menu('purchase_order_list', 55, 'allow'); SELECT lsmb__grant_perms('purchase_order_list', obj, 'SELECT') FROM unnest(array['oe'::text, 'orderitems', 'business_unit_oitem']) obj; -SELECT lsmb__create_role('rfq_list'); +SELECT lsmb__create_role('rfq_list', + $DOC$ + This role allows searching and viewing (purchase) requests for quotation. + $DOC$ +); SELECT lsmb__grant_role('rfq_list', 'contact_read'); SELECT lsmb__grant_menu('rfq_list', 72, 'allow'); SELECT lsmb__grant_perms('rfq_list', obj, 'SELECT') FROM unnest(array['oe'::text, 'orderitems', 'business_unit_oitem']) obj; -SELECT lsmb__create_role('ap_all'); +SELECT lsmb__create_role('ap_all', + $DOC$ + This role combines all (batches of) purchase transaction and invoices permissions. + $DOC$ +); SELECT lsmb__grant_role('ap_all', rname) FROM unnest(array['ap_voucher_all'::text, 'ap_transaction_all', 'file_attach_tx']) rname; \echo CASH -SELECT lsmb__create_role('reconciliation_enter'); +SELECT lsmb__create_role('reconciliation_enter', + $DOC$ + This role allows creation and updating of reconciliation reports. + $DOC$ +); SELECT lsmb__grant_perms('reconciliation_enter', 'recon_payee', 'SELECT'); SELECT lsmb__grant_perms('reconciliation_enter', 'cr_report', ptype) FROM unnest(array['SELECT'::text, 'INSERT', 'UPDATE']) ptype; @@ -1026,7 +1082,11 @@ SELECT lsmb__grant_perms('reconciliation_enter', obj, 'ALL') SELECT lsmb__grant_menu('reconciliation_enter', 45, 'allow'); -SELECT lsmb__create_role('reconciliation_approve'); +SELECT lsmb__create_role('reconciliation_approve', + $DOC$ + This role allows approval of reconciliation reports. + $DOC$ +); SELECT lsmb__grant_perms('reconciliation_approve', obj, 'DELETE') FROM unnest(array['cr_report_line'::text, 'cr_report_line_links']) obj; SELECT lsmb__grant_perms('reconciliation_approve', 'cr_report', 'UPDATE'); @@ -1045,7 +1105,11 @@ SELECT lsmb__grant_exec('reconciliation_approve', 'reconciliation__delete_unappr GRANT EXECUTE ON FUNCTION reconciliation__delete_my_report(in_report_id int) TO PUBLIC; -SELECT lsmb__create_role('reconciliation_all'); +SELECT lsmb__create_role('reconciliation_all', + $DOC$ + This role combines creation, updating and approval rights for reconciliation reports. + $DOC$ +); SELECT lsmb__grant_role('reconciliation_all', 'reconciliation_approve'); SELECT lsmb__grant_role('reconciliation_all', 'reconciliation_enter'); From 9164b4e52056a81da1627e197a7c806582e55be6 Mon Sep 17 00:00:00 2001 From: Erik Huelsmann Date: Fri, 19 May 2023 23:04:33 +0200 Subject: [PATCH 07/10] Add more role descriptions --- sql/modules/Roles.sql | 57 ++++++++++++++++++++++++++++++++++++------- 1 file changed, 48 insertions(+), 9 deletions(-) diff --git a/sql/modules/Roles.sql b/sql/modules/Roles.sql index d64d9fd0908..078055ff225 100644 --- a/sql/modules/Roles.sql +++ b/sql/modules/Roles.sql @@ -1113,7 +1113,11 @@ SELECT lsmb__create_role('reconciliation_all', SELECT lsmb__grant_role('reconciliation_all', 'reconciliation_approve'); SELECT lsmb__grant_role('reconciliation_all', 'reconciliation_enter'); -SELECT lsmb__create_role('payment_process'); +SELECT lsmb__create_role('payment_process', + $DOC$ + This role allows entry of payments to vendors. + $DOC$ +); SELECT lsmb__grant_role('payment_process', 'ap_transaction_list'); SELECT lsmb__grant_role('payment_process', 'exchangerate_edit'); SELECT lsmb__grant_menu('payment_process', node_id, 'allow') @@ -1128,7 +1132,11 @@ SELECT lsmb__grant_perms('payment_process', obj, ptype) FROM unnest(array['payment_links'::text, 'overpayments', 'acc_trans']) obj, unnest(array['SELECT'::text, 'INSERT']) ptype; -SELECT lsmb__create_role('receipt_process'); +SELECT lsmb__create_role('receipt_process', + $DOC$ + This role allows entry of receipts from customers. + $DOC$ +); SELECT lsmb__grant_role('receipt_process', 'ap_transaction_list'); SELECT lsmb__grant_role('receipt_process', 'exchangerate_edit'); SELECT lsmb__grant_menu('receipt_process', node_id, 'allow') @@ -1143,14 +1151,25 @@ SELECT lsmb__grant_perms('receipt_process', obj, ptype) FROM unnest(array['payment_links'::text, 'overpayments', 'acc_trans']) obj, unnest(array['SELECT'::text, 'INSERT']) ptype; -SELECT lsmb__create_role('cash_all'); +SELECT lsmb__create_role('cash_all', + $DOC$ + This role combines the all reconciliation rights with the rights to enter payments and receipts. + $DOC$ +); SELECT lsmb__grant_role('cash_all', rname) FROM unnest(array['reconciliation_all'::text, 'payment_process', 'receipt_process']) rname; \echo INVENTORY CONTROL -SELECT lsmb__create_role('part_create'); +SELECT lsmb__create_role('part_create', + $DOC$ + This role allows creation of new parts. + + So as to let the user of this role see/manage pricing per customer, this role includes + the ability to read contacts. + $DOC$ +); SELECT lsmb__grant_role('part_create', 'contact_read'); SELECT lsmb__grant_menu('part_create', node_id, 'allow') FROM unnest(array[78,79,80,81,82,259,260,261]) node_id; @@ -1164,7 +1183,11 @@ SELECT lsmb__grant_perms('part_create', obj, 'INSERT') FROM unnest(array['parts'::text, 'makemodel', 'partsgroup', 'assembly', 'partstax']) obj; -SELECT lsmb__create_role('part_edit'); +SELECT lsmb__create_role('part_edit', + $DOC$ + This role allows changing existing parts. + $DOC$ +); SELECT lsmb__grant_role('part_edit', 'file_read'); SELECT lsmb__grant_menu('part_edit', node_id, 'allow') FROM unnest(array[86,91]) node_id; @@ -1182,11 +1205,19 @@ SELECT lsmb__grant_perms('part_edit', obj, 'SELECT') FROM unnest(array['assembly'::text, 'orderitems', 'jcitems', 'invoice', 'business_unit_oitem']) obj; -SELECT lsmb__create_role('part_delete'); +SELECT lsmb__create_role('part_delete', + $DOC$ + This role allows deletion of existing parts. + $DOC$ +); SELECT lsmb__grant_perms('part_delete', obj, 'DELETE') FROM unnest(array['parts'::text, 'partsgroup', 'assembly']) obj; -SELECT lsmb__create_role('inventory_reports'); +SELECT lsmb__create_role('inventory_reports', + $DOC$ + This role allows searching for and reading existing inventory adjustment reports. + $DOC$ +); SELECT lsmb__grant_perms('inventory_reports', obj, 'SELECT') FROM unnest(array['ar'::text, 'ap', 'warehouse_inventory', 'invoice', 'acc_trans']) obj; @@ -1194,7 +1225,11 @@ SELECT lsmb__grant_perms('inventory_reports', obj, 'SELECT') SELECT lsmb__grant_menu('inventory_reports', 114, 'allow'); SELECT lsmb__grant_menu('inventory_reports', 75, 'allow'); -SELECT lsmb__create_role('inventory_adjust'); +SELECT lsmb__create_role('inventory_adjust', + $DOC$ + This role allows adjusting inventory by creating inventory adjustment reports. + $DOC$ +); SELECT lsmb__grant_perms('inventory_adjust', obj, 'SELECT') FROM unnest(array['parts'::text, 'ar', 'ap', 'invoice']) obj; @@ -1207,7 +1242,11 @@ SELECT lsmb__grant_perms('inventory_adjust', obj, 'ALL') SELECT lsmb__grant_menu('inventory_adjust', node_id, 'allow') FROM unnest(array[6,16]) node_id; -SELECT lsmb__create_role('inventory_approve'); +SELECT lsmb__create_role('inventory_approve', + $DOC$ + This role allows confirmation of inventory adjustments by approval of inventory adjustment reports. + $DOC$ +); SELECT lsmb__grant_menu('inventory_approve', 59, 'allow'); SELECT lsmb__grant_role('inventory_approve', 'ar_invoice_create'); SELECT lsmb__grant_role('inventory_approve', 'ap_invoice_create'); From 458016da21db374bb3b61d3549a21cd0032a4333 Mon Sep 17 00:00:00 2001 From: Erik Huelsmann Date: Sat, 20 May 2023 21:58:01 +0200 Subject: [PATCH 08/10] Add more role documentation --- sql/modules/Roles.sql | 103 +++++++++++++++++++++++++++++++++--------- 1 file changed, 81 insertions(+), 22 deletions(-) diff --git a/sql/modules/Roles.sql b/sql/modules/Roles.sql index 078055ff225..56ffbe0f0c5 100644 --- a/sql/modules/Roles.sql +++ b/sql/modules/Roles.sql @@ -1254,20 +1254,38 @@ SELECT lsmb__grant_perms('inventory_adjust', obj, 'SELECT') FROM unnest(array['inventory_report'::text, 'inventory_report_line']) obj; SELECT lsmb__grant_perms('inventory_adjust', 'inventory_report', 'UPDATE'); -SELECT lsmb__create_role('pricegroup_create'); +SELECT lsmb__create_role('pricegroup_create', + $DOC$ + This role allows creation of new price groups. + $DOC$ +); +--@@@BUG? Why read contacts?? SELECT lsmb__grant_role('pricegroup_create', 'contact_read'); SELECT lsmb__grant_menu('pricegroup_create', 83, 'allow'); SELECT lsmb__grant_perms('pricegroup_create', 'pricegroup', 'INSERT'); SELECT lsmb__grant_perms('pricegroup_create', 'pricegroup_id_seq', 'ALL'); +--@@@BUG? Why update entity_credit_accounts?? SELECT lsmb__grant_perms('pricegroup_create', 'entity_credit_account', 'UPDATE'); -SELECT lsmb__create_role('pricegroup_edit'); +SELECT lsmb__create_role('pricegroup_edit', + $DOC$ + This role allows changing existing price groups. + $DOC$ +); +--@@@BUG? Why read contacts?? SELECT lsmb__grant_role('pricegroup_edit', 'contact_read'); SELECT lsmb__grant_menu('pricegroup_edit', 83, 'allow'); SELECT lsmb__grant_perms('pricegroup_edit', 'pricegroup', 'UPDATE'); +--@@@BUG? Why update entity_credit_accounts?? SELECT lsmb__grant_perms('pricegroup_edit', 'entity_credit_account', 'UPDATE'); -SELECT lsmb__create_role('assembly_stock'); +SELECT lsmb__create_role('assembly_stock', + $DOC$ + This role allows triggering a stocking action on assemblies. + + Stocking assemblies means converting labor and parts to stocked assemblies. + $DOC$ +); SELECT lsmb__grant_perms('assembly_stock', 'parts', 'UPDATE'); SELECT lsmb__grant_perms('assembly_stock', t_name, perm) @@ -1282,33 +1300,57 @@ SELECT lsmb__grant_perms('assembly_stock', t_name, perm) SELECT lsmb__grant_menu('assembly_stock', 84, 'allow'); -SELECT lsmb__create_role('inventory_ship'); +SELECT lsmb__create_role('inventory_ship', + $DOC$ + This role allows shipping of stocked parts. + $DOC$ +); SELECT lsmb__grant_role('inventory_ship', 'sales_order_list'); SELECT lsmb__grant_menu('inventory_ship', 64, 'allow'); SELECT lsmb__grant_perms('inventory_ship', 'warehouse_inventory', 'INSERT'); SELECT lsmb__grant_perms('inventory_ship', 'warehouse_inventory_entry_id_seq', 'ALL'); -SELECT lsmb__create_role('inventory_receive'); +SELECT lsmb__create_role('inventory_receive', + $DOC$ + This role allows receiving of parts into stock. + $DOC$ +); SELECT lsmb__grant_role('inventory_receive', 'purchase_order_list'); SELECT lsmb__grant_menu('inventory_receive', 65, 'allow'); SELECT lsmb__grant_perms('inventory_receive', 'warehouse_inventory', 'INSERT'); SELECT lsmb__grant_perms('inventory_receive', 'warehouse_inventory_entry_id_seq', 'ALL'); -SELECT lsmb__create_role('inventory_transfer'); +SELECT lsmb__create_role('inventory_transfer', + $DOC$ + This role allows moving stock between warehouses. + $DOC$ +); SELECT lsmb__grant_perms('inventory_transfer', 'warehouse_inventory', 'INSERT'); SELECT lsmb__grant_perms('inventory_transfer', 'warehouse_inventory_entry_id_seq', 'ALL'); SELECT lsmb__grant_menu('inventory_transfer', 66, 'allow'); -SELECT lsmb__create_role('warehouse_create'); +SELECT lsmb__create_role('warehouse_create', + $DOC$ + This role allows creation of (configuration of) new warehouses. + $DOC$ +); SELECT lsmb__grant_perms('warehouse_create', 'warehouse', 'INSERT'); SELECT lsmb__grant_perms('warehouse_create', 'warehouse_id_seq', 'ALL'); SELECT lsmb__grant_menu('warehouse_create', 141, 'allow'); -SELECT lsmb__create_role('warehouse_edit'); +SELECT lsmb__create_role('warehouse_edit', + $DOC$ + This role allows updating of (configuration of) existing warehouses. + $DOC$ +); SELECT lsmb__grant_perms('warehouse_edit', 'warehouse', 'UPDATE'); SELECT lsmb__grant_menu('warehouse_edit', 141, 'allow'); -SELECT lsmb__create_role('inventory_all'); +SELECT lsmb__create_role('inventory_all', + $DOC$ + This role grants all rights to manage warehouse configuration, stock receipt, shipping and transfer. + $DOC$ +); SELECT lsmb__grant_role('inventory_all', rname) FROM unnest(array['warehouse_create'::text, 'warehouse_edit', 'inventory_transfer', 'inventory_receive', 'inventory_ship', @@ -1316,7 +1358,11 @@ SELECT lsmb__grant_role('inventory_all', rname) ) rname; \echo GL -SELECT lsmb__create_role('gl_transaction_create'); +SELECT lsmb__create_role('gl_transaction_create', + $DOC$ + This role allows creation of new and updating of saved GL transactions. + $DOC$ +); SELECT lsmb__grant_perms('gl_transaction_create', 'gl', ptype) FROM unnest(array['SELECT'::text, 'INSERT', 'UPDATE']) ptype; @@ -1330,7 +1376,11 @@ SELECT lsmb__grant_perms('gl_transaction_create', obj, 'ALL') SELECT lsmb__grant_menu('gl_transaction_create', node_id, 'allow') FROM unnest(array[74,40,245,262]) node_id; -SELECT lsmb__create_role('gl_voucher_create'); +SELECT lsmb__create_role('gl_voucher_create', + $DOC$ + This role allows creation of batches of GL transactions. + $DOC$ +); SELECT lsmb__grant_perms('gl_voucher_create', obj, 'INSERT') FROM unnest(array['gl'::text, 'acc_trans', 'business_unit_ac']) obj; @@ -1338,7 +1388,11 @@ SELECT lsmb__grant_perms('gl_voucher_create', obj, 'ALL') FROM unnest(array['id'::text, 'acc_trans_entry_id_seq']) obj; -- TODO Add menu permissions -SELECT lsmb__create_role('gl_reports'); +SELECT lsmb__create_role('gl_reports', + $DOC$ + This role allows searching transactions in the general ledger. + $DOC$ +); SELECT lsmb__grant_role('gl_reports', 'ar_transaction_list'); SELECT lsmb__grant_role('gl_reports', 'ap_transaction_list'); SELECT lsmb__grant_menu('gl_reports', node_id, 'allow') @@ -1347,21 +1401,22 @@ SELECT lsmb__grant_menu('gl_reports', node_id, 'allow') SELECT lsmb__grant_perms('gl_reports', obj, 'SELECT') FROM unnest(array['gl'::text, 'acc_trans', 'account_checkpoint']) obj; -SELECT lsmb__create_role('yearend_run'); -SELECT lsmb__grant_perms('yearend_run', obj, ptype) - FROM unnest(array['acc_trans'::text, 'account_checkpoint', 'yearend']) obj, - unnest(array['SELECT'::text, 'INSERT']) ptype; -SELECT lsmb__grant_perms('yearend_run', 'account_checkpoint_id_seq','ALL'); -SELECT lsmb__grant_menu('yearend_run', 132, 'allow'); - -SELECT lsmb__create_role('yearend_run'); +SELECT lsmb__create_role('yearend_run', + $DOC$ + This role allows running the year-end process, i.e. clearing the P&L. + $DOC$ +); SELECT lsmb__grant_perms('yearend_run', obj, ptype) FROM unnest(array['acc_trans'::text, 'account_checkpoint', 'yearend']) obj, unnest(array['SELECT'::text, 'INSERT']) ptype; SELECT lsmb__grant_perms('yearend_run', 'account_checkpoint_id_seq','ALL'); SELECT lsmb__grant_menu('yearend_run', 132, 'allow'); -SELECT lsmb__create_role('yearend_reopen'); +SELECT lsmb__create_role('yearend_reopen', + $DOC$ + This role allows undoing a prior year-end run by reversing the year-end transaction. + $DOC$ +); SELECT lsmb__grant_perms('yearend_reopen', obj, ptype) FROM unnest(array['account_checkpoint'::text]) obj, unnest(array['DELETE'::text]) ptype; @@ -1370,7 +1425,11 @@ SELECT lsmb__grant_perms('yearend_reopen', obj, ptype) unnest(array['UPDATE'::text]) ptype; -- also needs access to posting of transactions... -SELECT lsmb__create_role('batch_list'); +SELECT lsmb__create_role('batch_list', + $DOC$ + This role allows listing existing batches. + $DOC$ +); SELECT lsmb__grant_role('batch_list', 'gl_reports'); SELECT lsmb__grant_perms('batch_list', obj, 'SELECT') FROM unnest(array['batch'::text, 'batch_class', 'voucher']) obj; From d1dc9f6e06e174c8c9e28fbf600eae1976f20b08 Mon Sep 17 00:00:00 2001 From: Erik Huelsmann Date: Sun, 28 May 2023 11:35:22 +0200 Subject: [PATCH 09/10] Add more role documentation --- sql/modules/Roles.sql | 212 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 181 insertions(+), 31 deletions(-) diff --git a/sql/modules/Roles.sql b/sql/modules/Roles.sql index 56ffbe0f0c5..cb5bea29ffb 100644 --- a/sql/modules/Roles.sql +++ b/sql/modules/Roles.sql @@ -1434,12 +1434,22 @@ SELECT lsmb__grant_role('batch_list', 'gl_reports'); SELECT lsmb__grant_perms('batch_list', obj, 'SELECT') FROM unnest(array['batch'::text, 'batch_class', 'voucher']) obj; -SELECT lsmb__create_role('gl_all'); +SELECT lsmb__create_role('gl_all', + $DOC$ + This role combines GL transaction and batch creation + with GL reporting and year-end processing. + $DOC$ +); SELECT lsmb__grant_role('gl_all', rname) FROM unnest(array['gl_transaction_create'::text, 'gl_voucher_create', 'yearend_run', 'gl_reports']) rname; -SELECT lsmb__create_role('timecard_add'); +SELECT lsmb__create_role('timecard_add', + $DOC$ + This role allows adding time cards for which it needs + read access to customers. + $DOC$ +); SELECT lsmb__grant_role('timecard_add', 'contact_read'); SELECT lsmb__grant_menu('timecard_add', node_id, 'allow') FROM unnest(array[100, 106, 8]) node_id; @@ -1448,13 +1458,24 @@ SELECT lsmb__grant_perms('timecard_add', 'jcitems_id_seq', 'ALL'); SELECT lsmb__grant_perms('timecard_add', 'jcitems', 'INSERT'); SELECT lsmb__grant_perms('timecard_add', 'jcitems', 'UPDATE'); -SELECT lsmb__create_role('timecard_list'); +SELECT lsmb__create_role('timecard_list', + $DOC$ + This role allows viewing the list of time cards; + for which it needs read access to customers. + $DOC$ +); SELECT lsmb__grant_role('timecard_list', 'contact_read'); SELECT lsmb__grant_menu('timecard_list', 106, 'allow'); SELECT lsmb__grant_perms('timecard_list', 'jcitems', 'SELECT'); \echo ORDER GENERATION -SELECT lsmb__create_role('orders_generate'); +SELECT lsmb__create_role('orders_generate', + $DOC$ + This role combines the rights to generate orders from + time cards, purchase orders from sales orders + and consolidate (purchase and sales) orders. + $DOC$ +); SELECT lsmb__grant_role('orders_generate', 'contact_read'); SELECT lsmb__grant_perms('orders_generate', obj, ptype) FROM unnest(array['oe'::text, 'orderitems', 'business_unit_oitem']) obj, @@ -1481,6 +1502,7 @@ SELECT lsmb__create_role('orders_sales_consolidate'); SELECT lsmb__grant_role('orders_sales_consolidate', 'orders_generate'); SELECT lsmb__grant_menu('orders_sales_consolidate', 61, 'allow'); +--###BUG: Duplicate with 'orders_generate' SELECT lsmb__create_role('orders_manage'); SELECT lsmb__grant_role('orders_manage', rname) FROM unnest(array['timecard_order_generate'::text, 'orders_sales_to_purchase', @@ -1488,7 +1510,13 @@ SELECT lsmb__grant_role('orders_manage', rname) ) rname; \echo FINANCIAL REPORTS -SELECT lsmb__create_role('financial_reports'); +SELECT lsmb__create_role('financial_reports', + $DOC$ + This role allows running of financial reports: + Income Statement, Balance Sheet, Trial Balance and + Inventory & COGS. + $DOC$ +); SELECT lsmb__grant_role('financial_reports', 'gl_reports'); SELECT lsmb__grant_menu('financial_reports', node_id, 'allow') FROM unnest(array[75,110,111,112,113,114]) node_id; @@ -1497,37 +1525,70 @@ SELECT lsmb__grant_perms('financial_reports', obj, 'SELECT') FROM unnest(array['yearend'::text, 'cash_impact']) obj; \echo RECURRING TRANSACTIONS -SELECT lsmb__create_role('recurring'); +SELECT lsmb__create_role('recurring', + $DOC$ + This role allows access to the Recurring Transactions + menu; it does not grant rights to list or create + transactions. + $DOC$ +); SELECT lsmb__grant_menu('recurring', 115, 'allow'); SELECT lsmb__grant_menu('recurring', 28, 'allow'); \echo TEMPLATE TRANSACTIONS -SELECT lsmb__create_role('transaction_template_delete'); +SELECT lsmb__create_role('transaction_template_delete', + $DOC$ + This role allows deletion of template (i.e. unposted) + transactions. + $DOC$ +); SELECT lsmb__grant_perms('transaction_template_delete', 'eca_invoice', 'DELETE'); SELECT lsmb__grant_perms('transaction_template_delete', 'journal_entry', 'DELETE'); SELECT lsmb__grant_perms('transaction_template_delete', 'journal_line', 'DELETE'); \echo TAX FORMS -SELECT lsmb__create_role('tax_form_save'); +SELECT lsmb__create_role('tax_form_save', + $DOC$ + This role allows modification of tax forms. + $DOC$ +); SELECT lsmb__grant_perms('tax_form_save', 'country_tax_form', 'ALL'); SELECT lsmb__grant_perms('tax_form_save', 'country_tax_form_id_seq', 'ALL'); SELECT lsmb__grant_menu('tax_form_save', id, 'allow') FROM unnest(array[218, 225, 226]) id; \echo SYSTEM SETTINGS -SELECT lsmb__create_role('system_settings_list'); +SELECT lsmb__create_role('system_settings_list', + $DOC$ + This role allows viewing items in the System > Defaults + menu. + $DOC$ +); SELECT lsmb__grant_menu('system_settings_list', 131, 'allow'); -SELECT lsmb__create_role('system_settings_change'); +SELECT lsmb__create_role('system_settings_change', + $DOC$ + This role allow changing items in the + System > Defaults menu. + $DOC$ +); SELECT lsmb__grant_role('system_settings_change', 'system_settings_list'); SELECT lsmb__grant_menu('system_settings_change', 17, 'allow'); -SELECT lsmb__create_role('taxes_set'); +SELECT lsmb__create_role('taxes_set', + $DOC$ + This role allows changing tax rates on tax accounts. + $DOC$ +); SELECT lsmb__grant_perms('taxes_set', 'tax', 'INSERT'); SELECT lsmb__grant_perms('taxes_set', 'tax', 'UPDATE'); SELECT lsmb__grant_menu('taxes_set', 130, 'allow'); -SELECT lsmb__create_role('account_create'); +SELECT lsmb__create_role('account_create', + $DOC$ + This role allows creation of new GL accounts. + $DOC$ +); SELECT lsmb__grant_perms('account_create', obj, 'INSERT') FROM unnest(array['account'::text, 'cr_coa_to_account', 'account_heading', 'account_link', @@ -1538,7 +1599,11 @@ SELECT lsmb__grant_perms('account_create', obj, 'ALL') SELECT lsmb__grant_menu('account_create', id, 'allow') FROM unnest(array[246]) id; -SELECT lsmb__create_role('account_edit'); +SELECT lsmb__create_role('account_edit', + $DOC$ + This role allows modification of GL accounts. + $DOC$ +); SELECT lsmb__grant_perms('account_edit', obj, perm) FROM unnest(array['account'::text, 'account_heading', 'account_link', 'account_translation', 'account_heading_translation', @@ -1548,84 +1613,169 @@ SELECT lsmb__grant_perms('account_edit', 'account_link', 'DELETE'); SELECT lsmb__grant_perms('account_edit', 'account_translation', 'DELETE'); SELECT lsmb__grant_perms('account_edit', 'account_heading_translation', 'DELETE'); -SELECT lsmb__create_role('account_delete'); +SELECT lsmb__create_role('account_delete', + $DOC$ + This role allows deletion of GL accounts. + Please note that there are only very few circumstances + where a GL account can be deleted. Instead of deleting + the account, the user is advised to mark the account + as 'obsolete'. + $DOC$ +); SELECT lsmb__grant_perms('account_delete', obj, 'DELETE') FROM unnest(array['account'::text, 'account_heading', 'account_link', 'account_translation', 'account_heading_translation', 'cr_coa_to_account', 'tax']) obj; -SELECT lsmb__create_role('account_link_description_create'); +SELECT lsmb__create_role('account_link_description_create', + $DOC$ + This role allows creating new use-cases for GL + accounts (so called "account link descriptions"). + $DOC$ +); SELECT lsmb__grant_perms('account_link_description_create', 'account_link_description', 'INSERT'); -SELECT lsmb__create_role('auditor'); +SELECT lsmb__create_role('auditor', + $DOC$ + This role grants read access to the audit trail table. + $DOC$ +); SELECT lsmb__grant_perms('auditor', 'audittrail', 'SELECT'); -SELECT lsmb__create_role('audit_trail_maintenance'); +SELECT lsmb__create_role('audit_trail_maintenance', + $DOC$ + This role grants delete access to the audit trail table. + $DOC$ +); SELECT lsmb__grant_perms('audit_trail_maintenance', 'audittrail', 'DELETE'); -SELECT lsmb__create_role('gifi_create'); +SELECT lsmb__create_role('gifi_create', + $DOC$ + This role allows creation of new GIFI codes. + $DOC$ +); SELECT lsmb__grant_perms('gifi_create', 'gifi', 'INSERT'); SELECT lsmb__grant_menu('gifi_create', 136, 'allow'); -SELECT lsmb__create_role('gifi_edit'); +SELECT lsmb__create_role('gifi_edit', + $DOC$ + This role allows modification of GIFI codes. + $DOC$ +); SELECT lsmb__grant_perms('gifi_edit', 'gifi', 'UPDATE'); SELECT lsmb__grant_menu('gifi_edit', 136, 'allow'); -SELECT lsmb__create_role('account_all'); +SELECT lsmb__create_role('account_all', + $DOC$ + This role combines all GL account and GIFI code rights. + $DOC$ +); SELECT lsmb__grant_role('account_all', rname) FROM unnest(array['account_create'::text, 'taxes_set', 'account_edit', 'gifi_create', 'gifi_edit', 'account_delete']) rname; -SELECT lsmb__create_role('business_type_create'); +SELECT lsmb__create_role('business_type_create', + $DOC$ + This role allows creation of new 'type of business' + classes. + $DOC$ +); SELECT lsmb__grant_perms('business_type_create', 'business', 'INSERT'); SELECT lsmb__grant_perms('business_type_create', 'business_id_seq', 'ALL'); SELECT lsmb__grant_menu('business_type_create', 147, 'allow'); -SELECT lsmb__create_role('business_type_edit'); +SELECT lsmb__create_role('business_type_edit', + $DOC$ + This role allows modification of 'type of business' + classes. + $DOC$ +); SELECT lsmb__grant_perms('business_type_edit', 'business', ptype) FROM unnest(array['UPDATE'::text, 'DELETE'::text]) ptype; SELECT lsmb__grant_menu('business_type_edit', 147, 'allow'); -SELECT lsmb__create_role('business_type_all'); +SELECT lsmb__create_role('business_type_all', + $DOC$ + This role combines the create and edit righs for + 'type of business' classes. + $DOC$ +); SELECT lsmb__grant_role('business_type_all', 'business_type_create'); SELECT lsmb__grant_role('business_type_all', 'business_type_edit'); -SELECT lsmb__create_role('country_create'); +SELECT lsmb__create_role('country_create', + $DOC$ + This role allows creation of new countries. + $DOC$ +); SELECT lsmb__grant_perms('country_create', 'country', 'INSERT'); SELECT lsmb__grant_perms('country_create', 'country_id_seq', 'ALL'); SELECT lsmb__grant_menu('country_create', 264, 'allow'); -SELECT lsmb__create_role('country_edit'); +SELECT lsmb__create_role('country_edit', + $DOC$ + This role allows modification of countries. + $DOC$ +); SELECT lsmb__grant_perms('country_edit', 'country', ptype) FROM unnest(array['UPDATE'::text, 'DELETE']) ptype; SELECT lsmb__grant_menu('country_edit', 264, 'allow'); -SELECT lsmb__create_role('country_all'); +SELECT lsmb__create_role('country_all', + $DOC$ + This role combines all rights for countries. + $DOC$ +); SELECT lsmb__grant_role('country_all', 'country_create'); SELECT lsmb__grant_role('country_all', 'country_edit'); -SELECT lsmb__create_role('sic_create'); +SELECT lsmb__create_role('sic_create', + $DOC$ + This role allows creation of new Standardized Industry + Codes (SIC). + $DOC$ +); SELECT lsmb__grant_perms('sic_create', 'sic', 'INSERT'); SELECT lsmb__grant_menu('sic_create', 153, 'allow'); -SELECT lsmb__create_role('sic_edit'); +SELECT lsmb__create_role('sic_edit', + $DOC$ + This role allows modification of Standardized Industry + Codes (SIC). + $DOC$ +); SELECT lsmb__grant_perms('sic_edit', 'sic', ptype) FROM unnest(array['UPDATE'::text, 'DELETE']) ptype; SELECT lsmb__grant_menu('sic_edit', 153, 'allow'); -SELECT lsmb__create_role('sic_all'); +SELECT lsmb__create_role('sic_all', + $DOC$ + This role combines all rights for Standardized Industry + Codes (SIC). + $DOC$ +); SELECT lsmb__grant_role('sic_all', 'sic_create'); SELECT lsmb__grant_role('sic_all', 'sic_edit'); -SELECT lsmb__create_role('template_edit'); +SELECT lsmb__create_role('template_edit', + $DOC$ + This role allows modification of document + (e.g. invoice) templates. + $DOC$ +); SELECT lsmb__grant_perms('template_edit', 'template', 'ALL'); SELECT lsmb__grant_perms('template_edit', 'template_id_seq', 'ALL'); SELECT lsmb__grant_menu('template_edit', 156, 'allow'); -SELECT lsmb__create_role('users_manage'); +SELECT lsmb__create_role('users_manage', + $DOC$ + This role allows addition and removal of users to + the current company. + $DOC$ +); SELECT lsmb__grant_role('users_manage', 'contact_read'); SELECT lsmb__grant_role('users_manage', 'contact_create'); SELECT lsmb__grant_role('users_manage', 'contact_class_employee'); From f143479e6cad9fb0424b70ddd3632a07d3e18236 Mon Sep 17 00:00:00 2001 From: Erik Huelsmann Date: Sun, 28 May 2023 11:45:29 +0200 Subject: [PATCH 10/10] Add more role descriptions --- sql/modules/Roles.sql | 53 ++++++++++++++++++++++++++++++++++++------- 1 file changed, 45 insertions(+), 8 deletions(-) diff --git a/sql/modules/Roles.sql b/sql/modules/Roles.sql index cb5bea29ffb..4f174dd1a63 100644 --- a/sql/modules/Roles.sql +++ b/sql/modules/Roles.sql @@ -1796,22 +1796,41 @@ SELECT lsmb__grant_exec('base_user', 'admin__get_roles_for_user_by_entity(int)') -SELECT lsmb__create_role('system_admin'); +SELECT lsmb__create_role('system_admin', + $DOC$ + This role combines the rights to manage settings, + GL accounts, types of business, SIC, users and tax + forms. + $DOC$ +); SELECT lsmb__grant_role('system_admin', rname) FROM unnest(array['system_settings_change'::text, 'account_all', 'business_type_all', 'sic_all', 'users_manage', 'tax_form_save']) rname; \echo MANUAL TRANSLATION -SELECT lsmb__create_role('language_create'); +SELECT lsmb__create_role('language_create', + $DOC$ + This role allows creation of new languages. + $DOC$ +); SELECT lsmb__grant_perms('language_create', 'language', 'INSERT'); SELECT lsmb__grant_menu('language_create', 150, 'allow'); -SELECT lsmb__create_role('language_edit'); +SELECT lsmb__create_role('language_edit', + $DOC$ + This role allows modification of languages. + $DOC$ +); SELECT lsmb__grant_perms('language_edit', 'language', 'UPDATE'); SELECT lsmb__grant_menu('language_edit', 150, 'allow'); -SELECT lsmb__create_role('translation_create'); +SELECT lsmb__create_role('translation_create', + $DOC$ + This role allows creation of translations for parts, + parts groups and reporting units. + $DOC$ +); SELECT lsmb__grant_perms('translation_create', obj, 'ALL') FROM unnest(array['parts_translation'::text, 'partsgroup_translation', 'business_unit_translation']) obj; @@ -1820,12 +1839,20 @@ SELECT lsmb__grant_menu('translation_create', id, 'allow') FROM unnest(array[96,97,108]) id; \echo FIXED ASSETS -SELECT lsmb__create_role('assets_administer'); +SELECT lsmb__create_role('assets_administer', + $DOC$ + This role combines all assets rights. + $DOC$ +); SELECT lsmb__grant_perms('assets_administer', 'asset_class', 'ALL'); SELECT lsmb__grant_perms('assets_administer', 'asset_class_id_seq', 'ALL'); SELECT lsmb__grant_menu('assets_administer', 237, 'allow'); -SELECT lsmb__create_role('assets_enter'); +SELECT lsmb__create_role('assets_enter', + $DOC$ + This role allows creation of new assets. + $DOC$ +); SELECT lsmb__grant_perms('assets_enter', 'asset_item_id_seq', 'ALL'); SELECT lsmb__grant_perms('assets_enter', 'asset_class', 'SELECT'); SELECT lsmb__grant_perms('assets_enter', 'asset_item', ptype) @@ -1836,7 +1863,12 @@ SELECT lsmb__grant_perms('assets_enter', 'asset_note', ptype) SELECT lsmb__grant_menu('assets_enter', id, 'allow') FROM unnest(array[230, 231, 232, 233, 235]) id; -SELECT lsmb__create_role('assets_depreciate'); +SELECT lsmb__create_role('assets_depreciate', + $DOC$ + This role allows running the asset depreciation + procedure. + $DOC$ +); SELECT lsmb__grant_perms('assets_depreciate', 'asset_report_id_seq', 'ALL'); SELECT lsmb__grant_perms('assets_depreciate', 'asset_report', 'UPDATE'); SELECT lsmb__grant_perms('assets_depreciate', obj, ptype) @@ -1848,7 +1880,12 @@ SELECT lsmb__grant_perms('assets_depreciate', obj, ptype) SELECT lsmb__grant_menu('assets_depreciate', 238, 'allow'); SELECT lsmb__grant_menu('assets_depreciate', 234, 'allow'); -SELECT lsmb__create_role('assets_approve'); +SELECT lsmb__create_role('assets_approve', + $DOC$ + This role allows approving the output of the + depreciation procedure. + $DOC$ +); SELECT lsmb__grant_perms('assets_approve', obj, 'SELECT') FROM unnest(array['asset_report'::text, 'asset_report_line', 'asset_item', 'asset_class']) obj;