[Quality Management] Enforce rules and restrictions with indirect and implicit permissions#8556
Conversation
ReadPermission guard also removed from warehouse activity checkThe same Recommendation:
Line mapping was unavailable, so this was posted as an issue comment. 👍 useful · ❤️ especially valuable · 👎 wrong - reply with why |
Error message loses actionable remediation guidanceThe Recommendation:
Line mapping was unavailable, so this was posted as an issue comment. 👍 useful · ❤️ especially valuable · 👎 wrong - reply with why |
Agentic PR Review - Round 1Recommendation: Request ChangesWhat this PR doesThis PR adds procedure-level implicit permissions to Quality Management integration subscribers so automatic inspection creation and item-tracking/warehouse restrictions run even when the current user lacks direct Quality Management permissions. That is the right enforcement direction for the described issue, and the tracking change intentionally removes the old SuggestionsS1 - Add permission regression coverage S2 - Cover production source update subscribers S3 - Restore actionable reinspection remediation Risk assessment and necessityRisk: The changed subscribers sit on purchase, sales return, transfer, assembly, manufacturing, warehouse posting/registering, and item-tracking validation paths. An incomplete permission fix can either continue bypassing mandatory inspections/restrictions or unexpectedly block operational transactions; the unannotated manufacturing line/routing callbacks are a concrete remaining gap. Necessity: The scenario is important because users without direct Quality Management permissions should not bypass mandatory inspection creation or transaction restrictions. AB#626330 is linked, but the work item was not independently verified; the PR body and diff still show a valid enforcement need.
|
alexei-dobriansky
left a comment
There was a problem hiding this comment.
@JakovljevicDusan, please check if the suggestions are valid.
b824839
…QM-EnforcingQMRulesAndRestrictionWithImplicitPermissions
|
…QM-EnforcingQMRulesAndRestrictionWithImplicitPermissions
Copilot PR ReviewIteration 1 · Outcome: completed Knowledge source: https://github.com/microsoft/BCQuality@822cae1b2771ac25f665f73369f69093bd4fd630 Orchestrator pre-filter (13 file(s) excluded)
Findings produced by the Copilot CLI agent against BCQuality at |
Agentic PR Review - Round 2Recommendation: Request ChangesWhat this PR doesSince round 1, the PR changed the permission model. Automatic enforcement now checks setup and generation rules with inherent permissions, then requires the user to have the new minimum Quality Inspection create permissions when a rule applies. The manufacturing source-update gap is fixed, and the new page fallback avoids opening inspection pages when the user cannot read them. The remaining concern is proof: this is a broad permission and posting behavior change, but the current PR diff still has no Quality Management test changes. Status of previous suggestions
New observations (commits since round 1)S4 - Align manual create access check Risk assessment and necessityRisk: This still touches purchase receipt/release, sales return receipt, transfer receipt, assembly, manufacturing, warehouse, and item-tracking checks. A mistake can either let mandatory inspections and blocking rules be skipped, or can block normal operational posting with permission errors. The new minimum permission set also changes which QM actions are visible and runnable for users without full QM access. Necessity: The change is necessary because mandatory Quality Management enforcement must not depend on broad direct QM access. The scope is now closer to the stated concept, but permission behavior needs regression coverage before merge because the failure modes are security and posting regressions.
|
alexei-dobriansky
left a comment
There was a problem hiding this comment.
@JakovljevicDusan please check if the new suggestion is valid.
|
S4 - Align manual create access check Answer: AccessByPermission is there just to avoid showing report in search/tell me. |
What & why
Implement InherentPermissions so users without QM permissions would not silently skip mandatory Quality Inspection creation or transaction restrictions.
Automatic Quality Inspection creation is now handled like this:
Linked work
Fixes AB#626330