Frappe Cloud

Marketplace

DocType Permission

Search for an app

Frappe

Products

Insights

DocType Permission
Restrict first, grant later - Document Permission Management

Install now

4

installs

Publisher

Kitti U.

Supported versions

Version 15

Categories

Free
Utilities

E-Commerce

About

DocType Permission

This app is the answer to the topic Design of User Permissions is Dangerous, where data is grant first and then add more restriction later.

The DocType Permission is the opposite, it allow system admin to restrict first, and then grant more permission later.

Behind the scene, it is using permission_query_conditions and has_permission in hooks.py and so, it works as additional security measurement with existing User Permission and Permission query.

Key DocTypes:

  1. DocType Permission,a submittable document that restrict and then grant different permission to different role

  2. DocType Permission Level, master data for pre-built permission query script

Benefit:

  • Intuitive and easy to use by restrict first permit later.

  • Still work along side with standard user permissions, permission queries.

Problem with current User Permissions:

Given an example of sensitive document such as Salary Slip.

  • Employees to see only his/her own Salary Slip

  • Payroll Users to see all Salary Slips

Without this app, following setup is required.

  • For Employees, create each User Permission for each employee. If there are 1,000 employees then 1,000 User Permissions is required.

  • For Payroll Users, make sure there is no User Permissions created for them.

As you can see it is now difficult to keep track of the amount of User Permissions. And if for some reason either system or human, a User Permission is missing for someone, this can be a very serious data breach!

Solution with DocType Permission:

Given the same example, no 1,000 User Pemissions is needed, just create 1 DocType Permission as following,

As soon as this document is created for Salary Slip, all documents will be restrictred. And then by adding each Role’s Additional Permission, the permission will be granted (using OR condition).

Notes:

  • The combined SQL condition would be, (false OR Role-1 OR Role-2).

  • This consition will then be AND with other SQL condition from User Permissiona and/or Permission Query (if used).

  • DocTyper Prmission Level are canned permission query which can be exteded by ourself.

License

mit

User Reviews

No reviews yet, be the first to review.

0 rating

Rate and share your experience

Text

Explore more apps