
Posts Tagged ‘OFBiz User Setup’

OFBiz Tutorial- How To Use ECA’s To Extend Service Permission

Wednesday, June 16th, 2010

This OFBiz tutorial is the next part of our earlier tutorial “How to Setup User Permissions”.  See how using ECA’s can extend service permissions.

So far we have seen how to assign a security permission to a user, which lets the user access a particular application. The level of access depends on the permission(s) assigned to the user. You may want to allow the user to just view an application, or you may want to allow other operations such as creating new records, updating existing records or deleting existing records in that application.

You can also assign an admin permission to a user. This gives the user full access to an application so that the user can View, Create, Update and Delete records in a particular application.

Assigning permissions is not restricted to just one application: you can allow the user to access more than one application by assigning permissions related to other apps.

There are cases where a user has admin permission for an application but is still not allowed to perform certain operations in it. For example, if you want to view a product lookup screen in the “Asset Maint” application then you would need the permission of the Catalog application. The simplest option is to give the user all the required permissions. The downside of this approach is that it will also allow the user access to the Catalog application.

So if you want the user to have access only to the “Asset Maint” app, you can define ECA (Event Condition Access) rules that extend the permissions of the other applications inside “Asset Maint” while still not allowing the user to access those applications themselves.

The rule is defined in a file under the servicedef folder in the component directory tree, as follows.

OFBiz Tutorial Permissions-2-1a

This file must also be registered in ofbiz-component.xml, where secas.xml is the name of the above file.

OFBiz Tutorial Permissions-2-2a
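
As an added illustration (not the contents of the original screenshots), a rule of this kind and its registration can look like the fragments below. The service name catalogPermissionCheck comes from this post; assetMaintPermissionCheck is an assumed name for the override service in the “Asset Maint” component.

```xml
<!-- servicedef/secas.xml: added example, not taken from the original post -->
<service-eca xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/service-eca.xsd">

    <!-- Event: evaluate this rule when catalogPermissionCheck returns -->
    <eca service="catalogPermissionCheck" event="return">

        <!-- Condition: only when the Catalog check denied the user -->
        <condition field-name="hasPermission" operator="equals"
                value="false" type="Boolean"/>

        <!-- Action: run the Asset Maint permission service synchronously.
             result-to-result="true" copies its output (including
             hasPermission) into the result of catalogPermissionCheck.
             assetMaintPermissionCheck is an assumed service name. -->
        <action service="assetMaintPermissionCheck" mode="sync"
                result-to-result="true"/>
    </eca>
</service-eca>

<!-- ofbiz-component.xml: register the ECA file with the service engine -->
<service-resource type="eca" loader="main" location="servicedef/secas.xml"/>
```

With a rule like this in place, a denial from catalogPermissionCheck is no longer final for users who hold “Asset Maint” permissions, so the ECA file belongs in any review of who can reach catalog data.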

Whenever the user tries to perform any catalog related operation in the “Asset Maint” application, the catalogPermissionCheck service will run first. We know that the user does not have any explicit permission to the Catalog application, hence the service will return the hasPermission flag as false. Every permission service implements a generic service interface, and hasPermission is one of the boolean attributes returned by the permission service. If it is false, the user does not have sufficient permission.

Since we want to override the permission we define a permission service in the “Asset Maint” component. This service will check whether the user has permission to access the “Asset Maint” component or not instead of checking for Catalog permission. If the service returns a true for the hasPermission flag (which it will if the user has “Asset Maint” permissions) it means the user can access the catalog related screens in “Asset Maint.”

The code for the permission service will look like this:

 OFBiz Tutorial Permissions-2-4a

This way without explicitly assigning the catalog permissions the user will still be able to access the product lookup screen in the “Asset Maint” application.

Similarly, you can add more rules to the ECA file to override the OFBiz user permissions of other applications in the “Asset Maint” application.

- Vikas

Vikas Mayur is a dynamic OFBiz developer working for HotWax Media as a Director of Software Development in India. He works in web based application and ERP software using OFBiz, which is a top level project of Apache Software Foundation.

OFBiz Tutorial: How to Setup User Permissions

Thursday, May 20th, 2010

In OFBiz, every application has a base permission (except a few like ecommerce, ofbizwebsite etc.) and users should have at least the base OFBiz permission view or base permission admin to log in to the application. Sometimes the base permission consists of more than one permission, and in that case both are required to log in to and access the application.

The base permission is defined in the ofbiz-component.xml file of each component. If the base permission consists of more than one permission then they are separated by a comma.

Below is a code snippet taken from Asset Maint component ofbiz-component file.

OFBiz Tutorial Permissions 1

We will now learn how to setup permissions for a new user to gain access to a back-end application while using an Asset Maint component as an example throughout the tutorial.

Just a note that we will not focus on the internal details of this component and we will only visit a couple of screens to see whether we have setup correct permission levels for the user or not.

Step by Step Guide

Let's first create a new user in the system. Log in to the party manager application with username: admin and password: ofbiz and click on the Create New link located at the top of the main screen.

The screen will provide a variety of options to choose from. Click on Create New Person.

OFBiz Tutorial Permissions 2

Enter the required fields and save the form.

OFBiz Tutorial Permissions 3

This will take you to the user profile screen.

Our next step is to create a user login for the new user. Click on Create New link on User Name(s) screen in the right column on the profile page.

OFBiz Tutorial Permissions 4

Enter the details as below and save the form.

User Login Id: joe.will
Current Password: ofbiz
Current Password Verify: ofbiz

Now coming back to the profile screen you will see that the new user login has appeared under the User Name(s) screen in the right column on the profile page.

Now click on the Security Group link. This will present you with a screen where you can add a security group to the user account. Security Group is basically a set of permissions where permissions are classified as VIEW, CREATE, UPDATE and DELETE. An admin security group contains all of these permissions. Select Asset Maint Admin group from the drop-down list. The From Date field is optional and if user does not enter it then the application will use the system’s current timestamp for this field. Thru Date is also optional but if specified then the security group will be valid for the user till the thru date has passed. You can also assign multiple security groups at the same time to the user. Save this form.

Now you have granted sufficient permission to the user to access the Asset Maint application.

OFBiz Tutorial Permissions 5

Note: The admin user is available only if demo data is installed. If only seed data is installed then you have to create the admin user explicitly through the command line with an ant target defined in the build file which is present at the root of the project. Run command create-admin-user-login from the terminal and follow onscreen instructions to complete this wizard.

Testing User’s Permissions

Log out from the party manager application and then log in to the Asset Maint application with the new user. The user should be able to log in to this application without any issues, and this signifies that the user has permission to VIEW this application.

Let's check whether the user has permission to perform a CREATE operation in the application. Go to the Fixed Assets tab and click on the New Fixed Asset link. Fill in the basic details as shown in the screenshot and click on the update button. The user should be able to create a new fixed asset record. This signifies that the user has permission to perform the create operation in the application.

OFBiz Tutorial Permissions 6

Similarly, you can check whether the user has UPDATE or DELETE permissions by updating or removing the fixed asset record.

Let's try to log in to any other application (for example catalog) with the same user to check whether the system permits the user to access an application other than Asset Maint. As the screenshot below shows, the security permissions assigned to the user are just enough to log in to and access the Asset Maint application and not any other application.

Similarly, you can try to log in to any other application with the same user and you will see the same result.

ofbiz-tutorial-permissions7

So far we have learned the basics of security permission in OFBiz and how we can assign these permissions to the user.

Hope you will enjoy this!

- Vikas
