User Permissions Redesign (#10006)
* [fixes] for user permission
* [docs] updated docs for user permissions
* [docs] updated docs for user permissions
* [docs] updated docs for user permissions
diff --git a/erpnext/docs/assets/img/users-and-permissions/user-permission-company.png b/erpnext/docs/assets/img/users-and-permissions/user-permission-company.png
deleted file mode 100644
index eb529f1..0000000
--- a/erpnext/docs/assets/img/users-and-permissions/user-permission-company.png
+++ /dev/null
Binary files differ
diff --git a/erpnext/docs/assets/img/users-and-permissions/user-permission-quotation.png b/erpnext/docs/assets/img/users-and-permissions/user-permission-quotation.png
deleted file mode 100644
index ee7a19b..0000000
--- a/erpnext/docs/assets/img/users-and-permissions/user-permission-quotation.png
+++ /dev/null
Binary files differ
diff --git a/erpnext/docs/assets/img/users-and-permissions/user-permissions-company-role-all.png b/erpnext/docs/assets/img/users-and-permissions/user-permissions-company-role-all.png
deleted file mode 100644
index 0aececd..0000000
--- a/erpnext/docs/assets/img/users-and-permissions/user-permissions-company-role-all.png
+++ /dev/null
Binary files differ
diff --git a/erpnext/docs/assets/img/users-and-permissions/user-permissions-ignore-user-permissions.png b/erpnext/docs/assets/img/users-and-permissions/user-permissions-ignore-user-permissions.png
deleted file mode 100644
index 5f55e37..0000000
--- a/erpnext/docs/assets/img/users-and-permissions/user-permissions-ignore-user-permissions.png
+++ /dev/null
Binary files differ
diff --git a/erpnext/docs/assets/img/users-and-permissions/user-permissions-lead-role-permissions.png b/erpnext/docs/assets/img/users-and-permissions/user-permissions-lead-role-permissions.png
deleted file mode 100644
index 23564fa..0000000
--- a/erpnext/docs/assets/img/users-and-permissions/user-permissions-lead-role-permissions.png
+++ /dev/null
Binary files differ
diff --git a/erpnext/docs/assets/img/users-and-permissions/user-permissions-new.gif b/erpnext/docs/assets/img/users-and-permissions/user-permissions-new.gif
deleted file mode 100644
index 609bf25..0000000
--- a/erpnext/docs/assets/img/users-and-permissions/user-permissions-new.gif
+++ /dev/null
Binary files differ
diff --git a/erpnext/docs/assets/img/users-and-permissions/user-permissions-quotation-sales-user.png b/erpnext/docs/assets/img/users-and-permissions/user-permissions-quotation-sales-user.png
deleted file mode 100644
index dd9ed49..0000000
--- a/erpnext/docs/assets/img/users-and-permissions/user-permissions-quotation-sales-user.png
+++ /dev/null
Binary files differ
diff --git a/erpnext/docs/assets/img/users-and-permissions/user-perms/ignore-user-permissions.png b/erpnext/docs/assets/img/users-and-permissions/user-perms/ignore-user-permissions.png
new file mode 100644
index 0000000..56e0d44
--- /dev/null
+++ b/erpnext/docs/assets/img/users-and-permissions/user-perms/ignore-user-permissions.png
Binary files differ
diff --git a/erpnext/docs/assets/img/users-and-permissions/user-perms/new-user-permission.png b/erpnext/docs/assets/img/users-and-permissions/user-perms/new-user-permission.png
new file mode 100644
index 0000000..d2762dd
--- /dev/null
+++ b/erpnext/docs/assets/img/users-and-permissions/user-perms/new-user-permission.png
Binary files differ
diff --git a/erpnext/docs/assets/img/users-and-permissions/user-perms/permitted-documents.png b/erpnext/docs/assets/img/users-and-permissions/user-perms/permitted-documents.png
new file mode 100644
index 0000000..2558b62
--- /dev/null
+++ b/erpnext/docs/assets/img/users-and-permissions/user-perms/permitted-documents.png
Binary files differ
diff --git a/erpnext/docs/assets/img/users-and-permissions/user-perms/select-document-types.png b/erpnext/docs/assets/img/users-and-permissions/user-perms/select-document-types.png
new file mode 100644
index 0000000..b54d36a
--- /dev/null
+++ b/erpnext/docs/assets/img/users-and-permissions/user-perms/select-document-types.png
Binary files differ
diff --git a/erpnext/docs/assets/img/users-and-permissions/user-perms/view-selected-documents.png b/erpnext/docs/assets/img/users-and-permissions/user-perms/view-selected-documents.png
new file mode 100644
index 0000000..bc2ce78
--- /dev/null
+++ b/erpnext/docs/assets/img/users-and-permissions/user-perms/view-selected-documents.png
Binary files differ
diff --git a/erpnext/docs/user/manual/de/setting-up/users-and-permissions/user-permissions.md b/erpnext/docs/user/manual/de/setting-up/users-and-permissions/user-permissions.md
index a751693..68fc412 100644
--- a/erpnext/docs/user/manual/de/setting-up/users-and-permissions/user-permissions.md
+++ b/erpnext/docs/user/manual/de/setting-up/users-and-permissions/user-permissions.md
@@ -1,45 +1,5 @@
# Benutzer-Berechtigungen
-<span class="text-muted contributed-by">Beigetragen von CWT Connector & Wire Technology GmbH</span>
-Verwenden Sie den Benutzerberechtigungen-Manager um den Zugriff eines Benutzers auf eine Menge von Dokumenten einzuschränken.
+This document has been changed but not yet translated. Please see the English Version
-Rollenbasierte Berechtigungen definieren den Rahmen an Dokumententypen, innerhalb derer sich ein Benutzer mit einer Anzahl von Rollen bewegen darf. Sie können jedoch noch feinere Einstellungen treffen, wenn Sie für einen Benutzer Benutzerberechtigungen definieren. Wenn Sie bestimmte Dokumente in der Liste der Benutzerberechtigungen eintragen, dann können Sie den Zugriff dieses Benutzers auf bestimmte Dokumente eines bestimmten DocTypes begrenzen, unter der Bedingung, dass die Option "Benutzerberechtigungen anwenden" im Rollenberechtigungs-Manager aktiviert ist.
-
-Beginnen Sie wie folgt:
-
-> Einstellungen > Berechtigungen > Benutzerrechte-Manager
-
-
-Abbildung: Übersicht aus dem Benutzerberechtigungs-Manager die aufzeigt, wie Benutzer nur auf bestimmte Firmen zugreifen können
-
-#### Beispiel
-
-Der Benutzer "aromn@example.com" hat die Rolle "Nutzer Vertrieb" und wir möchten die Zugriffsrechte des Benutzers so einschränken, dass er nur auf Datensätze einer bestimmten Firma, nämlich der Wind Power LLC, zugreifen kann.
-
-1\. Wir fügen eine Benutzerberechtigungs-Zeile für die Firma hinzu.
-
-Abbildung: Hinzufügen einer Zeile "Benutzer-Berechtigung" für die Kombination aus dem Benutzer "aromn@example.com" und der Firma Wind Power LLC
-
-2\. Die Rolle "Alle" hat nur Leseberechtigungen für die Firma, "Benutzer-Berechtigungen anwenden" ist aktiviert.
-
-Abbildung: Leseberechtigung mit aktivierter Option "Benutzer-Berechtigungen anwenden" für den DocType Firma
-
-3\. Die oben abgebildete Kombination der zwei Regeln führt dazu, dass der Benutzer "aromn@example.com" für die Firma Wind Power LLC nur Leserechte hat.
-
-Abbildung: Der Zugriff wird auf die Firma Wind Power LLC beschränkt
-
-4\. Wir möchten nun diese Benutzer-Berechtigung für "Firma" auf andere Dokumente wie "Angebot", "Kundenauftrag" etc. übertragen. Diese Formulare haben **Verknüpfungsfelder zu "Firma"**. Als Ergebnis werden Benutzer-Berechtigungen von "Firma" auch auf diese Dokumente übertragen, was dazu führt, dass der Benutzer "aromn@example.com" auf diese Dokumente zugreifen kann, wenn Sie mit Wind Power LLC verbunden sind.
-
-Abbildung: Benutzer mit der Rolle "Nutzer Vertrieb" können, basierend auf Ihren Benutzer-Berechtigungen, Angebote lesen, schreiben, erstellen, übertragen und stornieren, wenn "Benutzer-Berechtigungen anwenden" aktiviert ist.
-
-Abbildung: Die Auflistung der Angebote enthält nur Ergebnisse für die Firma Wind Power LLC für den Benutzer "aromn@example.com"
-
-5\. Benutzer-Berechtigungen werden automatisch auf Basis von verknüpften Feldern angewandt, genauso wie wir es bei den Angeboten gesehen haben. Aber: Das Lead-Formular hat vier Verknüpfungsfelder: "Region", "Firma", "Eigentümer des Leads" und "Nächster Kontakt durch". Nehmen wir an, Sie möchten dass die Leads den Zugriff des Benutzers basierend auf Ihrer Region einschränken, obwohl Sie für die DocTypes "Benutzer", "Region" und "Firma" Benutzer-Berechtigungen angelegt haben. Dann gehen Sie wir folgt vor: Aktivieren Sie die Option "Benutzer-Berechtigungen ignorieren" für die Verknüpfungsfelder "Firma", "Eigentümer des Leads" und "Nächster Kontakt durch".
-
-Abbildung: Der Vertriebsmitarbeiter kann Leads lesen, schreiben und erstellen, eingeschränkt durch Benutzer-Berechtigungen.
-
-Abbildung: Markieren Sie "Benutzer-Berechtigungen ignorieren" für die Felder "Firma", "Lead-Inhaber" und "Nächster Kontakt durch" über Setup > Anpassen > Formular anpassen > Lead.
-
-Abbildung: Aufgrund der obigen Kombination kann der Benutzer "aromn@example.com" nur auf Leads der Region "United States" zugreifen.
-
-{next}
+<a href="{{docs_base_url}}/erpnext/user/manual/en/setting-up/users-and-permissions/user-permissions">User Permission</a>
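Review bot: the replacement body of the German page is English text (`This document has been changed but not yet translated. Please see the English Version`) under a German heading, so a German reader gets no usable content; at minimum the notice should be in German. The new link path `{{docs_base_url}}/erpnext/user/manual/en/...` carries an `/erpnext/` segment that the image links in the English page of this same commit (`{{docs_base_url}}/assets/...`) do not, so confirm the base URL convention before merging or the link will 404. The `{next}` marker is also dropped, which removes the page's next-page navigation; keep it unless the manual no longer uses it.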
diff --git a/erpnext/docs/user/manual/en/setting-up/users-and-permissions/user-permissions.md b/erpnext/docs/user/manual/en/setting-up/users-and-permissions/user-permissions.md
index 7fae95c..f90cf44 100644
--- a/erpnext/docs/user/manual/en/setting-up/users-and-permissions/user-permissions.md
+++ b/erpnext/docs/user/manual/en/setting-up/users-and-permissions/user-permissions.md
@@ -1,60 +1,52 @@
# User Permissions
-Role Base Permissions define the periphery of document types within which a user with a set of Roles can move around in. However, you can have an even finer control by defining User Permissions for a User. By setting specific documents in User Permissions list, you can limit access for that User to specific documents of a particular DocType, on the condition that "Apply User Permissions" is checked in Role Permissions Manager.
+Along with Role based permissions, you can also set user level permissions that are based on rules that are evaluated against the data containted in the document being accessed. This is particularly useful when you want to restrict based on:
-To start with, go to:
+1. Allow user to access data belonging to one Company
+1. Allow user to access data related to a specific Customer or Territory
-> Setup > Permissions > User Permissions Manager
+### Creating User Permissions
-User Permissions Manager displaying how users can access only a specific Company.
+To create a User Permission, go to Setup > Permission > User Permissions
-#### Example
+When you create a new record you will have to specify
-User 'tom.hagen@riosolutions.com' has Sales User role and we want to limit the user to access records for only a specific Company 'Rio Solutions'.
+1. The user for which the rule has to be applied
+1. The type of document which will be allowed (for example "Company")
+1. The specific item that you want to allow (the name of the "Company)
- 1. We add a User Permissions row for Company.
-
- <img src="{{docs_base_url}}/assets/img/users-and-permissions/user-permissions-new.gif" class="screen" alt="User Permissions For Company">
+<img src="{{docs_base_url}}/assets/img/users-and-permissions/user-perms/new-user-permission.png" class="screenshot" alt="Creating a new user permission">
- Add User Permissions row for a combination of User 'tom.hagen@riosolutions.com' and Company 'Rio Solutions'.
+If you want to apply the permissions to all Roles for that user, keep the "Apply Permissions for all Roles of this User" checked. If you check this, it will automatically setup the rules for Roles to check for User Permissions.
- 1. Also Role "All" has only Read permission for Company, with 'Apply User Permissions' checked.
-
- <img src="{{docs_base_url}}/assets/img/users-and-permissions/user-permissions-company-role-all.png" class="screen" alt="Role Permissions for All on Company">
+### Choosing Which Roles to Apply
- Read Permission with Apply User Permissions checked for DocType Company.
+You can also manually edit the the roles for which you want the user permissions to apply. To do that go the the **Role Permission Manager** and select the role for which you want to Edit the User Permissions.
- 1. The combined effect of the above two rules lead to User 'tom.hagen@riosolutions.com' having only Read access to Company 'Rio Solutions'.
-
- <img src="{{docs_base_url}}/assets/img/users-and-permissions/user-permission-company.png" class="screen" alt="Effect of Role and User Permissions on Company">
-
- Access is limited to Company 'Rio Solutions'.
+Note that the "Apply User Permissions" is already checked for this role. Then click on "Select Document Types"
- 1. We want this User Permission on Company to get applied on other documents like Quotation, Sales Order, etc.
-
- These forms have a **Link Field based on Company**. As a result, User Permissions on Company also get applied on these documents, which leads to User 'tom.hagen@riosolutions' to acces these documents having Company 'Rio Solutions'.
+<img src="{{docs_base_url}}/assets/img/users-and-permissions/user-perms/select-document-types.png" class="screenshot" alt="Select Document Types to Edit the Setting">
- <img class="screen" alt="Sales User Role Permissions for Quotation" src="{{docs_base_url}}/assets/img/users-and-permissions/user-permissions-quotation-sales-user.png" >
-
- Users with Sales User Role can Read, Write, Create, Submit and Cancel Quotations based on their User Permissions, since 'Apply User Permissions' is checked.
+Here you will see that Company has already been checked. If you want user permissions not be applied for that particular rule, you can un check it.
- <img src="{{docs_base_url}}/assets/img/users-and-permissions/user-permission-quotation.png" class="screenshot" alt="Quotation List limited to results for Company 'Rio Solutions'">
+<img src="{{docs_base_url}}/assets/img/users-and-permissions/user-perms/view-selected-documents.png" class="screenshot" alt="Select Document Types to Edit the Setting">
- Quotation List is limited to results for Company 'Rio Solutions' for User 'tom.hagen@riosolutions.com'.
+### Ignoring User Permissions on Certain Fields
- 1. User Permissions get applied automatically based on Link Fields, just like how it worked for Quotation. But, Lead Form has 4 Link fields: Territory, Company, Lead Owner and Next Contact By. Say, you want Leads to limit access to Users based only on Territory, even though you have defined User Permissions for DocTypes User, Territory and Company. You can do this by setting 'Ignore User Permissions' for Link fields: Company, Lead Owner and Next Contact By.
-
-<img src="{{docs_base_url}}/assets/img/users-and-permissions/user-permissions-lead-role-permissions.png" class="screen" alt="Role Permissions on Lead for Sales User Role">
+Another way of allowing documents to be seen that have been restricited by User Permissions is to check "Ignore User Permissions" on a particular field by going to **Customize Form**
-Sales User can Read, Write and Create Leads limited by User Permissions.
+For example you don't want Assets to be restricited for any user, then select **Asset** in **Customize Form** and in the Company field, check on "Ignore User Permissions"
-<img src="{{docs_base_url}}/assets/img/users-and-permissions/user-permissions-ignore-user-permissions.png" class="screenshot" alt="Set Ingore User Permissions from Setup > Customize > Customize Form">
+<img src="{{docs_base_url}}/assets/img/users-and-permissions/user-perms/ignore-user-user-permissions.png" class="screenshot" alt="Ignore User Permissions on specific properties">
-Check 'Ingore User Permissions' for Company, Lead Owner and Next Contact By fields using Setup > Customize > Customize Form for Lead.
+### Strict Permisssions
-<img src="{{docs_base_url}}/assets/img/users-and-permissions/permissions-lead-list.png" class="screenshot" alt="Lead List is limited to records with Territory 'United States'">
+Since User Permissions are applied via Roles, there may be many users belonging to a particular Role. Suppose you have three users belonging to Role "Accounts User" and you have applied **User Permissions** to only one user, then the permissions will only be restricted to that user.
-Due to the effect of the above combination, User 'tom.hagen@riosolutions.com' can only access Leads with Territory 'United States'.
+You can change this setting incase you want the user permissions to be assigned to all users, even if they are not assigned any user permissions by going to **System Settings** and checking "Apply Strict User Permissions"
-{next}
+### Checking How User Permissions are Applied
+Finally once you have created your air-tight permission model, and you want to check how it applies to various users, you can see it via the **Permitted Documents for User** report. Using this report, you can select the **User** and document type and check how user permissions get applied.
+
+<img src="{{docs_base_url}}/assets/img/users-and-permissions/user-perms/permitted-documents.png" class="screenshot" alt="Permitted Documents for User report">
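Review bot: the screenshot in "Ignoring User Permissions on Certain Fields" points at `user-perms/ignore-user-user-permissions.png`, but the file added in this commit is `user-perms/ignore-user-permissions.png`, so the image will not render; fix the filename. Typos to correct in the new text: `containted`, `restricited` (twice), `Permisssions`, `the the`, `un check`, `incase`, and the unclosed quote in `(the name of the "Company)`; the alt text of the second screenshot repeats the first ("Select Document Types to Edit the Setting") and should describe the selected-documents view. In "Strict Permissions", the sentence `then the permissions will only be restricted to that user` should say outright that the other two users of the role stay unrestricted, since that default is the security-relevant reason an administrator would enable "Apply Strict User Permissions"; the current wording reads as if only that user's permissions are affected.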
diff --git a/erpnext/patches/v4_0/apply_user_permissions.py b/erpnext/patches/v4_0/apply_user_permissions.py
index 640fe6b..c21b605 100644
--- a/erpnext/patches/v4_0/apply_user_permissions.py
+++ b/erpnext/patches/v4_0/apply_user_permissions.py
@@ -12,8 +12,6 @@
frappe.clear_cache()
def update_hr_permissions():
- from frappe.core.page.user_permissions import user_permissions
-
# add set user permissions rights to HR Manager
frappe.db.sql("""update `tabDocPerm` set `set_user_permissions`=1 where parent in ('Employee', 'Leave Application')
and role='HR Manager' and permlevel=0 and `read`=1""")
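Review bot: removing the unused `user_permissions` import is fine, but only the deleted lines are visible here; confirm nothing else in `update_hr_permissions` or the rest of the module still references that name, since `frappe.core.page.user_permissions` no longer being imported would surface only at runtime of the patch.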
diff --git a/erpnext/public/js/help_links.js b/erpnext/public/js/help_links.js
index 6ac60c2..7de87b7 100644
--- a/erpnext/public/js/help_links.js
+++ b/erpnext/public/js/help_links.js
@@ -14,7 +14,7 @@
frappe.help.help_links['permission-manager'] = [
{ label: 'Role Permissions Manager', url: 'https://frappe.github.io/erpnext/user/manual/en/setting-up/users-and-permissions/role-based-permissions' },
{ label: 'Managing Perm Level in Permissions Manager', url: 'https://frappe.github.io/erpnext/user/manual/en/setting-up/articles/managing-perm-level' },
- { label: 'User Permissions Manager', url: 'https://frappe.github.io/erpnext/user/manual/en/setting-up/users-and-permissions/user-permissions' },
+ { label: 'User Permissions', url: 'https://frappe.github.io/erpnext/user/manual/en/setting-up/users-and-permissions/user-permissions' },
{ label: 'Sharing', url: 'https://frappe.github.io/erpnext/user/manual/en/setting-up/users-and-permissions/sharing' },
{ label: 'Password', url: 'https://frappe.github.io/erpnext/user/manual/en/setting-up/articles/change-password' },
]