Managing role access in Openbravo
The capability of Role inheritance was conceived to improve ease of use by making it simpler to manage role accesses, particularly when the business structure is created. Role inheritance comes into action when the general set-up is done and the roles are created.
Before role inheritance, every role was manually created. This is not a big issue if we have, for example, three roles, but in the case of a large organization with hundreds of roles, the effort can be considerable.
Some of the roles will share a lot of permissions with others, but all of them had to be manually created. Role inheritance makes it easier to setup roles by automating much of the process.
The key to implementing role inheritance are the “role templates“. A role can inherit from a role template and that role will now have the permissions set in the template. A role can inherit from more than one template to create much more finely-grained roles.
The inheritable elements are the following: organizations, windows, tabs, fields, processes, forms, widgets, views, process definitions, preferences and alert recipients.
A template can be defined with access permissions to any of these elements.
In this example we can see how it works: there are four different templates: Sales Role, Purchase Role, White Valley and Vall Blanca.
The two first templates give permissions to Sales Order, Sales Invoice, Purchase Order and Purchase Invoice windows, the White Valley and the Vall Blanca templates give access to White Valley Org and Vall Blanca Org respectively.
With the combination of these templates we can create different functional roles. For example, we have the WV Sales role. This role is a combination of the Sales Role template and the White Valley template. It has access permission to the White Valley organization, which is given by the White Valley template, and it also has access permission to the Sales Order and the Sales Invoice windows, given by Sales Role template.
Every inheritance from a template has a sequence number to solve possible conflicts. It can occur, for example, that a role inherits from two templates, one can be giving access to inheritable element and the other one can be restricting the same access. In this case, the behavior that will be taken into account is the one retrieved from the inheritance with the higher sequence number.