Page Security Level for BOMs.php etc.

[dalers]

Can anyone explain why the default page security level for BOMs.php is "Supplier centre - Supplier access only"?

It seems this means the only users who can create a BOM are employees with security role Accountant or Administrator, and non-employees with security role "Supplier (login only)" if my created Security Token / Level vs Security Role matrix is correct.

I had expected an engineering or manufacturing role employee would be able to create/maintain a BOM. Am I missing something?

Security Token / Level vs Security Role matrix

[dalers]

The more I look at the Security Token names (descriptions?) the less I understand. How does everyone else feel?

• Why are 7 user security roles not assigned ANY tokens?
• Why does BOMs.php require the "Supplier centre - Supplier access only" token?
• Why does "Supplier (login only)" have the "Timesheet Administrator" token?
• Why does "index.php" require the "Order Entry/Inquiry customer access only" token and why are PDFCOA.php and PDFProdSpec.php require the "Main Index Page" token?

The Security Schema section in the users manual gives a good description of the "how" but I'm having trouble with the "why".

1. Does your company (or your client) use the default Security Roles[1] and Page Security Levels[2]? Have you had to create new security roles, edit the security token assignment to the default security roles, or edit the security token assigned to a script? (by "default", I am referring to the values in sql/mysql/country_sql/demo.sql).

2. Have you ever tried to check the correctness of an implemented security schema by examining which scripts a particular user is allowed to access? If a business was having an audit perfomed, I would think such a question would almost be guaranteed from the auditor. Has anyone coded a report to do this?

Fwiw, I attached the spreadsheet file used to create the security token vs role matrix screenshot (the screenshot is actually from the previous rev of spreadsheet). It includes a tab for a list of scripts grouped by token name to see which scripts are assigned to each token. If you happen to take a look, please post if it the assignments all look good or any assignments you didn't expect.

Cheers,
Dale

[1] [Main Menu > Setup > General > Access Permissions Maintenance] - WWW_Access.php
[2] [Main Menu > Setup > General > Page Security Settings] - PageSecurity.php

P.S. Fwiw the spreadsheet also includes a "v2" matrix I was starting to play around with

• Rename “Inquiries & Order Entry” to “Sales” for all sales staff
• Rename “Mfg & Stock Admin” to “Production” for all production staff
• Add “Engineering” security role for product development and PLM staff (starting with a mix of “Mfg & Stock Admin” and “Inquiries & Order Entry”)

security tokens vs security roles v02.ods

[timschofield]

Hi Dale, I actually think the security model in webERP is incredibly well designed - the credit belongs to @PhilDaintree not me.
It is very powerful and very flexibile. The administrator has the ability to have fine grained control over who can use what functionality. All this comes with inevitable complexity. One of the first jobs I do when implementing webERP into an organisation is to sit the senior management team down and work out a security schema for their organisation. It can take a day to do this, and it still gets fine tuned as the implementation goes on.

In my experience no two organisations need the same schema, so any "defaults" are really just a guide. For instance in some organisations Stock Admin and Manufacturing come under the same banner, but in others they are very different. For instance I have worked in places where stock admin is a function in it's own right, and some where it has come under purchasing.

Thanks
Tim

[dalers]

Hi Tim,

the security model in webERP is incredibly well designed ... It is very powerful and very flexibile ... comes with inevitable complexity.

Agree with everything you say!

any "defaults" are really just a guide.

But are they really a "guide", or do they just happen to be the out-of-box values and as you said, every organization is different, and each has to create their own from-scratch security schema.

For the BOMs.php script that requires the "Supplier centre - Supplier access only" token and the "Supplier (login only)" security role that has the "Timesheet Administrator" token, I would guess a) the business has a supplier who provides an assembly or manufactured Item, and the supplier creates the BOM in the business's webERP system, and b) the supplier is charging the business for assembly or manufacturing labor, and their employees enter their time in the businesses webERP system. Is there a more likely scenario that fits the defaults?

Sorry to be pedantic but I'm struggling how to explain, to the power user in a business implementing webERP, what the procedure is to configure user security.

Thanks,
Dale

[dalers]

Also, fwiw, here is a role vs permissions suggestion from Copilot...