[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Health] Tryton Access Rules | Defaults for defined user groups
From: |
Christoph H. Larsen |
Subject: |
Re: [Health] Tryton Access Rules | Defaults for defined user groups |
Date: |
Sun, 22 Jan 2012 08:40:12 +0430 |
User-agent: |
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.20) Gecko/20110820 Iceowl/1.0b2 Icedove/3.1.12 |
Hi Ronald,
Thanks a lot for your prompt reply.
On 22/01/12 02:38, ronald munjoma wrote:
> Hi Chris,
>
> On 21 January 2012 13:38, Christoph H. Larsen
> <address@hidden <mailto:address@hidden>>
> wrote:
>
> Dear Crowd,
>
> The problem: I have set up a range of "Parties", including patients,
> employees , insurance companies and institutions.
> Likewise, I have a number of user groups, such as "Human Resources",
> "Patient Registration", etc.
> Evidently, we want to make sure that the guys in Human Resources canot
> snoop on the patient core daty put down by "Patient Registration' in
> Parties.
> Hence, I used the access model "Party" for both "Human Resources" and
> "Patient Registration", and defined access rules like:
> Human Resources can see those objects in the Party model, if the field
> is_institution = False AND if the field is_insurance_company = False AND
> if the field is_patient = False. Sounds easy, but it is not: The Rules
> in the Access Permissions tab of Groups can only do OR, not AND, or this
> is what I believe, as I cannot string conditions together. It does not
> make any difference, whether I put all conditions into ONE rule, or have
> sequential rules with single conditions set up. Any ideas?
In a nutshell, my question is: How can I do AND conditional roles for
access to an object specified in -> Groups -> Access Permissions ->
Access Model or Access Field? The mechanism in -> Groups -> Access
Permissions -> Rules seems to do only OR, i.e. becomes effective,
whenever ANY of the rules I set is satisfied. This is a bit of a weird
restriction, and bad for record safety ;-). Have I missed something? It
seems that the threads you mentioned do not address this issue.
>
> Also, for the group "Patient Registration", I would love to have the
> fields is_patient and is_person set to TRUE, both to make life easier,
> and to prevet the locking the patient registration staff from locking
> themselves out of party records, when they forget to set is_patient to
> TRUE. Any way how to define default values in Tryton?
Any ideas regarding how to set default values for specific fields? Here
you can see my glaring lack of knowledge ;-)
>
>
> Some what similar requirements were discussed on the list before, there
> is a proposal to have acess roles by default, see task
> #11368: http://savannah.gnu.org/task/?11368
>
> Find below previous discussions (hope they address your issues):
> http://lists.gnu.org/archive/html/health/2011-11/msg00110.html
> and
> http://lists.gnu.org/archive/html/health/2011-11/msg00115.html
Yes, I am well aware of the old OpenERP heritage of even denying access
rights to admin, once access to an object has been modified. Hence, I
always create universal access to the respective object for admin FIRST,
and then restrict it further for the group(s) in question. No worries
about that one...
>
> Regards
> Ronald
>
>
> Thanks a millions, and best regards from Kabul -
As always, thanks a lot, indeed!
>
> Chris