Combining "If Owner" and "User Permissions"

Hey all,

My situation is the following: using ERPNext’s Academic modules, we need to restrict a particular document by student group, by course and by owner. So basically, it should work like this:

Any employee can create new documents of this doctype, and see their own documents

Employees that have a student group set can create new documents, see their own documents, and see all documents with that student group link set.

Employees that have a course set can create new documents, see their own documents, and see all documents with that course link set.

Employees that have both a course and a student group set can create new documents, see their own documents, see all documents with that course link set and see all documents with that student group set.

The permissions page looks like this at the moment:

When an employee with a permissions page that looks like this attempts to save a document of this type, it says they don’t have permissions. What am I doing wrong?

EDIT: Oh, forgot to mention: this user has the “Employee” and “Form Tutor” roles.

You have to set Role and User permissions like this; refer to the following links:

https://frappe.github.io/erpnext/user/manual/en/setting-up/users-and-permissions/role-based-permissions
https://frappe.github.io/erpnext/user/manual/en/setting-up/users-and-permissions/user-permissions

@priya_s: I’m fully aware of those links, and have used them to set up permissions on many other documents on our ERPNext instance.

I’m asking about this particular use case, which is not covered in those documents, where (this is an assumption, as I’m not completely sure what’s going on internally) it seems that setting up the Student Group permission overrides everything else.

Based on testing, it seems that if you have a student group set then it overrides all the other permissions, resulting in not being able to save unless you’re selecting a student from that student group.

Can you check the Apply User Permission option in the Role Permission Manager for the Employee role on the respective doctype?

Thanks, Priya

@priya_s That results in exactly the same problem of users not being able to create entries for students outside of their student groups.

@JamesE, first you have to set the Student Group for that employee’s user through User Permissions. Then in the Role Permission Manager select the doctype and the Employee role, check Apply User Permission and set Document Type to Student Group. Then the Employee user can access only the records of the respective Student Group.

Thanks, Priya


@priya_s

Sorry Priya, obviously I’m being unclear here. Let me try and rephrase what I’m trying to do:

Employees should be able to create for ANY student group. They should not be limited in any way by student group, but they should only see their own entries.

Form tutors should be able to see entries created by other people with their student group AND their own entries.

Currently I can only get it to either be restricted by owner and restricted by student group instead of being able to see all entries created by the user regardless of student group as well as all entries created by OTHER users for your student group.

EDIT: Actually, I can think of an easier way to explain my issue; it’s the difference between the following:

Allow when Owner AND Student Group - How it works

Allow when Owner OR Student Group - How I need it to work
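To make the two rules concrete, here is an added example (not Frappe/ERPNext code and not the poster’s configuration) that models the read and create decisions in plain Python. The users, document names, student groups (G1, G2) and courses (C1) are constructed, and the treatment of User Permissions is a simplified assumption: a user with no User Permission for a link is unrestricted, a blank link passes, and a set link must match. The first rule is the AND behaviour the thread reports; the second is the OR behaviour the poster is asking for.

```python
"""Model of the two ways "If Owner" and User Permissions can combine.

Constructed illustration, not Frappe/ERPNext code: it evaluates read and
create access over hand-made users and documents so the difference between
"Owner AND Student Group" and "Owner OR Student Group" is visible.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional


@dataclass(frozen=True)
class UserContext:
    """What the permission check knows about the session user (constructed)."""
    user: str
    student_groups: FrozenSet[str]  # User Permission values for Student Group
    courses: FrozenSet[str]         # User Permission values for Course


@dataclass(frozen=True)
class Doc:
    """A record of the restricted doctype (constructed sample)."""
    name: str
    owner: str
    student_group: Optional[str] = None
    course: Optional[str] = None


def _link_allowed(value: Optional[str], allowed: FrozenSet[str]) -> bool:
    """Assumed User Permission semantics for one link field: no permission
    means no restriction, a blank link passes, a set link must match."""
    if not allowed or value is None:
        return True
    return value in allowed


def allow_owner_and_user_permissions(ctx: UserContext, doc: Doc) -> bool:
    """Behaviour the thread reports: "If Owner" must hold AND every User
    Permission restriction must hold, so a tutor loses even their own
    records when the linked Student Group is outside their permission."""
    return (
        doc.owner == ctx.user
        and _link_allowed(doc.student_group, ctx.student_groups)
        and _link_allowed(doc.course, ctx.courses)
    )


def allow_owner_or_user_permissions(ctx: UserContext, doc: Doc) -> bool:
    """Behaviour the poster wants: own records are always visible, and a
    matching Student Group or Course grants access to other people's records."""
    if doc.owner == ctx.user:
        return True
    if doc.student_group is not None and doc.student_group in ctx.student_groups:
        return True
    if doc.course is not None and doc.course in ctx.courses:
        return True
    return False


def can_create(ctx: UserContext, doc: Doc, strict_user_permissions: bool) -> bool:
    """Create check. With User Permissions applied strictly, saving a record
    whose Student Group is outside the user's permission is refused (the save
    error from the thread); without them, any employee can create for any group."""
    if not strict_user_permissions:
        return True
    return (_link_allowed(doc.student_group, ctx.student_groups)
            and _link_allowed(doc.course, ctx.courses))


Rule = Callable[[UserContext, Doc], bool]


def visible_names(ctx: UserContext, docs: List[Doc], rule: Rule) -> List[str]:
    """Names of the documents that `rule` lets `ctx` read, in list order."""
    return [d.name for d in docs if rule(ctx, d)]


# Constructed sample data: an employee with no User Permissions, a form tutor
# restricted to Student Group G1, and a course teacher restricted to Course C1.
EMPLOYEE = UserContext("alice@example.com", frozenset(), frozenset())
FORM_TUTOR = UserContext("bob@example.com", frozenset({"G1"}), frozenset())
COURSE_TEACHER = UserContext("carol@example.com", frozenset(), frozenset({"C1"}))

DOCS = [
    Doc("DOC-0001", owner="alice@example.com", student_group="G1", course="C1"),
    Doc("DOC-0002", owner="bob@example.com", student_group="G2"),
    Doc("DOC-0003", owner="dave@example.com", student_group="G1"),
    Doc("DOC-0004", owner="dave@example.com", student_group="G2", course="C1"),
]


if __name__ == "__main__":
    for label, rule in (("AND (current)", allow_owner_and_user_permissions),
                        ("OR (wanted)", allow_owner_or_user_permissions)):
        for ctx in (EMPLOYEE, FORM_TUTOR, COURSE_TEACHER):
            print(f"{label:14} {ctx.user:18} -> {visible_names(ctx, DOCS, rule)}")
```

Under the AND rule the form tutor sees nothing at all, because his only record links a group outside his User Permission, which matches the "can’t save for students outside the group" symptom above. Under the OR rule he sees his own record plus the two G1 records created by others. In a real deployment this kind of OR logic would be wired into the app’s own permission hooks (Frappe’s `permission_query_conditions` and `has_permission` entries in hooks.py) rather than expressed through the Role Permission Manager alone; the functions above only model the decision, not that wiring.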

Set Role Permission for All and check If owner.

@KanchanChauhan

It seems that setup has exactly the opposite problem: all users can now make documents with no issues, but they cannot see documents they did not make that they should have permissions to see.

It seems the “All” role is taking precedence over the others, when I would like all 3 potential roles to grant access to more documents.