Employee role default permission can see modules they should not

Trying a new setup for ERPNext, am new to the product.

I have set the default “Employee” permission for a user. The docs say that users only see modules they have permission for. But when I log in as an Employee user, they can see modules like Company and all modules for Settings.
If I drill down into Company, the employee user can Read the Company record, which includes Sales figures! In the permission manager for the Employee role I can see that Read permission has been given to the Company record. I don’t know what will break if that is revoked.

  1. I can see a way to restrict access to modules per user. Is there a way to do it per Role? Or what way would you recommend restricting module access to all employee role users? I don’t want them to see any of the Settings options.

  2. Is there an additional setting, besides giving the role of Employee, that I am missing to only let them access required areas? In the HR module as well, I can see they get access to the “Salary Components”, “Performance Appraisal Template”, etc. Too many options where they should not be looking around. How does one turn off these within a module?

I went through the docs but didn’t find the default permissions setup for a new installation and how to get users into the system configured correctly.

Thanks for your help.

I’m in the same boat as you.

Documentation on ERPNext is better than in other free ERPs I’ve been trying, but it is still hard enough to keep people away. Hope someone will be kind enough to put us on track to fully understand how permissions are supposed to work on ERPNext.

OK. In another post, I see they mentioned you can disable access to modules via Users and Permissions > User > (Select User) > Allow Modules Tab. I did that and it kind of worked… more or less. I disabled everything there for a test user with role “Sales User” and everything on the left sidebar disappeared, but the user still has access to things like Chart of Accounts through the search bar.

Depending on how you get to create a new user (at least on v13), this tab is completely empty, completely full, or it does appear empty (no check boxes at all). Very confusing. Anyway, just after the user is saved, every module in the “Allow Modules” tab is selected. If you have to go to this tab and un-select everything or select what should be selected (supposing somehow you got to know that), it would be pretty time consuming and error prone. Anyway, as mentioned before, even with everything un-selected, the user has access to things you probably don’t want her or him to see. Probably this can be fixed with something like document type restrictions or so. I have to investigate that now. The only thing I can say for sure is that this is not very user friendly.

1 Like
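The behaviour reported in the post above (modules hidden from the sidebar while records such as Chart of Accounts stay reachable through search) can be audited by comparing role read permissions against blocked modules. This is an added example, not part of any post in this thread and not ERPNext code: the rows, users, module assignments and function names are constructed, and the model is simplified to permission level 0 read access only.

```python
"""Constructed audit: hidden modules versus role read permissions."""

# Constructed sample rows shaped like role-permission records:
# (doctype, module it belongs to, role, permission level, read flag).
# Module assignments are illustrative and vary between versions.
DOCPERMS = [
    ("Company", "Setup", "Employee", 0, 1),
    ("Salary Component", "HR", "Employee", 0, 1),
    ("Leave Application", "HR", "Employee", 0, 1),
    ("Account", "Accounts", "Sales User", 0, 1),  # backs the Chart of Accounts view
    ("Sales Order", "Selling", "Sales User", 0, 1),
    ("Journal Entry", "Accounts", "Accounts User", 0, 1),
]

# Constructed users: roles held, and modules un-selected on the user record.
USERS = {
    "emp@example.com": {"roles": {"Employee"}, "blocked": {"Setup"}},
    "sales@example.com": {
        "roles": {"Sales User"},
        "blocked": {"Accounts", "Selling", "HR", "Setup"},
    },
}


def readable_doctypes(roles, docperms=DOCPERMS):
    """Return (doctype, module) pairs readable at level 0 via any given role."""
    return {(dt, mod) for dt, mod, role, level, read in docperms
            if role in roles and level == 0 and read}


def hidden_but_readable(user, users=USERS, docperms=DOCPERMS):
    """Doctypes whose module is hidden for the user but which a role still lets them read."""
    u = users[user]
    return sorted(dt for dt, mod in readable_doctypes(u["roles"], docperms)
                  if mod in u["blocked"])


def least_privilege_gaps(role, needed, docperms=DOCPERMS):
    """Doctypes a role can read that are not on the reviewed 'needed' list."""
    return sorted(dt for dt, _ in readable_doctypes({role}, docperms)
                  if dt not in needed)


if __name__ == "__main__":
    for name in USERS:
        print(name, "hidden but readable:", hidden_but_readable(name))
    print("Employee gaps:", least_privilege_gaps("Employee", {"Leave Application"}))
```

Every doctype the first report lists needs its read permission revoked or restricted for that role; hiding the module alone does not remove access.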

For v12 I ended up writing a custom script to disable all modules based on the role being added. In v13 they have added a new feature called Module Profile that lets you do the same based on the user’s role. It has simplified this quite a bit. Module Profile.

On V13 they also implemented the “Select” option on the role permission manager. I hope ERPNext also implements new features on V12, especially if it is a feature about security and system management, since right now it is hard for all companies to upgrade to V13 right away, as the Immutable ledger is still a big change not only for the system but also for the company.