We have been self-hosting and running ERPNext/Frappe/HRMS for roughly 6 years. We are finally at the stage where we are ready to start looking at storing HR data within ERPNext, but security seems to be a concern.
We have 3 developers who are working with us full-time on this system. Until now, all 3 developers have been using the Administrator account to access the ERPNext sites. In addition to this, all 3 developers have the SQL logins to the DB.
Moving forward, I will move all 3 developers onto non-administrator accounts and I will change the SQL logins, so they don't have access to the DB, but what is stopping any developer from running:
bench --site [sitename] console
And then accessing the database via frappe.db.sql or similar? Or, for that matter, writing a frappe.db.sql command, then running it via a front-end call to this back-end procedure and printing out the results?
@Mitch123 what you are saying does not make sense. Your developers will always have access no matter how many passwords you are going to change. Just make them sign a non-confidential agreement.
Maybe Frappe could offer workshops on humans in a free, honest and transparent workplace culture.
That said, I’d say that any specific lockdowns could be achieved, as there are linux tools to even exclude root from accessing everything and create different scenarios than the common root-is-godlike-everywhere “security” model. And also to track accesses.
It’s a question of effort to achieve this kind of thing, and of rigorous testing also.
But that’s probably not the nicest of environments, and I guess everybody can be happier in social environments where such is not needed.
You need to set up two different servers for that scenario, development and production, and set up a pipeline to send code changes from the development server to the production server. Your devs shouldn’t have sudo access to the production server.