How can I block stock user, sales and accounting user (actually any role) from seeing item valuation rates?
I want them to be able to see the stock balance but not the product costs, buying rates etc…
In the customize form tool, you can give any field a permission level. 0 is default, and any other number will be invisible to users who have only base permissions for the doctype form.
Then, in the Role Permission Manager tool, you can grant permissions for those higher levels back to managers, system administrators, etc.
Yes, but I don’t know how that works on reports.
Also, when I block access to the stock balance report, they can access it from the warehouse tree anyway.
Field permissions don’t work on system-level reports. They’re generated using a lower level API, and I’m not aware of any way to grant access to some parts of a report but not others. You can allow or block a whole report using the “Role Permission for Page and Report” page.
If you want to block the warehouse tree view for a role (such as stock user), you could take away its “Read” permission on the warehouse doctype. You’d probably want to add back the “Select” permission if it’s not there already, so the role can interact with warehouses in other documents (like stock entries).
It’d be nice if there were a way to customize the tree view without a custom app, but I’m not sure how to do it. It might be possible from a client script, but I haven’t tried.
So by default, stock user or anyone with access to warehouse report can see item value.
This should not be the default practice.
Ah, I’m realizing now that we were talking in another thread too.
I think there’s some advantage to keeping the defaults as simple as possible. Deploying software of this complexity is always going to require a full roles and rights audit, and relative to other ERPs, ERPNext has always prioritized flexibility over readiness out of the box.
On the other hand, I definitely see your point. If you feel this could be improved significantly, you might propose a different set of defaults to the maintainers.
Yes, I think these changes are what makes basic business sense.
I mean, in what business can a stock employee see what every item has cost the business and see the sum?
While I do understand your perspective on not exposing information to users/roles that don’t have a need to see that information, unfortunately reality is a little bit more complicated than that.
While I can understand that there is no need for a Sales Person to know the item valuation information and with a little bit of difficulty and an iterative process, it is possible to even make that happen (you might need custom reports for Stock Balance report - as you might want to give sales users access to the stock balance report so that they can make delivery commitments to customers/prospects, but when they do have access to your stock balance report, you will need to hide the valuation information in the stock balance report - I am not sure if there is some way to restrict this access to the standard report, or whether you will have to get another report structured after the Stock Balance report but without the valuation columns), stock users are a lot more tricky.
If you are always going to make receipts from suppliers against POs, the rate billed by the supplier is always the rate in the PO, and things work perfectly, then you could still be able to hide the valuation information from stock users, but in most companies things are far from perfect or ideal.
Consequently, if you don’t allow the stock user to input the item valuation information in receipts, you could, as an organization, end up with bigger problems.
Tread carefully is my suggestion.
Hope this helps.
I certainly take your point about imperfection in the real world, but I honestly don’t think this permissions issue is so fragile. At my company, we do periodic audits for each of our ~20 roles, and it’s always been relatively straightforward. We’ve had one or two awkward glitches over the years, but far fewer than when we were working off of Excel sheets.
That’s at least part of the reason why I don’t think there’s much talk about default permissions on these forums. The best practice, in my opinion, is to start from scratch, adding minimal permissions to roles tailored to a company’s own workflows. It’s really not very time consuming, and the results are just so much tighter.
Thanks for your point.
But hear me out, shouldn’t there be a simple way to restrict this info… even if you are right with stock, again sales is the issue.
This is an out-of-the-box issue for many, especially smaller shops, that is very hard to configure right now.
As for me I have to restrict access to the warehouse report and I still am not sure if there are other ways of accessing the values.
To my mind, adding a field permission level is the simple way. There’s a single system for permissions, and it’s both straightforward and flexible.
I certainly take your point about default permissions, and I’d definitely be open to the idea that valuation should be hidden by default, but either way hiding valuation is a quick and simple process.
For reporting, there are a number of different reports for inventory levels. Some show valuation and others don’t. If the Stock Balance report is giving too much info, would the Stock Summary report or the Stock Projected Qty report do the job?
Can you please instruct on hiding that field?
Sure. To remove the valuation in Sales Order Items, for example, first go to the “Customize Form” tool. Load up “Sales Order Item”, then find the field “valuation_rate”. It should be midway through the list. In the field details, there’s an option called “Perm Level”. Set that to 1. Clear caches, and that field should be hidden.
Yes. Perm levels don’t work on reports; that’s the whole problem here as far as I know.
Right. Reports don’t have fields in the same way, and as a consequence field permissions don’t work. You’ll have to use one of the reports that doesn’t show valuation, or create your own.
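For the "create your own" route mentioned above, here is an added example (not part of the original thread and not ERPNext's own code) of the filtering step such a report would need: it keeps only an allow-list of quantity columns for users without a cost-cleared role, so a cost column added later is hidden by default. The fieldnames, role set and sample rows are assumptions constructed for illustration.

```python
# Added example: pure Python with no Frappe import, so it runs stand-alone.
# Fieldnames are assumptions modelled on a stock-balance style report;
# check them against the columns your own report returns.
QTY_FIELDS = {"item_code", "item_name", "warehouse", "stock_uom",
              "bal_qty", "opening_qty", "in_qty", "out_qty"}
# Hypothetical set of roles cleared to see cost data.
COST_ROLES = {"Stock Manager", "Accounts Manager", "System Manager"}


def _fieldname(col):
    """Key of a column: 'fieldname' for dict columns, the lower-cased,
    underscored label for legacy 'Label:Fieldtype:Width' strings."""
    if isinstance(col, dict):
        return col.get("fieldname", "")
    return str(col).split(":", 1)[0].strip().lower().replace(" ", "_")


def restrict_report(columns, data, user_roles, allowed=QTY_FIELDS):
    """Return (columns, data) limited to allow-listed fields unless the
    user holds a cost-cleared role. Unknown columns are dropped."""
    if COST_ROLES & set(user_roles):
        return columns, data
    keep = [i for i, c in enumerate(columns) if _fieldname(c) in allowed]
    new_columns = [columns[i] for i in keep]
    new_data = []
    for row in data:
        if isinstance(row, dict):
            new_data.append({k: v for k, v in row.items() if k in allowed})
        else:
            # Positional row: select by column index; short rows are tolerated.
            new_data.append([row[i] for i in keep if i < len(row)])
    return new_columns, new_data


# Constructed sample, shaped like a script report's (columns, data) result.
SAMPLE_COLUMNS = [
    {"fieldname": "item_code", "label": "Item"},
    {"fieldname": "warehouse", "label": "Warehouse"},
    {"fieldname": "bal_qty", "label": "Balance Qty"},
    {"fieldname": "bal_val", "label": "Balance Value"},
    "Valuation Rate:Currency:100",
]
SAMPLE_DATA = [
    {"item_code": "ITEM-A", "warehouse": "Stores", "bal_qty": 12.0,
     "bal_val": 600.0, "valuation_rate": 50.0},
    ["ITEM-B", "Stores", 3.0, 90.0, 30.0],
]

if __name__ == "__main__":
    cols, rows = restrict_report(SAMPLE_COLUMNS, SAMPLE_DATA, ["Stock User"])
    print(cols, rows, sep="\n")
```

In a Frappe script report this would run server-side as the last step of `execute(filters)`, with the caller's roles taken from `frappe.get_roles()`. Hiding the columns in a client script instead would still send the cost values to the browser.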
Yes, that is my point: the default for stock user should have access to quantity but not values in the report. That’s the suggestion here. All low-level employees need access to some reports and docs without the values.
Let me add: not only in reports, for everywhere, but that can be done with perm level (it should be the default).
I understand what you are recommending. It is not in my power to make your recommendations happen. I’ve suggested a pathway for you to do that yourself, if you so wish.
In the meantime, the situation is fairly straightforward: by default, item valuation is visible in some places to both the Sales User and the Stock User roles. It is possible to modify those defaults so that item valuation is not visible to those roles. We have outlined the steps for that process.
- For forms, you can use the Customize tool to change perm levels on single fields.
- For reports, you can’t do it at the field level. You have to either grant or block the report as a whole, using the Role Permissions for Reports tool. There are several different reports that show stock levels, some of which include valuation and some of which don’t. You’ll have to evaluate for yourself which, if any, are suitable for your needs.
If you have other questions, we are happy to try to help you get them answered. If you have recommendations, the best path is to submit a pull request to the maintainers.
Thanks a lot, I will try and make my suggestion there.