I believe the reason for changing the permission system in ERPNext (V11+) is to make things better, but so far we don’t seem to be noticing any of those advantages. Instead, things seem more complicated with more issues! Some of the key issues I’ve encountered so far:
1. A loophole seems to exist where failing to specify a user permission allows users to view all entries of a doctype. A notable example of this is how all employees can view all salary slips of ALL other employees once you upgrade from V10! I already suggested in another post that there should be a way to specify that a user should not have access to documents unless he/she has a user permission for that doctype.
2. It’s VERY cumbersome managing doctypes that apply to all (or a large number of) Employees. Take for example, I have a new doctype where all users with ‘Employee’ role should only see the records where their Employee ID is selected. We have to manually create a user permission record for a great number of employees! Why? …because of the next point below:
3. In the User Permissions, we cannot use the generic ‘Apply to All Document Types’ option (especially for the Employee DocType) for a great deal of users because they need access to certain documents for their entire unit, department, or company. This leads to the unbundling of their permissions thereby creating several user permission records for each employee and making the whole system look pretty confusing and complicated. It also means, as mentioned in issue no. 2 above, that adding user permissions for any additional documents needs to be done individually for all these users else you run the risk of falling into the loophole mentioned in issue no. 1 above!
In the former permission system, all you had to do was specify access to ‘DocType A’ for ‘Role B’ if ‘DocTypes C, D, E’ are permitted for the user… so much easier and less complicated!
Could anyone please explain to me what exactly are the gains (in practice, not theory) of the new permission system over the former and how they deal with the issues listed above? I’m really struggling to make sense of the current permission system.
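Added example, not part of the original post and not ERPNext or Frappe code: a small audit over a simplified model of the behaviour described in issues 1 and 3, listing every user whose role grants read access to a doctype while no user permission record narrows it. The record field names, the `Training Record` doctype, the `HR Manager` exemption and all sample data are assumptions constructed for illustration.

```python
from collections import namedtuple

# Simplified model of a User Permission record; field names are assumptions.
UserPerm = namedtuple("UserPerm", "user allow for_value apply_to_all applicable_for")


def covers(perm, doctype, link):
    """True if this record restricts `doctype` through its link to `link`."""
    return perm.allow == link and (perm.apply_to_all or perm.applicable_for == doctype)


def unrestricted_readers(role_read, user_roles, user_perms, restricted_by, exempt_roles=frozenset()):
    """Return sorted (user, doctype) pairs where a role grants read access but no
    User Permission narrows the records, so the user would see every entry."""
    findings = []
    for doctype, link in restricted_by.items():
        readers = role_read.get(doctype, set())
        for user, roles in user_roles.items():
            if not roles & readers or roles & exempt_roles:
                continue  # no role-level read, or intentionally unrestricted
            if not any(p.user == user and covers(p, doctype, link) for p in user_perms):
                findings.append((user, doctype))
    return sorted(findings)


def demo():
    """Run the audit over constructed sample data (not from a real site)."""
    role_read = {"Salary Slip": {"Employee", "HR Manager"}, "Training Record": {"Employee"}}
    user_roles = {
        "alice@example.com": {"Employee"},
        "bob@example.com": {"Employee"},
        "carol@example.com": {"Employee"},
        "hr@example.com": {"HR Manager"},
    }
    user_perms = [
        # alice: one record applied to all document types
        UserPerm("alice@example.com", "Employee", "EMP-0001", True, None),
        # bob: unbundled record that only covers Salary Slip
        UserPerm("bob@example.com", "Employee", "EMP-0002", False, "Salary Slip"),
        # carol: no record at all, e.g. after an upgrade
    ]
    # Doctypes that should be narrowed per employee, and the link used to do it.
    restricted_by = {"Salary Slip": "Employee", "Training Record": "Employee"}
    return unrestricted_readers(role_read, user_roles, user_perms, restricted_by, {"HR Manager"})


if __name__ == "__main__":
    for user, doctype in demo():
        print(f"{user} can read every {doctype}")
```

In this model, carol is flagged for both doctypes because she has no record at all, and bob is flagged for the newly added doctype because his unbundled record covers only Salary Slip.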