I have recently noticed that the financial reports have been mainly based on the GL Entry in Accounts; now this has created an issue with the permissions. The problem is that all the users who have access to the General Ledger report are able to see the following reports:
Balance Sheet
Cash Flow
General Ledger (already have access)
Profit and Loss Statement
Profitability Analysis
Trial Balance
Trial Balance for Party
Now, since all the above reports are based on the GL Entry, anyone who has a right to view reports on GL Entry would automatically get access to all the other reports.
In the case of General Ledger, we have actually restricted some limited users by the accounts for which they are permitted to view the GL Entry, and this works fine for General Ledger, but all the other 6 reports which are actually based on GL Entry are not limited by the permission manager.
This seems more like a problem to me, and I would request a change in the Permission base Ref doctype for the other 6 reports, since these reports need to be restricted to only a few in an organisation and not all.
As a stopgap arrangement I have changed the 6 reports to be based on a custom doctype in my account so that not all users can view these reports, but I would strongly suggest a change of these reports' reference doctype for permissions.
I thought the profit and loss statement access was based on the role for it. Might be wrong though. What doctype did you create to set up the access for your use case? Mind sharing what you did here?
Thanks @felix, that makes sense. I am wondering if this is something that the core product should have in it. Gotta have solid security to be a competitive solution. Maybe a GitHub should be raised? Just not sure if this is base Frappe or should be in ERPNext.
Great and easy solution.
Do you have an idea if this Doctype (if custom is checked while creating it) and the modifications made in the relevant documents will be kept while updating ERPNext?
Is this still the only available solution to restrict users to specific reports? How can you restrict them to see only specific portions of the report (e.g. only specific accounts in the CoA)?
OK. Thanks. But can you also restrict them to see only parts of the report (e.g. for a warehouse manager to see only the stock for his warehouse or for a regional manager only the account balances relevant for his position)?
I am also dealing with a similar issue. Accounts User with permission for a cost center is able to view P&L / financial data for whole company - as std P&L report by default loads with “blank” filter on Cost Center. The default accounts dashboard loads with a P&L graph that shows company wide profitability - even for a user restricted to a branch cost center. This is a serious breach of confidentiality imo - a user is able to escape their permission - by default.
Don't know how to resolve. Branch accounts dept should have access to branch P&L / P&L report.
I did set up session defaults for cost center. However, upon login the user has to voluntarily / manually select session default value for cost center each time. I came across a post on the forum that suggested writing a client script that would assign a session default cost center value for a specific user run upon login - but I am not a developer - so don't have a clue on how to accomplish it. For me, implementing a branch with cost centers / permissions seems broken with std ERP - unless I am ok with sharing confidential company wide financial data with branch account users.