[Request for Comments] Introducing User Type for restricted user

Hi All,

As you are aware, we are working on introducing Employee Self Service (ESS) for our customers soon.

Design

Following are the changes made in the current product to introduce the ESS feature:

1. User Type

A new doctype called User Type has been added. User Type can be edited by the System Manager (and the Admin) only. However, the System Manager has the right to give rights to anyone to edit/add/delete the User Type doctype.

Website User and System User will be standard user types and these cannot be deleted or edited. However, non-standard (Custom) user types can be deleted, created, edited. By default, delete rights are not given to any user.

User Type is created so that in the future we can introduce “User Type” based pricing.

In the User Type doctype, you need to define the following:

a) Role and User Permissions: The role for which this User type is applicable. In our case, the role, ESS User is applicable against the User Type, ESS User. Also, since all ESS employees will be restricted to their own records, defining the same here will automatically create User Permissions for that ESS user.

b) Document Types: Here, for now, the System Manager is free to add max. 10 doctypes in total including a max of 3 custom doctypes. (We can change the max no. of standard and custom doctypes later on based on feedback).

The above table also acts as the Role Permission Manager for this particular User Type (ESS User in our case). ESS User as a role won’t be accessible in the general Role Permission Manager.

You can expand the row of the table to give read, write, create, cancel, amend, delete access to the ESS User for that particular doctype as shown in the screenshot below.

Based on the doctypes that the System Manager adds, the 3rd table, “Allowed Modules” in the User Type doctype gets updated. For example, we have added doctypes related to the HR and Payroll module in the “Document Types” table. Based on this, the “Allowed Modules” table gets updated and the ESS user will only be able to see these 2 modules on his desk and the doctypes defined here in these 2 modules. This table is non-editable.

Since “Allowed Modules” has been translated into a table for custom User Types (ESS User), the allow modules section in the User master won’t be visible for such users. Also, the Roles section won’t be visible for such users in the User master.

Roles and Allowed Modules section will be visible only to users who have Standard User Type, i.e. to System and Website Users.

c) Document Types (Select Permissions Only): In this table, you need to list down all the doctypes that you want the ESS user to have SELECT access to. There is no limit to the no. of doctypes you can add here.

2. ALL role removed from Role Permissions Manager

So ALL is a role that every user has by default. All the doctypes that ALL has access to, every user will have access to it by default.

To restrict the System Manager from giving access to doctypes not listed in the User Type to the ESS User via the ALL role, the ALL role has been removed from Role Permission Manager, i.e. it exists, but it won’t be accessible to the System Manager in RPM.

NOTE: ALL role (for the Custom doctype) will only be visible to the Administrator.

3. User Type editable in User master

When you create a new user now, you will get a quick entry which will also give you the option to select the User Type (link field).

If no roles are given, the User Type will be “Website User”. If any role having desk access is given, then automatically the User Type becomes “System User”.

To make the user an ESS user, go to the User master, under the “Security Settings” section, change the User Type to “ESS User”.

On doing so, the user will automatically be assigned the role of ESS User. What you will have to do next is create an employee record for this user, and tag the User ID of this employee under the “ERPNext User” section in the Employee master as shown in the screenshot below.

Please leave your feedback/suggestions as a comment on this post. This will help us to release this feature sooner.

12 Likes
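A small stand-alone model of the design described in the post above, added here as an example; it is not Frappe/ERPNext code and not the poster's. It checks the Document Types limits, derives Allowed Modules, and lists doctypes a restricted user would still reach through the ALL role; all class names, function names and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MAX_DOCTYPES = 10  # total limit stated in the post
MAX_CUSTOM = 3     # custom-doctype limit stated in the post


@dataclass(frozen=True)
class DocType:
    name: str
    module: str
    custom: bool = False


def validate_user_type(doctypes):
    """Return the limit violations for a "Document Types" table."""
    errors = []
    if len(doctypes) > MAX_DOCTYPES:
        errors.append(f"{len(doctypes)} doctypes listed, max is {MAX_DOCTYPES}")
    n_custom = sum(d.custom for d in doctypes)
    if n_custom > MAX_CUSTOM:
        errors.append(f"{n_custom} custom doctypes listed, max is {MAX_CUSTOM}")
    return errors


def allowed_modules(doctypes):
    """Derive the read-only "Allowed Modules" table from the listed doctypes."""
    return sorted({d.module for d in doctypes})


def leaked_via_all(listed, select_only, role_permissions):
    """Doctypes granted to ALL that appear in neither User Type table."""
    declared = {d.name for d in listed} | set(select_only)
    return sorted({dt for role, dt in role_permissions
                   if role == "ALL" and dt not in declared})


# Constructed sample data (hypothetical site, not taken from the post).
LISTED = [
    DocType("Leave Application", "HR"),
    DocType("Expense Claim", "HR"),
    DocType("Salary Slip", "Payroll"),
]
SELECT_ONLY = ["Employee", "Company"]
ROLE_PERMISSIONS = [  # (role, doctype) rows as a permission manager would hold
    ("ALL", "ToDo"),
    ("ALL", "Leave Application"),
    ("HR Manager", "Employee"),
    ("ALL", "Custom Notes"),
]
```

Any name returned by `leaked_via_all` is a doctype the User Type definition does not account for, which is the gap the post closes by hiding the ALL role from the System Manager.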

Thanks. Under 1C above, in a COMPLEX multi company situation, you want an employee to have access to only his company and unit/division/branch activities and reports only, can it be achieved? Carry out sales and purchase cycle relating to his department and be able to see reports relating to sales and purchases and performance relating to his unit and branch only.

Yes, that is possible. You will have to ensure that user permissions are applied on your employee for Company/branch/department record.

Curious as to the reason for this limit.

Also, will it be possible to include Loan Application in that list? It has applicant, instead of employee field.

I’m struggling to wrap my head around this. Is there an explanation available in functional terms? Is the primary function here to provide rule-based user permissions for classes of users?

I’m also wondering about this… With a system that has so many moving parts like ERPNext, you’re bound to quickly run out of DocTypes!

Great feature by the way

Cheers!

@rohit_w could you please elaborate what problem you’re trying to solve and why it can’t be solved with the existing permission system?

2 Likes

Can that also be applied to customers?

I understand that this is primarily to price for different types of users, e.g. drivers to be allowed to update delivery trip only, and things like that, apart from ESS.

But I thought that DocType Layout was supposed to be used for this purpose. I hope there are no parallel implementations of the same feature.

Yes, I know user permission can achieve that, but with a lot of going front and back. My thought is that with ESS, it should be made simpler.

This is configurable; you can set the limit in the site_config.json file under the ess_user key.
3 Likes

@Fred1 check point (a). User permission for employee records will be automatically set. For the rest like branch, dept, etc, you can do it via User Permissions.

This will be better explained in a video.

1 Like

Great work @rohit_w.

A quick question: in the case where we want to modify the number of documents that the ESS role has access to, for example, if we want to give Employees access to the support module to create issues for themselves, is there a way to do this on the user type definition, or do we have to switch to a generic System User?

Is a new custom user type more like a Desk user or a Website user?

My perspective here is coming from a website / webform / portal user. We find that webforms are limited in functionality: for example, there does not seem to be a way to give a student (website user) access to their own record via the portal. This custom user type appears to allow this – but does this mean that the user is more of a Desk user? If more like Desk, then the other webpages won’t be easily visible?

Once this site config is changed, you can also add the actual user type via IMPORT since there is no “NEW” button in the User Type doctype list.

Why is this hidden and read only? I can unhide it from Customize Form, but cannot unset the read only part. (On Frappé Cloud). I’ve tried overriding the table using data import or upload table, but it doesn’t save. I suppose there is some logic that requires that LINK fields in the permitted doctypes should automatically be set for SELECT permission?

Dear @rohit_w ,

I can see that the user type feature is extremely important. Now, our needs require us to create a User Type. However, it seems that there are some limitations on using this feature.

For example, I am not able to unhide some fields, nor am I able to create any user type.

Could you please clarify how to utilize the User Type?

Note:
I am assuming that if I set any permission in a User Type and link that User Type to a User Role, this will override all permissions for that User Role in the Role Permission Manager.

Is this true?