System Manager permissions

My client will use only a few doctypes, so I want to remove access to unused doctypes to reduce noise. I still want them to be able to add new users.

I see 2 possible solutions.

1- Remove permissions from the built-in System Manager role.
Not sure if this is even viable, and if a migrate will reset role’s permissions…

2- Create a new role and add needed permissions only, including acess to create new user.
The issue I have with this option is the client can still select the role System Manager on a new user.
Not a huge issue but I would prefer them not having access to select it.

I’m looking for insights if anyone had similar requirements.

Either of these approaches should work, and I think the correct answer depends on the administration workflow you want.

Frappe assumes that somebody has access to the System Manager role. There are certain things that only a System Manager (or the Administrator account) can do. Your client doesn’t need to have this role for their daily operations, but somebody needs to be able to come in to do System Manager things as needed. That doesn’t have to be your client, of course. It could be you, depending on the kind of support contract you have.

Solution (1) should work fine. Any document privileges added or removed via the Role Permissions Manager should survive a migration. Role Permissions created this way are site-level, not app-level. Removing permissions from the System Manger will effectively de-clutter the workspace and search bar and is very useful to this end. There’s one major caveat: somebody with the System Manager role can always just add those permissions back to themselves at any time.

Solution (2) should also work, but in this case your client won’t be able to add permissions to themselves. Whether this is a good thing or bad thing depends on your goals. They also won’t be able to create new users unless you explicitly grant that permission to them. If you want to give them the ability to create new users but not grant the System Manager role, it can probably be done but will require some custom implementation.

So, you have two options:
(1) will simplify your client’s experience but doesn’t secure the site against them
(2) does secure the site against them

Thanks for your input Peter.

As you mentionned, I want my client to do its daily operations, nothing more. All the admin stuff will be handled by me using the Administrator account.

I will try my luck with solution 2.
My plan is to customize User doctype to prevent saving a user if that user has System Manager role and session’s user has not.

1 Like