Sharing szufisher’s proposal and PR for reference
- Proposal to refactor user permission based on SAP's authorization object concept
- User permission refactor by szufisher · Pull Request #6582 · frappe/frappe · GitHub
In the case of Frappe apps (no ERPNext), I have a workaround. It may not be appropriate for the employee case. Sharing it here in case anyone else finds it helpful.
- The user is given a basic role on login to create a “Permission Request”.
- A fresh user selects and creates a request to ask for Roles and User Permission.
- On approval of the request by a user with a higher role, programmatically create the User Permission and assign roles.
- Instead of updating roles and user permissions directly, update them programmatically through the “Permission Request” workflow and doc_events. You can even track changes here.
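
A sketch of the approval handler the steps above describe, as an added example that is not part of the original post or of Frappe itself. The DocType fields (`user`, `workflow_state`, `requested_roles`, `requested_permissions`), the `Permission Approver` role and the `GRANTABLE_ROLES` allowlist are assumptions; the checks keep the workflow from becoming a self-service escalation path.

```python
# Added example. Field names, role names and the allowlist are assumptions.
GRANTABLE_ROLES = {"Sales User", "Stock User"}  # roles this workflow may hand out
APPROVER_ROLE = "Permission Approver"           # hypothetical higher role


class GrantRefused(Exception):
    """Raised when an approved request must not be applied."""


def plan_grant(requester, approver, approver_roles, state, roles, perms):
    """Validate a request; return (roles, perms) to create, deduplicated."""
    if state != "Approved":
        return [], []  # nothing to do until the workflow reaches Approved
    if approver == requester:
        raise GrantRefused("requester cannot approve their own request")
    if APPROVER_ROLE not in approver_roles:
        raise GrantRefused("approver does not hold " + APPROVER_ROLE)
    refused = sorted(set(roles) - GRANTABLE_ROLES)
    if refused:
        raise GrantRefused("roles not grantable here: " + ", ".join(refused))
    return sorted(set(roles)), sorted(set(perms))


def on_update(doc, method=None):
    """doc_events handler for the hypothetical "Permission Request" DocType."""
    import frappe  # imported here so plan_grant stays testable without a site

    approver = frappe.session.user  # the user whose save moved the workflow
    try:
        roles, perms = plan_grant(
            doc.user, approver, frappe.get_roles(approver), doc.workflow_state,
            [r.role for r in doc.requested_roles],
            [(p.allow, p.for_value) for p in doc.requested_permissions],
        )
    except GrantRefused as exc:
        frappe.throw(str(exc))  # aborts the save, so the approval is rolled back
    if roles:
        frappe.get_doc("User", doc.user).add_roles(*roles)
    for allow, for_value in perms:
        row = {"user": doc.user, "allow": allow, "for_value": for_value}
        if not frappe.db.exists("User Permission", row):  # on_update can fire again
            frappe.get_doc({"doctype": "User Permission", **row}).insert(
                ignore_permissions=True)
```

The handler would be registered in the app's `hooks.py` under `doc_events` for the "Permission Request" DocType, with `on_update` pointing at this function's dotted path.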