I have a multi-company setup in Odoo, and I would like to limit the products that each user (under the group "User") can access (read/write/create/delete) to the products assigned to the company that the user is assigned to.
To be clear, I have:
Companies:
Company A
Company B
Users:
User A (assigned to "Company A" and user group "User")
User B (assigned to "Company B" and user group "User")
Products:
Product A (assigned to "Company A")
Product B (assigned to "Company B")
With the default setup, User A has access to both Product A and Product B, and I would like user A to have access exclusively to product A, on all modules (Sales, Inventory, POS…)
I believe that is possible to accomplish using Record Rules, but I haven't been able to do it.
I got the answer I needed from Jerome Guerriat at the the Odoo forums. I only needed to tick a checkbox under the general settings page:
There already is a product.product multicompany rule (but it is
inactive by default): "Product multi-company"
xml id: product.product_comp_rule
You can active it by going to settings => general settings. Check
"manage multi company", then uncheck "share product to all companies"
link here: https://www.odoo.com/es_ES/forum/ayuda-1/question/limit-products-to-company-assigned-to-user-in-multi-company-odoo-9-102686
Odoo's record rules are the way to do it, as you mentioned it by yourself. For example look at the rule for sales order (sale.order). It's global (no group selected/assigned) and it's restricted to companies:
['|',('company_id','=',False),('company_id','child_of',[user.company_id.id])]
Now create your own record rules for product.template and product.product like the example under Settings/Technical/Security/Record Rules (in Odoo V9 you'll need developer mode to see this) or within a custom module.
Odoo Can manage share partner and product without add rules:
Use multiple company
Don`t forget add parent company at Settings > Users> companies (choose child company)
Uncheck Share partner to all companies and Share product to all companies at Settings > General Settings > Shared resources
So, Difference company can`t read product.....
Related
Question is more advanced than usual.
Imagine you have three users groups in Keycloak: Group_Basic, Group_Client_A, Group_Client_B.
You add two different LDAP user federation setting for "Client A" and "Client B".
You make Group_Basic as your default group.
How to automatically assign Group_Client_A to LDAP users from "Client A", and Group_Client_B group to LDAP users from "Client B" ?
Any ideas are welcome! Thanks!
Basically #Vadim pointed to right thing:
Under created LDAP -> Mappers -> Create ->
Mapper type: hadrcoded-ldap-group-mapper
Group: /Group_Client_A
Did synced user, got default Group_Basic group + hardcoded Group_Client_A.
I assume pointing to different group under different LDAP synchronisation will got another group assigned.
Thanks!
I want to setup default account entries for creation of invoices. In that, I want to add just a customer name and the product details rest all should be there by default.
I had already given default values at so many fields but it is working only for few fields.
I want to set default values for
Account
Journal
Tax Account
In Partner Form -> Accounting
Account Receivable
Account Payable
So is there any way we can do that. For Reference check below given images
In order to set company default Account Receivable and Account Payable properties, as administrator user go to Settings → Technical → Company Properties. Find a property with name property_account_receivable_id where the Resource field is not set. If such entry does not exist, create it with the following values:
Name → property_account_receivable_id
Field → Account Receivable (res.partner)
Type → Many2One
Value → account.account,<id>
Where <id> is the database ID of the account (model: account.account) you want to use as the default value (you can find all accounts by going to Invoicing / Accounting → Adviser → Chart of Accounts. You can find out the database ID from the URL (id=<id>) when you open a single record in a form view):
For default Account Payable, analogically find or create a company property called property_account_payable_id with the following values:
Name → property_account_payable_id
Field → Account Payable (res.partner)
Type → Many2One
Value → account.account,<id>
Where <id> is the database ID of the account (model: account.account) you want to use as the default value (you can find all accounts by going to Invoicing / Accounting → Adviser → Chart of Accounts. You can find out the database ID from the URL (id=<id>) when you open a single record in a form view):
To set the default journal on invoices, as administrator user go to Settings → Technical → User-defined Defaults and click Create and fill in the following values:
Name → journal_id
Model Name → account.invoice
Default value or action reference → <id>
where <id> is the database ID of the journal (model: account.journal) you want to use as the default value (you can find all journals by going to Invoicing / Accounting → Configuration → Accounting → Journals. You can find out the database ID from the URL (id=<id>) when you open a single record in a form view):
The value for Account on invoice will come from the Customer, once you select one, and Tax Account will come from taxes defined for a given product. You can configure taxes by going to Invoicing / Accounting → Configuration → Accounting → Taxes. Alternatively, you could set user-definde default values (like for journal_id) for taxes, with the following values:
Name → account_id
Model Name → account.tax
Default value or action reference → <id>
where <id> is the database ID of the account (model: account.account) you want to use as the default value (you can find all accounts by going to Invoicing / Accounting → Adviser → Chart of Accounts. You can find out the database ID from the URL (id=<id>) when you open a single record in a form view):
How i can specify point of sale dashboard for specific user/ users who can see his/ her orders on dashboard when they logged into point of sale via their login account ?
Is there possibility to write expression with multiple OR / And conditions ?
If I understand your question well, this is how to Restrict POS user from viewing other users' orders
Create a new Record Rule (Settings > Security > Record Rules)
Named it anything you want
Object is Point of Sales Orders
Rule Definition: [('user_id','=',user.id)]
Groups Point of Sale / User
Now your POS users should only see orders created by themself.
You can also Assign a specific User to opening session on one POS by
Create a field (Settings > Database Structure > Fields)
Named it: x_user_id
Field type: many2one
Model: pos.config
Relation of object: res.users
Add the field to pos.config.form.view (Settings > User Interface > Views)
<group name="assigned_users" string="Assigned Users">
<field name="x_user_id" string="Assigned Users" />
</group>
Create a Record Rule (Settings > Security > Record Rules)
Named it anything you want
Object: pos.config
Rule Definition: [('x_user_id','=',user.id)]
Groups: Point of Sale / User
Assign user to a POS. Go to Point of Sale > Configuration > Point of Sale > Select a POS > Assigned Users
Now except Admin (with Manager role) can open Session on all POS, only assigned user can open sessions in a given POS.
First I'll describe rougthly the context. I want to have a symfony application where I can create various areas. In each of the areas, you can have different kinds of users (or roles). Each user can have multiple roles in different areas.
To illustrate the question, we'll define:
2 areas: "Area 1" and "Area 2".
2 users: "User 1" and "User 2".
2 roles: "seller" and "buyer".
"User 1" is a seller and a buyer in "Area 1"
"User 2" is a seller and a buyer in "Area 1" and a buyer only in "Area 2"
My question is: which is the best way to check in restricted pages if a user belongs to a given area and if he has the required role in that area.
After thinking a bit about it, I have done the following:
When an area is created, I also create one sfGuardGroup per role and one global sfGuardGroup for the area, each suffixed with the area id. So in our example, we'll have the roles:
area-1, sellers-1, buyers-1 for area 1
area-2, sellers-2, buyers-2 for area 2
The users are added to the relevant groups. So in our example:
User 1 will belong to the groups area-1, sellers-1 and buyers-1
User 2 will belong to the groups area-1, sellers-1, buyers-1, area-2 and buyers-2
From the URL, I know in which area we are, for instance:
http://example.com/area-1/sellers-restricted-page (accessible to users in the group area-1 and sellers-1)
http://example.com/area-2/buyers-restricted-page (accessible to users in the group area-2 and buyers-2)
http://example.com/area-2/ (accessible to users in the group area-2)
At that point, I am kind of stuck as I cannot make out the best place to implement the permission check: modify the guard filter? Change the actions?
Your required implementation is not supported by sfGuard so I would recommend creating a new, additional, security filter.
You can create a brand new filter that extends sfFilter, then add it into filter.yml after the existing security filter. This means that all existing security functionality provided by sfGuard continues.
You can then determine what area is being requested by looking at the current module name and action name (how you access these is different dependent on which version of symfony you are using, look in sfBasicSecurityFilter for a clue) then compare that with the roles that the current user has using sfGuardSecurityUser.
how can I get all accounts of am employee?
In the "Siebel Object Interaces Reference" I found an example, how to get all industries of an account:
var myAccountBO = TheApplication().GetBusObject("Account");
var myAccountBC = myAccountBO.GetBusComp("Account");
var myAssocBC = myAccountBC.GetMVGBusComp("Industry");
So I would like to do something like:
var myEmployeeBO = TheApplication().GetBusObject("Employee");
var myEmployeeBC = myAccountBO.GetBusComp("Employee");
var myAssocBC = myAccountBC.GetMVGBusComp("Account");
But I get an error
Semantic Warning around line 23:No such predefined property Account in class BusComp[Employee].MVGFields.
I can see in Tools that there is no Multi Value Link called "Account" in Business Component "Employee", so I can actually understand the error message.
So I wonder how I can get all accounts of an employee.
I found the Business Component "User" which has a Multi Value Link to "Organisation" and another link "User/Account".
Is this what I am looking for?
How can I know? Where is documentation which tells me about the semantics of links? (Is this described in "Siebel data model reference"? I cannot download this document, although I have signed in...) This link could also link a user to the organization it belongs to.
If one of these links IS what I am looking for, what would be the way to go to get the "User" Business Component of a corresponding "Employee" Business Component?
Many questions of a Siebel newb...Thanks for your patience.
Nang. An easy way to approach this (and to learn it) is to figure out how you'd do it in the UI. Then move onto figuring out how to do the same thing in script.
When you say, "get all account of an employee," do you really mean get all accounts where a particular employee is on the account team? In the UI, that would be done by going to: Accounts > All Accounts Across Organizations, and querying for that specific user in the "Account Team" multi-value field.
From that same view, go to Help > About View in the application menu. You'll see in the popup that the view uses the Account business object and the Account business component. A quick examination of the applet you queried on will show you that the "Account Team" field on the applet is really the "Sales Rep" field on the Account business component. Here's how to mimic what we did in the UI, in script:
var boAccount = TheApplication().GetBusObject("Account");
var bcAccount = boAccount.GetBusComp("Account");
bcAccount.SetViewMode(AllView); // like All .. Across Orgs
bcAccount.ClearToQuery();
bcAccount.SetSearchSpec("Sales Rep", "NANG");
bcAccount.ExecuteQuery();
Then you can walk through the list of accounts and do something with each one like this:
// for each account
for (var bIsRowActive = bcAccount.FirstRecord();
bIsRowActive; b = bcAccount.NextRecord())
{
// do something here
}
I hope you're enjoying Siebel.