Access controls list "Editing Odoo security rules" - odoo

I'm trying to modify the access control list of Leave Requests to approve under the Leave Management module.
I need the Leave Requests to approve menu to be accessible only by each employee's manager.
E.g. if the company has 10 employees under Sales/Marketing and 5 employees under the IT department, I need the sales manager to access only his 10 employees' leave requests and not be able to access the rest of the company's employees who are not under his authority.
To do it, I modified the record rule domain definition of Leaves Officer from [(1,'=',1)] to [('employee_id.parent_id','=',user.id)]
but it didn't work. How do I fix it?

In your case you are basically passing the wrong domain to the record rule.
You were previously using a domain like
[(1,'=',1)] => access all the records of that model
[('employee_id.parent_id','=',user.id)] => access only records whose parent_id (the manager employee) equals the current user
But there you are matching only the manager itself, not its related user.
So you must add the domain below to your record rule:
['|',('employee_id.user_id','=',user.id),('employee_id.parent_id.user_id','=',user.id)]
Basically the manager is himself an employee of the company, and each employee has to be attached to its related user.
First you need to understand the following relations:
1. employee_id :
indicates that each leave is related to one employee.
2. parent_id :
indicates that each employee is related to one manager (for the hr.holidays model, i.e. the leave request model).
3. user_id :
If you want to log in as a particular employee then you must set the related user on each employee form, which is labeled as Related User.
4. user :
indicates the global user, i.e. the user you are currently logged in as.
5. id :
the unique id of each record.
In your case, how will the domain work?
First it checks whether the current logged-in user is the related user of the leave's employee.
Then it finds the user ids of the employees attached to the same manager.
It means it performs an OR operation, as in a SQL statement, on both parts of the domain.
I hope my answer is helpful to you :)

Related

LDAP Query to check if User is a member of a particular security group

I am trying to adapt the following query to find out if a user is a member of a specific group (security group) but I do not get it to work and I fail to understand it completely.
(&(objectClass=user)(sAMAccountName=yourUserName)
(memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))
In my case, the user is XYZ and the security group is called [SecITGroup].
The user is however located under OU=USERS, OU=GO, OU=AzureSync.
I have tried the following:
(&(objectClass=user)(sAMAccountName=XYZ)
(memberof=CN=SecITGroup,OU=AzureSync,OU=GO,OU=USR,DC=de,DC=domain,DC=int))
Yes, I set the domain name to the actual domain, and no result is displayed.
What return attribute am I supposed to get back?
I found a solution or a workaround to this.
The LDAP query is rather a way of saying: show me the users in the specific group:
(&(objectCategory=user)(memberOf=CN=Administrators,OU=Admin,OU=Groups,DC=domain,DC=com))
The attribute is sAMAccountname which displays the user's name.
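As an added example (not from either post), a small evaluator for the filter syntax used above, run against two constructed entries: the asker's user XYZ, placed in a constructed group whose DN sits under OU=Groups, and a second user who is in no group. It shows that memberOf only matches the group's own full DN, and that attribute names and values compare case-insensitively.

```python
import re

# Constructed entries in the shape the question describes; values are lists as in a search result.
DIRECTORY = [
    {"dn": "CN=XYZ,OU=USERS,OU=GO,OU=AzureSync,DC=de,DC=domain,DC=int",
     "objectClass": ["top", "person", "user"], "objectCategory": ["user"],
     "sAMAccountName": ["XYZ"],
     "memberOf": ["CN=SecITGroup,OU=Groups,DC=de,DC=domain,DC=int"]},  # assumed group DN
    {"dn": "CN=ABC,OU=USERS,OU=GO,OU=AzureSync,DC=de,DC=domain,DC=int",
     "objectClass": ["top", "person", "user"], "objectCategory": ["user"],
     "sAMAccountName": ["ABC"], "memberOf": []},
]

def parse_filter(text):
    """Parse the RFC 4515 subset used on this page: (&...), (|...), (!...) and (attr=value)."""
    text = re.sub(r"\)\s+\(", ")(", text)   # the question splits its filter over two lines
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        op = text[i + 1]
        if op in "&|!":
            i, kids = i + 2, []
            while text[i] != ")":
                node, i = parse(i)
                kids.append(node)
            return (op, kids), i + 1
        end = text.index(")", i)
        attr, value = text[i + 1:end].split("=", 1)
        return ("=", attr, value), end + 1
    node, i = parse(0)
    assert i == len(text), "trailing characters after filter"
    return node

def matches(node, entry):
    """Attribute names and values compare case-insensitively, as Active Directory does."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in values)

def search(filter_text, attribute="sAMAccountName"):
    node = parse_filter(filter_text)   # the returned attribute is the one the answer names
    return [e[attribute][0] for e in DIRECTORY if matches(node, e)]
```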

Odoo User and Manager on the same Group

I am a beginner in Odoo and I would like to create accounts for Managers and Simple Users respecting these conditions:
Manager A (of the Team 1) can see his own records as well as the records of the Users X1 and X2.
Manager B (of the Team 2) can see his own records as well as the records of the Users Y1 and Y2.
Manager A cannot see the records of Team 2.
Manager B cannot see the records of Team 1.
I created Team 1 and Team 2 as Groups using Settings --> Users and Companies --> Groups and I assigned the users and the managers to their respective groups, but nothing happened. When I created a new event, it was still visible to all the others.
Do I need to add a special record rule or something?
I am using the Events module of Odoo 12.
Generally, groups are defined to have different permissions (read, write, delete, edit) at model level (not at record level). For e.g. User, Manager, Director, Admin, etc. In your case, the teams have the same permissions on the event model but you only want a subset of records to be visible to each team. (I am curious whether there is a term for such a permission.) So, you have to use a record rule.
First, add new field team_id in user.
Then, add record rule to make event only visible to respective teams. [('create_uid.team_id', '=', user.team_id.id)]
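An added example (not the answerers' code) that evaluates all three domains discussed on this page, the wrong and corrected manager domains from the first answer and the team domain above, against constructed stand-ins for the Odoo records. The evaluator is a simplified version of Odoo's domain semantics that supports dotted Many2one paths and prefix '|' / '&'; the record ids and team ids are made up.

```python
# Constructed stand-ins for res.users, hr.employee and hr.holidays rows. Many2one
# fields hold the target id; user and employee ids differ so a mix-up cannot match by chance.
USERS = {101: {"id": 101, "team_id": 10}, 102: {"id": 102, "team_id": 10},
         103: {"id": 103, "team_id": 20}}
EMPLOYEES = {
    1: {"id": 1, "user_id": 101, "parent_id": None},  # sales manager
    2: {"id": 2, "user_id": 102, "parent_id": 1},     # reports to employee 1
    3: {"id": 3, "user_id": 103, "parent_id": None},  # IT, another team
}
LEAVES = [{"id": 1, "employee_id": 2, "create_uid": 102},
          {"id": 2, "employee_id": 3, "create_uid": 103},
          {"id": 3, "employee_id": 1, "create_uid": 101}]
TABLES = {"employee_id": EMPLOYEES, "parent_id": EMPLOYEES,   # which table each
          "user_id": USERS, "create_uid": USERS}             # Many2one points to

def resolve(record, path):
    """Follow a dotted path across Many2one links; a Many2one at the end compares by id."""
    value = record
    for field in path.split("."):
        if value is None:
            return None
        raw = value[field]
        value = TABLES[field].get(raw) if field in TABLES and raw is not None else raw
    return value["id"] if isinstance(value, dict) else value

def domain_match(domain, record):
    """Evaluate an Odoo domain (prefix '|' / '&', implicit AND) against one record."""
    stack = []
    for term in reversed(domain):
        if term in ("|", "&"):
            b, a = stack.pop(), stack.pop()
            stack.append((a or b) if term == "|" else (a and b))
        else:
            path, op, val = term
            got = resolve(record, path) if isinstance(path, str) else path
            stack.append(got == val if op == "=" else got != val)
    while len(stack) > 1:                       # implicit AND between top-level terms
        b, a = stack.pop(), stack.pop()
        stack.append(a and b)
    return stack[0]

def visible(domain, records=LEAVES):
    return [r["id"] for r in records if domain_match(domain, r)]
def wrong_manager_domain(user):   # compares an hr.employee id with a res.users id
    return [("employee_id.parent_id", "=", user["id"])]
def right_manager_domain(user):
    return ["|", ("employee_id.user_id", "=", user["id"]),
                 ("employee_id.parent_id.user_id", "=", user["id"])]
def team_domain(user):            # user.team_id.id in the second answer
    return [("create_uid.team_id", "=", user["team_id"])]
```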

Record Rule to allow a User to update their own Employee record without belonging to Officer group

I am trying to define a Record Rule within OpenERP 7.0 that allows a User who is not in the Officer group to change their own Employee record only, while still keeping the existing global rule allowing users in the Officer group full rights. I've gotten as far as setting up a custom rule with the following details:
Name: User_edit_own_employee_rule
Object: Employee
Apply for Read: checked
Apply for Write: checked
Rule Definition: [('user_id', '=', user.id)]
However, all this seems to do is remove the ability of the User to read any Employee record except for their own. As far as I can tell, I need to combine this rule with a logical OR operator with Group rule applying to users in the Officer group. Can anyone give me any pointers for how to accomplish this?
Edit: My desired behaviour is thus:
All users (Employee group) can search and read all Employee records.
Users in the Employee group can edit their own Employee record, but not others.
Users in the Officer group can edit all Employee records (this is default behaviour for the HR module).
Tried thus far:
Modify the Record Rule described above (User_edit_own_employee_rule) to apply only for Write operations, not Read operations (users can see all Employee records, but not edit any records including their own).
Modify the hr.employee system user Access Control rule to allow Write operations (users can now edit all Employee records).
One clue I have is that, using the API to return an employee's user_id in the shell, OpenERP returns [5, 'Joe Bloggs']. I wonder whether my Record Rule is querying the foreign key relationship properly?
Providing access rule is one part of the solution. If you look at "Access Control List" in "Settings > Technical > Security > Access Controls Lists", you can see that the group Hr Employee has only read access to the model hr.employee. So first you have to provide write access also to model hr.employee for group Employee.
After you have allowed write access to the group Employee for model hr.employee,
Create a new record rule from Settings > Technical > Security > Record Rules named User_edit_own_employee_rule (As you wish).
Provide the domain for this rule User_edit_own_employee_rule as [('user_id', '=', user.id)]. And this domain should apply for Read and Write, i.e. check the "Apply for Read" and "Apply for Write" Boolean fields.
Create another record rule named User_edit_own_employee_rule_1
Provide the domain for this rule User_edit_own_employee_rule_1 as [('user_id', '!=', user.id)]. And this domain should apply for Read only, i.e. check "Apply for Read".
Now by creating two record rules for the group Employee, we can provide access to read and write his/her own record but only to read other employees' records.
Let me summarize:
Provide write access in the access control list to model hr.employee for group Employee. Create two record rules:
User_edit_own_employee_rule :
Name : User_edit_own_employee_rule
Object : Employee
Apply for Read : Checked
Apply for Write : Checked
Rule Definition : [('user_id', '=', user.id)]
Groups : Human Resources / Employee
User_edit_own_employee_rule_1 :
Name : User_edit_own_employee_rule_1
Object : Employee
Apply for Read : Checked
Apply for Write : Unchecked
Rule Definition : [('user_id', '!=', user.id)]
Groups : Human Resources / Employee
Hope This Helps....
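An added example (not the answerer's code) of how the model-level ACL and the two record rules above combine per operation in OpenERP/Odoo: the ACL must grant the operation first, and the rules attached to the user's groups that apply to that operation are ORed. The Officer rule, the users and the ids are assumptions; passing only the first rule reproduces the symptom the asker saw.

```python
# Constructed stand-ins for OpenERP's model-level ACL (ir.model.access) on hr.employee
# and the record rules (ir.rule) from the answer. The Officer rule is an assumption
# standing in for the HR module's default full-access rule; users and ids are made up.
ACL = {"Human Resources / Employee": {"read": True, "write": True},   # write added, per step 1
       "Human Resources / Officer":  {"read": True, "write": True}}
RULES = [
    {"name": "User_edit_own_employee_rule",   "group": "Human Resources / Employee",
     "domain": lambda uid: ("user_id", "=", uid),  "read": True, "write": True},
    {"name": "User_edit_own_employee_rule_1", "group": "Human Resources / Employee",
     "domain": lambda uid: ("user_id", "!=", uid), "read": True, "write": False},
    {"name": "officer_full_access",           "group": "Human Resources / Officer",
     "domain": lambda uid: (1, "=", 1),            "read": True, "write": True},
]
EMPLOYEES = [{"id": 1, "name": "Joe Bloggs", "user_id": 5},
             {"id": 2, "name": "Ann Other",  "user_id": 6}]
JOE = {"id": 5, "groups": ["Human Resources / Employee"]}
OFFICER = {"id": 7, "groups": ["Human Resources / Employee", "Human Resources / Officer"]}

def term_match(term, record):
    """One domain term; (1, '=', 1) is the 'all records' idiom."""
    field, op, value = term
    got = record.get(field) if isinstance(field, str) else field
    return got == value if op == "=" else got != value

def allowed(user, record, op, rules=RULES, acl=ACL):
    """Does `user` get `op` ('read' or 'write') on `record`?  The ACL is checked first;
    then every rule attached to one of the user's groups and flagged for `op` is
    evaluated and the results are ORed.  No applicable rule means no restriction.
    (Global rules, which Odoo ANDs in front of the group rules, are not modelled.)"""
    if not any(acl.get(g, {}).get(op) for g in user["groups"]):
        return False
    applicable = [r for r in rules if r["group"] in user["groups"] and r[op]]
    return not applicable or any(term_match(r["domain"](user["id"]), record)
                                 for r in applicable)

def matrix(user, **kw):
    """{(employee id, op): allowed} for one user; handy for comparing rule sets."""
    return {(e["id"], op): allowed(user, e, op, **kw)
            for e in EMPLOYEES for op in ("read", "write")}
```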

Ldap User - Group Sync

I'm using Sun Directory server v5.2.
I have three attributes: designation, role.
I am using a tool with which, when I create/modify a user entry with the designation filled in, a unique member is added to a group 'Members'.
Now, there are circumstances where
Scenario1:
* Creating/modifying the user entry is not done via the tool, and so the unique member for this user entry is not added to the group 'Members'.
Scenario2:
* When the user's designation attribute is deleted, the group entry is not deleted.
This is causing inconsistency between the users and the group.
How can I resolve this?
Thanks,
Sash.
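An added example, not from the post: a reconciliation check for the two scenarios, run against constructed entries. It lists the members to add and to remove and renders the fix as one LDIF modify record, which can be applied with ldapmodify. The DNs and the location of the 'Members' group are assumptions.

```python
# Constructed entries: users with and without a 'designation' attribute, and the
# static group whose uniqueMember list has drifted (scenario 1: bob was created
# outside the tool; scenario 2: carol's designation was removed afterwards).
USERS = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "designation": ["Engineer"]},
    {"dn": "uid=bob,ou=People,dc=example,dc=com",   "designation": ["Analyst"]},
    {"dn": "uid=carol,ou=People,dc=example,dc=com"},
]
GROUP = {"dn": "cn=Members,ou=Groups,dc=example,dc=com",
         "uniqueMember": ["uid=alice,ou=People,dc=example,dc=com",
                          "uid=carol,ou=People,dc=example,dc=com"]}

def reconcile(users, group):
    """Return (to_add, to_remove): DNs that carry a designation but are missing from
    the group, and members that no longer have a designation (or no longer exist).
    DNs are compared case-insensitively, a simplification of real DN matching."""
    should = {u["dn"].lower(): u["dn"] for u in users if u.get("designation")}
    actual = {dn.lower(): dn for dn in group["uniqueMember"]}
    to_add = [should[k] for k in sorted(should.keys() - actual.keys())]
    to_remove = [actual[k] for k in sorted(actual.keys() - should.keys())]
    return to_add, to_remove

def to_ldif(group, to_add, to_remove):
    """Render one LDIF 'changetype: modify' record that applies both corrections;
    an empty string means the group is already consistent."""
    if not to_add and not to_remove:
        return ""
    lines = [f"dn: {group['dn']}", "changetype: modify"]
    if to_add:
        lines += ["add: uniqueMember"] + [f"uniqueMember: {dn}" for dn in to_add] + ["-"]
    if to_remove:
        lines += ["delete: uniqueMember"] + [f"uniqueMember: {dn}" for dn in to_remove] + ["-"]
    return "\n".join(lines) + "\n"
```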

Organising resource (URI) in REST API

Scenario 1
In my web application, say there is a screen for adding an employee to the system. As soon as the user tabs out after entering the name of the employee, it generates the employee code automatically (which is the next field) based on some logic and the records already present in the database.
Now I want to expose a REST API for this application so that third-party devs can build on top of it. So, I will have a resource called /Employee which will respond to the GET, PUT and DELETE verbs. But when a client needs to autofill the code, which is a GET operation, on what resource will it be? Should I make a new resource /EmployeeCodeFor/{Name}, or should I get it on /Employee/{Name}/GenerateCode? If I go with /Employee/{Name}/GenerateCode, then what about my resource for GET, PUT and DELETE for Employee, i.e. actually /Employee/{Id}?
Scenario 2
Here let's take the case of a Stack Overflow post. So let's say the resource would be /Post/{Id}. In the same way as in the previous example, it lists possible duplicate questions as soon as I tab out of the Title field.
Again, at what URL should I get those possible duplicates?
I can't think of more scenarios just now. But many such scenarios may come up in real-life application development. How do I implement them in a RESTful way?
Update on scenario 1
Code and Id are two different fields. Id is the primary key; code can be duplicated across departments, just to illustrate. Also, to generate a code, the name should be provided first. So, if the user types the name "FirstName LastName" then the server might generate FL003 as the code, assuming that there are already two more employees with a first name starting with F and a last name starting with L in the said department. The department can be identified based on the logged-in user.
One way to allow the server an opportunity to pre-fill a bunch of elements in a new resource is to do
POST /Employees
{with empty body}
=>
201 Created
Location: http://example.org/employee/3443
<Employee Id="3443">
<Code>E1001</Code>
<FirstName></FirstName>
<LastName></LastName>
</Employee>
This gives the server one chance to provide default values. If you are looking for a more interactive way for the server to provide feedback during the input, I have another approach but it will take quite a bit more explaining.
Scenario 1
Let's say your employee code is a unique identifier. In this case, to get it, you would allow the user to complete any field for the new employee and then make a POST. The server would generate the code and respond to the POST with a link to /Employee/{generated_code}, which is the record for your newly created employee.
A GET on /Employee would return a list of all employees. A GET on /Employee/{a_code} will give you the employee detail.
Scenario 2
You could have some kind of query on the /Post collection like /Post?title_like={question_title}. A GET /Post?title_like=REST How to would return you a list of all questions containing "REST How to".
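An added example (not the answerers' code): a minimal WSGI application that implements the exchanges described above, the POST that lets the server pre-fill a new Employee and answers 201 with a Location, the GET on the resulting resource, and the title_like query on the /Post collection. The code-generation rule (initials plus a running number, or a sequential E1xxx code when no name was given) and the sample posts are assumptions constructed from the question.

```python
import json
from io import BytesIO
from urllib.parse import parse_qs

# Constructed in-memory data; a real service would persist this.
EMPLOYEES = {}
POSTS = [{"id": 1, "title": "REST How to name resources"},
         {"id": 2, "title": "Odoo record rules"},
         {"id": 3, "title": "REST How to version an API"}]

def next_code(name):
    """Assumed code rule from the question: initials plus a running number
    (FL003); with no name yet, a plain sequential E1xxx code as in the answer."""
    parts = name.split()
    prefix = (parts[0][0] + parts[-1][0]).upper() if parts else "E1"
    return f"{prefix}{sum(c.startswith(prefix) for c in EMPLOYEES) + 1:03d}"

def app(environ, start_response):
    """WSGI app: POST /Employees (body optional) -> 201 + Location;
    GET /Employee/{code}; GET /Post?title_like=... on the collection."""
    method, path = environ["REQUEST_METHOD"], environ["PATH_INFO"]
    if method == "POST" and path == "/Employees":
        raw = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
        name = json.loads(raw or b"{}").get("name", "")
        code = next_code(name)
        EMPLOYEES[code] = {"code": code, "name": name}
        start_response("201 Created", [("Location", f"/Employee/{code}"),
                                       ("Content-Type", "application/json")])
        return [json.dumps(EMPLOYEES[code]).encode()]
    if method == "GET" and path.startswith("/Employee/"):
        rec = EMPLOYEES.get(path[len("/Employee/"):])
        start_response("200 OK" if rec else "404 Not Found", [("Content-Type", "application/json")])
        return [json.dumps(rec).encode()]
    if method == "GET" and path == "/Post":
        needle = parse_qs(environ.get("QUERY_STRING", "")).get("title_like", [""])[0].lower()
        hits = [p for p in POSTS if needle and needle in p["title"].lower()]
        start_response("200 OK", [("Content-Type", "application/json")])
        return [json.dumps(hits).encode()]
    start_response("404 Not Found", [])
    return [b""]

def call(method, path, body=b"", query=""):
    """Drive the app in-process (no socket): returns (status, headers, parsed body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": BytesIO(body)}
    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], json.loads(out) if out else None
```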