Cannot Restrict Master role in client

Description

  1. Create a master role in system client

  2. Add window access for Sales Order window as ReadWrite true

  3. Create a "Sales - view only" role in GardenWorld client

  4. Add included role as above master role

  5. Add window access for Sales order window as ReadWrite false (try to override master role's access by restricting it to read only from read/write)

  6. The above configuration does not work, and the user will still have Read/Write access in the "Sales - View only" role

Reason:

if (override && b2 == true && b1 == false) { map.put(key, b2); }

In the above code, b2 is the later role and b1 is the parent or previous role in sequence. Only if the later or child role's window access is read/write does it override; otherwise the permission defined in the previous, parent or master role is kept.

A resolution may be to override with whatever permission is in the child or later role in sequence:

if (override) { map.put(key, b2); }


Environment

None

Activity

Carlos Ruiz December 4, 2019 at 10:17 PM

Hi, OK, if I understand better now, your case is not about a non-master role against a master role, but about two master roles.

In such a case the proposal makes sense, as you can manage the precedence based on the SeqNo. Is that the case? Is SeqNo still considered even if the roles are in System and Client?

Pritesh Shah December 4, 2019 at 7:41 PM

Hi,

As per my understanding from above, you are saying that if I remove the b2 == true && b1 == false, then as per the sequence of included roles, the permission will get overridden. If my understanding is correct, then I believe that is how it should be. If we are including roles then we need to manage the sequence accordingly, and if 2 roles are included, one with write permission and one with read permission, whichever comes later should prevail. The same goes for substitute roles.

If you have any suggestion in case it is not as above, then please let me know and we can think of changing the behavior that way. Currently, due to this restriction, we cannot set up micro roles at system level and override at client level.

Carlos Ruiz December 4, 2019 at 4:53 PM

Hi - reviewed the code and understood what you mentioned.

However I think the suggested patch won’t work for all cases.

From what I see this was developed in a way where included roles take precedence over the actual role, and they are processed ordered by SeqNo, and it was intended just to override a non-access with a yes-access (and not the opposite).

If you add to your case the possibility to process multiple included records with order by, then you’ll have problems with the “if (override)” logic.

Add to the equation that the process also includes the “substitute” roles, apparently at the end of the list with a SeqNo=-1 (so, not tested, if I read correctly they’ll be processed at the end without overriding what was configured in the included roles).

In principle I would say this is not a bug, but the functionality was developed with such restriction in mind, and to change the behavior you would need to take into account the seqno of multiple included roles plus the substitute roles (which don’t have a seqno).

Regards,

Carlos Ruiz
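
The two merge rules discussed in this issue, side by side, as an added example that is not iDempiere's code and not part of any comment above. It assumes access rows are merged in sequence order into one map keyed by window, that the first row seen for a window is stored as-is, and that `override` is set; the class, record, role labels and window key are constructed, and records need Java 16 or later.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added illustration; every name and value here is constructed, not iDempiere's code.
public class RoleMergeDemo {
    static final int WINDOW = 1; // placeholder key for the Sales Order window

    record Access(String role, int window, boolean readWrite) {}

    // Merge access rows in sequence order; b1 = value already merged, b2 = later role.
    static Map<Integer, Boolean> merge(List<Access> inOrder, boolean lastWins) {
        Map<Integer, Boolean> map = new HashMap<>();
        boolean override = true; // assumed set, as in the reported scenario
        for (Access a : inOrder) {
            Integer key = a.window();
            boolean b2 = a.readWrite();
            Boolean b1 = map.get(key);
            if (b1 == null) {
                map.put(key, b2); // assumption: first row for a window is stored as-is
            } else if (lastWins) {
                if (override) { map.put(key, b2); } // proposed rule
            } else if (override && b2 == true && b1 == false) {
                map.put(key, b2); // rule quoted in the report: upgrade only
            }
        }
        return map;
    }

    static String show(String label, List<Access> rows) {
        return label + ": upgrade-only=" + merge(rows, false).get(WINDOW)
                + ", last-wins=" + merge(rows, true).get(WINDOW);
    }

    public static void main(String[] args) {
        // Reported case: master role grants read/write, client role asks for read-only.
        System.out.println(show("master -> view only", List.of(
                new Access("master", WINDOW, true),
                new Access("Sales - view only", WINDOW, false))));
        // Several included roles: last-wins depends on order, upgrade-only does not.
        Access ro = new Access("included read-only", WINDOW, false);
        Access rw = new Access("included read/write", WINDOW, true);
        System.out.println(show("ro, rw", List.of(ro, rw)));
        System.out.println(show("rw, ro", List.of(rw, ro)));
    }
}
```

Under the upgrade-only rule the merged value is the logical OR of all rows, so ordering can never remove an access but a restriction can never take effect either. Under last-wins the final row decides, which makes the processing order itself part of the access-control configuration.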

Fixed

Created November 4, 2019 at 9:25 PM
Updated February 1, 2020 at 1:40 PM
Resolved December 5, 2019 at 7:39 PM