Role access update by Role Tree


problem: its quite lot effort to create proper access rights based on the selected menu tree.

solution idea: create a new process "Role access update by Tree" (or improve existing Role Access Update) - attach it to Role window. User creates a new role, select a tree then select Role Access Update by tree. This process sync - role access records with tree menu items. (add/remove)





Carlos Ruiz
October 15, 2014, 3:37 PM

In the window "ASP Modules" there is a button that calls org.adempiere.process.ASPGenerateLevel
With this button you select a menu node and it generates the acceses to all the objects below (windows, processes, forms, tasks and workflows).
Every time I show this feature people say a similar approach would be worthful for role access, so maybe that can be a start point to develop it easily.

Tomáš Švikruha
October 23, 2014, 11:58 AM

Hi and , I extended Role Access Update process by Menu Tree parameter. If tree is selected, then access records will be updated based on this menu tree. Patch includes also simple migration scripts. Please help me test.

Tomáš Švikruha
October 24, 2014, 12:15 PM

Fixed bug in patch.

Norbert Bede
January 17, 2016, 6:46 PM


i have tested this patch with the next 2 scenarios:

Use case 1. i.) select role ii.)select "Reset Existing Access" - remove old and add all available _access records.
Use case 2 i.) select role ii.) select tree iii.)Run >> Result: in my test case doesn't remove all _access records (then when i remove it in db) - not inserts into _access tables.

in case two exactly we need to remove all _Access records then insert based on tree - when run the process.
please take a look is this concept in the code.


Norbert Bede
January 18, 2016, 10:33 AM

, need yours advice to fix the next two use cases.

after additional tests i have the follow useful behaviour

Issue 1. if i create Master Role (with purpose include then in client) then after save automatically updates User Level to System 'S'. This cause in both cases only application dictionary components with System Will be inserted to _access table. When i manually change it in database to CO (because role is for reuse in customer tenant not in system) then run process includes proper _Access records.

Suggestion: If System Role isMasterRole=Y then allow to set all User Levels also C,CO, S etc. Then admin should creates master role in system for usage in customer tenant.

Issue 2. If i generate Role Access records based on Tree, then logically processes like print order, print invoice - not necessary in tree must be included based on relationship defined on included Windows AD_Tab.AD_Process_ID.

WDYT ? it is stopper for me




Norbert Bede



Tested By