This OFBiz tutorial is the next part of our earlier tutorial “How to Setup User Permissions”.  See how using ECA’s can extend service permissions.

So far we have seen how to assign security permission to a user which will let the user access a particular application. The level of access to an application will depend on the permission(s) assigned to the user. You may want to allow the user to just view an application or maybe you want to allow them other possible permission options like creating new records, updating the existing records or deleting exiting records in a particular application.

You can also assign an admin permission to a user. This gives the user full access to an application so that the user can View, Create, Update and Delete records in a particular application.

Assigning a permission is not restricted to just one application, you can allow the user to access more then one application by assigning permissions related to other apps.

There are certain cases when a user has admin permission for an application but the user is not allowed to perform certain operation in the application. For example, if you want to view a product lookup screen in the “Asset Maint” application then you would need the permission of the Catalog application. The simplest option is to give the user all the required permissions. The downside of this approach is that this will also allow the user access to the Catalog application.

So in this case if you want the user to have access only to the “Asset Maint” app then you can do this by defining ECA (Event Condition Access) rules which will extend the permission of the other applications while still not allowing the user to access these application(s) other than “Asset Maint.”

The rule can be defined in a file under the sevicedef folder in the component directory tree as following.

OFBiz Tutorial Permissions-2-1a

This also requires the entry of this file in ofbiz-component.xml where secas.xml is the name of the above file.


Whenever the user tries to perform any catalog related operation in the “Asset Maint” application, the catalogPermissionCheck service will run first. We know that the user does not have any explicit permission to the Catalog application hence the service will return hasPermission flag as false. Every permission service implements a generic service interface and hasPermission is one of the boolean attibute that is returned by the permission service. If it is false it means that the user does not have sufficient permission.

Since we want to override the permission we define a permission service in the “Asset Maint” component. This service will check whether the user has permission to access the “Asset Maint” component or not instead of checking for Catalog permission. If the service returns a true for the hasPermission flag (which it will if the user has “Asset Maint” permissions) it means the user can access the catalog related screens in “Asset Maint.”

The code for the permission service will look like this: (Click to expand image.)

ofbiz-tutorial-permissions23a (1)

This way without explicitly assigning the catalog permissions the user will still be able to access the product lookup screen in the “Asset Maint” application.

Similar you can add more rules to the ECA file to override the OFBiz user permissions of other applications in the “Asset Maint” application.


DATE: Jun 16, 2010
AUTHOR: Mike Bates
OFBiz Tutorials, OFBiz Tutorial, OFBiz User Permissions, OFBiz User Setup, OFBiz, OFBiz Tutorials for Beginners