In OFBiz, every application has a base permission (except a few like ecommerce, ofbizwebsite etc.), and a user must have at least the base permission's view or admin level to log in to the application. Sometimes the base permission consists of more than one permission, and in that case both are required to log in to and access the application.
The base permission is defined in the ofbiz-component.xml file of each component. If the base permission consists of more than one permission, they are separated by a comma.
Below is a code snippet taken from the Asset Maint component's ofbiz-component file.
We will now learn how to set up permissions for a new user to gain access to a back-end application, using the Asset Maint component as an example throughout the tutorial.
Note that we will not focus on the internal details of this component; we will only visit a couple of screens to see whether we have set up the correct permission levels for the user.
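The base permission rule described above, together with the From Date and Thru Date window on security groups covered later in this tutorial, can be checked offline with the following added example (not OFBiz code and not taken from the original page). The XML fragment, the group ids and the group-to-permission mapping are constructed for illustration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample, not copied from the Asset Maint component's file.
COMPONENT_XML = """
<ofbiz-component name="assetmaint">
    <webapp name="assetmaint" mount-point="/assetmaint"
            base-permission="OFBTOOLS,ASSETMAINT"/>
</ofbiz-component>
"""

# Constructed group -> permission mapping (hypothetical group ids).
GROUP_PERMISSIONS = {
    "ASSETMAINT_ADMIN_GRP": {"OFBTOOLS_VIEW", "ASSETMAINT_ADMIN"},
    "CATALOG_VIEW_GRP": {"OFBTOOLS_VIEW", "CATALOG_VIEW"},
}


def base_permissions(component_xml):
    """Map each webapp name to its list of comma-separated base permissions."""
    root = ET.fromstring(component_xml)
    result = {}
    for webapp in root.iter("webapp"):
        raw = webapp.get("base-permission", "")
        result[webapp.get("name")] = [p.strip() for p in raw.split(",") if p.strip()]
    return result


def effective_permissions(memberships, now):
    """Union the permissions of groups whose from/thru window contains `now`."""
    perms = set()
    for group, from_date, thru_date in memberships:
        # A missing thru date means the membership does not expire.
        if from_date <= now and (thru_date is None or now <= thru_date):
            perms |= GROUP_PERMISSIONS.get(group, set())
    return perms


def can_login(webapp, memberships, now, component_xml=COMPONENT_XML):
    """Every base permission must be held as <BASE>_VIEW or <BASE>_ADMIN."""
    required = base_permissions(component_xml).get(webapp)
    if required is None:
        raise KeyError(f"unknown webapp: {webapp}")
    held = effective_permissions(memberships, now)
    # An empty list (no base permission declared) imposes no requirement.
    return all(f"{b}_VIEW" in held or f"{b}_ADMIN" in held for b in required)
```

Running this kind of check over exported group assignments is a quick way to spot users who hold only one of several required base permissions, or whose access has lapsed because a thru date has passed.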
Step by Step Guide
Let's first create a new user in the system. Log in to the party manager application with username: admin and password: ofbiz and click on the Create New link located at the top of the main screen.
The screen will provide a variety of options to choose from. Click on Create New Person.
Enter the required fields and save the form.
This will take you to the user profile screen.
Our next step is to create a user login for the new user. Click on the Create New link on the User Name(s) screen in the right column of the profile page.
Enter the details as below and save the form.
User Login Id: joe.will
Current Password: ofbiz
Current Password Verify: ofbiz
Coming back to the profile screen, you will see that the new user login has appeared under the User Name(s) screen in the right column of the profile page.
Now click on the Security Group link. This will present you with a screen where you can add a security group to the user account. A security group is basically a set of permissions, where permissions are classified as VIEW, CREATE, UPDATE and DELETE. An admin security group contains all of these permissions. Select the Asset Maint Admin group from the drop-down list. The From Date field is optional; if the user does not enter it, the application will use the system’s current timestamp for this field. Thru Date is also optional, but if specified, the security group will be valid for the user until the thru date has passed. You can also assign multiple security groups to the user at the same time. Save this form.
Now you have granted the user sufficient permission to access the Asset Maint application.
Note: The admin user is available only if demo data is installed. If only seed data is installed, you have to create the admin user explicitly from the command line with an ant target defined in the build file at the root of the project. Run the command create-admin-user-login from the terminal and follow the on-screen instructions to complete this wizard.
Testing User’s Permissions
Log out from the party manager application and then log in to the Asset Maint application as the new user. The user should be able to log in to this application without any issues, which signifies that the user has permission to VIEW this application.
Let's check whether the user has permission to perform a CREATE operation in the application. Go to the Fixed Assets tab and click on the New Fixed Asset link. Fill in the basic details as shown in the screenshot and click on the update button. The user should be able to create a new fixed asset record. This signifies that the user has permission to perform the create operation in the application.
Similarly, you can check whether the user has UPDATE or DELETE permissions by updating or removing the fixed asset record.
Let's try to log in to any other application (for example catalog) with the same user to check whether the system permits the user to access an application other than Asset Maint. As should be obvious from the screenshot below, the security permissions assigned to the user are just enough to log in to and access the Asset Maint application and not any other application.
Similarly, you can try to log in to any other application with the same user and you will see the same result.
So far we have learned the basics of security permissions in OFBiz and how we can assign these permissions to a user.