[Openerp-community] Social security issue in OpenERP


[Openerp-community] Social security issue in OpenERP

Alexis de Lattre
Dear OpenERP community friends,

I share with you something that may be interesting for the whole
community. The issue I point out is present in OpenERP 6.0 and 6.1
(probably in other versions too):

1. Only a few groups have write access on res.partner.address: Partner
Manager, Administration / Configuration, HR Manager and Accounting &
Finance / Invoicing & Payments (in v6.1)

2. It means that, if you want your sales, purchase or stock users (not
managers) to be able to update a phone number or an email address on a
Partner Address, you will probably think: he needs write access on
Partner Addresses, so I need to add him to the group "Partner Manager".

3. If you look at the details of the ACLs for the group "Partner
Manager", you will see that this group has write/create access on
res.partner.bank and res.bank.

4. It means that all users that belong to the "Partner Manager" group
can modify the bank account numbers and other bank details on any partner.

5. Imagine one of them replaces the IBAN and BIC of a supplier with his
own bank account.

6. If the company uses OpenERP to generate bank files to pay the
suppliers, the employee will receive the money instead of the supplier!

7. The employee then runs away to the British Virgin Islands... :)

Of course, I know that all OpenERP integrators take the time to review
all ACLs on every deployment of OpenERP to check that nobody has "too
many" rights... :-)

But I wanted to shed light on this issue... the "Partner Manager"
group gives a lot of rights, probably too many for a regular employee...
but you probably want your regular employees to update phone numbers and
e-mail addresses on partners, and there is no native "intermediate"
group to give them such rights.

Regards,

--
Alexis de Lattre

_______________________________________________
Mailing list: https://launchpad.net/~openerp-community
Post to     : [hidden email]
Unsubscribe : https://launchpad.net/~openerp-community
More help   : https://help.launchpad.net/ListHelp

Re: [Openerp-community] Social security issue in OpenERP

Hamza BENHMANI
Hello Alexis,

I agree that this is a predefined group rights issue, because I believe that such customization should be done by default, but still, the groups and access rights in OpenERP are (more or less) flexibly customizable, which means, for instance, in this case you can:

- either create a brand new group and give it only the right to write on the address object,
- or start from scratch and make your own structure of groups and access rights.

Kind regards.


--
Hamza BENHMANI
Open Source Technical Consultant
Office: +212 (0) 522 23 54 44
Mobile: +212 (0) 664 38 27 79
Skype: hamza.ben7

10, rue Ibnou Al Arif
20 100 Casablanca - Morocco
[hidden email]
www.kazacube.com

Re: [Openerp-community] Social security issue in OpenERP

Daniel Reis (SECURITAS SA)-2
Yes indeed. Why have it out of the box if you can configure it yourself on each installation?

On 11/05/2012, at 18:10, "Hamza BENHMANI" <[hidden email]> wrote:

Re: [Openerp-community] Social security issue in OpenERP

Alexis de Lattre
On 11/05/2012 18:08, Alexis de Lattre wrote:
> 2. It means that, if you want your sales, purchase or stock users (not
> managers) to be able to update a phone number or an email address on a
> Partner Address, you will probably think: he needs write access on
> Partner Addresses, so I need to add him to the group "Partner Manager".

Just figured out that, by default, a new user is part of the "Partner
Manager" group (cf. server-6.1/openerp/addons/base/res/res_users.py line
351). So, by default, all new users have write access on
res.partner.bank and res.bank in OpenERP 6.1!

--
Alexis


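As an added example (not code from this thread or from OpenERP itself), a small audit over rows in the OpenERP 6.1 ir.model.access.csv format: it lists the groups that can write or create res.partner.bank / res.bank records, reports which users hold such a group (including the default new user that lands in "Partner Manager"), and shows the least-privilege group Hamza suggests, which writes res.partner.address only. The ACL rows, the user list and the my_addon.group_address_writer xml-id are constructed for the example; the base.* xml-ids are the real ones from the base module.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the 6.1 ir.model.access.csv layout (not the real
# base/security file); the Partner Manager rows mirror what the thread describes.
# my_addon.group_address_writer is a hypothetical custom group.
SAMPLE_ACL_CSV = """\
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_res_partner_address_manager,res.partner.address manager,base.model_res_partner_address,base.group_partner_manager,1,1,1,1
access_res_partner_bank_manager,res.partner.bank manager,base.model_res_partner_bank,base.group_partner_manager,1,1,1,1
access_res_bank_manager,res.bank manager,base.model_res_bank,base.group_partner_manager,1,1,1,1
access_res_partner_address_user,res.partner.address user,base.model_res_partner_address,base.group_user,1,0,0,0
access_res_partner_address_writer,res.partner.address writer,base.model_res_partner_address,my_addon.group_address_writer,1,1,0,0
"""

# Models whose write access lets a user redirect supplier payments.
SENSITIVE_MODELS = {"base.model_res_partner_bank", "base.model_res_bank"}


def writable_models_per_group(acl_csv):
    """Map each group xml-id to the set of models it can write or create."""
    writable = defaultdict(set)
    for row in csv.DictReader(io.StringIO(acl_csv)):
        if row["perm_write"] == "1" or row["perm_create"] == "1":
            writable[row["group_id:id"]].add(row["model_id:id"])
    return dict(writable)


def groups_with_sensitive_write(acl_csv, sensitive=SENSITIVE_MODELS):
    """Groups that can change bank details: the ones to hand out sparingly."""
    return {g for g, models in writable_models_per_group(acl_csv).items()
            if models & sensitive}


def users_who_can_edit_bank_details(acl_csv, user_groups):
    """user_groups: {login: set of group xml-ids}, as you would export from res.users."""
    risky = groups_with_sensitive_write(acl_csv)
    return sorted(login for login, groups in user_groups.items() if groups & risky)


# Constructed user/group assignment: a fresh 6.1 user is put in Partner Manager
# by default, as the follow-up in the thread points out.
SAMPLE_USERS = {
    "default_new_user": {"base.group_user", "base.group_partner_manager"},
    "sales_clerk": {"base.group_user", "my_addon.group_address_writer"},
}

if __name__ == "__main__":
    print("groups able to edit bank details:", groups_with_sensitive_write(SAMPLE_ACL_CSV))
    print("users able to edit bank details:", users_who_can_edit_bank_details(SAMPLE_ACL_CSV, SAMPLE_USERS))
```

Run against an export of your real ir.model.access rows and user/group assignments, the same two functions show whether the "intermediate" group exists and who still carries the broader one.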