Re: [Health] Tryton Access Rules | Defaults for defined user groups

[Christoph H. Larsen]

Hi Ronald,

Thanks a lot for your prompt reply.

On 22/01/12 02:38, ronald munjoma wrote:
> Hi Chris,
> 
> On 21 January 2012 13:38, Christoph H. Larsen
> <address@hidden <mailto:address@hidden>>
> wrote:
> 
>     Dear Crowd,
> 
>     The problem: I have set up a range of "Parties", including patients,
>     employees , insurance companies and institutions.
>     Likewise, I have a number of user groups, such as "Human Resources",
>     "Patient Registration", etc.
>     Evidently, we want to make sure that the guys in Human Resources canot
>     snoop on the patient core daty put down by "Patient Registration' in
>     Parties.
>     Hence, I used the access model "Party" for both "Human Resources" and
>     "Patient Registration", and defined access rules like:
>     Human Resources can see those objects in the Party model, if the field
>     is_institution = False AND if the field is_insurance_company = False AND
>     if the field is_patient = False. Sounds easy, but it is not: The Rules
>     in the Access Permissions tab of Groups can only do OR, not AND, or this
>     is what I believe, as I cannot string conditions together. It does not
>     make any difference, whether I put all conditions into ONE rule, or have
>     sequential rules with single conditions set up. Any ideas?
In a nutshell, my question is: How can I do AND conditional roles for
access to an object specified in -> Groups -> Access Permissions ->
Access Model or Access Field? The mechanism in -> Groups -> Access
Permissions -> Rules seems to do only OR, i.e. becomes effective,
whenever ANY of the rules I set is satisfied. This is a bit of a weird
restriction, and bad for record safety ;-). Have I missed something? It
seems that the threads you mentioned do not address this issue.
> 
>     Also, for the group "Patient Registration", I would love to have the
>     fields is_patient and is_person set to TRUE, both to make life easier,
>     and to prevet the locking the patient registration staff from locking
>     themselves out of party records, when they forget to set is_patient to
>     TRUE. Any way how to define default values in Tryton?
Any ideas regarding how to set default values for specific fields? Here
you can see my glaring lack of knowledge ;-)
> 
> 
> Some what similar requirements were discussed on the list before, there
> is a proposal to have acess roles by default, see task
> #11368: http://savannah.gnu.org/task/?11368 
> 
> Find below previous discussions (hope they address your issues):
> http://lists.gnu.org/archive/html/health/2011-11/msg00110.html 
> and
> http://lists.gnu.org/archive/html/health/2011-11/msg00115.html 
Yes, I am well aware of the old OpenERP heritage of even denying access
rights to admin, once access to an object has been modified. Hence, I
always create universal access to the respective object for admin FIRST,
and then restrict it further for the group(s) in question. No worries
about that one...
> 
> Regards
> Ronald 
> 
> 
>     Thanks a millions, and best regards from Kabul -
As always, thanks a lot, indeed!
> 
>     Chris