Mastering User Roles and Permissions in ERPNext for Optimal Data Security
Learn how to manage user roles and permissions in ERPNext to ensure data security and efficient task management within your organization.
File
Users, Roles and Permissions - Managing your users in ERPNext
Added on 10/02/2024

Speaker 1: Welcome back to Frappe Academy. Hope you are enjoying setting up ERPNext so far. At Frappe Furniture, with the past few videos, we have been able to set up our masters, create our own custom DocTypes and even customize them. All my employees have started to feel more comfortable using ERPNext. I am however concerned with the accessibility of company information to the different users in my organization. I want that all my operational tasks, even as small as order deliveries, should be recorded in the system. At the same time, I do not want my delivery associates to be able to view confidential customer information. I do not want my customer relationship manager to be able to view confidential company information. This is what I am going to set up in this video.

The permission management in ERPNext is typically done on three levels. Based on a role wherein the users will be assigned certain roles with pre-decided permissions. Based on documents wherein a user will have no access to any documents containing information that he or she is not directly involved with. Based on fields within DocTypes wherein users will be restricted to view only certain elements of a DocType.

We are first going to see how permissions can be managed based on a role. Anna is an employee that I have just recruited at Frappe Furniture. She is a customer account manager and is going to be in charge of handling all the queries, feedback and issues from our assigned customers. I will first create a user in the system by adding her email and name. All the other details can be added later. The moment the user is saved, a section appears here called roles. In any organization, every employee has certain roles based on their job profile. This section will have a list of all such roles. You can also create a new role if needed. I have created a role called customer account manager.
I am going to assign Anna the roles of a sales manager and customer account manager at Frappe Furniture. I will select Anna's roles here. The rights given to each role can also be checked here. There can also be certain users that are not a part of the organization, say customers or auditors. Their specific roles can be assigned to them with limited permissions to system usage.

Now, how do we manage the permissions for any role? This can be done using the role permissions manager. Here, you can define the permissions that users under every role will have on a DocType. For example, I want my sales user to have rights to certain DocTypes like customer, sales order, opportunity and quotation. But the set of permissions is going to be different for each DocType. I can define this under role permissions manager. Here, I can select the role and the DocType to which I want to assign these permissions. The sales user already has a set of permissions for a sales order. These permissions will allow the user to read, create, edit, submit, delete, cancel, amend, share or print a DocType. The users can also be allowed to import or export the DocType, send it as an email or be able to set user permissions for this DocType. I can select or deselect the permissions that I want to be defined here. I will do the same for all the other DocTypes like customer, opportunity, quotation etc. Using the role permissions manager, I can also set up permissions for a new role like for customer account manager.

Like Anna, I have different customer account managers for different customers. Each of them has been assigned a similar set of roles. Every time a new customer account manager joins the team, I have to assign this set of roles to them. A bit tedious, no? I have instead created a role profile here and selected the roles that have to be assigned to every customer account manager.
So now, I can simply assign a role profile to each user at the time of their joining and all the roles under that profile will be automatically assigned to them.

We have seen how the permissions can be assigned using roles. Next, we will move on to record-based permissions. Since I have given Anna the role of a sales user, she has all the relevant permissions to the DocTypes in the system. She can access the data related to customers. Like in this case, she is able to view sales orders sent to all the customers. But she only handles two customers, Plethora Lifestyle Solutions and Global Builders. She shouldn't be able to see records related to other customers. To implement this, I am going to add a user permission for her. Here, I will add the user and under allow, I will add the DocType on which the data will be restricted. Under value, I will add the customer whose records she needs to access. Now, when Anna logs in, she will be able to see the sales transactions only with Plethora Lifestyle Solutions and Global Builders. We can also see a restricted button here. When she clicks on restricted, Anna sees that her access is restricted to transactions from Plethora Lifestyle Solutions and Global Builders. This kind of access control is done for all the customer accounts that she will be managing in future. In a similar way, advanced controls can be used to restrict access only to certain DocTypes. So, if we want Anna to be able to see only the sales orders from another customer, Tranquil Hotels, that can be defined under advanced controls.

After setting up role-based and record-based permissions, I will set up field-level permissions for my users. Sometimes, we may not want users to view all the details in a record. For example, Anna can see all the details of a customer feedback form. But I also have Tom, a delivery associate who will need access to the same. A lot of my customers have some feedback on the delivery execution.
Tom only needs to see the feedback on his delivery. He does not need to know the feedback rating and the total order value. I will configure this using perm level. Since this field appears in the table, we will first go to the customer feedback order details DocType, which is the DocType for the child table. Here, for the field total order value, I will add a perm level 1. Similarly, I will add perm level 1 for rating field in the customer feedback DocType. Next, I will add role permissions for customer feedback DocType. For the delivery associate, I will add perm level 0 with only read permissions. Now, Tom cannot see the total order value and the feedback rating on the customer feedback. On the other hand, I want Anna to be able to see the total order value. So, I will add the role permissions for her with perm level 1 and read and write permissions. When Anna logs into the system, she can see everything that Tom could see along with the fields that had perm level 1.

After setting up permissions in the three ways shown, we also have something called role permission for pages and reports. At Frappe Furniture, there are certain reports that carry financial information. I don't want anybody except my CXOs and directors to see these reports. For this, I will look for role permission for page and reports via the awesome bar. Herein, I will first select if the DocType is a page or a report. Next, I will select the report, say balance sheet. I will select the roles that will have access to this report and save. Now, I have been assigned the system manager role and since I do not have access to the balance sheet, I will not be able to find it in the system.

Lastly, let me introduce you to the share button for documents using which you can allow a document to be temporarily shared with the user. Let's say Tom needs to make a delivery where he has to take payment from the customer after he completes the delivery.
Now, as per the permissions granted to his role, he will not be able to see any of the sales invoices. Though, for this delivery, he will need to access the sales invoice of this order so that he knows the order value. Here, instead of configuring the role permissions only for this particular scenario, I will use the share button. A list of all the users will be available here and you can select one to view or record. I will select Tom and give him read permissions. Now, when Tom logs in, he will be able to see the sales invoice and complete his delivery. Once the delivery is done, I can remove him from the sharing list. This way, the share button can be used to temporarily share specific documents with specific users in the organization. For all the other permission-related requirements, the other options that we discussed previously can be used.

We hope with this video you got a fair idea of how the user roles and permissions work in ERPNext. In the upcoming videos, we will explore the default settings in ERPNext. Meanwhile, you can go through our user manual to have a deeper understanding of ERPNext. Drop a comment to let us know your thoughts about the video. Hit the bell icon to subscribe to our channel and get notified about our upcoming videos.
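
The three layers described in the transcript (role permissions, user permissions on records, perm levels on fields), as an added example that is not part of the video and is not Frappe's code: a simplified Python model using the names from the walkthrough. The rule table, the level-0 rule for the customer account manager, the field names and the sample records are assumptions constructed for illustration.

```python
# Simplified model of the checks described in the video; not Frappe code.
# Field -> perm level for Customer Feedback (unlisted fields are level 0).
FIELD_LEVELS = {"rating": 1, "total_order_value": 1}

# Role permission rules: (role, doctype, perm level) -> rights granted.
# The level-0 rule for Customer Account Manager is an assumption.
ROLE_RULES = {
    ("Delivery Associate", "Customer Feedback", 0): {"read"},
    ("Customer Account Manager", "Customer Feedback", 0): {"read", "write"},
    ("Customer Account Manager", "Customer Feedback", 1): {"read", "write"},
}
USER_ROLES = {"tom": {"Delivery Associate"}, "anna": {"Customer Account Manager"}}

# User permissions: user -> {link field: allowed values} (record-level limit).
USER_PERMISSIONS = {
    "anna": {"customer": {"Plethora Lifestyle Solutions", "Global Builders"}},
}

# Constructed sample records.
FEEDBACK = [
    {"name": "FB-001", "customer": "Global Builders",
     "delivery_comment": "On time", "rating": 4, "total_order_value": 52000},
    {"name": "FB-002", "customer": "Tranquil Hotels",
     "delivery_comment": "Late by a day", "rating": 2, "total_order_value": 9000},
]


def readable_levels(user, doctype):
    """Perm levels at which any of the user's roles grants read."""
    roles = USER_ROLES.get(user, set())
    return {level for (role, dt, level), rights in ROLE_RULES.items()
            if dt == doctype and role in roles and "read" in rights}


def read_document(user, doctype, doc):
    """Return the fields the user may see, or None if the record is denied."""
    levels = readable_levels(user, doctype)
    if 0 not in levels:  # no level-0 read: the document is not accessible at all
        return None
    # Record-level check: each restricted link field must hold an allowed value.
    for field, allowed in USER_PERMISSIONS.get(user, {}).items():
        if field in doc and doc[field] not in allowed:
            return None
    # Field-level check: hide fields whose perm level the user cannot read.
    return {f: v for f, v in doc.items() if FIELD_LEVELS.get(f, 0) in levels}
```

In this model Tom gets both records without `rating` and `total_order_value`, while Anna gets the full Global Builders record and nothing for Tranquil Hotels.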
