Erpnext Permissions

What it does

This skill provides deterministic patterns for managing user roles and permissions within Frappe/ERPNext applications. It allows AI agents to understand and interact with ERPNext's five permission layers: Role Permissions, User Permissions, Perm Levels, Permission Hooks, and Data Masking. The skill enables checking document-level access rights using the frappe.has_permission function, which is crucial for ensuring secure data access control within your business system.

When to use it

• Troubleshooting user access issues in ERPNext.
• Automating permission checks during development or testing of ERPNext customizations.
• Verifying that users have the correct permissions to perform specific actions within ERPNext.
• Auditing existing ERPNext permission configurations for security vulnerabilities.
• Creating scripts to manage and enforce data masking rules (version 16+).

Key capabilities

• Understanding of Frappe/ERPNext's five permission layers.
• Ability to check permissions at the DocType level (e.g., "Sales Order").
• Ability to check permissions at the Document level (e.g., "SO-00001").
• Ability to check permissions for specific users.
• Knowledge of permission types: read, write, create, delete, submit, cancel, select, and mask.
• Understanding of automatic roles like Guest, All, Administrator, and Desk User.

Example prompts

• "Does the user '[email protected]' have write permissions for the Sales Order DocType?"
• "Can a guest user create a new sales order?"
• "Check if I can delete Sales Order SO-00001."
• "Verify that the Administrator role has read access to all documents."

Tips & gotchas

• This skill requires familiarity with Frappe/ERPNext terminology and concepts.
• Data Masking functionality is only available in ERPNext version 16 and above.
• The frappe.has_permission function can throw an error if the user lacks permission; use the throw=True option carefully.