Screen and Control Permissions
==============================================================================

This customization adds fine-grained create, read, and update permissions
to Sage screens and controls.

.. toctree::
   :maxdepth: 2
   :hidden:

   viscreen

.. contents::
   :depth: 3

Installation
------------------------------------------------------------------------------

The customization is installed using `Customization Manager`_.  Check out the
instructions for downloading Customization Manager and managing
customizations in the `documentation`_.

The customization is packaged as ``poplar_screenperms``.

.. _Customization Manager: https://customization-manager.readthedocs.io/
.. _documentation: https://customization-manager.readthedocs.io/en/latest/howtos.html

Configure Permissions
-------------------------------------------------------------------------------

Permissions come in two flavours: screen and control. **Screen** permissions
stop the screen from opening when the user does not have ``read`` permission.
**Control** permissions support ``create``, ``read``, and ``update`` 
permissions.

The instructions below are for built-in Sage screens. If you're working with an
Extender Screen, see the :ref:`Extender Screens` instructions.

Screen Permissions
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Any permission that does not define a control is a screen permission.
The only meaningful flag is the ``read`` flag.  If it is true the user can open
the screen.  Otherwise, the screen will open, an error displayed, and 
immediately closed.

To define a new screen permission that stops users from opening the O/E Order
Entry screen:

1. Identify the screen ID.  This can be done from the Desktop.

.. figure:: https://s3.amazonaws.com/dev.expi/content/poplar_screenperms/screen_id.png
   :width: 300px

   The screen ID of the O/E Order Entry screen is ``OE1100``.

2. Open :guilabel:`Extender --> Setup --> Custom Table Editor`.
3. Load the ``Permission Definitions`` table.
4. Define a new permission, setting:

   - Screen ID: OE1100
   - Default Read: True

.. figure:: https://s3.amazonaws.com/dev.expi/content/poplar_screenperms/oeorderscreen.png

   A permission to stop users from opening the OE1100 screen.

5. :guilabel:`Add` the permission.

Control Permissions
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Control permissions determine whether a user can read, create, or update a 
field.

If a user can read a field, they can see it on screen.  If they cannot read the
field, it will not appear on screen.

If a user can create a field, they can change it until the document in the 
associated datastore is saved for the first time.  Otherwise, the user cannot
edit the field on documents that have not been inserted.

If a user can update a field, they can change it on documents that have
previously been saved.  

To define a new screen permission that stops users from seeing the PO Date
field:

1. Identify the screen ID.  This can be done from the Desktop. The screen ID
   for Purchase Order Entry is ``PO1210``.
2. Identify the control ID:

   - Open :guilabel:`%SAGEROOT%/runtime/AccpacInfo.exe`
   - Open the :guilabel:`PO` section and select :guilabel:`PO1210`
   - Identify the header datastore that is used to determine if the document 
     has been created.  In this case, it is the P/O Header, ``dsPOPORH``.
   - Identify the control for the PO Date field. This can be challenging,
     but the description often gives it away. In this case,
     ``afePOPORH_PODate``.

.. figure:: https://s3.amazonaws.com/dev.expi/content/poplar_screenperms/accpacinfo.png

   The PO Date field is highlighted and the datasource name can be found at the
   very beginning of the list.

3. Open :guilabel:`Extender --> Setup --> Custom Table Editor`.
4. Load the ``Permission Definitions`` table.
5. Define a new permission, setting:

   - Screen ID: PO1210
   - Control: afePOPORH_PODate
   - Datastore: dsPOPORH
   - Default Read: True
   - Default Create: True
   - Default Update: True

.. figure:: https://s3.amazonaws.com/dev.expi/content/poplar_screenperms/podatefield.png

   A permission to restrict access to the PO Date field.

5. :guilabel:`Add` the permission.

Disabling Buttons
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

To disable an action, like deleting an order, create a permission for the
button that triggers the action.  Any user that cannot read the control will
not be able to see or push it.  This is an application of a Control Permission.

To define a new permission that stops users from Deleting an O/E Order:

1. Identify the screen ID.  This can be done from the Desktop. The screen ID
   for O/E Order Entry is ``OE1100``.
2. Identify the delete button control ID:

   - Open :guilabel:`%SAGEROOT%/runtime/AccpacInfo.exe`
   - Open the :guilabel:`OE` section and select :guilabel:`OE1100`
   - Identify the header datastore that is used to determine if the document 
     has been created.  In this case, it is the P/O Header, ``adsOEORDH``.
   - Identify the control for the button. This can be challenging,
     but the description often gives it away. In this case,
     ``APP_Delete_Button``.

2. Open :guilabel:`Extender --> Setup --> Custom Table Editor`.
3. Load the ``Permission Definitions`` table.
4. Define a new permission, setting:

   - Screen ID: OE1100
   - Control: APP_Delete_Button
   - Datastore: adsOEORDH
   - Default Read: True
   - Default Create: True
   - Default Update: True

.. figure:: https://s3.amazonaws.com/dev.expi/content/poplar_screenperms/oeorderdelete.png

   A permission to restrict access to the O/E Order Entry Delete button.

5. :guilabel:`Add` the permission.

Assigning Permissions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Once permissions have been created, use the Permissions Management UI to
assign them to users.  

1. Start the Permissions Management UI using the icon on the desktop.

   - If the icon doesn't exist, open :guilabel:`Extender --> Setup --> Scripts`
     screen, highlight ``PPSCPERM.PermissionsUI`` and click :guilabel:`Run`.

2. Navigate to the user to change permissions for. In this example, the user
   ``CHRIS``.

3. By default all users are assigned the default actions from the permission.
4. To stop Chris from accessing the OE Order Entry screen, double click
   the :guilabel:`Read` column for the :guilabel:`OEORDERSCREEN` entry.

.. note:: 

    All changes are saved immediately and take effect the next time the user
    opens the screen.

5. To allow Chris to input new POs with a PO Date, but not ot update the Date 
   on any saved PO, set the :guilabel:`Create` column to ``Yes`` and the 
   :guilabel:`Update` column to No.

.. figure:: https://s3.amazonaws.com/dev.expi/content/poplar_screenperms/chris_permissions.png

    Chris can open O/E Order Entry but can't use the Delete button and can only
    set the date on new POs, not existing ones.