IRC logs of #tryton for Tuesday, 2016-06-07 #tryton log beginning Tue Jun 7 00:00:01 CEST 2016
-!- JosDzG( has joined #tryton00:07
-!- kstenger( has joined #tryton01:20
-!- cedk(~ced@gentoo/developer/cedk) has joined #tryton01:34
-!- Pilou( has joined #tryton01:37
-!- Pilou( has joined #tryton01:38
-!- Pilou(~Pilou@pdpc/supporter/active/pilou) has joined #tryton01:38
-!- Pilou( has joined #tryton01:39
-!- Pilou(~Pilou@pdpc/supporter/active/pilou) has joined #tryton01:39
-!- Pilou( has joined #tryton01:40
-!- JosDzG( has joined #tryton03:21
-!- JosDzG( has joined #tryton03:26
-!- frispete_( has joined #tryton05:49
-!- ccaz( has joined #tryton07:14
-!- rpit(~rpit@2a02:908:e672:9420:56ee:75ff:fe0d:d3c7) has joined #tryton07:47
-!- Timitos( has joined #tryton08:00
-!- prayashm(~prayashm@ has joined #tryton08:01
-!- prayashm(~prayashm@unaffiliated/prayashm) has joined #tryton08:01
-!- udono( has joined #tryton08:14
-!- cedk(~ced@gentoo/developer/cedk) has joined #tryton08:22
-!- zmijunkie( has joined #tryton08:44
-!- mrichez( has joined #tryton08:56
-!- zmijunkie( has joined #tryton09:04
-!- shrox(shrox@nat/iiit/x-rtksxordnwpftern) has joined #tryton09:49
-!- shrox(shrox@nat/iiit/x-tphlpwqxmlcmqugt) has joined #tryton10:45
-!- meigallodixital( has joined #tryton10:48
-!- nicoe( has joined #tryton11:22
-!- mrichez( has joined #tryton12:45
-!- tbruyere( has joined #tryton12:45
-!- shrox(shrox@nat/iiit/x-ujsxxvqhovnkrfiq) has joined #tryton12:47
-!- shrox(shrox@nat/iiit/x-dswbayogpocowqzc) has joined #tryton12:48
-!- mariomop(~quassel@ has joined #tryton13:06
sisalphello everybody. For a training package, I 'am planning to do the following :13:45
sisalp- limitate admin user to Administration menu13:45
sisalp- create a powerful user called "manager" to administrate the ERP for everything the admin has now reason to know13:46
sisalpAnyone has done this already ?13:46
sisalpif I keep only the group "Administration" for the admin user, can it break module installation at configuration step ?13:56
sisalpIf I add all groups but "Administration" to "manager" user, is he autonomous for setting all the ERP functions, but creating users and installing modules ?13:57
pokolisisalp: I have never done something like this13:58
pokolisisalp: AFAIK admin user is not user for module installation, so it won't break anything. You only have to take in account that groups are added to admin user via xml definition13:58
pokolisisalp: and for the manager user, it should be autonomous of setting all the ERP functions otherwise (IMHO) its a bug and must be fixed13:59
sisalpup to here it says : you are not allowed to delete this record (in French), it is part of base configuration13:59
pokolisisalp: of course, because this is set via xml.14:00
pokolisisalp: I'm wondering if it won't be easier to inactivate the admin user, and create your own user that only belongs to the administration group14:00
sisalppokoli: good idea14:01
sisalppokoli: I would create a "ERP administrator" who is limited to administration.14:03
sisalpTryton accepts that I dis-activate the admin user. Good so far ...14:04
sisalpbut I cannot change admin login14:05
udonosisalp: Hi, watch out that you are not going to jail you out of Tryton by deactivating the admin user.14:07
udonosisalp: I would not touch the internal admin user. Give him a strong password, nobody except you knows.14:08
udonoAnd create a new "adm" odr "Admin" or "administrator" for the other users.14:09
pokolisisalp: yes, login can not be changed because is loaded from xml also, so you have yo user another login as udono suggested14:11
sisalpUdono: thank you. I created "supervisor" and "manager". If supervisor is able to change admin password, I can forget it14:11
sisalphave you any opinion on what I'm doing ? shouldn't it be good practice ?14:12
udonosisalp: Sounds reasonable14:12
udonosisalp: the distiction of supervisor and manager I don't understand, but Iam sure you'll have reasons.14:14
sisalpwords are not the best indeed, the idea is that the technician in charge of opening access/closing access to users has no reason to be allowed to configure key functions, and vice-versa14:16
udonosisalp: so why don't give him the admin password?14:16
sisalpbecause the admin can do everything on all functions14:17
sisalpand I cannot depopulate admin user14:19
udonosisalp: ok, understand. But I think you need some additional Groups to restrict the technican, because when you give him the group "Internal Administration" she has something like full access.14:19
cedksisalp: but a user that can create users and set access rights, has by definition access to everything he wants14:21
sisalpyes I agree. Adding modules too is very powerful. and he can can create any user for himself14:21
sisalpcedk: this is my point, yes14:21
cedkadmin is like root so of course it is better to use for daily work a limited user14:22
sisalpthe idea is to organize things a little better to encourage reasonable practices, in particular, not managung a company from admin user14:22
sisalpso it is a matter of first proposition at system setup, then the admin user can do what he wants14:23
sisalpcedk : if my supervisor has access to module install, but not to account configuration, will the installation/initial setup of account fail ?14:26
udonosisalp: maybe you can use record rules to filter the internal administration group for the technican, so when he creates ne users he can not choose it to get full access. You can forbid the access to the modules and many other internal settings via model and menu access. But I think it is a little bit work to set it up.14:28
cedksisalp: normally not14:28
sisalpcedk: so probably I can succeed in just creating two additional users, one for Administration menu, the other for all other menus as suggested by pokoly:, then propose to users to refrain using admin when not necessary14:31
cedksisalp: yes like you do on UNIX14:33
sisalpcedk: I thought UNIX was better because here I just hide menus, not sure it is enough to enforce security14:34
cedksisalp: if the supervisor user is only in admin group, he can not access account, sale, purchase etc.14:37
cedksisalp: but yes it is a user who has by default the right to create users14:37
cedksisalp: so it is like a user on UNIX who has the right to write on /etc/password14:38
sisalpcedk: so it is better than I tought14:38
sisalpmy Administration only users has party and products menus per default14:58
cedksisalp: because they are readable by everybody14:59
Timitossisalp: this is due to the fact that by default everybody can see products and parties. you need to add default permissions for these classes14:59
sisalpwell, parties may be useful also to set-up a user15:01
sisalplet 's say it is simple and acceptable as is ;-)15:02
sisalpudono : I had to restore my database because I got jailed out as you warned me ;-)15:03
pokolisisalp: you can reactivate the admin user via and sql update from the database in case you got jailed :)15:04
cedkalso it will be good to be able to reset admin password from trytond-admin15:05
udonosisalp: :-) so it goes15:07
udonocedk: +1 would be a great feature15:07
cedkudono: I think there is an issue for that15:20
udonocedk: thanks15:33
-!- JosDzG( has joined #tryton17:26
-!- shrox(shrox@nat/iiit/x-rqdngrgdxawvzoaq) has joined #tryton18:04
-!- kstenger( has joined #tryton18:37
-!- shrox(shrox@nat/iiit/x-nrgtivyxljblhirz) has joined #tryton18:54
-!- prayashm(~prayashm@ has joined #tryton18:58
-!- prayashm(~prayashm@unaffiliated/prayashm) has joined #tryton18:58
-!- Telesight( has joined #tryton19:11
shroxcedk: Any idea how I can set the xlink options in <draw:image>? Like they are in this -
-!- kstenger( has joined #tryton19:31
-!- leio(~leio@gentoo/developer/leio) has joined #tryton19:43
-!- kstenger( has joined #tryton19:44
cedkshrox: it is an href attribute but in the namespace xlink19:44
cedkshrox: look for example at the method _handle_images of relatorio19:45
shroxcedk: Cool. Having a look at it right now. Thanks!19:50
-!- shrox(shrox@nat/iiit/x-ujnmtespmldmrvog) has joined #tryton20:37
-!- kstenger( has joined #tryton20:38
-!- prayashm(~prayashm@ has joined #tryton21:01
-!- prayashm(~prayashm@unaffiliated/prayashm) has joined #tryton21:01
-!- Pilou( has joined #tryton21:06
-!- Pilou(~Pilou@pdpc/supporter/active/pilou) has joined #tryton21:06
-!- nicoe(~nicoe@ has joined #tryton21:13
-!- zmijunkie( has joined #tryton21:26
-!- zmijunkie( has joined #tryton21:51

Generated by 2.11.0 by Marius Gedminas - find it at!