View Issue Details
ID: 0030253
Type: design defect
Category: [Openbravo ERP] C. Security
Severity: major
Reproducibility: always
Date Submitted: 2015-06-26 09:12
Last Update: 2022-02-01 08:09
Reporter: vmromanos
View Status: public
Assigned To: Triage Platform Base
Priority: normal
Resolution: open
Status: new
Projection: none
ETA: none
OS: Any
Database: Any
Modules: Core
Triggers an Emergency Pack: No
Summary

0030253: Automatic roles and initial organization setup inconsistency

Description

A role can be defined with Manual = N, which means that the role automatically gets all standard user plus admin privileges, even when new elements such as windows, processes, forms, widget classes or organizations are added. http://wiki.openbravo.com/wiki/Role

When you run an Initial Org Setup, you have the ability to create a new role which is associated only with the newly created organization. This is working fine. http://wiki.openbravo.com/wiki/Initial_organization_setup

However, if you create another organization, the system will automatically add this new organization to the role previously created in the first Initial Organization Setup run.
This could be considered a security issue for the first role, because the user probably expects that this role only has access to the organization created for it.

The inconsistency comes from the definitions of the two processes, which conflict with each other:
* Initial Org Setup creates an Automatic Role (Manual=N) with access only for the selected organization
* New organizations are automatically added to every role with Manual=N


This behaviour is controlled in the AD_ORG_TRG trigger (the INSERTING branch is shown):

 IF(INSERTING) THEN
    -- Add the new organization to every automatic (IsManual='N') role of
    -- the client, whatever the role's access level and however the role
    -- was created, and grant org admin (is_org_admin='Y') on it
    INSERT
    INTO AD_Role_OrgAccess
      (
        AD_Role_OrgAccess_ID, AD_Role_ID, AD_Client_ID, AD_Org_ID,
        IsActive, Created, CreatedBy,
        Updated, UpdatedBy, is_org_admin
      )
    SELECT get_uuid(), AD_Role_ID, :new.AD_Client_ID, :new.AD_Org_ID,
       'Y', now(), :new.CreatedBy,
      now(), :new.CreatedBy, 'Y'
    FROM AD_Role
    WHERE AD_Client_ID=:new.AD_Client_ID
      AND IsManual='N';
 END IF;
Steps To Reproduce

As System Admin:
 1. Create a new client
 2. Log into the new client
 3. Run Initial Organization Setup
      Name: o1
      Org user name: 01
 4. Go to the Role window
      Verify that a new role for organization o1 only has been created
 5. Run Initial Organization Setup
      Name: o2
      Org user name: 02
 6. Go to the Role window
      Verify that a new role for organization o2 only has been created
      Verify that the previous role for organization o1 now has access to o2 too. This situation could create a security problem
Proposed Solution

1. Study the situation and decide on a solution. Idea: add a new flag at role level to control whether new organizations are added to the role. AD_ORG_TRG should be adapted accordingly.

2. On the other hand, AD_ORG_TRG should only run this code for roles with Client/Organization or Organization-only access level. Right now it adds the organization to roles of other access levels (like Client or System), which is not needed at all.
Tags: No tags attached.

Relationships
related to: defect 0030057 (closed, aferraz) Org Access added automatically to all roles
caused by: defect 0010548 (closed, alostale) Adding a new organization adds org access to manual roles

Notes

There are no notes attached to this issue.

Issue History

Date Modified | Username | Field | Change
2015-06-26 09:12 vmromanos New Issue
2015-06-26 09:12 vmromanos Assigned To => platform
2015-06-26 09:12 vmromanos Modules => Core
2015-06-26 09:12 vmromanos Triggers an Emergency Pack => No
2015-06-26 09:15 vmromanos Proposed Solution updated
2015-06-26 09:16 vmromanos Relationship added related to 0030057
2015-06-26 09:17 vmromanos Relationship added caused by 0010548
2022-02-01 08:09 alostale Assigned To platform => Triage Platform Base

