Appendix E Listing of application roles

Application roles specify the right (privilege) to execute one or more tasks in the application. LedgerSMB enforces these roles by allowing a user to select (list, read) data from or to insert (create), update (edit) or delete (delete) data in the tables holding the data related to the execution of these tasks.

These role definitions are generated directly from a running database using gather-db-info.pl.

Auto generated using LedgerSMB version 1.13.0-dev on November 23, 08:01:18 2024 CST.

account_all

This role combines all General Ledger (GL) account and GIFI code rights.

account_create

This role allows creation of new GL accounts.

account_delete

This role allows deletion of GL accounts. Please note that there are only very few circumstances where a GL account can be deleted. Instead of deleting the account, the user is advised to mark the account as ’obsolete’.

account_edit

This role allows modification of GL accounts.

account_link_description_create

This role allows creating new use-cases for GL accounts (so-called “account link descriptions”).

ap_all

This role combines all (batches of) purchase transaction and invoice permissions.

ap_invoice_create

This role allows creation of new purchase invoices (not purchase transactions).

ap_invoice_create_voucher

This role allows creation of batches of new purchase invoices (not purchase transactions).

ap_transaction_all

This role allows creating and viewing purchase transactions and accounts as well as creating attachments.

ap_transaction_create

This role allows creation of purchase transactions (not invoices).

ap_transaction_create_voucher

This role allows creation of batches of new purchase transactions (not invoices).

ap_transaction_list

This role allows viewing of purchase transactions and invoices.

ap_voucher_all

This role allows creation of batches of both purchase transactions and invoices.

ar_all

This role combines all (batches of) sales transaction and invoice permissions.

ar_invoice_create

This role allows creation of new sales invoices (not sales transactions).

ar_invoice_create_voucher

This role allows creation of batches of new sales invoices (not sales transactions).

ar_transaction_all

This role allows creating and viewing sales transactions and accounts as well as creating attachments.

ar_transaction_create

This role allows creation of new sales transactions (not invoices).

ar_transaction_create_voucher

This role allows creation of batches of new sales transactions (not invoices).

ar_transaction_list

This role allows viewing of sales transactions and invoices.

ar_voucher_all

This role allows creation of batches of both sales transactions and invoices.

assembly_stock

This role allows triggering a stocking action on assemblies.

Stocking assemblies means converting labor and parts to stocked assemblies.

assets_administer

This role combines all assets rights.

assets_approve

This role allows approving the output of the depreciation procedure.

assets_depreciate

This role allows running the asset depreciation procedure.

assets_enter

This role allows creation of new assets.

audit_trail_maintenance

This role grants delete access to the audit trail table.

auditor

This role grants read access to the audit trail table.

base_user

Users need to be given this role in order to be granted access to the database schema which holds all LedgerSMB objects.

This role only allows access to menu items Preferences, Logout, and New Window. The user basically cannot do anything without additional roles.

batch_create

This role allows creation of new batches and vouchers.

batch_list

This role allows listing existing batches.

batch_post

This role allows posting batches of e.g. transactions, payments and invoices.

budget_approve

This role allows searching, viewing and approving of budgets.

budget_enter

This role allows creation and updating of budgets.

budget_obsolete

This role allows searching and viewing budgets as well as marking them obsolete (=no longer applicable).

budget_view

This role allows searching and viewing of budgets.

business_type_all

This role combines the create and edit rights for ’type of business’ classes.

business_type_create

This role allows creation of new ’type of business’ classes.

business_type_edit

This role allows modification of ’type of business’ classes.

business_units_manage

This role allows searching, viewing, creation and editing of business (reporting) classes and their members.

cash_all

This role combines all reconciliation rights with the rights to enter payments and receipts.

contact_all_rights

This role combines all ’contact_class_’ and ’contact_’ roles and grants all access rights to all contact classes.

contact_class_cold_lead

This role allows access to cold sales lead contact data. Combine with ’contact_read’, ’contact_create’, ’contact_edit’ and/or ’contact_delete’ to determine the type of access granted.

contact_class_contact

This role allows access to contact data (e-mail, phone, etc) of all kinds of contacts (customer/vendor/…). Combine with ’contact_read’, ’contact_create’, ’contact_edit’ and/or ’contact_delete’ to determine the type of access granted.

contact_class_customer

This role allows access to customer contact data. Combine with ’contact_read’, ’contact_create’, ’contact_edit’ and/or ’contact_delete’ to determine the type of access granted.

contact_class_employee

This role allows access to employee contact data. Combine with ’contact_read’, ’contact_create’, ’contact_edit’ and/or ’contact_delete’ to determine the type of access granted.

contact_class_hot_lead

This role allows access to hot sales lead contact data. Combine with ’contact_read’, ’contact_create’, ’contact_edit’ and/or ’contact_delete’ to determine the type of access granted.

contact_class_lead

This role allows access to sales lead contact data. Combine with ’contact_read’, ’contact_create’, ’contact_edit’ and/or ’contact_delete’ to determine the type of access granted.

contact_class_referral

This role allows access to referral contact data. Combine with ’contact_read’, ’contact_create’, ’contact_edit’ and/or ’contact_delete’ to determine the type of access granted.

contact_class_robot

This role allows access to robot (automated process, acting on behalf of…) contact data. Combine with ’contact_read’, ’contact_create’, ’contact_edit’ and/or ’contact_delete’ to determine the type of access granted.

contact_class_sub_contractor

This role allows access to subcontractor contact data. Combine with ’contact_read’, ’contact_create’, ’contact_edit’ and/or ’contact_delete’ to determine the type of access granted.

contact_class_vendor

This role allows access to vendor contact data. Combine with ’contact_read’, ’contact_create’, ’contact_edit’ and/or ’contact_delete’ to determine the type of access granted.

contact_create

When paired with one or more ’contact_class_’ role/-s, this role allows creation of new entities, persons and companies (contacts).

Each contact_class_<resource> role, when paired with contact_read, enables this access for the specific <resource>. On its own, the contact_create-role does not provide any rights.

contact_delete

When paired with one or more ’contact_class_’ role/-s, this role allows removal of existing entities, persons and companies (contacts).

Note that in order to be able to search for contacts to be deleted, the user needs to be assigned the ’contact_read’ role.

Each contact_class_<resource> role, when paired with contact_read, enables this access for the specific <resource>. On its own, the contact_delete-role does not provide any rights.

contact_edit

When paired with one or more ’contact_class_’ role/-s, this role allows editing of existing entities, persons and companies (contacts).

Each contact_class_<resource> role, when paired with contact_read, enables this access for the specific <resource>. On its own, the contact_edit-role does not provide any rights.

contact_read

When paired with one or more ’contact_class_’ role/-s, this role allows searching and viewing entities, persons and companies (contacts).

Each contact_class_<resource> role, when paired with contact_read, enables this access for the specific <resource>. On its own, the contact_read-role does not provide any rights.

country_all

This role combines all rights for countries.

country_create

This role allows creation of new countries.

country_edit

This role allows modification of countries.

draft_modify

This role allows modification of existing draft (= saved) transactions.

draft_post

This role allows posting of saved transactions to the ledger.

employees_manage

This role allows creation, updating and searching of employees.

exchangerate_edit

This role allows searching, viewing and editing of currencies, exchange rates and exchange rate types.

file_attach_eca

This role allows attaching files to entity credit accounts (customers/vendors).

file_attach_entity

This role allows attaching files to entities (contacts).

file_attach_order

This role allows attaching files to orders and quotes.

file_attach_part

This role allows attaching files to goods and services.

file_attach_tx

This role allows attaching files to transactions and invoices.

file_read

This role allows reading of file attachments and files uploaded through the system menu.

file_upload

This role allows uploading of files through the system menu.

financial_reports

This role allows running of financial reports: Income Statement, Balance Sheet, Trial Balance and Inventory & COGS.

gifi_create

This role allows creation of new GIFI codes.

gifi_edit

This role allows modification of GIFI codes.

gl_all

This role combines GL transaction and batch creation with GL reporting and year-end processing.

gl_reports

This role allows searching transactions in the general ledger.

gl_transaction_create

This role allows creation of new and updating of saved GL transactions.

gl_voucher_create

This role allows creation of batches of GL transactions.

inventory_adjust

This role allows adjusting inventory by creating inventory adjustment reports.

inventory_all

This role grants all rights to manage warehouse configuration, stock receipt, shipping and transfer.

inventory_approve

This role allows confirmation of inventory adjustments by approval of inventory adjustment reports.

inventory_receive

This role allows receiving of parts into stock.

inventory_reports

This role allows searching for and reading existing inventory adjustment reports.

inventory_ship

This role allows shipping of stocked parts.

inventory_transfer

This role allows moving stock between warehouses.

language_create

This role allows creation of new languages.

language_edit

This role allows modification of languages.

orders_generate

This role combines the rights to generate orders from time cards, purchase orders from sales orders and consolidate (purchase and sales) orders.

orders_manage

This role combines all order generation and consolidation rights.

orders_purchase_consolidate

This role allows generating consolidated purchase orders from multiple outstanding purchase orders.

orders_sales_consolidate

This role allows generating consolidated sales orders from multiple outstanding sales orders.

orders_sales_to_purchase

This role allows generating purchase orders from sales orders.

part_create

This role allows creation of new parts.

So as to let the user of this role see/manage pricing per customer, this role includes the ability to read contacts.

part_delete

This role allows deletion of existing parts.

part_edit

This role allows changing existing parts.

payment_process

This role allows entry of payments to vendors.

pricegroup_create

This role allows creation of new price groups.

pricegroup_edit

This role allows changing existing price groups.

purchase_order_create

This role allows creating purchase orders.

purchase_order_delete

This role allows (searching for and) deleting existing purchase orders.

purchase_order_edit

This role allows (searching for and) modifying existing purchase orders.

purchase_order_list

This role allows searching and viewing sales orders.

receipt_process

This role allows entry of receipts from customers.

reconciliation_all

This role combines creation, updating and approval rights for reconciliation reports.

reconciliation_approve

This role allows approval of reconciliation reports.

reconciliation_enter

This role allows creation and updating of reconciliation reports.

recurring

This role allows access to the Recurring Transactions menu; it does not grant rights to list or create transactions.

rfq_create

This role allows creating (purchase) requests for quotation.

rfq_delete

This role allows (searching for and) deleting existing requests for quotation.

rfq_list

This role allows searching and viewing (purchase) requests for quotation.

sales_order_create

This role allows creating sales orders.

sales_order_delete

This role allows (searching for and) deleting existing sales orders.

sales_order_edit

This role allows (searching for and) modifying existing sales orders.

sales_order_list

This role allows searching and viewing sales orders.

sales_quotation_create

This role allows creating sales quotations.

sales_quotation_delete

This role allows (searching for and) deleting existing sales quotations.

sales_quotation_list

This role allows searching and viewing sales quotations.

sic_all

This role combines all rights for Standardized Industry Codes (SIC).

sic_create

This role allows creation of new Standardized Industry Codes (SIC).

sic_edit

This role allows modification of Standardized Industry Codes (SIC).

system_admin

This role combines the rights to manage settings, GL accounts, types of business, SIC, users and tax forms.

system_settings_change

This role allows changing items in the System > Defaults menu.

system_settings_list

This role allows viewing items in the System > Defaults menu.

tax_form_save

This role allows modification of tax forms.

taxes_set

This role allows changing tax rates on tax accounts.

template_edit

This role allows modification of document (e.g. invoice) templates.

timecard_add

This role allows adding time cards, for which it needs read access to customers.

timecard_list

This role allows viewing the list of time cards, for which it needs read access to customers.

timecard_order_generate

This role allows generating orders from time cards.

transaction_template_delete

This role allows deletion of template (i.e. unposted) transactions.

translation_create

This role allows creation of translations for parts, parts groups and reporting units.

users_manage

This role allows adding users to and removing users from the current company.

voucher_delete

This role allows deletion of vouchers (i.e. groups of e.g. payments).

warehouse_create

This role allows creation of (configuration of) new warehouses.

warehouse_edit

This role allows updating of (configuration of) existing warehouses.

yearend_reopen

This role allows undoing a prior year-end run by reversing the year-end transaction.

yearend_run

This role allows running the year-end process, i.e. clearing the P&L.