IONIC ERP Tutorial
Users and Permissions
- Adding Users
- Users And Permissions
- Role and Role Profile
- Role Based Permissions
- User Permissions
- Role Permission for Page and Report
- Sharing
- Limited User
- Administrator
- Difference Between System User and Website User
- Change existing user's email ID
- Change User Password
- Disable any user
- Setting Up Email Signature in IONIC ERP
- User Restriction
- Managing Perm Level in Permission Manager
- Field Level Permission Management
- Edit Export/Print permissions for reports
Adding Users
Users can be added by the System Manager. To add users go to:
Home > Users and Permissions > User
There are two main types of users:
Website users: Customers, Suppliers, Students, etc., who have access only to the portal and not to any modules. System Users: People using ERPNext in the Company with access to modules, company data, etc.
Read more about difference between system and website user.
Under User, a lot of info can be entered. For the sake of usability, the information entered for web users is minimal: First Name and Email.
An Email address is the unique key (ID) identifying the Users.
1. How to Create a New User
- Go to the User list, click on New.
- Add an Email address and name of the user.
- Save.
Details like Username and Language can also be changed.
2. Features
2.1 Setting Roles
After saving, you will see a list of roles and checkboxes next to them. Just check the roles you want the user to have and save the document. The roles have pre-defined permissions, to know more about roles, click here. You can set Role profiles to use as a template which selects multiple roles together.
2.2 More Information
More information about the employee can be set from this section:
- Gender
- Phone
- Mobile No
- Birth Date
- Location
- Interests
- Bio
- Banner Image
Ticking on ‘Mute Sounds’ will mute sounds that play on interacting with documents. The user may need to do a Settings > Reload for the changes to take place.
2.3 Change Password
- Set New Password: As a System Manager, you can set a new password for the user if it needs to be changed.
- Send Password Update Notification: Send an email notification to the user that their password has been changed.
- Log out from all devices while changing Password: When changing the user’s password, this logs out the user from PC and any mobile device they may have logged into.
2.4 Document Follow
With this option you can follow various documents in the system and get email notifications when they are updated. Know more here.
2.5 Email Settings
- Send Notifications for Email threads: The user will get notifications for Email conversations that take place in document types like Opportunities.
- Send Me A Copy of Outgoing Emails: Sends the user a copy of the emails they send. This is useful for keeping track if the email got sent.
- Allowed In Mentions: Allow this user’s name to appear in thread conversations so that they can be mentioned using ‘@’.
- Email Signature: Adding an email signature here will set it as default for all outgoing emails for the user. This is different from a footer which is set from the Company master.
2.6 Email Inbox
Subscribe the user to different mailing lists of your company from this section. Add a new row and select the mailing list to assign this user. For example, mailing lists can be jobs, support, sales, etc. To know more about Email Inbox, click here.
2.7 Allow Module Access
Users will have access to all modules for which they have role-based access. If you want to restrict access of certain modules for this user, un-check the modules from this list.
2.7.1 Module Profiles
Role Profiles act as a template to store and select access to multiple modules. This Role Profile can then be assigned to a User. For example, HR Users will have access to multiple modules like HR, Payroll, etc. Role Profiles are useful to provide access to multiple modules at once when adding multiple users.
2.8 Security Settings
- Simultaneous Sessions: Simultaneous login sessions the user is allowed. You can use the same set of credentials for multiple users by allowing more sessions. This can be restricted from System Settings globally. For cloud account, the total number of simultaneous sessions cannot exceed the total number of subscribed users.
- User Type: If the user has any role checked other than Customer, Supplier, Patient, or Student they automatically become a System User. This field is read-only.
- Login After, Login Before: If you wish to give the user access to the system only between office hours, or during weekends, specify it here. For example, if office hours are from 10 am to 6 pm, set the Login After, Login Before hours as 10:00 and 18:00.
- Restrict IP: Restrict user login to the IPs specified here. This can be used so that the user can log in only from office computers. Multiple IPs can be added separated by commas.
This section also shows other details like Last Login, Last IP, and Last Active time for the user.
2.9 Third Party Authentication
This will allow users to use Facebook, Google, or GitHub to log in. To use this feature, signup for a developer account with Facebook, Google, GitHub, etc. Create an app on their console, specify an app name, the originating URL and callback URL, copy the client ID and client secret info here to start using.
For more details, go to this page.
2.10 API Access
You can generate API Secret keys from this section using the Generate Keys button. This can be used to access your account’s data from another application, for example, an offline POS system.
2.11 After saving
After saving a user, these buttons will be seen on the dashboard area of the User master.
Permissions
- Set User Permissions: Will take you to the User Permissions page of Bruce from where you can restrict Bruce’s access to documents.
- View Permitted Documents: Will take you to the ‘Permitted Documents For User’ report for this user. Here you can see which documents does Bruce have access to. For example, on selected Sales Order, the list of Sales Orders Bruce has access to will be displayed.
Password
- Reset Password: An email with instructions to reset the user’s password will be sent to the user’s Email Account.
- Reset OTP Secret: Reset OTP Secret for logging in via Two Factor Authentication.
Create User Email will let you create an Email Account for the user based on the email entered in the User master.
3. Login Methods
In System Settings, under the Security section, if you check the ‘Allow Login using Mobile No’ checkbox, a mobile number can also be used to log in. While a Mobile No will be unique, it will not be treated as a user ID.
Login with Email:
Login with Email or Mobile:
After adding these details, save the user.
Users And Permissions
In IONIC ERP, you can create multiple users and assign them different roles.
A role is a set of permissions assigned to a user so that they can access the documents they need to. For example, a sales employee will need access to sales transactions but will not have access to approve leaves.
Some users can only access the public-facing part of IONIC ERP (i.e. a portal view). Such users are called “Website Users”. “System Users” will have access to modules and can access documents as per the roles set.
IONIC ERP implements permission control at the User and Role level. Each user in the system can be assigned multiple roles and permissions. The most important role is “System Manager”. Any user having this role can add other users and set roles for all users.
Role and Role Profile
A Role defines the permissions for accessing various documents in ERPNext.
Roles define a set of permissions which can be set from the Roles Permission Manager. Most commonly used roles are already defined in ERPNext, you can use the system with them. If needed, you can add more roles. For example, if you assign the Sales User role to a user, they’ll be able to access documents like Quotations and Sales Orders since the permissions are already set for the role Sales User.
Role profiles store different roles so that multiple roles can be assigned at once.
Role Profiles act as a template to store and select multiple roles. This Role Profile can then be assigned to a User. For example, a Sales Supervisor will have the roles Employee, Sales Manager, Sales User, and Sales Master Manager. Role Profiles are useful to assign multiple roles at once when adding multiple employees.
To access Role, go to:
Home > Users and Permissions > Role
1. How to add a Role
- Go to the Role list, click on New.
- Enter a name for the Role.
- Choose whether the Role has desk access. A role that has desk access can access IONIC ERP modules and the company’s documents. The level of access depends on the roles assigned to the user.
- Save.
You can add two factor authentication for the role and also restrict it to a specific domain. From here, you can go to the Roles Permission Manager and set permissions for the role across different DocTypes.
2. How to add a Role Profile
To access Role Profile, go to:
Home > Users and Permissions > Permissions > Role Profile
- Go to the Role Profile list, click on New.
- Enter a name.
- Select the roles you want to assign to this profile.
- Save.
Role Based Permissions
Permission to different documents can be controlled using Role Based Permissions.
ERPNext has a role-based permission system. It means that you can assign Roles to Users, and Permissions can be set on Roles. The Role Permissions Manager allows you to set which roles can access which documents and with what permissions (read, write, submit, etc.).
Once roles are assigned to a user, their access can be limited to specific documents. The permission structure allows you to define different permission rules for different fields using a concept called Permission Level of a field.
1. How to use the Role Permissions Manager
To start using the Role Permission Manager, go to:
Home > Users and Permissions > Role Permissions Manager
Permissions are applied on a combination of:
- Roles: As we saw earlier, Users are assigned Roles and it is on these Roles that permission rules are applied. For example, a sales user may be given the roles of an Employee and a Sales User.Examples of Roles include Accounts Manager, Employee, HR User, etc.
- Document Types: Each type of document, master or transaction, has a separate list of role-based permissions as seen in the preceding screenshot.Examples of Document Types are Sales Invoice, Leave Application, Stock Entry, etc.
- Permission Levels: In each document, you can group fields by “levels”. Each group of fields is denoted by a unique number (0 to 9). A separate set of permission rules can be applied to each field group. By default, all fields are of level 0.Permission “Level” connects fields with level X to a permission rule with level X. To know more click here.
- Document Stages: Permissions are applied on each stage of the document like Creation, Saving, Submission, Cancellation, and Amendment. A role can be permitted to Print, Email, Import or Export data, access Reports, or define User Permissions.
- User Permissions: Using User Permissions in ERPNext a user can be restricted to access only specific Documents for that Document Type. Eg: Only one Territory from all Territories. User Permissions defined for other Document Types also get applied if they are related to the current Document Type through Link Fields.For example, a Customer is a link field in a Sales Order or Quotation. In the Role Permissions Manager, User Permissions can be set using the ‘Set User Permissions’ button.To set User Permissions based on documents/fields go to:
Home > Users and Permissions > Permissions > User Permissions
- Add a New Rule: In the Role Permissions Manager, to add a new rule, click on the Add a New Rule button and a pop-up box will ask you to select a Role and a Permission Level. Once you select this and click on ‘Add’, this will add a new row to your rules table.
2. How Role Based Permissions Work
Leave Application is a good example that encompasses all areas of a Permission System.
- It should be created by an Employee. For this, Employee Role should be given Read, Write, Create permissions.
- An Employee should only be able to access his/her Leave Application. Hence, User Permissions record should be created for each User-Employee combination.
- If you want an Employee to only select a document in another document and not have read access to that document as a whole, then grant only Select perm to the role, Employee.
- HR Manager should be able to see all Leave Applications. Create a Permission Rule for HR Manager at Level 0, with Read permissions. Apply User Permissions should be disabled.
- Leave Approver should be able to see and update Leave Applications of employees under him/her. Leave Approver is given Read and Write access at Level 0. Relevant Employee Documents should be enlisted in the User Permissions of Leave Approvers. (This effort is reduced for Leave Approvers mentioned in Employee Documents, by programmatically creating User Permission records).
- It should be Approved/Rejected only by HR User or Leave Approver. The Status field of a Leave Application is set at Level 1. HR User and Leave Approver are given Read and Write permissions for Level 0, while everyone else (All) are given Read permission for Level 1.
- HR User should be able to delegate Leave Applications to his/her subordinates. HR User is given the right to Set User Permissions. A User with HR User role would be able to define User Permissions on Leave Application for other users.
In case you have correctly assigned the roles but still you’re getting errors when accessing documents, refer this page.
User Permissions
User permissions is a way of restricting user access to particular documents.
Role based permissions allow setting complete (by default) access to a document type (doctype) like Sales Invoice, Orders, Quotation, etc. This means that when you assign a Sales User role to a user, they can access all the Sales Orders and Quotations.
User Permissions can be used to restrict access to select documents based on the link fields in the document. For example, consider that you do business with multiple territories and you want to restrict access of certain Sales Users to Quotations/Sales Order belonging to a particular territory. This can be done via User Permissions. The restrictions can be set on Customer, Supplier, Customer Group, Supplier Group, etc.
Setting User Permissions are particularly useful when you want to restrict based on:
- Allowing user to access data belonging to one Company
- Allowing user to access data related to a specific Customer or Territory
To access User Permissions, go to:
Home > User and Permissions > User Permissions
1. How to create User Permissions
- Go to the User Permissions list, click on New.
- Select the user for which the rule has to be applied.
- Select the type of document to be allowed (for example “Company”).
- Under For Value, select the specific item that you want to allow (the name of the “Company).
- If you check ‘Is Default’, the value selected in ‘For Value’ will be used by default for any future transactions by this user. That is if company ‘Unico Plastics Inc.’ is selected as ‘For Value’, this Company will be set as default for all future transactions by this user.
Note: Only a single user permission can be set as default for a particular document type for a specific user.
2. More User Permission actions
2.1 Advanced Control
In Advanced Control, you can have better command over where the User Permission is applied.
2.1.1. Applicable For
You can optionally apply user permissions only for specific document type by setting the Document Type after unchecking the Apply To All Document Types checkbox. Setting Applicable For option will make the current user permission applicable only under the selected Document Type master.
In the above User Permission, the user will be able to access only Sales Orders of the selected company.
Note: If Applicable For is not set, User Permission will apply across all related Document Types.
2.1.2. Hide Descendants
The value of Allow could be a DocType with a Tree View, which will have records with a parent-child or ancestor-descendant relationship.
Let’s assume For Value, ‘Unico Plastics Inc.’, has a child company ‘Unico Toys’. When a User Permission is created for ‘Unico Plastics Inc.’, permissions for its descendants are granted as well.
Hide Descendants is visible only on selecting a Tree View DocType. By enabling this checkbox, permissions for descendants of For Value will not be granted.
A user that can view records of ‘Unico Plastics Inc.’ will not be able to view those of ‘Unico Toys’.
2.2 Ignoring User Permissions on Certain Fields
Another way of allowing documents to be seen by everyone that have been restricted by User Permissions is to tick “Ignore User Permissions” on a particular field by going to Customize Form.
For example, you don’t want Assets to be restricted for any user, then select Asset in form type. Under the fields table, expand the Company field and tick on “Ignore User Permissions”.
2.3 Strict Permissions
This restricts user access to documents in a stricter way.
To know more, go to the System Settings page.
2.4 Checking How User Permissions are Applied
Finally, once you have created your air-tight permission model, and you want to check how it applies to various users. You can see it via the Permitted Documents for User report. Using this report, you can select the User and document type and view which documents a particular user can access.
Ticking on the Show Permissions checkbox will show the read/write/submit and other access levels.
Note: If you cannot access Sales Order or any other document type in this list, make sure you’ve set the roles correctly.
For example, the user, Bruce is restricted to Company ‘Unico Plastics Inc.’ 
Role Permission for Page and Report
Access to different pages and reports can be controlled in Role Permission for Page and Report.
Document types are Sales Order, Customer, Supplier, etc. They are a document type meaning they can contain multiple documents of that type. A Page is a single page like Selling Settings. You cannot create multiple Selling Settings, but you can create multiple Sales Orders.
In ERPNext, user can make a custom user interface using Page and a custom report using Report Builder or Query Report. ERPNext has a role-based permission system where you can assign roles to the user. The same role can be assigned to the page and report to access them.
If the user has enabled developer mode, then they can add the roles directly in the page and report record. In that case, the permissions will also be reflected in the JSON file for the page/report. Consider you want to restrict the roles that can access certain pages and reports in ERPNext, this can be done via the Role Permission for Page and Report.
To access Role Permission for Page and Report, go to:
Home > Users and Permissions > Role Permission for Page and Report
1. How to use Role Permission for Page and Report Tool
If developer mode is disabled, the user can assign the roles to the page and report, using “Role Permission for Page and Report” page.
1.1 Reset to defaults
Using the “Reset to Defaults” button, the user can remove the custom permissions applied on a page or report. Then default permissions will be applicable on that page or report.
Setting Role Permissions from the Page/Report as a Developer
Role Permissions For Page
- Go to: Home > Developer > Page.
- Add a row and select which other roles can access the Page.
Role Permissions For Report
- Go to: Home > Developer > Report.
- Add rows with roles who can access the Report.
Sharing
You can share documents with other users via sharing in ERPNext.
In addition to user and role permissions, you can also share a document with another user if you have sharing rights for that document. Note that, a shared document will be visible to the other user even if the document is restricted via User Permissions.
To share a document, open the document, click on the “+” icon under sharing and select the user with whom you want to share:
In the popup window, you can either select all users or one particular user.
Read, write, submit, and share access can be granted to the user for this document.
Limited User
The user will get limited access to the system.
Limited users can access only specific documents of the specific modules. Certain users don’t use all the modules and need only specific modules. For example, in the company, to record the daily attendance or leave application every employee was given required system access. But assume 500 people are working in the company out of which only 100 use all documents and the remaining 400 need only documents for daily attendance or leave applications. Such users are limited users.
The User Type document plays an important role to handle this use case. There are default User Types, “System User” and “Website User”, the System User can access the desk and website portal whereas the Website User can only access the website portal. To handle the case of limited access of documents for the employees by default ERPNext has added a new user type ‘Employee Self Service’.
User Type
To access the User Type document, go to:
Users > User Type
Website User and System User will be standard user types and these cannot be deleted or edited. However, non-standard (Custom) user types can be deleted, created, edited. By default, delete rights are not given to any user.
Non-Standard User Type
1) For the non standard user type, user has to select the Custom Role, document on which they want to apply the user permission, and the fieldname of the user.
In the above image, Employee has the link field User ID which is linked to the User document. As the “Apply User Permission on” has been set as “Employee”, then the respective employee’s user can only view the documents in which the respective employee field is linked. For example, the employee can only able to view the salary slip which has been created against their employee id.
2) Document Types:
The non-standard user type users can only access the documents which have been mentioned in the user type.
The above table also acts as the Role Permission Manager for this particular User Type (Employee Self Service in our case). Employee Self Service as a role won’t be accessible in the general Role Permission Manager.
3) Document Types (Select Permissions Only):
In this table, you need to list down all the doctypes that you want the Employee Self Service User to have SELECT access to. There is no limit to the number of doctypes you can add here. Users will not be able to create the records for the documents to which they have Select perm access.
Adding non-standard User
While adding the new user, the user needs to select the user type. In case of a non-standard user type, the respective user should be linked to the document which has been set in the field “Apply User Permission On”.
Administrator
The administrator is above the System Manager and has all the rights and permissions for an IONIC ERP account.
A System Manager also has permissions to most items in the system, but the Administrator has unrestricted access.
- If your IONIC ERP account is cloud-hosted with us (IONIC Corporation), then you won’t be able to access your IONIC ERP account as an Administrator.
- For cloud-hosted account, upgrades are managed from the backend. We reserve admin login credentials with us so that we can upgrade all the customer’s IONIC ERP accounts from the backend.
- Since on a single server, we may host many customer’s IONIC ERP accounts, as a security measure, we cannot share the credentials for administrator account with any cloud-hosted user. (an exception would be if you purchase a large number of users and your account is exclusively hosted on one server).
- For self-hosted on-premises accounts, the admin credentials are with the account user.
Difference Between System User and Website User
Question: I have added my Employee as a User and have assigned them Roles as well. Still, they are not able to view Dashboard on the login.
Answer:
There are two type of Users in IONIC ERP.
- System User: They are Employees of your company. Example of Roles assigned to System Users are Account User, Sales Manager, Purchase User, Support Team etc.
- Website User: They are to parties (like Customer and Suppliers) of your Company.
Example Website User Roles are Customer and Suppliers.
How to check if Role is for System User or Website User?
In the Role master, if field “Desk Access” is checked, that Role is for System User. If Desk Access field is unchecked, then that Role is for Website User.
Change existing user’s email ID
To change a User’s Email Id, follow the steps:
User List -> Open the User (the one which requires the change) -> Click on Menu -> Rename -> Enter the New Email Id and Save it.
Refer to the GIF here illustrating the same:
Change User Password
Each ERPNext user can customize password for his/her ERPNext account. Also user with System Manager role will be able to reset password for himself as well as for other users. Following are the steps to go about changing your password.
1) Go to User list
2) Open the user for whom you wish to change the password
3) Go to ‘Change Password’ section, enter the new password and save the form to save the changes
Disable any user
To disable an ERPNext user who has left your company from accessing the system, follow the below given steps.
- Type ‘User List’ in the awesome bar or search bar
- Select the user you want to disable
- Uncheck the ‘Enabled’ checkbox for the selected user
- Save your changes
Setting Up Email Signature in IONIC ERP
Q. How do I add my Email Signature in IONIC ERP?
User Restriction
Following are the steps to restrict User to a document based on Owner/creator.
Step 1: Role Permission Manager
Home > Users and Permissions > Permissions > Role Permissions Manager
Step 2: Select Document Type
Select Document Type for which you want to set user permission. After permissions are loaded for selected document, scroll to role for which you want to set restriction.
Step 3: Apply User Permission
For Role to be restricted (Sales User in this case), check “Only If Creator”.
Managing Perm Level in Permission Manager
Perm Level is way of reducing the amount information visible or changeable in a specific DocType for certain User Groups. Where as you can define visibility or changability for each DocType by customizing the DocType-specific Permissions Rule, with the Perm Level you can change these for specific Sections or Fields.
In each document, you can group fields by “levels”. Each group of fields or field group is denoted by a unique number (0, 1, 2, 3 etc.). A separate set of permission rules can be applied to each field group. By default all fields are of level 0.
Perm Level (Abbreviated form of Permission Level) for a field can be defined in the Customize Form.
If you need to assign different permission of particular field to different users, you can achieve it via Perm Level. Let’s consider an example for better understanding.
Delivery Note is accessible to Stock Manager as well as Stock User. You don’t wish Stock User to access Amount related field in Delivery Note, but other field should be visible just like it is visible Stock Manager.
For all related fields, that should not be seen, you can set Perm Level as (say) 2.
For Stock Managers, they will have permission on fields on Delivery Note with Perm Level 2, whereas a Stock User will not have any permission on Perm Level 2 for Delivery Note, because their role has not been assigned with a rule allowing them to read or write in Field with Perm Level of 2, as shown below.
Considering the same scenario, if you want a Stock User to access a field at Perm Level 2, but do not want to give permission to edit it, the Stock User will be assigned with permission to only be able to read on Perm Level 2, but not to write/edit.
Perm Levels (1, 2, 3 or 2, 1, 3 or 3,2,1) do not need to be in any particular order. They do not imply hierarchy. Perm Level is primarily used for grouping number of fields together, and then assigning permission to Roles for that group. Hence, you can set any perm level for an item, and then do permission setting for it.
If you want to change permissions for all fields in a section, you can simply change the perm level for the section field and it will be applied to all fields in the section.
Field Level Permission Management
Restricting a field based on Roles can be easily configured using Perm Level, which is required by most organizations. To define a Perm Level, you can go to the respective form and Customize it.
Let’s take a scenario where the organization doesn’t want its Employee (Accounts User) to edit the Rate of the item while creating a Sales Invoice. To do that, we can simply make the Item Rate field a read-only.
1. To achieve this, go to Customize Form, select DocType as Sales Invoice Item, scroll to the Item Rate field and expand it.
2. Search for the Perm Level, enter the number (0, 1, 2, 3, etc), and Save it.
3. Once saved, click on Add a New Rule in Role Permission Manager and select the Document Type and the Role, in our case, Accounts User, set the Perm Level as 2 and grant the Employee Read access.
This is how the Role Permissions Manager will display the newly created Rule with Perm Level as 2:
4. Now, as you can see in the Sales Invoice the User can only read the Item Rate field which will be fetched automatically from the Price List.
To know more about Perm Level, click here and for any further assistance, click here.
Edit Export/Print permissions for reports
To handle Export/Print permissions for a report, use Role Permission Manager of the DocType the report is created from.
Step 1: Find out from which Document Type the Report is generated from
Step 2: Go to Role Permission Manager, filter using the same Document Type (Sales Invoice in our example) and edit the permissions based on Roles
