ac-rules-expert
npx skills add https://github.com/kehwar/frappe_tweaks --skill ac-rules-expert
Agent 安装分布
Skill 文档
AC Rules Expert
Expert guidance for the Frappe Tweaks AC Rule system – an advanced access control framework that extends Frappe’s built-in permissions with fine-grained, rule-based access control.
Overview
The AC Rule system provides:
- Fine-grained access control: Control access at the record level, not just doctype level
- Dynamic filtering: Use SQL, Python, or JSON filters to determine access
- Rule-based logic: Define complex access rules with Permit/Forbid semantics
- Principal-based: Define who has access (users, roles, user groups, or custom logic)
- Resource-based: Define what is being accessed (doctypes, reports, or custom resources)
- Action-based: Control specific actions (read, write, delete, etc.)
Implementation Status
Current State:
- â DocTypes: Fully implemented – Automatic permission enforcement via Frappe hooks
- â Reports: Fully functional – Manual integration required (call API and inject SQL)
- â Workflows: Fully implemented – Automatic transition filtering and permission enforcement
- ð Migration: Deprecated systems (Event Scripts, Server Script Permission Policy) being phased out
Quick Start
Creating AC Rules
- Create Query Filter: Define who (principals) or what (resources) the rule applies to
- Create AC Resource: Define the DocType or Report being controlled
- Create AC Rule: Tie together principals, resources, and actions
DocType Integration (Automatic)
No code needed – AC Rules are automatically enforced for DocTypes through Frappe permission hooks.
Workflow Integration (Automatic)
No code needed – AC Rules automatically filter workflow transitions and enforce action permissions through Frappe workflow hooks.
Report Integration (Manual)
from tweaks.tweaks.doctype.ac_rule.ac_rule_utils import get_resource_filter_query
def execute(filters=None):
result = get_resource_filter_query(report="Your Report", action="read")
if result.get("access") == "none":
return [], []
ac_filter = result.get("query", "1=1")
data = frappe.db.sql(f"""
SELECT * FROM `tabDocType`
WHERE {ac_filter}
""", as_dict=True)
return columns, data
Core Components
The system consists of four main DocTypes:
- AC Rule: Central component that defines access control rules (Permit/Forbid)
- Query Filter: Reusable filter definitions (JSON, SQL, or Python)
- AC Resource: Defines what is being accessed (DocType or Report)
- AC Action: Defines controllable actions (read, write, delete, etc.)
See references/core-components.md for detailed documentation.
Rule Evaluation
Rules are evaluated through:
- Rule Map Generation: Organize rules by resource and action
- Principal Resolution: Determine which users match the rule
- Resource Resolution: Determine which records match the rule
- SQL Generation: Convert filters to SQL WHERE clauses
Final Logic: (Permit1 OR Permit2 OR ...) AND NOT (Forbid1 OR Forbid2 OR ...)
See references/rule-evaluation.md for evaluation flow and SQL generation.
Integration
DocTypes (Automatic)
Implemented via Frappe permission hooks – no manual integration needed:
- Read operations: Filtered automatically in list views and queries
- Write operations: Filtered automatically for create, write, delete, submit, cancel
Reports (Manual)
Must explicitly call get_resource_filter_query() and inject SQL into report queries.
See references/integration.md for complete integration guide and API documentation.
Usage Examples
Common patterns and complete examples:
- Sales Team Access Control: Restrict report to user’s managed customers
- Restrict Archived Records: Prevent access to archived data
- Tenant-Based Multi-Tenancy: Isolate data by tenant
- Department-Based Access: Access based on user’s department with exceptions
- Complex SQL Filters: Subqueries and multi-table joins
- Multiple Permit Rules: Combine rules for managers and team leaders
See references/examples.md for complete code examples.
Debugging and Auditing
Available Reports (System Manager role required):
- AC Permissions – System-wide access audit (who has access to what)
- Query Filters – Debug filter SQL generation with user impersonation
- AC Principal Query Filters – See which users match each principal filter
Common Workflows:
- Why does User X have access? â AC Permissions Report
- Test a Query Filter â Query Filters Report with impersonation
- Who matches a Principal Filter? â AC Principal Query Filters Report
See references/debugging-reports.md for detailed documentation and workflows.
Troubleshooting
Common issues:
- Rules Not Applying: Check enabled status, date range, principal/resource matches
- Incorrect Filtering: Verify SQL generation, reference doctypes, exception flags
- Performance Problems: Analyze query complexity, consolidate rules, add indexes
- Access Denied: Check Forbid rules, verify user/record matches, test with Administrator
See references/troubleshooting.md for debugging techniques and solutions.
Best Practices
- Use Standard Mode for simple mappings, Bypass for complex operations
- Validate source/target before syncing
- Handle missing targets gracefully
- Use context for runtime parameters
- Set appropriate timeouts for operation complexity
- Use specific queues for heavy operations
- Test with different user roles and edge cases
- Always escape user input in SQL filters
- Monitor performance with complex rule sets
- Document rule logic and purpose
Source Code Locations
tweaks/tweaks/doctype/ac_rule/– AC Rule DocTypetweaks/tweaks/doctype/query_filter/– Query Filter DocTypetweaks/tweaks/doctype/ac_resource/– AC Resource DocTypetweaks/tweaks/doctype/ac_action/– AC Action DocTypetweaks/tweaks/doctype/ac_rule/ac_rule_utils.py– Core utilities and API
Reference Files
For detailed information:
- core-components.md: Detailed documentation on AC Rule, Query Filter, AC Resource, AC Action
- rule-evaluation.md: Rule map generation, permission evaluation, SQL generation
- integration.md: DocType and Report integration, API endpoints
- examples.md: Complete usage examples and code patterns
- debugging-reports.md: Reports for debugging and auditing permissions
- troubleshooting.md: Common issues, debugging techniques, solutions