ac-rules-expert

Expert guidance for the Frappe Tweaks AC Rule system - an advanced access control framework that extends Frappe's built-in permissions with fine-grained, rule-based access control.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "ac-rules-expert" with this command: npx skills add kehwar/frappe_tweaks/kehwar-frappe-tweaks-ac-rules-expert

AC Rules Expert

Expert guidance for the Frappe Tweaks AC Rule system - an advanced access control framework that extends Frappe's built-in permissions with fine-grained, rule-based access control.

Overview

The AC Rule system provides:

  • Fine-grained access control: Control access at the record level, not just doctype level

  • Dynamic filtering: Use SQL, Python, or JSON filters to determine access

  • Rule-based logic: Define complex access rules with Permit/Forbid semantics

  • Principal-based: Define who has access (users, roles, user groups, or custom logic)

  • Resource-based: Define what is being accessed (doctypes, reports, or custom resources)

  • Action-based: Control specific actions (read, write, delete, etc.)

Implementation Status

Current State:

  • ✅ DocTypes: Fully implemented - Automatic permission enforcement via Frappe hooks

  • ✅ Reports: Fully functional - Manual integration required (call API and inject SQL)

  • ✅ Workflows: Fully implemented - Automatic transition filtering and permission enforcement

  • 🔄 Migration: Deprecated systems (Event Scripts, Server Script Permission Policy) being phased out

Quick Start

Creating AC Rules

  • Create Query Filter: Define who (principals) or what (resources) the rule applies to

  • Create AC Resource: Define the DocType or Report being controlled

  • Create AC Rule: Tie together principals, resources, and actions

DocType Integration (Automatic)

No code needed - AC Rules are automatically enforced for DocTypes through Frappe permission hooks.

Workflow Integration (Automatic)

No code needed - AC Rules automatically filter workflow transitions and enforce action permissions through Frappe workflow hooks.

Report Integration (Manual)

from tweaks.tweaks.doctype.ac_rule.ac_rule_utils import get_resource_filter_query

def execute(filters=None): result = get_resource_filter_query(report="Your Report", action="read")

if result.get("access") == "none":
    return [], []

ac_filter = result.get("query", "1=1")

data = frappe.db.sql(f"""
    SELECT * FROM `tabDocType`
    WHERE {ac_filter}
""", as_dict=True)

return columns, data

Core Components

The system consists of four main DocTypes:

  • AC Rule: Central component that defines access control rules (Permit/Forbid)

  • Query Filter: Reusable filter definitions (JSON, SQL, or Python)

  • AC Resource: Defines what is being accessed (DocType or Report)

  • AC Action: Defines controllable actions (read, write, delete, etc.)

See references/core-components.md for detailed documentation.

Rule Evaluation

Rules are evaluated through:

  • Rule Map Generation: Organize rules by resource and action

  • Principal Resolution: Determine which users match the rule

  • Resource Resolution: Determine which records match the rule

  • SQL Generation: Convert filters to SQL WHERE clauses

Final Logic: (Permit1 OR Permit2 OR ...) AND NOT (Forbid1 OR Forbid2 OR ...)

See references/rule-evaluation.md for evaluation flow and SQL generation.

Integration

DocTypes (Automatic)

Implemented via Frappe permission hooks - no manual integration needed:

  • Read operations: Filtered automatically in list views and queries

  • Write operations: Filtered automatically for create, write, delete, submit, cancel

Reports (Manual)

Must explicitly call get_resource_filter_query() and inject SQL into report queries.

See references/integration.md for complete integration guide and API documentation.

Usage Examples

Common patterns and complete examples:

  • Sales Team Access Control: Restrict report to user's managed customers

  • Restrict Archived Records: Prevent access to archived data

  • Tenant-Based Multi-Tenancy: Isolate data by tenant

  • Department-Based Access: Access based on user's department with exceptions

  • Complex SQL Filters: Subqueries and multi-table joins

  • Multiple Permit Rules: Combine rules for managers and team leaders

See references/examples.md for complete code examples.

Debugging and Auditing

Available Reports (System Manager role required):

  • AC Permissions - System-wide access audit (who has access to what)

  • Query Filters - Debug filter SQL generation with user impersonation

  • AC Principal Query Filters - See which users match each principal filter

Common Workflows:

  • Why does User X have access? → AC Permissions Report

  • Test a Query Filter → Query Filters Report with impersonation

  • Who matches a Principal Filter? → AC Principal Query Filters Report

See references/debugging-reports.md for detailed documentation and workflows.

Troubleshooting

Common issues:

  • Rules Not Applying: Check enabled status, date range, principal/resource matches

  • Incorrect Filtering: Verify SQL generation, reference doctypes, exception flags

  • Performance Problems: Analyze query complexity, consolidate rules, add indexes

  • Access Denied: Check Forbid rules, verify user/record matches, test with Administrator

See references/troubleshooting.md for debugging techniques and solutions.

Best Practices

  • Use Standard Mode for simple mappings, Bypass for complex operations

  • Validate source/target before syncing

  • Handle missing targets gracefully

  • Use context for runtime parameters

  • Set appropriate timeouts for operation complexity

  • Use specific queues for heavy operations

  • Test with different user roles and edge cases

  • Always escape user input in SQL filters

  • Monitor performance with complex rule sets

  • Document rule logic and purpose

Source Code Locations

  • tweaks/tweaks/doctype/ac_rule/

  • AC Rule DocType

  • tweaks/tweaks/doctype/query_filter/

  • Query Filter DocType

  • tweaks/tweaks/doctype/ac_resource/

  • AC Resource DocType

  • tweaks/tweaks/doctype/ac_action/

  • AC Action DocType

  • tweaks/tweaks/doctype/ac_rule/ac_rule_utils.py

  • Core utilities and API

Reference Files

For detailed information:

  • core-components.md: Detailed documentation on AC Rule, Query Filter, AC Resource, AC Action

  • rule-evaluation.md: Rule map generation, permission evaluation, SQL generation

  • integration.md: DocType and Report integration, API endpoints

  • examples.md: Complete usage examples and code patterns

  • debugging-reports.md: Reports for debugging and auditing permissions

  • troubleshooting.md: Common issues, debugging techniques, solutions

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

open-observe-api-expert

No summary provided by upstream source.

Repository SourceNeeds Review
5-kehwar
General

frappe-ci-expert

No summary provided by upstream source.

Repository SourceNeeds Review
4-kehwar
General

skill-importer

No summary provided by upstream source.

Repository SourceNeeds Review
4-kehwar
General

report-expert

No summary provided by upstream source.

Repository SourceNeeds Review
4-kehwar