Prevent Users in Given Security Group from Deleting Customer Contacts

Good afternoon! I’m trying to figure out how to prevent users from deleting Customer Contacts if they’re not in a particular security group.

I’ve tried putting a pre-processing BPM on the DeleteByID method in Erp.BO.CustCnt, but that didn’t prevent deletion. So I opened up Kinetic in the browser, enabled debugging, and watched the waterfall. It looks to me like the Update method is what’s called when a Customer Contact is deleted, not DeleteByID. I have no idea how I’d determine if the Update method is being called to delete a contact or just update the record, so that was a dead end.

Even though I’d much prefer to use the server to do this, my next thought was to open Application Studio and try to remove the Delete button from the UI overflow menu, however Delete is not even showing as a Tool option. It appears that every tool EXCEPT Delete and New are explicitly added as Tools.

I’m at a loss, so any tips are greatly appreciated!

In update, the rowmod on the ds.CustCnt is “D”.

1 Like

Add a condition widget to update
Use condition
“The user who called the method belongs to specified group”

Configure appropriately, add a custom code block and use something similar to the following:

// Rows the client marked for deletion arrive in Update with RowMod == "D".
var deletedRows = from custRow in ds.CustCnt
                  where custRow.RowMod == "D"
                  select custRow;

if (deletedRows.Any())
{
    ds.CustCnt.Clear(); // Just in case the base method wants to fire even after an exception. (Deprive it of data!)
    throw new Ice.BLException($"User: {Session.UserID} is not allowed to delete Customer Contacts.");
}

There is probably some other stuff to check, like is this a customer contact or some other, but you get the gist.

2 Likes

@klincecum Thank you - that worked perfectly!

You’re welcome, but remember, that table/business object is used for more than just customer contacts, so you probably want to check for where it is called from or why.

Unless you just want to prevent that group from doing any contact management globally, then this should work as is.

Yes, that is the strategy (no contact management for these groups). They only have access to trackers for person/contact, but they had the ability to delete contacts from within the Customer app and that’s what I was looking to prevent.