A build-to-order Frappe app that extends ERPNext permissions with field-level read/write masking, record-level rules and role-scoped workspace visibility. ECOSIRE scopes, builds, installs and supports it on your ERPNext v15/v16 bench. Built to order by ECOSIRE for ERPNext v15, v16 — indicative price from $249.00 USD; request a quote for a scoped proposal.

A build-to-order Frappe app that extends ERPNext permissions with field-level read/write masking, record-level rules and role-scoped workspace visibility. ECOSIRE scopes, builds, installs and supports it on your ERPNext v15/v16 bench.
No payment now. This sends a quote request to our team — we'll follow up by email with pricing and next steps.
Standard ERPNext permissions are role-and-DocType shaped: you grant a role read/write/create/delete on a DocType, add User Permissions to fence off records by link field, and lean on Permission Level (permlevel) fields for coarse column control. That works until Finance can see a customer record but must never see its credit_limit, until a regional manager should only touch leads in their own territory group, or until a whole workspace of reports needs to disappear for contractors. At that point admins resort to duplicating DocTypes, hiding fields with brittle client scripts (which never actually secure the data server-side), or over-granting roles and hoping nobody notices. ERPNext core simply runs out of road for least-privilege, per-field, per-record governance.
Role-profile-aware workspace visibility that shows or hides Frappe Workspaces, shortcuts and cards per user without cloning workspaces
Field-level read/write/mask rules driven by a `Field Permission Rule` DocType instead of scattered `permlevel` hacks
Server-side enforcement in `hooks.py` doc events (`validate`, `before_save`, `onload`) so masked values never reach the client
Masking applied at the field-fetch layer so hidden values are also stripped from the Frappe REST API (`/api/resource`, `frappe.client.get`) and report builder
Record-level rules via `get_permission_query_conditions` so filtering happens in the SQL `WHERE` clause, not just in the UI
`has_permission` hook for per-document allow/deny beyond ERPNext's User Permission link matching
We build a proper Frappe app (its own module, DocTypes, hooks.py and fixtures) that layers structured, auditable access control on top of ERPNext's native permission engine rather than fighting it. A Field Permission Rule DocType maps role profiles to per-field read/write/mask behavior; enforcement runs server-side in hooks.py doc events (before_save, validate, onload) and in an override of the controlled DocTypes' get_valid_columns/field-fetch path, so masked values never leave the server even via the Frappe REST API, frappe.client.get, list view, or report builder. Record-level rules are evaluated with a whitelisted get_permission_query_conditions hook and a has_permission hook, so filtering happens in the SQL WHERE clause — a user cannot enumerate hidden records by guessing names or paging the /api/resource endpoint. Workspace visibility is driven by role-profile-aware logic that hides or shows Frappe Workspaces and their shortcuts per user without cloning them.
On top of enforcement we build the operational surface admins actually need: a Permission Audit report (Query/Script Report) that resolves, for any user, the effective read/write/mask matrix across the governed DocTypes and flags conflicts; private comments and tagged-visibility controls so notes on a record are only visible to named users or groups; and a scheduled digest (registered as a scheduler_event) that emails owners a weekly summary of permission changes and access-denied events. Every rule change and every enforced denial is written to a log DocType so you have a defensible trail for audit and compliance reviews. Client scripts are used only for UX affordances (greying out masked fields, hiding tabs) — never as the security boundary, which always lives on the server.
Because this is built-to-order, nothing here is a generic download. We start from your real role profiles, the exact DocTypes and fields you need to govern, and your ERPNext version (v15 or v16), then deliver an app tailored to that scope. Typical delivery is 2 to 4 weeks from confirmed scope. You get the installable source code for your build, installation and configuration on your bench, technical and end-user documentation, a training session, UAT on a staging site with a tested rollback plan, and a post-go-live support window. ECOSIRE builds it, installs it, and supports it — you are not left to reverse-engineer someone else's marketplace app.
Owns least-privilege access and needs field-level masking, record-level scoping and a defensible audit trail that ERPNext core cannot express through roles and User Permissions alone.
Manages role profiles across Finance, Sales and Operations and wants structured permission rules and an effective-access report instead of duplicated DocTypes and brittle client-script hiding.
Should only see and edit records within their own territory, company or team, enforced in the query layer so hidden records never surface via list views, reports or the REST API.
Needs proof that sensitive fields (salary, cost, credit limit, PII) are masked server-side and that every permission change and denial is logged for reviews.
Buy the license on ecosire.com and download the Workspace & Field-Level Permissions Manager app ZIP from your account dashboard.
Extract the ZIP into your bench's apps folder, or run `bench get-app` with the path to the extracted app.
Run `bench --site SITE_NAME install-app APP_NAME` followed by `bench migrate` to install Workspace & Field-Level Permissions Manager and apply its schema.
Open the ECOSIRE License settings on your site and activate your license key. Requires the free ecosire_connect and ecosire_license_client apps.
| Criterion | ECOSIRE | Custom Build | Competitor | Odoo Native |
|---|---|---|---|---|
| Field-level masking | Server-side read/write/mask per field via rule DocType | Possible but hand-coded per field | Often UI-only hiding, not enforced | |
| Record-level rules | SQL `WHERE`-level filtering via query hook | Achievable with deep Frappe knowledge | Usually limited to link-based filters | |
| REST API / report leakage | Masked and filtered on API, list and reports | Must remember every access path | Frequently leaks via API or report builder | |
| Workspace visibility | Role-profile-aware show/hide, no cloning | Manual per-user workspace juggling | Rarely covered | |
| Audit & change log | Effective-access report + immutable change log | Build it yourself | Seldom included | |
| Fit to your org | Built to your roles, DocTypes and dimensions | Fully bespoke, higher risk/cost | Generic, configure to fit | |
| Support & handover | Post-go-live window + git repo + docs | Depends on the developer | Vendor forum/ticket, no source access | |
| Delivery model | Build-to-order, 2-4 weeks, UAT + rollback | Open-ended timeline | Instant download, integration on you |
This is a build-to-order app, not an instant download. After a scoping call to confirm the exact role profiles, DocTypes, fields and rules you need, typical delivery is 2 to 4 weeks from confirmed scope, including UAT on staging before go-live.
ERPNext core is role-and-DocType shaped with coarse `permlevel` field control and link-based User Permissions. We add per-field read/write/masking, per-record allow/deny evaluated in the SQL query layer, and role-profile-aware workspace visibility — enforced server-side, with an effective-access audit report and change log on top.
It is enforced server-side in `hooks.py` doc events and at the field-fetch layer, so masked values are stripped from the REST API, `frappe.client.get`, list views and report builder — not just greyed out. Client scripts only handle UX affordances; they are never the security boundary.
We build and test against ERPNext/Frappe v15 and v16. We confirm your exact bench version during scoping and deliver an app aligned to it, with an upgrade-safe structure.
Every build includes a post-go-live support window for defect fixes and configuration questions. Beyond that, we offer ongoing support and can add rules, DocTypes or version-upgrade compatibility as a follow-on engagement. You also receive the full git repository so your team can maintain it.
Because it is a standalone Frappe app using documented hooks (`get_permission_query_conditions`, `has_permission`, doc events, `scheduler_events`) rather than core patches, it upgrades cleanly. We validate against your target v15/v16 version and hand over docs so upgrades stay predictable.
Yes. Record-level rules can key off existing dimensions such as territory, company, department or custom group fields, mapped to your current role profiles, so access mirrors your real org structure without duplicating records or roles.
A build-to-order Frappe app that extends ERPNext permissions with field-level read/write masking, record-level rules and role-scoped workspace visibility. ECOSIRE scopes, builds, installs and supports it on your ERPNext v15/v16 bench.