Question

Using PXLoginScope throws error - need way to globally search data across tenants

  • 13 February 2023
  • 8 replies
  • 117 views
Brian Stevens
Rank
Userlevel 6
Badge +4

I need to gather data from across all tenants of the instance to allow certain users.  One use case is to allow an authorized user to search Stock Items across all tenants.  While I’m open to suggestions on how to do this without creating a SQL view to bypass the CompanyID injection into the SQL statements, I’m trying to  leverage PXLoginScope for a method I’m testing.  While admin@Company works when logged into Company, it throws an error when my current tenant is not “Company”.

I am trying to use PXLoginScope  to read all the data as admin and return the results to the end user.

I found an example of using it, and I have the same problem no matter my approach.

using (new PXLoginScope(string.IsNullOrEmpty(companyId)
    ? "admin" : ("admin@" + companyId), PXAccess.GetAdministratorRoles()))

using (new PXLoginScope(string.IsNullOrEmpty(companyId)
    ? "admin" : ("admin@" + companyId), Array.Empty<string>()))

using (new PXLoginScope("admin@" + companyId))

What I find particularly interesting is that I do not use or refer to Salesforce or PRxInventoryItem in my screen, nor have I ever.  This customization project contains purely this 1 screen and related code on a SalesDemo tenant for development.

Any explanation as to the error or how to properly use PXLoginScope… or a better way to allow an end user to globally search data in a very controlled way even when the tables contain CompanyID?

Changing the world, one byte at a time - https://bstevens.net/ (formerly acumatica.dev)

8 replies

D
Rank
Userlevel 7
Badge +5

I wonder if it would be better to have a separate table to hold the search content? (e.g. CrossCompanySearch). If you include NoteID in that custom table then you could leverage the global search functionality within each company.  Presumably one record per company per record being sought.

If your CrossCompanySearch table had the CompanyMask column, that would let you access the data in that table from all companies.

I did find a post that shows some more example of using PXLoginScope:

https://stackoverflow.com/questions/52911626/acumatica-pxgraph-createinstance-throwing-error

 

Brian Stevens
Rank
Userlevel 6
Badge +4

We have considered the separate table idea for a while, but we really don’t want to maintain that independently.  It also means compiling a large amount of duplicate data which is a definite negative.  Thanks for the assist on the stack overflow post.  I’ll try that to see if I can get past the immediate issue.

Changing the world, one byte at a time - https://bstevens.net/ (formerly acumatica.dev)
Brian Stevens
Rank
Userlevel 6
Badge +4

I have to adjust for reading from another tenant, the userid admin@Company (or @ the tenant I’m in) is the only one that works.  The code sample from stack overflow threw the same error once I added @ and the tenant login name to the user, although the code certainly had a lot more finness than mine.

Changing the world, one byte at a time - https://bstevens.net/ (formerly acumatica.dev)
Brian Stevens
Rank
Userlevel 6
Badge +4

Unless something has changed, this may be the nail in the coffin of what I want to accomplish.  The alternative is a SQL view excluding the company id fields so that SQL bypasses the Company ID restriction, but it opens a lot of security concerns as well as falling under bad practices per Acumatica.  This is why I had hoped to use PXLoginScope, but the alternative is an external application to walk the directory of tenants and poll each tenant for results.

Still open to ideas of how to do it “properly” but looking more and more like we may have to use the supplemental table method to copy the relevant data.

Changing the world, one byte at a time - https://bstevens.net/ (formerly acumatica.dev)
Chris Hackett
Rank
Userlevel 7
Badge

Hi @Brian Stevens  were you able to find a solution? Thank you!

Chris ~ Let us know how we're doing: https://forms.office.com/r/xmJUdZ1QE5 - A member helped you, please *Like* their post. A member provided an answer to your question, please mark it as *Best Answer*.
Brian Stevens
Rank
Userlevel 6
Badge +4

No acceptable solution found.  You can use PXReadBranchRestrictedScope to populate the view from all branches of the current tenant, but I have not found a way to “legally” bridge tenants.  The only alternative I can imagine is to create a SQL view without CompanyID.  The legal alternative is even less desirable to implement by duplicating data to a new table that does not contain CompanyID. 

Changing the world, one byte at a time - https://bstevens.net/ (formerly acumatica.dev)
Yuriy Zaletskyy
Rank
Userlevel 5
Badge +3

@Brian Stevens did you try to experiment with gropumask column? As far as I remember, it may be possible somehow to share access through maniuplations with that column, also I can’t give you much more details as of now.

https://blog.zaletskyy.com
Brian Stevens
Rank
Userlevel 6
Badge +4

@Brian Stevens did you try to experiment with gropumask column? As far as I remember, it may be possible somehow to share access through maniuplations with that column, also I can’t give you much more details as of now.

Thanks, Yuriy.  While I understand that certainly is the means of sharing data across tenants, my challenge is the nature of the data that needs to be searchable.  I do not need to share the InventoryItem table itself, or the related standard and custom DAC’s containing the various related part information.  (Each tenant legitimately needs to be isolated outside of this search feature.)  I do, however, need to grant access to a limited group of individuals to search for parts across all tenants at an enterprise level.

My hope was a simple query screen to search description, various sources and part numbers, and on-hand availability across the enterprise.  I had attempted using PXLoginScope to walk the tenants in a query screen and return the search results, but I cannot seem to do that internally to Acumatica.  I found a post that explained why this doesn’t work, so my best solution may be an external application to execute the searches in each tenant via API calls so that I don’t have to duplicate data or use a SQL view.

For now, we have the query screen to allow searching across all branches even if the user does not have access within the branch, but we still manually cycle through all tenants to execute the search one tenant at a time.

Changing the world, one byte at a time - https://bstevens.net/ (formerly acumatica.dev)

Reply


Terms & ConditionsCookie settings
About Acumatica ERP system
Acumatica Cloud ERP provides the best business management solution for transforming your company to thrive in the new digital economy. Built on a future-proof platform with open architecture for rapid integrations, scalability, and ease of use, Acumatica delivers unparalleled value to small and midmarket organizations. Connected Business. Delivered.
© 2008 — 2024  Acumatica, Inc. All rights reserved