Example of a Typical Setup
A Typical Hierarchy Setup
Although SecuritySuite can handle any organizational structure, the most common scenario it is used for is one where the owner can see everything, managers can see both their own records and those of their team, and team members can only see their own records
This company has 2 sales teams; East and West. The owner, Jill, should be able to see everything. The East Sales team is lead by Will and Sarah leads the West Sales team. Both of them should see everything just in their own respective teams. The rest of the sales reps in each teams should only be allowed to see their own records.
Set up the Groups
1) Create a group called East Sales 2) Add Will and the sales reps 3) Create a group called West Sales 4) Add Sarah and the sales reps
Set up the Roles
1) Create a role called Everything and set the rights to All. Tips and Tricks: Click the header in any column on the role grid and you can set the rights for the whole column at one time 2) Assign the Everything role directly to Jill's user account. 3) Create a role called Group Only and set the rights for everything to Group. 4) Assign the Group role directly to Will and Sarah. 5) Create a role called Owner Only and set the rights for everything to Owner. 6) Assign the Owner Only role to the East Sales and West Sales groups
Assign the Groups
This instance already has some existing leads so we will assign them to the appropriate groups.
1) Go to the Leads list view and search for the leads that should belong to the East Sales group 2) Check the appropriate leads, in the Mass Assign panel choose East Sales, and click "Assign" 3) Repeat for the West Sales team
NOTE: Going forward the groups will be automatically inherited by any calls, contacts, notes, etc that get added based on the SecuritySuite Settings that are configured. If the SugarCRM instance is already loaded with lots of data at the time of starting with SecuritySuite then there may be some initial work to be done to add those groups to the related records. The Mass Assign functionality on the List View can be used or direct database insertion into the securitygroups_records table. See existing data in that table for how to format the data. This will require SQL knowledge if you want to go that route.
Check the Settings
These settings determine how SecuritySuite functions. In the Group Inheritance Rules panel the defaults of "Inherit from Created By User", "Inherit from Assigned To User", and "Inherit from Parent Record" will work perfectly in this scenario.
Any lead that gets created will automatically have groups assigned to it based on who created it and who gets assigned to it. If a call is created for a lead then the call will inherit the groups from the lead record (parent record) along with inheriting the groups from the created by user and the assigned to user.
Another key setting is "Strict Rights". In the scenario above the default settings will cause the links on the list view for the team leads to show with no link for records that are assigned to their group. In many cases you will want to uncheck "Strict Rights" so that you can assign groups in the manner described in this doc.
The hardest part is always the initial setup. Once you have things configured and figured out it will just run on its own. If you have some special work flows where you want to add certain groups based on some custom logic it's pretty easy to do with logic hooks or using Process Manager which is a great workflow tool for SugarCRM. Here's an example of adding groups automatically using Process Manager.
Have a more complicated structure? Apply the same principles here for each additional level of hierarchy that you may have. The key is to create a group at the lowest levels of the structure and then work your way back up.