Good catch, Mayer! Copy/paste issues. Both are fixed now.

-Jason

Although with the right configuration and processes in place this may certainly work, I'd instead recommend using something like DeDupit to handle the dupes: https://www.sugaroutfitters.com/addons/DeDupit

You can have a data steward review possible dupes for more loosely detected duplicates and you can also have it automatically merge dupes for more stringent rules. For example, if an email address matches.

I'm not sure if dedupit has the functionality I need. I had planned to have multiple rule-sets per dedupe run E.g. first it tries an exact email match (maybe 20% of the records get matched. Next it might try an exact mobile phone AND 1st 3 characters of first name, then maybe another 10% of the records might get matched. And it would keep going through all the matching rules and re-trying the remaining records.

2. I want more flexibility in defining the match rules. Instead of requiring exact matches

- substring match - date inbetween or less/greater than another date(s).

3. Does it need to check every contact with every other contact for each run? Suppose I've just run a batch job load, and 500 new records have been added. Can I specify that dedupit only needs to check the newly add records (e.g. based on date-created field) - otherwise this will lead to a lot of unnecessary processing, since we will have around 20 feeds coming daily, and we would like to run the dedupe process after each load.

Anyway.... whether or not we use dedupit or our own external process... we still need a way to hide the records from normal users until they have been merged or declared unique.

You would be able to set up those different rules. I believe you can configure it to run for only new records, but not entirely sure.

For SecuritySuite, you would assign everyone Group access to view records so that they can only see records assigned directly to them or that have their group(s) associated to the record. The newly imported records would not have a group assigned to them. Once you have finished the data review then the appropriate groups would need to be assigned. You'll want to automate that last step as much as possible. It could be some custom code or by using a workflow tool that checks a "data reviewed" field on the module and when set it auto assigns the appropriate group(s).

Hope that helps.

Thanks that's useful info. Can I assign a contact record to multiple groups?

Yes, absolutely.

Yes, a person can be a member of multiple teams.

That's pretty crazy. Typically this sort of person is one who can see everything in the system and just has rights to All for everything.

Another option is to use the "Not Inheritable" checkbox for that user who belongs to a given group. With that checked the invisible user can create records without that group being auto assigned to the record which makes the record invisible to the manager of that group. It won't make the user invisible, but it will make the records not accidentally show up. There are ways to alter utils.php to make the user not show up in dropdowns, etc, but it does require custom code.

-Jason

Yes, you would just have a record assigned directly to a user using the Assigned To field and remove any Security Groups assigned in the Security Groups subpanel. Then make sure rights for View/List/Edit are set to Group or Owner. Then only users who are assigned to that record will see it. Basically acting as private then.

SecuritySuite adds a new Create right. Make sure to go to Admin->Repair and run a Repair Roles. Then for the user make sure any roles have the Create permission set appropriately for Accounts. The link should show if they have Create rights then. Hope this helps!

Thanks as always! Fixed and I'll remove this comment.

Owner in the SuiteCRM sense means that the user is set as the Assigned To user for the record. In the database this would be the assigned_user_id column. It means the simple record assignment. Sorry for the confusion!

Mass Assign Security Groups is just a way to say "add this group to these records". It is not an "assignment" in the traditional sense. What you said here is correct. To clarify, Owner rights in a role doesn't change with SecuritySuite. It is based on the Assigned To field. Group rights is a new role level and is based on whether the user's group is attached to a record.

Hope this helps!

Thank you for your patience, I think this helped.

Your hack is actually the best way to handle this scenario. Because they can only see their own they wouldn't see unassigned records without some sort of modification like you have done. Nice job making that work!

Ok, many thanks for this super-fast answer !!! I tought my way was too "hacky" in order to be the right choice !

Other question, I use the same hack in order to manage the right of a custom action. is there a better way more in the "philosophie" of SecuritySuite ? Like add an action in acl_role_action database or something like that ?

Sometimes if the hack does exactly what you need without any real harm then there is no better way to do it.

I like your idea of an acl_role_action. You have to weigh if it's worth it rather than just using an if/else custom strategy. Personally I wouldn't touch it if what you have is doing the job.

Ok thanks, i have just 6 month of sugarcrm coding and i'm always afraid that i code something that already exist !

Will would only be in the East Sales group and Sarah only in the West Sales group. Jill would be added to both East Sales and West Sales. Within the Users subpanel for both of those groups Jill would have "not inheritable" checked so that when Jill creates a record neither the East or West records would be added to the new record. This helps ensure that members of East/West cannot see Jill's records.

Does this help?

To add even another level, Jill could also be in a new "District Sales" group that contains all district managers. All other district managers could be added to it, but they would also be in the groups that they specifically lead, but marked non inheritable.

Yes, thanks. Putting "Jill" into the 2 separate groups was what I was looking for.

Now when going to higher levels, I am still a little confused. When you say "district managers" are you referring to Will and Sarah? or Jill and other colleagues?

Yes. If possible, avoid having to create groups except at the bottom level of the hierarchy. However, if you really need to you can repeat the process up the chain.

This becomes hard as both SugarCRM and SuiteCRM do not distinguish rights between those who created and those who are assigned the record. To support that you would basically need to customize the isOwner function in /data/SugarBean.php to return true if the current user is the person who created the record.

Hope this helps!

For the Create column on that role set to None for that module.

Thanks for your answer, but i don't see the Create column on the role setting. I have Access, Delete, Edit, Export, Import, List, Mass Update and View columns, but not Create column. Am i in the correct place??? Thanks in advance.

If you are using the Enhanced version of SecuritySuite available here you can run a Repair Roles and the Create column will show.

I'm using the SuiteCRM Version 7.9.1, and it has the Security Groups by default, so it's possible to do it??? or is necessary to upgrade??? Thank you.

It's not possible with the default version included with SuiteCRM. You would need to purchase at least the Enhanced version here to get the Create rights option. Hope this helps!

Hello,

If you must keep their rights at owner then they need to be assigned to the record. This would likely mean multiple assigned users since you probably don't want to remove the existing assigned person. You can do this with the SecuritySuite Enterprise plan via the multiple assigned users field. More info on that can be found here: https://www.sugaroutfitters.com/docs/securitysuite/multiple-assigned-users

Cheers, -Jason