Control what your users can access and save time, money, and frustrations. Lock down sensitive data in SugarCRM or SuiteCRM to specific groups or teams. Supports unlimited assigned users, unlimited group assignments to records, custom layouts for each group, login/sudo capabilities and much more.
Options
Getting Started
Setting up security correctly can be overwhelming at first. We recommend first completing the Installation Guide and then reviewing the Typical Setup doc. Then check out all of the Features available including granting admin rights and assigning multiple users. After that, check out the many configurable options below.
Other Options
- Additive Rights
- Strict Rights
- New User Group Popup
- User Role Precedence
- Filter User List
- Use Popup Select - pre-6.5.5
- Use Creator Group Select - 6.5.6+
- Shared Calendar - Hide Restricted
- Inherit from Created By User
- Inherit from Assigned To User
- Inherit from Parent Record
- Default Groups for New Records
- Inbound email account
Additive Rights
User gets greatest rights of all roles assigned to the user or the user's group(s)
Strict Rights
If a user is a member of several groups only the respective rights from the group assigned to the current record are used.
New User Group Popup
When creating a new user show the SecurityGroups popup to assign the user to a group(s).
User Role Precedence
If any role is assigned directly to a user that role should take precedence over any group roles.
Filter User List
Non-admin users can only assign to users in the same group(s)
Use Popup Select
When a record is created by a user in more than one group popup a group selection screen otherwise inherit that one group. Inheritance rules will only be used for non-user created records (e.g. Workflows, etc).
Use Creator Group Select
Adds a panel to a record creation screen if a user is a member of more than one inheritable group that allows a user to select one or more groups that the user belongs to that should be associated with the newly created record. If a user is in just one group the normal inheritance rules will instead be applied.
NOTE: The new record will still inherit from the Assigned To user or Parent record if these options are set. This setting only overrides the Created By setting.
Shared Calendar - Hide Restricted
By default users can see when other users are busy on the Shared Calendar. Even if the user doesn't have rights to the meeting, call, etc. It will display on the calendar, but the user cannot view more details unless the user has rights to that specific calendar item. By setting this option the user cannot see these items on the Shared Calendar; only items that the user actually has rights to.
Inherit from Created By User
The record will inherit all the groups assigned to the user who created it.
Inherit from Assigned To User
The record will inherit all the groups of the user assigned to the record. Other groups assigned to the record will NOT be removed.
Inherit from Parent Record
e.g. If a case is created for a contact the case will inherit the groups associated with the contact.
Default Groups for New Records
Set groups that should always be attached when a specific module is created.
Inbound email account
Locks down inbound email accounts in the email client to only list those that belong to the same group as the current user.
-
"Incredibly useful. It's one of the first features you need. This needs to be part of the core product." - MTP
Read More Reviews
- Most Recent Love from Users
kacsoristvan- damien8105
- anri
- Administrador
- Stefano1
- einkauf2
11 years ago
We are experimenting with SecuritySuite with the intention of implementing the premium version on our system, and have a question regarding the "Inherit from Parent Record" option which does not seem to have an effect for activities already created.
Scenario 1: "Inherit from Parent Record" is checked A user "U" is in security group "X" and has a role where Edit/List/View Calls = Group A lead has a call in their history, this call is not in a security group The lead is assigned to security group "X"
With "Inherit from Parent Record" checked I would expect that user "U" could see this call, but they cannot as no security group is assigned to the call.
Scenario 2: "Inherit from Parent Record" is checked A user "V" is in security group "Y" and has a role where Edit/List/View Calls = Group A lead is in security group "X" A call is logged for this lead and the call is automatically put in security group "X" The lead is added to security group "Y" and removed from security group "X"
With "Inherit from Parent Record" checked I would expect that user "V" could see the call in the history, but they cannot as it is still assigned to security group "X".
It seems that the "Inherit from Parent Record" checkbox means that only new child records will be added to this security group, and if I later change the lead's security group, child records remain in the old (or no) security group.
Is there a way to update the security group for child records (e.g. Calls, Tasks, Meetings, Notes) when the security group is changed in the parent record (e.g. Lead or Contact)? Am I missing something really obvious here, or is this not a feature of SecuritySuite and would have to be implemented via a logic_hook?
With many thanks.
11 years ago
That is correct, inheritance works at the time of record creation. So when you initially setup SecuritySuite for an existing SugarCRM instance you will probably want to do some sort of data work to ensure the groups are associated as you require them to be. Most will do something directly against the database using SQL to populate the securitygroups_records table.
When it comes to how to handle removing groups, this is best handled via a logic hook as it the need to do this varies from install to install. It may make for a good feature request, however.
11 years ago
That is helpful, thank you for the speedy response.
Inherit from Assigned To User adds security groups to a record each time the record is reassigned to a user with additional security groups, and I was hoping that Inherit from Parent Record might do a similar thing to child records each time the security group(s) of the parent record are updated - even if security groups are not removed but are just added.
This would definitely be my first feature request, rather than the option of removing groups. I can work on the data to update the security groups for child records, however I can envisage scenarios where a parent record changes security group and the new user has no idea of their history.
Is there a formal way of making a feature request, or is this good enough?
With thanks.
11 years ago
Makes sense to me. Can you add it here as a feature request? https://www.sugaroutfitters.com/support/securitysuite I'd probably add a new set of options for when a parent record changes. The challenge is that in SugarCRM it is possible to have cyclical relationships so there has to be a stopping point on how far down to propagate changes.
11 years ago
I've done that, thanks. And that is helpful to know also - at least a depth of 3 would be good, as a Lead/Contact may have an Activity, which may have a Note, etc. You could even make the depth an option the user could choose from a list? (Just a thought.)
For the sake of our own development, how long might it take for such a feature request to roll out? (Don't worry, we won't be holding you to it.)
With thanks.
8 years ago
Hi, is it possible to limit access to records that meet a criteria based on a field ?, for example: The "Group A" can list and view all accounts while the "Group B" only can list and view the accounts whose account type is prospect.
Regards
8 years ago
Yes, using workflows you can accomplish this by adding Group B (or removing) whenever the account type changes using a workflow tool such as Process Manager: http://sugaroutfitters.com/addons/process-manager-enterprise
The rights for Group B would be set to List -> Group and View -> Group so that they can only see those accounts that have their group assigned to it (which would be those with account type = prospect).
Hope this helps!