by eggsurplus

Control what your users can access and save time, money, and frustrations. Lock down sensitive data in SugarCRM or SuiteCRM to specific groups or teams. Supports unlimited assigned users, unlimited group assignments to records, custom layouts for each group, login/sudo capabilities and much more.


#1578 - How to implement security group hierarchy

In Progress General Question created by so_removed_7 5 years ago


I have a question: how do I implement a security group hierarchy?

My requirement is as follows.
Let us take an example: I have only one module, "Node".
I have a few teams with a hierarchy.

Ex. "Team A" has 3 members, "Amember1", "Amember2", "Amember3", and two admins of Team A, "Aadmin1" and "Aadmin2".

Members of "Team A" can see all data in the same team.
Admins of "Team A" can see all data in the same team.
Members of "Team A" cannot see data of the admins.
And "Aadmin1" cannot see data of "Aadmin2" and vice versa.

Again, there are N levels of team hierarchy.

I have implemented this as follows:

- Created a security group for Team A -> "SG-A-Normal" and assigned this group to all members and admins.
- Created a security group for Team A admins -> "SG-A-Admin", assigned this group to the admins of Team A, and made this admin group the default group of the admins.

The SG-A-Normal security group has a role with all access to module "Node".
The SG-A-Admin security group has a role with owner access to module "Node".

But the problem is when I reach level 4 of the hierarchy:
I will have to create multiple security groups and assign them to the level 4 admin.
Meaning the level 4 admin will have all access to level 3, level 2, level 1.

Is there any way to connect security groups in a hierarchy?
For example, if SG-Super is the parent of SG-A-User,
then a user with SG-Super access can also view SG-A-User.

  1. eggsurplus (Provider Affiliate), 5 years ago

    Hi Ramakant,

    An alternative is to just have a "SG-A" group and put all your normal members and admins in that group. Then mark the admin users in that group as "Not Inheritable" so that when they create records they won't have the "SG-A" group automatically assigned to the new record. This means that normal users won't see their records.

  2. so_removed_7, 5 years ago

    Thanks, it's working for one level.

    Team Member (Level 1) can see all nodes (own + all nodes in same group), except those of his/her seniors, i.e. Team Lead and managers.
    Team Lead (Level 2) can see all nodes (own + all members'), except those of his/her seniors, i.e. managers.
    Manager (Level 3) can see all nodes (own + all team leads' + all members').

    Should I do some custom coding or can it be achieved simply?

    • eggsurplus (Provider Affiliate), 5 years ago

      You would create the groups at the lowest level and work your way up. So create a group for every team. Then assign all members and leads to every appropriate team. Create a role called something like "Team Only" and set the rights to "Group" for everything. Then assign that role to each group. Now go back to the security group and in the users subpanel edit every team lead and set "Not Inheritable" and save (to ensure that team members can't see the lead's records).

      For managers (level 3) you don't need to do anything. Just ensure that they have a role set to All so that they can see all records. If you have a Level 4 then you just repeat the process going up. Managers would be added to groups, set as Not Inheritable, etc.

      It's very similar to the example here:

      The biggest difference will be that the team lead should be marked as Not Inheritable when added to the security group so that when they create a record their group won't be assigned to the new record (so that team members won't see the record).
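
A simplified model of the setup described in the replies above, added here as an example (it is not SecuritySuite's code and not part of the thread). It assumes that a "Group" right grants access to a user's own records plus records sharing one of the user's groups, and that only inheritable memberships are copied onto new records; all class, function and user names are hypothetical.

```python
# Simplified model of the group/role behaviour described in this thread.
# Not SecuritySuite code: class and function names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    access: str                                   # role right: "All", "Group" or "Owner"
    groups: dict = field(default_factory=dict)    # group name -> inheritable flag

@dataclass
class Record:
    owner: str
    groups: set

def create_record(user):
    # Only memberships left inheritable are copied onto a new record.
    return Record(user.name, {g for g, inh in user.groups.items() if inh})

def can_view(user, record):
    if user.access == "All" or record.owner == user.name:
        return True
    if user.access == "Group":
        # Assumption: any shared group grants access, inheritable or not.
        return bool(record.groups & set(user.groups))
    return False  # "Owner" right: own records only

def visible_owners(user, records):
    return sorted({r.owner for r in records if can_view(user, r)})

# Constructed sample data: two teams, the lead marked Not Inheritable.
member_a = User("Amember1", "Group", {"SG-A": True})
member_a2 = User("Amember2", "Group", {"SG-A": True})
lead_a = User("Alead", "Group", {"SG-A": False})
member_b = User("Bmember1", "Group", {"SG-B": True})
manager = User("Manager", "All")
RECORDS = [create_record(u) for u in (member_a, member_a2, lead_a, member_b, manager)]

if __name__ == "__main__":
    for u in (member_a, lead_a, member_b, manager):
        print(u.name, "sees records owned by", visible_owners(u, RECORDS))
```

In this model the lead's record carries no group, so team members cannot see it, while the manager's "All" right exposes every record in every team.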
