by eggsurplus

Control what your users can access and save time, money, and frustrations. Lock down sensitive data in SugarCRM or SuiteCRM to specific groups or teams. Supports unlimited assigned users, unlimited group assignments to records, custom layouts for each group, login/sudo capabilities and much more.


#215 - Wide Open Security By Default for New Users

Closed Bug? created by markriggins 6 years ago

A new user with NO SECURITY GROUPS or roles can see ALL RECORDS, even records that have been assigned to a security group, unless they have been assigned a restrictive role, such as 'Group Only'.

Is there a way to reverse this ridiculous default behavior?

Can you add a default role for new users?

This default access policy is not acceptable for a Security package.

  1. eggsurplus Provider Affiliate

    6 years ago

    This is very possible to do. Everybody uses this module differently. To do what you want use the "Default Groups" option on the Security Suite Settings page. There is a bit of a learning curve to this module. But once you get it there are many, many scenarios that it can cover. In your case, create a locked down group with a role associated with it with NO ACCESS to everything. Then set the Default Group for any newly created User record to that group on the settings page.

    • eggsurplus Provider Affiliate

      6 years ago

      To clarify, when you first set up using Security Suite you will need to associate all existing users and records to the appropriate groups. From there on out records will inherit groups based on your configured settings.

  2. markriggins

    6 years ago

    I added a trigger to the users table instead to add a default role for all new users.

    ================================

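    -- Use $$ as the statement delimiter so the trigger body can contain ';'.
    delimiter $$
    drop trigger if exists trigger_users_after_insert $$
    -- Give every newly inserted user the 'DealershipMember' role.
    create trigger trigger_users_after_insert after insert on users
    for each row
    begin
      insert into acl_roles_users (id, role_id, user_id, date_modified, deleted)
      select uuid(), acl_roles.id, NEW.id, current_timestamp, 0
      from acl_roles
      where name = 'DealershipMember' and deleted = 0
      limit 1;
    end $$
    delimiter ;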

    • eggsurplus Provider Affiliate

      6 years ago

      That's not a bad way of going about it if that is your requirement. Adding a default group using the option setting on the Security Suite Settings page would also accomplish the same thing without needing a trigger.

      SugarCRM by default allows full access. SecuritySuite is simply an additional layer that allows you to add additional layers of security to the default SugarCRM behavior.

      Nice find!

    • markriggins

      6 years ago

      This is a default role, not a default group. But if we add the "default" role to the default group, then I suppose we could accomplish it that way.

    • markriggins

      6 years ago

      I like that better -- triggers are so hidden, it's very easy to forget. If someone changes the name of the default role in my trigger, it breaks without complaint.

  3. markriggins

    6 years ago

    This isn't about groups really -- the new user I created was not a member of ANY group, but could still see all records until I assigned a role.

    It's working for me now, so I'm not 100% sure if this was pilot error or a reproducible bug.
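
An audit query for the condition discussed in this thread, added here as an example and not posted by either participant or taken from SecuritySuite itself: it lists active, non-admin users who hold no role, either directly or through a group, and so fall back to the default full access. The table and column names are assumed to match a stock SuiteCRM/SecuritySuite schema, and excluding admins is an assumption about what you want to review; check both against your own installation.

```sql
-- Added example: find users left on the wide-open default.
-- Assumed tables (stock SuiteCRM + SecuritySuite; verify on your install):
--   users, acl_roles, acl_roles_users,
--   securitygroups, securitygroups_users, securitygroups_acl_roles
select u.id, u.user_name, u.date_entered
from users u
where u.deleted = 0
  and u.status = 'Active'
  and u.is_admin = 0                 -- assumption: admins are reviewed separately
  -- no live role assigned directly to the user
  and not exists (
        select 1
        from acl_roles_users aru
        join acl_roles r
          on r.id = aru.role_id and r.deleted = 0
        where aru.user_id = u.id
          and aru.deleted = 0)
  -- no live role inherited through any security group
  and not exists (
        select 1
        from securitygroups_users sgu
        join securitygroups sg
          on sg.id = sgu.securitygroup_id and sg.deleted = 0
        join securitygroups_acl_roles sgr
          on sgr.securitygroup_id = sg.id and sgr.deleted = 0
        join acl_roles r
          on r.id = sgr.role_id and r.deleted = 0
        where sgu.user_id = u.id
          and sgu.deleted = 0)
order by u.date_entered desc;
```

An empty result means every active non-admin account is covered by at least one role. Running it on a schedule also catches the case raised above, where the role named in the trigger is renamed and new users silently stop receiving it.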
