I like the idea, but honestly don't want to touch this with a ten foot pole. It opens up a whole can of worms that can easily spell disaster. Supporting this will be a nightmare and I'd definitely would need to increase the cost of this add-on substantially to cover it.

The downside is high I suppose for a full-blown solution, but the cost of keeping N versions up to date for my user groups is worse!

I'm thinking about adding a Realms module, then relating it to the Users table. Then I just limit user lists and selects to those within the same realm as the session. Your group admin stuff already limits group owners to managing their own groups. I can rely on your group and role permissions for securing access.

modules/Users/metadata/popupdefs.php has a where clause.

any others you can think of? I wish I could set a break point on reading the users table

what does securitysuite_filter_user_list control?

maybe this is all that I'm looking for!!

Of course, I couldn't use a default group with a default role for for all users, but I have a trigger for that anyway.

Sweet. Sounds like I can implement my hierarchy with this.

I just need to define a "Group" for each "Realm" and stuff every single member into that group.

Then the admin user can see those users whenever setting up teams.

Each team can be sub-divided in to smaller teams using groups. If the admin user for the entire team is a member of every group, then he can select any team member from any group.

Roles can set the global access policy based on what each kind of member a team has, sales/management etc.

LOVE IT

The best line of code is the one that you DO NOT write.

I think I found a bug in your implementation.

For non-admin users, the link index.php?module=Users&action=index will bring up the current user's detail page.

But the link index.php?module=Employees&action=index&return_module=Employees&return_action=DetailView will list all Employees, even those not in the group!

Better behavior would be to give

Since sugarcrm is open-source, you cannot count on the user not being able to conjure up their own links.

Probably need to just restrict this list of users like you did elsewhere.

In case it ever gets that far custom/modules/Employees/views/view.list.php:137

        $this->where .= "(users.status <> &#039;Reserved&#039; or users.status is null) ";
        /* MDR: BEGIN - SECURITY GROUPS */
            global $current_user, $sugar_config;
            if(!is_admin($current_user)
               && isset($sugar_config[&#039;securitysuite_filter_user_list&#039;])
               && $sugar_config[&#039;securitysuite_filter_user_list&#039;] == true
               ) {
              require_once(&#039;modules/SecurityGroups/SecurityGroup.php&#039;);
              global $current_user;
              $group_where = SecurityGroup::getGroupUsersWhere($current_user->id);
              $this->where .= " AND (".$group_where.") ";
            }
        /* END - SECURITY GROUPS */