by eggsurplus

Control what your users can access and save time, money, and frustrations. Lock down sensitive data in SugarCRM or SuiteCRM to specific groups or teams. Supports unlimited assigned users, unlimited group assignments to records, custom layouts for each group, login/sudo capabilities and much more.


#2756 - Group rights-not inherited issue!

Closed Bug? created by it12 7 years ago

Dear Sirs,

I have the following scenario: I have 2 users in 2 different groups. Each of the groups has different rights on a certain Account module. Filter User List is on, as I want users to be able to see only their group members.

Now, there is a situation where one of the users from the 1st group needs to see only the names of other users from the 2nd group and not inherit any rights from the 2nd group. My thought is that when you add that user to the 2nd group and mark "not inherited" as on, it would do the job, but the rights are still assigned and they inherited all rules just like any other user from the 2nd group.

Thank you very much and looking forward to your reply.

Best Regards,

Slaven.

  1. eggsurplus Provider Affiliate

    7 years ago

    The inherit checkbox is only for whether the user's groups should be inherited by any records created. The roles will still be applied in that case as you are seeing. You may need to create a special exception for your need. To do that, edit include/utils.php. There will be two functions in that file that determine which users show in the user list. Look for "SECURITY GROUPS" to find these two functions. You can edit the logic as needed to show just the users needed.

    Hope this helps!

    • it12

      7 years ago

      Hello,

      Thank you very much. I have found these two codes you mentioned, but the logic is written for every module and every security group. I just need to alter the settings so that one or more users I add from another group can see assigned to and user names without inheriting any role rules from that group. Can you please help out as I'm not a php developer.

      Looking forward to your reply.

      Best Regards,

      Slaven.

    • eggsurplus Provider Affiliate

      7 years ago

      A better place is actually in modules/SecurityGroups/SecurityGroup.php in getGroupUsersWhere(). Replace the user id and group id placeholders. This is a hack that will be wiped out whenever there is an update, so be sure to back this up to merge back in:

          function getGroupUsersWhere($user_id)
          {
              //exception that should see users from a specific group
              if($user_id == 'ID-OF-THE-USER')
              {
                  return " users.id in (
                      select sec.user_id from securitygroups_users sec
                      where sec.deleted = 0 and sec.securitygroup_id = 'ID-OF-THE-SECURITY-GROUP'
                  )";
              }
              else
              {
                  return " users.id in (
                      select sec.user_id from securitygroups_users sec
                      inner join securitygroups_users secu on sec.securitygroup_id = secu.securitygroup_id and secu.deleted = 0
                          and secu.user_id = '$user_id'
                      where sec.deleted = 0
                  )";
              }
      
          }
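Added example, not part of the original thread and not SecuritySuite's own code: a standalone PHP sketch that generalises the exception above to several users and groups, keeps each user's own group members visible, and validates every id before it is placed in the SQL string. The names `buildGroupUsersWhere`, `assertSafeId` and `USER_LIST_EXCEPTIONS` and all ids are hypothetical; like the hack above, it only builds the user-list filter.

```php
<?php
// Added example: standalone sketch, not SecuritySuite code.
// Hypothetical map: viewer user id => extra security group ids whose members
// that viewer may see in user lists. All ids below are constructed samples.
const USER_LIST_EXCEPTIONS = [
    '11111111-aaaa-4bbb-8ccc-000000000001' => ['22222222-aaaa-4bbb-8ccc-000000000002'],
    '11111111-aaaa-4bbb-8ccc-000000000003' => ['22222222-aaaa-4bbb-8ccc-000000000002'],
];

// Ids are stored as char(36) values; refuse anything that could break out of
// the single-quoted SQL literal the id is interpolated into.
function assertSafeId(string $id): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,36}$/', $id)) {
        throw new InvalidArgumentException('unexpected id format');
    }
    return $id;
}

function buildGroupUsersWhere(string $userId, array $exceptions = USER_LIST_EXCEPTIONS): string
{
    $userId = assertSafeId($userId);

    // Default rule from the thread: users sharing at least one group with $userId.
    $where = " users.id in (
        select sec.user_id from securitygroups_users sec
        inner join securitygroups_users secu on sec.securitygroup_id = secu.securitygroup_id and secu.deleted = 0
            and secu.user_id = '$userId'
        where sec.deleted = 0
    )";

    if (!isset($exceptions[$userId])) {
        return $where;
    }

    // Exception: additionally list members of the mapped groups, without
    // making $userId a member of those groups.
    $groups = implode("','", array_map('assertSafeId', $exceptions[$userId]));
    return " ($where or users.id in (
        select sec.user_id from securitygroups_users sec
        where sec.deleted = 0 and sec.securitygroup_id in ('$groups')
    ))";
}

// Print the filter for the first constructed viewer id.
echo buildGroupUsersWhere('11111111-aaaa-4bbb-8ccc-000000000001'), PHP_EOL;
```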
      
  2. it12

    7 years ago

    Hello,

    Thank you for your help. I have tried to implement the code but to no avail, user is still inheriting all of the role rights of that group, this is of course assuming that user.id is equal to user added to 2nd group and group.id is equal to that 2nd group.

        function getGroupUsersWhere($user_id)
        {
            //exception that should see users from a specific group
            if($user_id == 'ID-OF-THE-USER')
            {
                return " users.id in (
                    select sec.user_id from securitygroups_users sec
                    where sec.deleted = 0 and sec.securitygroup_id = 'ID-OF-THE-SECURITY-GROUP'
                )";
            }

    So the future developments should have an option to use separate roles for different users that belong to same security group. That would allow them to see all users and their records, but to have different type of access to those records.

    Best Regards,

    Slaven.

    • eggsurplus Provider Affiliate

      7 years ago

      It won't work until you replace the ID-OF-THE-USER and the ID-OF-THE-SECURITY-GROUP values. It may be helpful to have a dev do this part for you.

      I don't see us adding this to SecuritySuite in the near future. Seems like a pretty specific need at this time.

    • it12

      7 years ago

      Hello,

      Thank you for your input. Of course I have replaced the values with id of user and security group from the database tables "securitygroup and securitygroup_users", it's just that the code is not working, roles from security group are still inherited.

      Let me just explain this briefly again. Let's say that user name is "Steve" and he belongs to the group "One", that group has some roles setup for accessing Accounts module. Now "Steve" is the only member of that group but he needs to see other users that are part of group "Two" and their records. He can't see them unless he is a member of that group. Now, when we add him, he will inherit role rights of group "One" and this will allow him to have rights that we don't want.

      This is the first problem; the second is what if more users from group "One" need to have that kind of access to group "Two".

      Looking forward to your reply.

      Best Regards,

      Slaven.

    • eggsurplus Provider Affiliate

      7 years ago

      Sorry for the extremely slow response here. I lost this over the holidays. There is an option under SecuritySuite Settings called Strict Rights where the group that is assigned to the record drives which role to use. So if you are assigning roles to the group then if only "Two" is assigned to a record then only the role associated to "Two" will be applied to "Steve".
