by eggsurplus

Control what your users can access and save time, money, and frustrations. Lock down sensitive data in SugarCRM or SuiteCRM to specific groups or teams. Supports unlimited assigned users, unlimited group assignments to records, custom layouts for each group, login/sudo capabilities and much more.

Free 30 day trial
Try it Now

By clicking you consent to be contacted by the developer

#427 - Private records

Open General Question created by wd 8 years ago

What is the best configuration to have each user have both:

  1. Regular records visible to all.
  2. Private records based on setting the account as private with all related records private.

We created: Role Private with owner only for access, Security Group Private and Assigned a user Assigned account and related entries to security group Private.

Others can still see the records.

  1. eggsurplus member avatar

    eggsurplus Provider Affiliate

    8 years ago

    SecuritySuite works on the opposite premise meaning that you would configure everything to the most restrictive level first then open it up as necessary. To make a record "Private" everyone would be part of a group that gives Group level access to records instead of All (e.g. a Global group). Then that group would be configured to always be assigned for all new records. When a record needs to be private then remove that Global group from the record.

    Another possibility is to take advantage of the Strict Rights option. With it you could have a "Private" group with a role assigned to it where everything is set to Owner. Everyone gets assigned to the "Private" group in addition to all other groups (or none). Make sure that Additive Rights is checked in the settings (it is by default) so that this isn't applied by default. Then assign the "Private" group to a record that should be made private. With the Strict Rights option it will apply the rights based ONLY on the group(s) assigned to the record. You may need to remove any other groups also assigned to the record.

    There may be other options. Sometimes special scenarios may require some special logic. For companies that have a unique business need it may require some workflows or custom logic hooks that detect when a value is set to something, such as being marked private. Then based on that value groups could be added or removed from the record and children records. There are workflow tools that can help in most cases such as Process Manager: https://www.sugaroutfitters.com/addons/process-manager-enterprise

    Hope this helps! -Jason

    • walkerdaniels member avatar

      wd

      8 years ago

      Your second option Strict Rights is the direction. I tried configuration above and everyone can still access record. Your thoughts? The next question if this works. The roles will need to allow for RIVA to update records to attach emails, which means that Role "private" will need edit and import set to all, not owner, for it to work via API.

    • eggsurplus member avatar

      eggsurplus Provider Affiliate

      8 years ago

      Can you verify what groups are assigned to the private account and what roles are assigned to any groups assigned and to the current user? It may only work if you have the current user assigned to both Global and Private. In theory, private would need to be on that group for the user to not be able to access it. I'd like to be able to replicate the scenario. Also, are you using 6.5.16?

      If RIVA uses a special user in SugarCRM then just have a RIVA role assigned to it to grant All access.

    • walkerdaniels member avatar

      wd

      8 years ago

      Yes 6.5.16 . Private Group ( with Private Role ) is assigned to the Account to be private. No other groups assigned. All users are part of private. All users are also part of a "Global" Sales Group that lets them see all accounts and has a account view with some read only fields. RIVA does not use a special user, it impersonates all users at the api. Above you mention in theory...private need to be on that group..does that mean make private group part of global?

    • eggsurplus member avatar

      eggsurplus Provider Affiliate

      8 years ago

      Did a test with this and got it to work for the most part. Here is how I set it up:

      • Create a Global group and assign a role to it with All access
      • Create a Private group and assign a role to it with Owner access
      • Add all users to both Global and Private
      • Set Strict Rights
      • For an account that should be private add the Private group and remove all other groups
      • Log in as the assigned user for that account to verify that the user has access
      • Log in as some other user and verify that the user cannot access it

      The one downside is that the non-assigned user can see it in the list view. The user cannot click a link to get to it, however. The list view visibility is a limitation of how SugarCRM works.

      I'm unsure on the RIVA part. If it impersonates the assigned user for a record then it should be just fine.

    • eggsurplus member avatar

      eggsurplus Provider Affiliate

      8 years ago

      Also, if you set up the Global group to be Group access to List View then the list problem goes away. In general, most folks set up default access to be Group level for most users. Only admin-types or C-levels would have All access.

This case is public. Please leave out any sensitive information such as URLs, passwords, etc.
Saving Comment Saving Comment...
Rating
Rating
  • "It works perfectly :) I had some problems when i started using it, but with some help from the team of Sugar Outfitters, everything is fine and workin..." - joaninhafonseca

    Read More Reviews