by eggsurplus

Control what your users can access and save time, money, and frustrations. Lock down sensitive data in SugarCRM or SuiteCRM to specific groups or teams. Supports unlimited assigned users, unlimited group assignments to records, custom layouts for each group, login/sudo capabilities and much more.

#489 - Different users having different roles in different groups

Closed General Question created by info15 Verified Purchase 10 years ago

I have tried looking through other posts but can't quite grasp how to set this up. I wondered if someone is able to help.

At the moment we have several security groups, each one with its own role. We assign contacts to a security group, so then users in that security group can only view and edit the contacts assigned that group.

But the question has been asked to now have different users with different roles for the groups, I am not sure how to set that up.

So... User1 can have full edit/view rights in Group1, but only view rights in Group2. User2 can have full edit/view rights in Group2, but only view rights in Group1. User3 can only have view/edit their own contacts in Group1 and Group2.

We actually have 8 groups, so it may be: User1 can have full edit/view rights in Group1, but only view rights in Group2. User2 can have full edit/view rights in Group3, but only view rights in Group4. User3 can only have view/edit their own contacts in Group5 and Group6. etc.

Is it just a question of assigning a user to multiple Roles, but then where is the link between only applying the roles to contacts in a security group? So would a user be assigned a "default" security group that the contacts are assigned to, then have extra roles assigned to the user? This is the bit that confuses me. We won't want to assign contacts to many different security groups, then the users to many different security groups which is the way I am understanding how it works. But have a contact assigned to one security group, but different roles assigned to that group, and different users assigned different roles. So we are not linking a user to a security group, but linking a user to a role, then the role to the group? I'm confused!

Hope I am making sense!

Thanks

  1. eggsurplus Provider Affiliate

    10 years ago

    This is what the "Strict Rights" option is exactly for. You want a user to have different rights to a record if it is assigned to a different group. The key is that the role then needs to be assigned to the group instead of the user. With Strict Rights enabled it will look at the groups associated to a record and apply the rights based on the groups that the user is also a member of. With Strict Rights turned off (default setting) it will just grant the greatest rights of all roles assigned to the user or user's groups regardless of what groups are assigned to a record.

    Hope that helps a bit more! -Jason

  2. info15 Verified Purchase

    10 years ago

    So I create several roles for the different permissions, then assign the roles to a security group.

    What I can't understand is if I assign a user to a security group, which role will be applied to the user, if I don't assign the role to the user. I don't want a user to be assigned a role with edit rights for example if all I want them to do is view.

    About this "it will look at the groups associated to a record" - so are you saying we DO need to assign a record to multiple security groups? I can see how then we can make the connection to the users in the correct security group. But I was hoping we did not need to assign every record to multiple groups. We would have lots of groups. We have 8 at the moment, by area, so one would be London. So users in the London group can only access contacts in the London Group. So we would need to setup London Edit, London List/View? So that's 16 groups. Then London contacts (or any record) are assigned to both London Edit and London List/View? Was hoping we would just have "London" group, but then assign roles to users who can access contacts in London group.

    Thanks for the speedy reply

  3. info15 Verified Purchase

    10 years ago

    Actually it may be more than two per area, so a Full access rights, Edit, View Only. So 3 groups per area group.

  4. eggsurplus Provider Affiliate

    10 years ago

    It sounds like you may be completely bastardizing the concept of teams where you can have 5+ users on a team all with different rights to records within that team while those users can also then be on different teams with a completely different set of rights. That last part "a completely different set of rights" will be impossible to manage and ensure that a user never has invalid access to a given record.

    In general, it is best to have everyone in a given team have the same level of access. This is best managed by applying a role to the security group itself. Then when you have exceptions that need to be made for a given user a role can be assigned directly to the user instead.

    Now if you have a user who is a member of 2 different groups and you need different levels of access for both groups then you would need to enable "Strict Rights". In that case, the user will have the rights applied based on the group assigned to the record.

    Not many security architectures out there in the application world can support the scenario that you originally described. It's just crazy hard to manage and ultra-expensive to develop and support.

    • info15 Verified Purchase

      10 years ago

      Thanks for this.. I certainly do not want to bastardise it I don't think... trying to understand the best way for the setup. Not sure if you misunderstand me but I think it's quite a standard setup.

      So we would have a Manager of the London Group with Full rights for all Contacts in London. An Admin person who can edit them only. Then all the other users just have View only rights.

      So I think this setup should be standard... we have then various other areas in addition to London with a similar setup. A Manager may be a Manager of several areas, or an Editor may be able to edit several areas.

      Maybe a Manager of London could View but not edit Contacts of another area.

      Does this make more sense, and does this still sound like it's a bastardisation? :)

      If it's possible with your first recommendation above, that's fine, I just wanted to confirm if that means we need to assign records to multiple security groups (e.g. we would have a Manager security group, editor group, and user group), so the record needs to be assigned to all the groups, so the users in the different groups have the different roles?

      Thanks

    • eggsurplus Provider Affiliate

      10 years ago

      The most common way that people use SecuritySuite is to implement a Manager/Agent hierarchy where a Manager can see any record in the group and the Agent can only see their own records. In that scenario you would create a group for each team, add the agents to the team and assign a role to the group with Owner only access (if agents can see any of the team records then change that to Group only access). Then assign the Manager to the group and assign a Group only role directly to the Manager.

      Now the Manager can see any records in the group, but the Agents can only see their own.

      If you want the Manager to have access to another group you could assign the Manager to any other group as needed. However, that Manager would have the Group rights to that other because of the role directly associated to the Manager.

      Yes, multiple security groups can and are used as a solution like you propose. It all depends on your situation and it sounds like that may do the trick.

      I hope that helps!

    • info15 Verified Purchase

      10 years ago

      "Then assign the Manager to the group and assign a Group only role directly to the Manager."

      So this is applying roles to the Manager direct... this makes sense now.

      "However, that Manager would have the Group rights to that other because of the role directly associated to the Manager."

      Ah right, now I get it.

      OK thanks a lot for this, I will carry on experimenting!

  5. eggsurplus Provider Affiliate

    7 years ago

    Closing this out, but feel free to follow up if you have any more questions.
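
A simplified model of the "Strict Rights" behaviour described in the replies above, added here as an example; it is not SecuritySuite's code and not part of the thread. Assumptions: rights are modelled as sets of actions, "greatest rights" as their union, and a user with no group in common with a record gets no access; the names follow the User1/Group1/Group2 scenario from the question.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str
    role: frozenset            # actions the role assigned to this group allows

@dataclass(frozen=True)
class User:
    name: str
    groups: tuple              # Group objects the user is a member of
    direct_role: frozenset = frozenset()   # role assigned to the user directly

def effective_rights(user, record_groups, strict_rights):
    """Actions `user` may perform on a record assigned to `record_groups`."""
    shared = [g for g in user.groups if g.name in record_groups]
    if not shared:
        return frozenset()     # model assumption: no common group, no access
    # Strict Rights on: only roles of groups on the record that the user is in.
    # Strict Rights off: every role reachable through any of the user's groups.
    considered = shared if strict_rights else user.groups
    rights = set(user.direct_role)
    for group in considered:
        rights |= group.role
    return frozenset(rights)

def overgrants(users, records):
    """(user, record, extra actions) where non-strict mode grants more than strict."""
    findings = []
    for user in users:
        for rec_name, rec_groups in records.items():
            extra = (effective_rights(user, rec_groups, False)
                     - effective_rights(user, rec_groups, True))
            if extra:
                findings.append((user.name, rec_name, sorted(extra)))
    return findings

# Constructed sample data following the question: User1 edits in Group1, views in Group2.
GROUP1 = Group("Group1", frozenset({"view", "edit"}))
GROUP2 = Group("Group2", frozenset({"view"}))
USER1 = User("User1", (GROUP1, GROUP2))
USER2 = User("User2", (GROUP2,))
RECORDS = {"contact_a": {"Group1"}, "contact_b": {"Group2"}}

if __name__ == "__main__":
    for name, groups in RECORDS.items():
        for strict in (False, True):
            print(name, "strict" if strict else "default",
                  sorted(effective_rights(USER1, groups, strict)))
    print(overgrants([USER1, USER2], RECORDS))
```

The `overgrants` report is the useful check before leaving Strict Rights off: every row is a record where a user's rights from one group carry over to a record that belongs to another.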
