by eggsurplus

Control what your users can access and save time, money, and frustrations. Lock down sensitive data in SugarCRM or SuiteCRM to specific groups or teams. Supports unlimited assigned users, unlimited group assignments to records, custom layouts for each group, login/sudo capabilities and much more.

Free 30 day trial
Try it Now

By clicking you consent to share your profile with the developer

#705 - Allow view access based on relationship?

Closed General Question created by evan 7 years ago

Hi, just getting my head around SecuritySuite and have a quick question.

All our Projects have a related Account, and we have remote users that are assigned to each Project (these users are all part of a group for remote users). We want each user to be able to view just the Account that is related to each of their Projects, but the actual Account should always be assigned to an internal user. The remote users should never be able to access other Accounts.

Hope this makes sense. Is there a way to achieve this?

SugarCRM CE 6.5.16 SecuritySuite (Full) 2.7.3

Cheers Evan

  1. eggsurplus member avatar

    eggsurplus Provider Affiliate

    7 years ago

    Hello Evan,

    There can definitely be a learning curve to setting up a 3-level access scenario (groups/teams, roles, users). To get a more general idea of how SecuritySuite works definite check out https://www.sugaroutfitters.com/docs/securitysuite/example-of-a-typical-setup first.

    Then for your scenario the key is add the remote users' groups to the appropriate Accounts. Don't forget to add the users to the remote security group as well. Then have the default setting of Inherit from Parent configured. Whenever a project is then created for that Account it will automatically assigned that group to the Project as well (assuming that the module uses the standard SugarCRM way of linking relationships between records).

    That group would also be assigned a Role that is configured to allow Group access to Projects and Accounts only (list, view, edit, etc). Tweak per your requirements. The next time the remove user logs in that person will only see Projects and Accounts that have their remote user group associated to them.

    So to summarize create a remote user group, add the users to it, assign the group to the appropriate accounts (and projects if they already exist), and create a role and assign it to the group with the appropriate permissions.

    Note that a user must re-login anytime roles are edited. Sugar caches rights upon login.

    In this scenario the internal user would still be the Assigned To user.

    -Jason

  2. evan member avatar

    evan

    7 years ago

    Hi Jason, thanks for the awesome reply. That all seems pretty straight forward - basically just assign the correct group to each Account and the Project will follow. I'll have a look through the documentation a few times as well.

    One quick follow up question - if we want each remote user to only have access to their own Projects & Accounts (instead of all remote users Projects & Accounts), we just have to create a separate group for each remote user?

    Cheers Evan

    • eggsurplus member avatar

      eggsurplus Provider Affiliate

      7 years ago

      Either that or make them the assigned to user and set their rights to Owner.

      -Jason

  3. eggsurplus member avatar

    eggsurplus Provider Affiliate

    7 years ago

    Closing this out. Feel free to follow up if you need any more assistance.

This case is public. Please leave out any sensitive information such as URLs, passwords, etc.
Saving Comment Saving Comment...
Rating
Rating
  • "Couldn't do without it. Highly recommended and I guarantee that you will not find another alternative."

    Read More Reviews