Example of a Typical Setup
A Typical Hierarchy Setup
Although SecuritySuite can handle any organizational structure, the most common scenario is one where the owner can see everything, managers can see both their own records and those of their team, and team members can see only their own records.
The Scenario
This company has 2 sales teams: East and West. The owner, Jill, should be able to see everything. The East Sales team is led by Will, and Sarah leads the West Sales team. Each of them should see everything in their own team only. The rest of the sales reps in each team should only be allowed to see their own records.
Set up the Groups
1) Create a group called East Sales
2) Add Will and the sales reps
3) Create a group called West Sales
4) Add Sarah and the sales reps
Set up the Roles
1) Create a role called Everything and set the rights to All.
Tips and Tricks: Click the header in any column on the role grid and you can set the rights for the whole column at one time.
2) Assign the Everything role directly to Jill's user account.
3) Create a role called Group Only and set the rights for everything to Group.
4) Assign the Group Only role directly to Will and Sarah.
5) Create a role called Owner Only and set the rights for everything to Owner.
6) Assign the Owner Only role to the East Sales and West Sales groups.
Assign the Groups
This instance already has some existing leads so we will assign them to the appropriate groups.
1) Go to the Leads list view and search for the leads that should belong to the East Sales group
2) Check the appropriate leads, in the Mass Assign panel choose East Sales, and click "Assign"
3) Repeat for the West Sales team
NOTE: Going forward, the groups will be automatically inherited by any calls, contacts, notes, etc. that get added, based on the SecuritySuite Settings that are configured. If the SugarCRM instance is already loaded with lots of data when you start with SecuritySuite, there may be some initial work to add those groups to the related records. You can use the Mass Assign functionality on the List View or insert rows directly into the securitygroups_records database table. See existing data in that table for how to format the data. The database route requires SQL knowledge.
Check the Settings
These settings determine how SecuritySuite functions. In the Group Inheritance Rules panel the defaults of "Inherit from Created By User", "Inherit from Assigned To User", and "Inherit from Parent Record" will work perfectly in this scenario.
Any lead that gets created will automatically have groups assigned to it based on who created it and who gets assigned to it. If a call is created for a lead then the call will inherit the groups from the lead record (parent record) along with inheriting the groups from the created by user and the assigned to user.
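The roles and inheritance rules above can be checked against a small model of this scenario. This is an added example, not SecuritySuite code: the reps "erin" and "wes" are constructed, and it assumes a role assigned directly to a user takes precedence over a role inherited from a group.

```python
from dataclasses import dataclass, field

# Effective right per user for the page's scenario. Assumption: a role assigned
# directly to a user takes precedence over a role inherited from a group.
# "erin" and "wes" are constructed sales reps.
RIGHTS = {"jill": "All", "will": "Group", "sarah": "Group",
          "erin": "Owner", "wes": "Owner"}
MEMBERS = {"East Sales": {"will", "erin"}, "West Sales": {"sarah", "wes"}}


@dataclass
class Record:
    name: str
    created_by: str
    assigned_to: str
    groups: set = field(default_factory=set)


def groups_of(user):
    """Security groups the user belongs to."""
    return {g for g, members in MEMBERS.items() if user in members}


def create(name, created_by, assigned_to, parent=None):
    """Create a record and apply the three default inheritance rules."""
    rec = Record(name, created_by, assigned_to)
    rec.groups |= groups_of(created_by)    # Inherit from Created By User
    rec.groups |= groups_of(assigned_to)   # Inherit from Assigned To User
    if parent is not None:
        rec.groups |= parent.groups        # Inherit from Parent Record
    return rec


def can_view(user, rec):
    """Apply the All / Group / Owner right to one record."""
    right = RIGHTS[user]
    if right == "All":
        return True
    if rec.assigned_to == user:            # Owner: the Assigned To user
        return True
    # Group: one of the user's groups is attached to the record
    return right == "Group" and bool(groups_of(user) & rec.groups)


def viewers(rec):
    """Every user in the scenario who can see the record, sorted by name."""
    return sorted(u for u in RIGHTS if can_view(u, rec))


if __name__ == "__main__":
    lead = create("East lead", created_by="erin", assigned_to="erin")
    call = create("Follow-up call", "wes", "wes", parent=lead)
    legacy = Record("Pre-existing lead", "jill", "erin")  # no groups yet
    for rec in (lead, call, legacy):
        print(rec.name, sorted(rec.groups), viewers(rec))
```

The call created by a West rep on an East lead ends up carrying both groups, so both team leads can see it, while the pre-existing lead stays hidden from Will until East Sales is attached to it.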
Another key setting is "Strict Rights". In the scenario above, the default settings cause the team leads' list view to show records that are assigned to their group without a link. In many cases you will want to uncheck "Strict Rights" so that you can assign groups in the manner described in this doc.
That's it!
The hardest part is always the initial setup. Once you have things configured and figured out, it will just run on its own. If you have some special workflows where you want to add certain groups based on some custom logic, it's pretty easy to do with logic hooks or with Process Manager, which is a great workflow tool for SugarCRM. Here's an example of adding groups automatically using Process Manager.
Have a more complicated structure? Apply the same principles here for each additional level of hierarchy that you may have. The key is to create a group at the lowest levels of the structure and then work your way back up.
10 years ago
Thank you very much Jason! This is very useful.
Please check these: In the "Set up the Roles", Will and Sarah need the "Group only" role, don't they? In the "Assign the Groups" paragraph check: "If the is already". (typo)
10 years ago
Good catch, Mayer! Copy/paste issues. Both are fixed now.
-Jason
10 years ago
With this module is it possible to hide all records having a particular field value set, from all users except one group? I want to automatically import a list of contacts from other systems which will contain dupes, and I want them to be hidden from all users until a data steward has reviewed them all and merged them with existing records where needed.
10 years ago
Although with the right configuration and processes in place this may certainly work, I'd instead recommend using something like DeDupit to handle the dupes: https://www.sugaroutfitters.com/addons/DeDupit
You can have a data steward review possible dupes for more loosely detected duplicates and you can also have it automatically merge dupes for more stringent rules. For example, if an email address matches.
10 years ago
I'm not sure if dedupit has the functionality I need. I had planned to have multiple rule-sets per dedupe run. E.g. first it tries an exact email match (maybe 20% of the records get matched). Next it might try an exact mobile phone AND 1st 3 characters of first name, then maybe another 10% of the records might get matched. And it would keep going through all the matching rules and re-trying the remaining records.
- substring match
- date in between or less/greater than another date(s).
Anyway... whether or not we use dedupit or our own external process, we still need a way to hide the records from normal users until they have been merged or declared unique.
10 years ago
You would be able to set up those different rules. I believe you can configure it to run for only new records, but not entirely sure.
For SecuritySuite, you would assign everyone Group access to view records so that they can only see records assigned directly to them or that have their group(s) associated to the record. The newly imported records would not have a group assigned to them. Once you have finished the data review then the appropriate groups would need to be assigned. You'll want to automate that last step as much as possible. It could be some custom code or by using a workflow tool that checks a "data reviewed" field on the module and when set it auto assigns the appropriate group(s).
Hope that helps.
10 years ago
Thanks that's useful info. Can I assign a contact record to multiple groups?
10 years ago
Yes, absolutely.
9 years ago
Can a person have more than one team? For example, the head of East Sales and West Sales can see both teams' activities.
9 years ago
Yes, a person can be a member of multiple teams.
9 years ago
Hi Jason, how can I allow a user to see every record assigned to a group, but staying invisible to a manager user?
I have:
- a manager user with "Group Only" role
- many users with "Owner" role
- 1 user that has to see everything as a manager, but needs to be invisible to the manager
How can I configure settings according to this scenario? Thanks in advance
9 years ago
That's pretty crazy. Typically this sort of person is one who can see everything in the system and just has rights to All for everything.
Another option is to use the "Not Inheritable" checkbox for that user who belongs to a given group. With that checked the invisible user can create records without that group being auto assigned to the record which makes the record invisible to the manager of that group. It won't make the user invisible, but it will make the records not accidentally show up. There are ways to alter utils.php to make the user not show up in dropdowns, etc, but it does require custom code.
-Jason
9 years ago
Thanks Jason for the quick reply,
The "Not Inheritable" checkbox will be perfect.
I will go further on changes on utils.php,... it's very interesting ...
9 years ago
Is there a way to let a specific user set a record they create as 'private' and only seen by them?
9 years ago
Yes, you would just have a record assigned directly to a user using the Assigned To field and remove any Security Groups assigned in the Security Groups subpanel. Then make sure rights for View/List/Edit are set to Group or Owner. Then only users who are assigned to that record will see it. Basically acting as private then.
8 years ago
Hi eggsurplus, I'm testing this module in trial version, looks great. I have an issue configuring it, maybe it is something easy. I followed the documentation. My issue is: I have one role with permissions for all in module Account in SuiteCRM, then I create a new user with this role and assigned to group from the admin of security suite, then when I log in with that user and I go to Sells->Account, the button for create new accounts is not showing up.
8 years ago
SecuritySuite adds a new Create right. Make sure to go to Admin->Repair and run a Repair Roles. Then for the user make sure any roles have the Create permission set appropriately for Accounts. The link should show if they have Create rights then. Hope this helps!
8 years ago
There's a typo on the second line "the owner can sell everything" should be "the owner can see everything". You can delete this comment.
8 years ago
Thanks as always! Fixed and I'll remove this comment.
8 years ago
This is an excellent article and it really helped me develop my configuration. I have a question, though: how exactly do we define "ownership"?
When you say "Create a role called Owner Only and set the rights for everything to Owner", this will be used in conjunction with the assignment of records to specific groups.
So if I understand correctly, "ownership" here would be defined like this: a user "owns" a CRM record (of any type) if-and-only-if that record is security-suite-assigned to a security-group to which a user belongs.
This is not to be confused with simple record-assignment (the "assigned to" field), or record creation (unless record creation causes security-group-assignment, in the cases where it is created with relation to a previous record, and so inherits the parent record's security groups).
8 years ago
Owner in the SuiteCRM sense means that the user is set as the Assigned To user for the record. In the database this would be the assigned_user_id column. It means the simple record assignment. Sorry for the confusion!
8 years ago
Okay, I see I'm still not grasping this correctly.
My confusion came from this: suppose I go to the Contacts list, and select a few contacts. Then I can do two things:
1. Choose Mass update, and from there I can "Assign to" some user; or...
2. Choose Mass Assign Security Groups, on the very bottom of the screen, and assign the records to a Security Group.
So, it seems there are two "assignment" concepts, only I wasn't interpreting them correctly.
Would you say the following interpretation is more correct?:
one Assignment is to assign records to users, which determines ownership, as you explained.
the other Assignment is to assign Security Groups to records, which has nothing to do with ownership
The actual right to access something will come from these things "matching", according also to what is defined in the applicable roles.
8 years ago
Mass Assign Security Groups is just a way to say "add this group to these records". It is not an "assignment" in the traditional sense. What you said here is correct. To clarify, Owner rights in a role doesn't change with SecuritySuite. It is based on the Assigned To field. Group rights is a new role level and is based on whether the user's group is attached to a record.
Hope this helps!
8 years ago
Thank you for your patience, I think this helped.
8 years ago
Hi,
Many thanks for this module and all the work you do for the community. I have a use case that I really don't know how to handle (and if it's possible with SecuritySuite). Let's keep the structure:
- owner can see everything,
- managers can see both their own records and those of their team,
- and team members can only see their own records
I want the team members to see their own records AND the unassigned records of their team. I use this for tickets, and I want to allow that the team member can pick an unassigned ticket. For the moment, I make a "hack" of listView and detailView, but I'm pretty sure there is a better way...
Thanks for your help and best regards
8 years ago
Your hack is actually the best way to handle this scenario. Because they can only see their own they wouldn't see unassigned records without some sort of modification like you have done. Nice job making that work!
8 years ago
Ok, many thanks for this super-fast answer!!! I thought my way was too "hacky" in order to be the right choice!
Other question, I use the same hack in order to manage the right of a custom action. Is there a better way more in the "philosophy" of SecuritySuite? Like add an action in acl_role_action database or something like that?
8 years ago
Sometimes if the hack does exactly what you need without any real harm then there is no better way to do it.
I like your idea of an acl_role_action. You have to weigh if it's worth it rather than just using an if/else custom strategy. Personally I wouldn't touch it if what you have is doing the job.
8 years ago
Ok thanks, I have just 6 months of sugarcrm coding and I'm always afraid that I code something that already exists!
8 years ago
When I go beyond the above example (Jill>Will and Sarah>Reps) to a 4 level (John>Jill>Will and Sarah>Reps), Will and Sarah are able to see each other's records.
From my understanding of the setup, I have created an "East Team" and "West Team". Then a "Jill Team" is created with everyone from East and West and Jill. And John has an everything role. But now that Will and Sarah are in the same group that encompasses all, their "Group" role/rights let them see each other's records.
Have I set this incorrectly?
8 years ago
Will would only be in the East Sales group and Sarah only in the West Sales group. Jill would be added to both East Sales and West Sales. Within the Users subpanel for both of those groups Jill would have "not inheritable" checked so that when Jill creates a record neither the East nor West records would be added to the new record. This helps ensure that members of East/West cannot see Jill's records.
Does this help?
8 years ago
To add even another level, Jill could also be in a new "District Sales" group that contains all district managers. All other district managers could be added to it, but they would also be in the groups that they specifically lead, but marked non inheritable.
8 years ago
Yes, thanks. Putting "Jill" into the 2 separate groups was what I was looking for.
Now when going to higher levels, I am still a little confused. When you say "district managers" are you referring to Will and Sarah? or Jill and other colleagues?
8 years ago
Yes. If possible, avoid having to create groups except at the bottom level of the hierarchy. However, if you really need to you can repeat the process up the chain.
7 years ago
Dear Support,
I want to setup security groups and roles in suitecrm 7.6.6.
Now the scenario is like this:
We have 5 roles:
1) Sales Manager (Head/Manager of specific office) -> They can see own record and sales agents working under him
2) Sales Agent (Employees working in specific office and under sales manager) -> Can see their own record (created + assigned)
3) Customer Service -> They can see records assigned to him by admin
4) Fulfillment -> They can see records assigned to them by customer service user
5) Admin (Can view everything)
Till here everything is working fine.
But the issue begins here,
If admin assigns a record created by any "Sales Agent" to any other user of customer service and then customer service users assign that record to fulfillment, then the original owner (Sales Agent) is not able to see the record.
I want to apply the functionality in which each sales agent would be able to see the record which was created by him. :(
Thank you very much in advance, Prafull Satasiya
7 years ago
This becomes hard as both SugarCRM and SuiteCRM do not distinguish rights between those who created and those who are assigned the record. To support that you would basically need to customize the isOwner function in /data/SugarBean.php to return true if the current user is the person who created the record.
Hope this helps!
7 years ago
This really helped me to find my solution and learn about users, roles and groups. Thank you.
7 years ago
Hi, this is a very helpful article. I have a question: how can I hide the Create button for the owner only role? Thanks.
7 years ago
For the Create column on that role set to None for that module.
7 years ago
Thanks for your answer, but I don't see the Create column on the role setting. I have Access, Delete, Edit, Export, Import, List, Mass Update and View columns, but not a Create column. Am I in the correct place? Thanks in advance.
7 years ago
If you are using the Enhanced version of SecuritySuite available here you can run a Repair Roles and the Create column will show.
7 years ago
I'm using SuiteCRM Version 7.9.1, and it has the Security Groups by default, so is it possible to do it, or is it necessary to upgrade? Thank you.
7 years ago
It's not possible with the default version included with SuiteCRM. You would need to purchase at least the Enhanced version here to get the Create rights option. Hope this helps!
6 years ago
Hello Supporter,
I have one query: how can the sales representatives who have the owner only role in the sales team see the records shared by others, like cooperating on one case or project? I have tried many options but all failed, and it seems the roles conflict. Thanks.
Regards, Cecilia
6 years ago
Hello,
If you must keep their rights at owner then they need to be assigned to the record. This would likely mean multiple assigned users since you probably don't want to remove the existing assigned person. You can do this with the SecuritySuite Enterprise plan via the multiple assigned users field. More info on that can be found here: https://www.sugaroutfitters.com/docs/securitysuite/multiple-assigned-users
Cheers, -Jason