by eggsurplus

Control what your users can access and save time, money, and frustrations. Lock down sensitive data in SugarCRM or SuiteCRM to specific groups or teams. Supports unlimited assigned users, unlimited group assignments to records, custom layouts for each group, login/sudo capabilities and much more.

Free 30 day trial
Try it Now

By clicking you consent to share your profile with the developer

#3982 - Providing Access to Pre-Existing Records

Closed General Question created by jeffc 5 years ago

Been using SecuritySuite for a couple years now and our company is now splitting into two branches. One branch is all the existing users, and the new second branch is new users. We want the users to only see the records for their branch. So we created a security group for each branch, and created roles. What happens though is as soon as we add an existing user of the original company to the role for Branch A, they can't see any of the records that were previously created before we were using SecuritySuite. I guess we need to migrate all the records into that Branch? If correct, is the only way to do that via writing a custom script that reads the ID field of all the records in the modules we are using and creates a record to relate those records to that branch in the securitygroups_records table?

Thanks

  1. jeffc member avatar

    jeffc

    5 years ago

    Sorry, meant to say, been using SuiteCRM for a couple years now, not SecuritySuite. We did not use any of the SecuritySuite features until now.

  2. eggsurplus member avatar

    eggsurplus Provider Affiliate

    5 years ago

    Is the existing user still assigned to the other SecurityGroup? If so, this would explain why they can see any records assigned to that old group. They would also be able to see any old records that they were assigned directly to. Conflicting roles could also be coming into play here. A user inherits roles both assigned directly to the user and to any groups that the user is a member of. The best way to see how all of those roles are ultimately rolling up is to go to the User record in SuiteCRM and then the Access tab. This may provide clues as to why a given user is able to see a given record.

    To your question about migrating records, the full SecuritySuite versions available here (https://www.sugaroutfitters.com/addons/securitysuite/pricing include the ability to mass assign/remove groups from records on the list views.

    For more in-depth, specific scenarios writing custom scripts may be the best solution.

    Let me know if you have any questions.

    • jeffc member avatar

      jeffc

      5 years ago

      The existing records would not be assigned to any security group as there were not groups defined when they were created (securitygroups_records table was empty.) So I guess I need to use the mass assign groups for all the records in all the modules to assign the existing records to the newly created group.

    • eggsurplus member avatar

      eggsurplus Provider Affiliate

      5 years ago

      Not sure that would help here then. It sounds like a roles issue. Make sure that the user's role is set to Group access only for list/view/etc. This will limit the user to seeing only records either assigned to the user's security group or to records that the user is directly assigned to.

    • jeffc member avatar

      jeffc

      5 years ago

      The setup is working fine for any newly created records now that we have the Security Groups and roles defined. Group A only sees records created by members in that Group and Group B only sees records created by users in Group B. Just to make sure I'm clear... the issue is once we put a user into Group A that was one of the original users creating records when we weren't using Security Groups, they can't see any of the old records because as intended we just want to Group A to see Group A's records. So I think need to use the mass assign to assign all the records old records that have no security group or user assigned to them to the new Group A so Group A can see all the old records but Group B cannot. Does that make sense? If not, maybe best to just give you login access and you can see for yourself?

    • eggsurplus member avatar

      eggsurplus Provider Affiliate

      5 years ago

      You got it exactly right. Old records need to have the group for them to see.

    • jeffc member avatar

      jeffc

      5 years ago

      I've currently got about 2,200 case records and each of those has about 10 tasks, 3 emails, 3 contacts, and 10 documents each. I don't see a way to see more than 20 records at a time. So I'm thinking my original plan to write a PHP script to create all the associated security group records is going to be way less cumbersome than trying to do it with the Mass Assign function in the CRM interface?

    • eggsurplus member avatar

      eggsurplus Provider Affiliate

      5 years ago

      SuiteCRM will let you do a "Select All" on the list view, but a script would be best. I suggest doing a straight SQL query for this. Much quicker to run and gives you ultimate control over your objectives.

      You can find a starting SQL script at the bottom of this document: https://www.sugaroutfitters.com/docs/securitysuite/developer-tips

  3. jeffc member avatar

    jeffc

    5 years ago

    The SQL may save me a little time, thanks. But none of the Accounts are assigned to Security Groups. I made the mistake of having a 1-to-1 relationship between accounts and cases. Each account has only one case. Going forward all the records for Group A are assigned to one account and all the records for Group B to another. The CRM is functioning as an internal case management system. Each customer only has one case so I figured out when I went to setup the Security Groups I just neede one account "bucket" for each group. I suppose I could first relate all the cases, contacts, etc to the new single account then that script would work "out of the box" and just change the module for each module I have records in. Thanks again!

    • eggsurplus member avatar

      eggsurplus Provider Affiliate

      5 years ago

      It's more of just a general guide. You will need to alter the select/joins for your needs. Just need to get the security group ID, record, and record type. Best to view the securitygroups_records table for one added in SuiteCRM to see how to mimic the inserts.

      I'm going to close this case out for now, but feel free to follow up here with any questions as you dig into it.

This case is public. Please leave out any sensitive information such as URLs, passwords, etc.
Saving Comment Saving Comment...
Rating
Rating
  • "Works only EN lang, If run upgrade SecSuite under RU lang - error..." - vstgod

    Read More Reviews