#3982 - Providing Access to Pre-Existing Records
Been using SecuritySuite for a couple years now and our company is now splitting into two branches. One branch is all the existing users, and the new second branch is new users. We want the users to only see the records for their branch. So we created a security group for each branch, and created roles. What happens though is as soon as we add an existing user of the original company to the role for Branch A, they can't see any of the records that were previously created before we were using SecuritySuite. I guess we need to migrate all the records into that Branch? If correct, is the only way to do that via writing a custom script that reads the ID field of all the records in the modules we are using and creates a record to relate those records to that branch in the securitygroups_records table?
Thanks
5 years ago
Sorry, meant to say, been using SuiteCRM for a couple years now, not SecuritySuite. We did not use any of the SecuritySuite features until now.
5 years ago
Is the existing user still assigned to the other SecurityGroup? If so, this would explain why they can see any records assigned to that old group. They would also be able to see any old records that they were assigned directly to. Conflicting roles could also be coming into play here. A user inherits roles both assigned directly to the user and to any groups that the user is a member of. The best way to see how all of those roles are ultimately rolling up is to go to the User record in SuiteCRM and then the Access tab. This may provide clues as to why a given user is able to see a given record.
To your question about migrating records, the full SecuritySuite versions available here (https://www.sugaroutfitters.com/addons/securitysuite/pricing include the ability to mass assign/remove groups from records on the list views.
For more in-depth, specific scenarios writing custom scripts may be the best solution.
Let me know if you have any questions.
5 years ago
The existing records would not be assigned to any security group as there were not groups defined when they were created (securitygroups_records table was empty.) So I guess I need to use the mass assign groups for all the records in all the modules to assign the existing records to the newly created group.
5 years ago
Not sure that would help here then. It sounds like a roles issue. Make sure that the user's role is set to Group access only for list/view/etc. This will limit the user to seeing only records either assigned to the user's security group or to records that the user is directly assigned to.
5 years ago
The setup is working fine for any newly created records now that we have the Security Groups and roles defined. Group A only sees records created by members in that Group and Group B only sees records created by users in Group B. Just to make sure I'm clear... the issue is once we put a user into Group A that was one of the original users creating records when we weren't using Security Groups, they can't see any of the old records because as intended we just want to Group A to see Group A's records. So I think need to use the mass assign to assign all the records old records that have no security group or user assigned to them to the new Group A so Group A can see all the old records but Group B cannot. Does that make sense? If not, maybe best to just give you login access and you can see for yourself?
5 years ago
You got it exactly right. Old records need to have the group for them to see.
5 years ago
I've currently got about 2,200 case records and each of those has about 10 tasks, 3 emails, 3 contacts, and 10 documents each. I don't see a way to see more than 20 records at a time. So I'm thinking my original plan to write a PHP script to create all the associated security group records is going to be way less cumbersome than trying to do it with the Mass Assign function in the CRM interface?
5 years ago
SuiteCRM will let you do a "Select All" on the list view, but a script would be best. I suggest doing a straight SQL query for this. Much quicker to run and gives you ultimate control over your objectives.
You can find a starting SQL script at the bottom of this document: https://www.sugaroutfitters.com/docs/securitysuite/developer-tips
5 years ago
The SQL may save me a little time, thanks. But none of the Accounts are assigned to Security Groups. I made the mistake of having a 1-to-1 relationship between accounts and cases. Each account has only one case. Going forward all the records for Group A are assigned to one account and all the records for Group B to another. The CRM is functioning as an internal case management system. Each customer only has one case so I figured out when I went to setup the Security Groups I just neede one account "bucket" for each group. I suppose I could first relate all the cases, contacts, etc to the new single account then that script would work "out of the box" and just change the module for each module I have records in. Thanks again!
5 years ago
It's more of just a general guide. You will need to alter the select/joins for your needs. Just need to get the security group ID, record, and record type. Best to view the securitygroups_records table for one added in SuiteCRM to see how to mimic the inserts.
I'm going to close this case out for now, but feel free to follow up here with any questions as you dig into it.