by eggsurplus

Control what your users can access and save time, money, and frustrations. Lock down sensitive data in SuiteCRM to specific groups or teams. Supports unlimited assigned users, unlimited group assignments to records, custom layouts for each group, login/sudo capabilities and much more.


#1632 - Create Security Groups and Roles

In Progress General Question created by jva_alteridea 2 years ago

Hi,

We are using SecuritySuite-Enhanced in our system and we have a requirement that I do not know how to achieve with the standard security group / roles tools.

We have a custom Projects module (related with another 2) with users as members of a project.
For each project there are 3 roles with different group level privileges for the involved modules.
The part that is special is that a member/user can be part of more than one project, and in each project they might have a different role.

The only solution I have found is to create a security group per project and duplicate the 3 roles also per project. This would require us to programmatically:
* create the security groups and the roles (in the case of the roles by duplicating 'seed' ones with the right configuration) each time a project is created (in the before_save hook).
* When a user is assigned to a project, link it to the appropriate role

My first question is if there is a better approach?
The second one is, if this is the only approach, what is the best way to implement it? Is there any documentation/example code I can use?

Thanks in advance

Kind regards
Juan

  1. eggsurplus (Provider Affiliate), 2 years ago

    Hi Juan,

    That approach could work. Another approach is to use the Strict Rights setting on the SecuritySuite Settings page. This then allows the rights that are specific to that project be the rights that the user gets.

    For example, say there is an Implementation Team group and a Sales Team group. User A is a member of both groups. The Sales Team group has a role assigned to it that gives it read-only rights. The Implementation Team group has a role that gives full edit rights.

    With Strict Rights, if you assign a Sales Team group to a project and the tasks then User A (who is a member of both groups) would only have access to the records based on the Sales Team's permissions. So User A would only have read only rights.

    Without Strict Rights turned on (the default approach with SecuritySuite) User A would have full edit rights because of User A's membership in the Implementation Team group, even though that group isn't assigned to the project/tasks.

    Hope this makes sense!

    By the way, there is some very light documentation on programmatically adding/removing groups on the fly with your proposed approach. You can find that at https://store.suitecrm.com/docs/securitysuite/developer-tips.

    Cheers,
    Jason
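
Added example, not part of the thread and not SecuritySuite's own code: a small Python model of the Strict Rights behaviour described in the reply above. The group and user names follow that reply; "Project X", "User B", the three access levels, and the rule that the most permissive role wins among the groups considered are assumptions of this model.

```python
from enum import IntEnum


class Access(IntEnum):
    """Assumed, simplified access levels (real roles are per-module, per-action)."""
    NONE = 0
    READ = 1
    EDIT = 2


# Constructed sample data mirroring the example in the reply.
GROUP_ROLE = {                       # role attached to each security group
    "Sales Team": Access.READ,
    "Implementation Team": Access.EDIT,
}
USER_GROUPS = {                      # group memberships per user
    "User A": {"Sales Team", "Implementation Team"},
    "User B": {"Implementation Team"},   # hypothetical second user
}
RECORD_GROUPS = {                    # groups assigned to each record
    "Project X": {"Sales Team"},         # hypothetical record name
}


def effective_access(user, record, strict_rights):
    """Return the group-level access a user gets on a record in this model."""
    member_of = USER_GROUPS.get(user, set())
    shared = member_of & RECORD_GROUPS.get(record, set())
    if not shared:
        # Assumption: group-level rights require sharing a group with the record.
        return Access.NONE
    # Strict Rights: only roles of groups that are on the record AND that the
    # user belongs to are considered. Otherwise every group the user belongs
    # to contributes its role, whether or not it is assigned to the record.
    considered = shared if strict_rights else member_of
    return max(GROUP_ROLE.get(g, Access.NONE) for g in considered)


if __name__ == "__main__":
    for strict in (True, False):
        level = effective_access("User A", "Project X", strict)
        print(f"strict_rights={strict}: User A on Project X -> {level.name}")
```
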

  2. jva_alteridea, 2 years ago

    Hi Jason,

    I have been trying to implement the Strict Rights approach you suggested, since it seems to fit our needs, but I cannot make it work.

    I have defined the following setup in a fresh SuiteCRM installation:

    Project_1
        - Security_Group_Project_1_edit:
            - Role Superuser (all rights for the module)
            - User_A

    Project_2
        - Security_Group_Project_2_read:
            - Role Read (list and view rights at group level)
            - User_A

    With this setup 'User_A' has the right permissions when accessing Project_2, but the permissions for Project_A are wrong, access is totally blocked.

    Any suggestion on how to make this approach work?

    Thanks in advance.

    Cheers,
    Juan

    Setup:
    - SuiteCRM 7.10.12
    - SuiteCRM_7.10.12_SecuritySuite_v3.1.12
    - PHP 7.2.10
    - macOS 10.13.6

    • eggsurplus (Provider Affiliate), 2 years ago

      User_A is in Security_Group_Project_1_edit, Superuser is assigned to Security_Group_Project_1_edit, and Security_Group_Project_1_edit is assigned to Project_1?

      I am sure you have triple checked, but could you confirm again if that is the setup, please? Could you post a screenshot of the SecuritySuite Settings page and the Superuser role grid?

      If I understand correctly, the project module you are using is a custom module. How was this linked up with SecurityGroups? Was the Hookup Tool used or Studio? If Studio, that relationship will need to be removed and then the Hookup Tool used.

  3. jva_alteridea, 2 years ago

    Hi Jason,
    Yes, that is the setup.
    Regarding the module, for the time being I am testing with the standard Accounts Module (in a fresh SuiteCRM installation), to confirm that the setup works (I will use it later in several custom modules)

    I have attached the screenshots of the setup.

    Cheers,
    Juan

  4. jva_alteridea, 2 years ago

    Sorry, the images:
    security_group_superuser.png
    securitygroups_configuration.png
    SuiteCRM_superuser_grid.png

    • eggsurplus (Provider Affiliate), 2 years ago

      Is that superuser group assigned directly to the account? If so, would it be possible to send over temporary credentials for me to check out your setup to solutions@eggsurplus.com?

    • jva_alteridea, 2 years ago

      Hi Jason,
      Yes, the superuser group is assigned directly to the account.

      I am creating a copy of the setup in AWS so you can access it; will send the login information as soon as it is ready.

      Thanks,
      Juan
