Control what your users can access and save time, money, and frustrations. Lock down sensitive data in SuiteCRM to specific groups or teams. Supports unlimited assigned users, unlimited group assignments to records, custom layouts for each group, login/sudo capabilities and much more.
#1632 - Create Security Groups and Roles
Hi,
We are using SecuritySuite-Enhanced in our system and we have a requirement that I do not know how to achieve with the standard security group / roles tools.
We have a custom Projects module (related with another 2) with users as members of a project. For each project there are 3 roles with different group level privileges for the involved modules. The part that is special is that a member/user can be part of more than one project and in each project they might have a different role.
The only solution I have found is to create a security group per project and duplicate the 3 roles also per project. This would require us to programmatically:
* create the security groups and the roles (in the case of the roles by duplicating 'seed' ones with the right configuration) each time a project is created (in the before_save hook).
* When a user is assigned to a project, link it to the appropriate role
My first question is if there is a better approach? The second one is, if this is the only approach, how is the best way to implement it? Is there any documentation/example code I can use?
Thanks in advance
Kind regards Juan
6 years ago
Hi Juan,
That approach could work. Another approach is to use the Strict Rights setting on the SecuritySuite Settings page. This then allows the rights that are specific to that project be the rights that the user gets.
For example, say there is an Implementation Team group and a Sales Team group. User A is a member of both groups. The Sales Team group has a role assigned to it that gives it read only rights. The Implementation Team group has a role that gives full edit rights.
With Strict Rights, if you assign a Sales Team group to a project and the tasks then User A (who is a member of both groups) would only have access to the records based on the Sales Team's permissions. So User A would only have read only rights.
Without Strict Rights turned on (the default approach with SecuritySuite) User A would have full edit rights because of User A's membership in the Implementation Team group, even though that group isn't assigned to the project/tasks.
Hope this makes sense!
By the way, there is some very light documentation on programmatically adding/removing groups on the fly with your proposed approach. You can find that at https://store.suitecrm.com/docs/securitysuite/developer-tips.
Cheers, Jason
5 years ago
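A simplified model of the two modes described in the reply above, as an added example (it is not SecuritySuite code and not from either poster). It assumes a role reduces to one of none/read/edit and that a user needs at least one group in common with a record; the `P1`/`P2` group and record names are constructed.

```python
from enum import IntEnum


class Right(IntEnum):
    NONE = 0
    READ = 1
    EDIT = 2


def effective_right(user_groups, record_groups, group_role, strict):
    """Right a user gets on one record in this model.

    strict=True models Strict Rights: only groups that are both on the
    record and contain the user contribute their role.
    strict=False models the default: every group the user is in contributes.
    """
    shared = user_groups & record_groups
    if not shared:
        return Right.NONE  # model assumption: no shared group, no access
    considered = shared if strict else user_groups
    return max(group_role.get(g, Right.NONE) for g in considered)


def over_granted(user_groups, records, group_role):
    """Records where the default mode gives more than Strict Rights would."""
    return sorted(
        name for name, groups in records.items()
        if effective_right(user_groups, groups, group_role, False)
        > effective_right(user_groups, groups, group_role, True)
    )


# Constructed data: the two teams from the reply plus one group per project
# and role, as in the original question.
GROUP_ROLE = {
    "Sales Team": Right.READ,
    "Implementation Team": Right.EDIT,
    "P1 editors": Right.EDIT,
    "P2 readers": Right.READ,
}
USER_A = {"Sales Team", "Implementation Team", "P1 editors", "P2 readers"}
RECORDS = {
    "sales project": {"Sales Team"},
    "P1": {"P1 editors"},
    "P2": {"P2 readers"},
}

if __name__ == "__main__":
    for name, groups in RECORDS.items():
        for strict in (False, True):
            right = effective_right(USER_A, groups, GROUP_ROLE, strict)
            print(f"{name:14} strict={strict!s:5} -> {right.name}")
    print("over-granted by default:", over_granted(USER_A, RECORDS, GROUP_ROLE))
```

In this model, `over_granted` lists the records where a user's strongest role from an unrelated group carries over, which is the difference a least-privilege review of a multi-project setup would look for.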
Hi Jason,
I have been trying to implement the Strict Rights approach you suggested, since it seems to fit our needs, but I cannot make it work.
I have defined the following setup in a fresh SuiteCRM installation:
With this setup 'User_A' has the right permissions when accessing Project_2, but the permissions for Project_A are wrong, access is totally blocked.
Any suggestion on how to make this approach work?
Thanks in advance.
Cheers, Juan
Setup:
- SuiteCRM 7.10.12
- SuiteCRM_7.10.12_SecuritySuite_v3.1.12
- PHP 7.2.10
- macOS 10.13.6
5 years ago
User_A is in Security_Group_Project_1_edit, Superuser is assigned to Security_Group_Project_1_edit, and Security_Group_Project_1_edit is assigned to Project_1?
I am sure you have triple checked, but could you confirm again if that is the setup, please? Could you post a screenshot of the SecuritySuite Settings page and the Superuser role grid?
If I understand correctly, the project module you are using is a custom module. How was this linked up with SecurityGroups? Was the Hookup Tool used or Studio? If Studio, that relationship will need to be removed and then the Hookup Tool used.
5 years ago
Hi Jason, Yes, that is the setup. Regarding the module, for the time being I am testing with the standard Accounts Module (in a fresh SuiteCRM installation), to confirm that the setup works (I will use it later in several custom modules).
I have attached the screenshots of the setup.
Cheers, Juan
5 years ago
Sorry, the images:
5 years ago
Is that superuser group assigned directly to the account? If so, would it be possible to send over temporary credentials for me to check out your setup to solutions@eggsurplus.com?
5 years ago
Hi Jason, Yes, the superuser group is assigned directly to the account.
I am creating a copy of the setup in AWS so you can access it; will send the login information as soon as it is ready.
Thanks, Juan