5

SuiteCRM 7.5.1 - In Reference to using Users, Roles, and the Security Groups within SuiteCRM specifically.

So, I have a specific setup and I've looked through and read lots of documentation and tried my best to wrap my head around how SuiteCRM does this.

How would one correctly implement the following scenario?

Let's say I have a tree like so:

[image: tree diagram]

We'll number these rows for the sake of understanding: 1, 2, 3 and 4. Then we have Administrators who are employees to throw into the mix.

Administrators can work with almost all records except working with workflows, mess with code, or mess with a few custom modules, outside of that, they have very few restrictions and don't obey any of the rules of the downline.

Then we follow the downline:

Person 1's can see all Person 2's, 3's, and 4's that are specifically within their downline and within their Territory. They cannot see any other Person 1's period. They cannot see any 2's, 3's, and 4's that aren't within their downline or their Territory. They also cannot see Administrators or anything assigned to them.

Person 2's can see all Person 3's and 4's within their specific Downline and Territory. They cannot see any Person 1's or 2's period. They cannot see any Person 3's or 4's outside of their Territory or Downline. They also cannot see Administrators or anything assigned to them.

Person 3's can see all 4's within their specific Downline and Territory. They cannot see any Person 1's, 2's, or other 3's period. They cannot see any Person 4's outside of their Territory or Downline. They also cannot see Administrators or anything assigned to them.

Person 4's can see only records assigned to them.

In this example there is only 4 deep. In the real world, there is actually 12 deep plus administrators plus me, the Super Admin.

How can I go about resolving this?

Josh Whitlow

1 Answer

7

I wrote SecuritySuite and what you need is fairly typical. There can be a large learning curve for figuring this out so I wrote up an example setup for a 3 deep hierarchy here to try to help with that a bit: https://www.sugaroutfitters.com/docs/securitysuite/example-of-a-typical-setup.

Your example is a 4 deep hierarchy, but it's fairly similar. The key is to create groups for the lowest level. In your case, this would be at the person 4 level. So person 4a, 4b, 4c would all be in Group A. A role with Owner only rights would be assigned directly to Group A so that 4a/4b/4c could only access their own records.

Person 3a would be in Group A, but a "Manager" role would be created with Group access and assigned directly to person 3a. Person 3a's Group A membership would be marked as non-inheritable so that when person 3a creates a record Group A wouldn't be assigned to it directly. Person 3a would also be in Group AA along with person 3b/3c/3d (according to the picture above).

Person 2b (2nd person in the 2nd tier of the image above) would be in Group A and Group AA, both marked as non-inheritable. Person 2b would have the "Manager" role assigned directly.

Person 1 would have a role assigned directly with "All" access as this person can see everyone.

Star
egg
  • So I must be doing something wrong: Created Group A, assigned users Ken and Andrea both to the group, Ken has a role with Group permissions assigned to him, Group A has a role assigned to it with Owner permissions. Ken and Andrea are both the 'Assigned To' of their own records in a custom module that I related to Security Groups. I then assigned both Ken and Andrea's records to Group A. Ken is also a member of Group AA. When I log in as Ken, I cannot see Andrea's record which I need to be able to see. I also believe I have the right [settings](http://imgur.com/P0QmNL5) – Josh Whitlow Aug 03 '16 at 14:08
  • After further investigation, I realize this may be due to the custom module. If I add records to the default Opportunities module and have one sale for Andrea and one for Ken, then I can properly see their associated records depending on who I log in as. So... how do I configure this for custom modules? – Josh Whitlow Aug 03 '16 at 14:29
  • There is a Hookup Tool under Admin->SecuritySuite where you can add Security Groups support to any existing custom modules. Run that for your custom module and then going forward it should work correctly. – egg Aug 03 '16 at 17:28
  • How to mark a person's group membership as non-inheritable? Also, we have nearly 7 level hierarchy. Is this possible to obtain this 7 level hierarchy of teams? How to create n number of hierarchy in SuiteCRM? I am using SuiteCRM 7.7.9. – Mano Gunasekaran Mar 20 '17 at 16:01
  • In a group go to the Users subpanel and click edit for any given user. You can set non-inheritable on this screen. For N hierarchy the key is to create your groups at the base level and work your way back up by adding the appropriate people to the groups and assigning the appropriate roles to both groups and users. – egg Mar 20 '17 at 19:56
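
The group and role layout from the answer, as an added example (not part of the original thread and not SecuritySuite's own code): a simplified Python model of Owner/Group/All access and non-inheritable membership. It assumes a role assigned directly to a user overrides roles that come from groups, and that person 3a's Group AA membership is inheritable; user 3x and Group B are constructed to show an out-of-downline manager.

```python
from dataclasses import dataclass, field

OWNER, GROUP, ALL = "owner", "group", "all"   # access levels, most to least restrictive
GROUP_ROLES = {"Group A": OWNER}              # role assigned to the group itself

@dataclass
class User:
    name: str
    role: str = ""                              # role assigned directly to the user
    groups: dict = field(default_factory=dict)  # group name -> non-inheritable flag

@dataclass
class Record:
    assigned_to: str
    groups: set

def effective_access(user):
    # Model assumption: a directly assigned role wins over group roles.
    if user.role:
        return user.role
    roles = [GROUP_ROLES[g] for g in user.groups if g in GROUP_ROLES]
    return GROUP if roles and OWNER not in roles else OWNER

def create_record(user):
    # Only inheritable memberships are stamped onto records the user creates.
    inherited = {g for g, non_inheritable in user.groups.items() if not non_inheritable}
    return Record(assigned_to=user.name, groups=inherited)

def can_view(user, record):
    access = effective_access(user)
    if access == ALL or record.assigned_to == user.name:
        return True
    return access == GROUP and bool(record.groups & set(user.groups))

# Layout from the answer (3x / Group B are constructed for contrast).
p4a = User("4a", groups={"Group A": False})
p4b = User("4b", groups={"Group A": False})
p3a = User("3a", role=GROUP, groups={"Group A": True, "Group AA": False})
p2b = User("2b", role=GROUP, groups={"Group A": True, "Group AA": True})
p1 = User("1", role=ALL)
p3x = User("3x", role=GROUP, groups={"Group B": True})

rec_4a, rec_3a, rec_2b = create_record(p4a), create_record(p3a), create_record(p2b)

if __name__ == "__main__":
    for viewer in (p4a, p4b, p3a, p2b, p1, p3x):
        seen = [r.assigned_to for r in (rec_4a, rec_3a, rec_2b) if can_view(viewer, r)]
        print(f"{viewer.name:>3} sees records of: {seen}")
```

In this model, person 3a's record carries only Group AA, which is why a person 4 in Group A never gains a group path to it even if their role were later widened.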