Have SuiteCRM remove the existing security group from record

Good Morning All,

   I desperately need to find a way to have SuiteCRM remove the old security group from a record when a new person from another group is assigned. Currently, when a new person is assigned, the new security group is added to the record but the old group remains there as well. If anyone could give me an idea, or example on how to get SuiteCRM to remove the old group when a record is reassigned I would be forever grateful haha. Thanks in advance for any information!

Best Regards,


Are you a developer?

“Adding a security group” is in reality “creating a relationship to a security group record”.

So you can have a logic hook triggering when the relationship is saving, and inside that logic hook you can clear the others.

There might be a simpler solution. Have you checked the Security Suite settings to see if it’s possible to set some preference like “single security group allowed”?

I am, but brand knew to this CRM and Language. If this cannot be done easily, do you know of anyway to make the record read-only based on a selection? If I could do this, this would eliminate the need to alter the inheritance logic for security groups. Essentially, I am trying to build lead/opportunity approval functionality. I need a way for the sales agent to submit the record for approval (e.g. a drop-down that says “Submit for approval”, while it’s in this stage, I need the record to be read-only for that entire security group. Once it has been approved, a member of a different security group would change the drop-down status to approved, which would then allow the sales agent to alter it again. This is the last piece of the puzzle as far as switching to SuiteCRM and our biggest road-block. Thanks in advance for any information.

Have you considered the Assignment mechanism? It’s one of the most powerful in SuiteCRM if you use it right.

So you would assign the records to whoever needs to work on them next. They would show up in their Dashlets (“My leads” etc means “leads assigned to me”) and be easy to filter for in List views.

They would be automatically notified of assignments.

And then you can have security roles based on “owner” which also means “person to whom record is assigned”.

I did think about that, however, the issue is if it is set to owner then that user is unable to see leads/opps/etc from any other user as they can only see records they are assigned to. The sales agents need to be able to see the entire list of leads/opps/etc within their group. My biggest issue is that their old CRM had the ability for the sales agent to submit a record for approval. Essentially all it did was make that record read-only to everyone in the sales agent group while the sales manager group approved it, once approved it would then be editable by the sales agents again (in some instances, in others it would be read-only indefinitely) This is the main cause of my headache at this point haha.

Ok, let’s go back to the idea of creating a logic hook to manage security group de-assignments when you assign to another security group-

You can read the Developer guide here


Focus on Beans and Logic Hooks, although it would do good to read all of it, it’s not that big.

Try to get a logic hook working, one of these:


And here’s an example of adding a security group programatically:

$securityTeam = new SecurityGroup();
$securityTeam->retrieve_by_string_fields(array('name' => 'Sales' ));
if ( $securityTeam->id == null)
	$GLOBALS['log']->fatal("Group with the name Sales wasn't found!");

Thank you for information. I am going through the developer guide now. However, the ever changing requirements for this build now require the file to be accessible by the sales agent while in approval status. Is this something that can be done with a hook? e.g.

Sales agent in security group A sets status to Pending Approval
Record becomes read-only for security group A, but not Security group B
User in security group B reviews record, sets status to Approved
Record becomes writable for security group A again

I know in NetSuite this was a simple thing to do, but in SuiteCRM it seems that making anything read only (aside from altering for the entire group) requires custom code.

3-tier security like SuiteCRM has is the most expressive you can get. You can do practically anything with this. The downside might be the apparent complexity for some simple tasks.

Note that to add a security group when the Status change, you don’t need code, you can do it with a Workflow (I just tried it and it worked). But unfortunately it doesn’t seem that Workflows are able to remove relationships (it could get complex, knowing which of multiple relationships to remove).

Is there a simple way to set a record as read-only based on a field value? or will this require heavy modification of the module itself. Essentially, I just need a way to make the following happen:

Sales agent in security group A sets status to Pending Approval
Record becomes read-only for security group A, but not Security group B
User in security group B reviews record, sets status to Approved
Record becomes writable for security group A again

I’m not sure if you’ve read my post, you seem to be just repeating what you said before…

But: there is no other mechanism apart from Security Settings, you need to do this with Roles, Groups, etc.

These might be code customizations but they are quite simple ones.

I would write a logic hook that runs whenever a new security group is being added to a Lead record, and clears any preexisting associations with other groups. This way you could then build your mechanism entirely through the Workflows that add relationships, while the hook would be silently clearing up the left-overs behind the scenes.

1 Like