Hi community,
I’m having trouble configuring the Security Suite (Groups) module in my SuiteCRM setup. After conducting numerous tests, I have been unable to get the access restrictions to behave as expected, so I’m reaching out in the hope that someone can assist me.
Challenge we’re trying to solve:
We want a user to be able to edit an Opportunity when it is assigned to them. However, if the user declines the opportunity, they should only be able to view it in read-only mode.
To achieve this, we implemented the following:
- Created two groups, one with edit rights and one with read-only rights
- Created two users, one assigned to each group
- Created a third “worker” user who belongs to both groups
- Enabled Strict Rights, disabled Additive Rights
Problem:
When the Opportunity is assigned to the user with edit rights, the worker user (who belongs to both groups) can only view the record, not edit it — even though the group with edit rights is assigned to the Opportunity.
Configuration Description (steps to reproduce):
- We used the Opportunities module for testing.
- Groups created:
  - Gpo-Edición
  - Gpo-Lectura
- **Roles created:**
  - Rol-Edición:
    - Access: Enabled
    - Delete: None
    - Edit: Group
    - Export: None
    - Import: None
    - List: Group
    - Mass Update: None
    - View: Group
  - Rol-Lectura:
    - Access: Enabled
    - Delete: None
    - Edit: None
    - Export: None
    - Import: None
    - List: Group
    - Mass Update: None
    - View: Group
- Roles assigned to groups:
  - Gpo-Edición → Rol-Edición
  - Gpo-Lectura → Rol-Lectura
- Users created:
  - usuario-grupo-edición
  - usuario-grupo-lectura
  - usuario-trabajo
- Group assignments:
  - usuario-grupo-edición → Gpo-Edición
  - usuario-grupo-lectura → Gpo-Lectura
  - usuario-trabajo → both groups: Gpo-Edición and Gpo-Lectura
- Admin > Security Suite Settings:
  - Additive Rights: Disabled
  - Strict Rights: Enabled
  - User Role Precedence: Disabled
  - Inherit from Created By User: Enabled
  - Inherit from Assigned To User: Enabled
  - Inherit from Parent Record: Enabled
- Test case:
  - A previously created Opportunity is assigned to usuario-grupo-edición
  - Only the group Gpo-Edición is assigned to the record
Unexpected result:
The user usuario-trabajo, who belongs to both groups (edit and read-only), can only view the Opportunity, but cannot edit it — even though the group with edit rights is assigned to the record.
Has anyone experienced a similar behavior?
Are we misunderstanding how group permissions are evaluated when a user belongs to multiple groups, especially with Strict Rights enabled?
Any suggestions or examples of a working configuration for this use case would be highly appreciated.
Thanks in advance!
Environment Details:
- OS: Debian 12
- Web Server: Apache 2.4.62
- PHP: 8.2.28
- Database: MariaDb 10.11.11
- SuiteCRM: Version 7.14.6
- Installation type: Virtual Private Server (not shared hosting)
- Access: I have full admin rights and SSH access
- Status: This is not a fresh install; the system has been running for several months for configuration
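A diagnostic query for the test case above, added here as an example; it is not from the original post or from SuiteCRM itself. It assumes the SuiteCRM 7.x SecuritySuite tables (securitygroups_users, securitygroups_records, securitygroups_acl_roles, acl_roles_actions, acl_actions) on MariaDB and lists, for one user and one Opportunity, which of the user's groups are also attached to the record and which role access each group's roles grant, so the group intersection that "Group"-level rights depend on can be checked directly in the database rather than by clicking through the UI.

```sql
-- Added diagnostic query (not from the post or from SuiteCRM). Table and
-- column names are assumed from the SuiteCRM 7.x SecuritySuite schema.
-- Placeholders: the test user's login and the id of the Opportunity under test.
SET @user_name := 'usuario-trabajo';
SET @record_id := '<opportunity-id>';   -- constructed placeholder, replace it
SET @module    := 'Opportunities';

-- One row per (group the user belongs to) x (ACL action of that group's roles).
-- on_record = 1 means the group is also attached to the Opportunity, i.e. it is
-- part of the user/record group intersection; 0 means the user is in the group
-- but the record is not. role_access is the numeric ACL_ALLOW_* level that
-- Admin > Role Management shows as All / Group / Owner / None.
SELECT sg.name                    AS group_name,
       sgu.primary_group          AS is_primary,
       sgr.record_id IS NOT NULL  AS on_record,
       r.name                     AS role_name,
       a.name                     AS action_name,
       ra.access_override         AS role_access
FROM users u
JOIN securitygroups_users sgu     ON sgu.user_id = u.id
                                 AND sgu.deleted = 0
JOIN securitygroups sg            ON sg.id = sgu.securitygroup_id
                                 AND sg.deleted = 0
LEFT JOIN securitygroups_records sgr
                                  ON sgr.securitygroup_id = sg.id
                                 AND sgr.record_id = @record_id
                                 AND sgr.module = @module
                                 AND sgr.deleted = 0
JOIN securitygroups_acl_roles sar ON sar.securitygroup_id = sg.id
                                 AND sar.deleted = 0
JOIN acl_roles r                  ON r.id = sar.role_id
                                 AND r.deleted = 0
JOIN acl_roles_actions ra         ON ra.role_id = r.id
                                 AND ra.deleted = 0
JOIN acl_actions a                ON a.id = ra.action_id
                                 AND a.category = @module
                                 AND a.name IN ('access', 'list', 'view', 'edit')
                                 AND a.deleted = 0
WHERE u.user_name = @user_name
  AND u.deleted = 0
ORDER BY on_record DESC, sg.name, a.name;
```

For the configuration described in the post, the expected output is a Gpo-Edición row set with on_record = 1 and an edit action at Group level, and a Gpo-Lectura row set with on_record = 0; if Gpo-Lectura unexpectedly shows on_record = 1 (for example because one of the Inherit settings attached it to the record), that explains why the read-only role wins.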