Issue Configuring Security Suite (Groups) – Strict Rights - Access Control Not Working as Expected

Hi community,

I’m having trouble configuring the Security Suite (Groups) module in my SuiteCRM setup. After conducting numerous tests, I have been unable to get the access restrictions to behave as expected, so I’m reaching out in the hope that someone can assist me.


Challenge we’re trying to solve:

We want a user to be able to edit an Opportunity when it is assigned to them. However, if the user declines the opportunity, they should only be able to view it in read-only mode.

To achieve this, we implemented the following:

  • Created two groups, one with edit rights and one with read-only rights
  • Created two users, one assigned to each group
  • Created a third “worker” user who belongs to both groups
  • Enabled Strict Rights, disabled Additive Rights

Problem:
When the Opportunity is assigned to the user with edit rights, the worker user (who belongs to both groups) can only view the record, not edit it — even though the group with edit rights is assigned to the Opportunity.


Configuration Description (steps to reproduce):

  1. We used the Opportunities module for testing.
  2. Groups created:
     • Gpo-Edición
     • Gpo-Lectura
  3. Roles created:
     Rol-Edición:
     • Access: Enabled
     • Delete: None
     • Edit: Group
     • Export: None
     • Import: None
     • List: Group
     • Mass Update: None
     • View: Group
     Rol-Lectura:
     • Access: Enabled
     • Delete: None
     • Edit: None
     • Export: None
     • Import: None
     • List: Group
     • Mass Update: None
     • View: Group
  4. Roles assigned to groups:
     • Gpo-Edición → Rol-Edición
     • Gpo-Lectura → Rol-Lectura
  5. Users created:
     • usuario-grupo-edición
     • usuario-grupo-lectura
     • usuario-trabajo
  6. Group assignments:
     • usuario-grupo-edición → Gpo-Edición
     • usuario-grupo-lectura → Gpo-Lectura
     • usuario-trabajo → Both groups: Gpo-Edición and Gpo-Lectura
  7. Admin > Security Suite Settings:
     • Additive Rights: Disabled
     • Strict Rights: Enabled
     • User Role Precedence: Disabled
     • Inherit from Created By User: Enabled
     • Inherit from Assigned To User: Enabled
     • Inherit from Parent Record: Enabled
  8. Test case:
     • A previously created Opportunity is assigned to usuario-grupo-edición
     • Only the group Gpo-Edición is assigned to the record

Unexpected result:
The user usuario-trabajo, who belongs to both groups (edit and read-only), can only view the Opportunity, but cannot edit it — even though the group with edit rights is assigned to the record.


Has anyone experienced a similar behavior?
Are we misunderstanding how group permissions are evaluated when a user belongs to multiple groups, especially with Strict Rights enabled?

Any suggestions or examples of a working configuration for this use case would be highly appreciated.
Thanks in advance!

Environment Details:

  • OS: Debian 12
  • Web Server: Apache 2.4.62
  • PHP: 8.2.28
  • Database: MariaDb 10.11.11
  • SuiteCRM: Version 7.14.6
  • Installation type: Virtual Private Server (not shared hosting)
  • Access: I have full admin rights and SSH access
  • Status: This is not a fresh install; the system has been running for several months for configuration
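A diagnostic query for the scenario above, added here as an example (it is not part of the original post and not SuiteCRM project code): for one user and one Opportunity it lists every security group attached to the record, whether the user is a member of that group, and the Opportunities access level each of the group's roles grants. Table and column names assume the standard SuiteCRM 7 SecuritySuite/ACL schema (securitygroups, securitygroups_users, securitygroups_records, securitygroups_acl_roles, acl_roles, acl_roles_actions, acl_actions); the two IDs are placeholders to replace with values from the users and opportunities tables.

```sql
-- Diagnostic for SecuritySuite (Groups) access on a single Opportunity.
-- Assumes the standard SuiteCRM 7 SecuritySuite/ACL tables (assumption, see lead-in).
-- Replace the two placeholders with the real users.id and opportunities.id values.
SET @user_id   = '<USER-ID-PLACEHOLDER>';
SET @record_id = '<OPPORTUNITY-ID-PLACEHOLDER>';

SELECT
    sg.name AS group_name,
    -- is the user a (non-deleted) member of this group?
    CASE WHEN sgu.id IS NULL THEN 'no' ELSE 'yes' END AS user_is_member,
    r.name AS role_name,
    act.action_name,
    -- access level: 90 = All, 80 = Group, 75 = Owner, 89 = Enabled, -99 = None
    act.access_level
FROM securitygroups_records sgr
JOIN securitygroups sg
      ON sg.id = sgr.securitygroup_id
     AND sg.deleted = 0
LEFT JOIN securitygroups_users sgu
      ON sgu.securitygroup_id = sg.id
     AND sgu.user_id = @user_id
     AND sgu.deleted = 0
LEFT JOIN securitygroups_acl_roles sgar
      ON sgar.securitygroup_id = sg.id
     AND sgar.deleted = 0
LEFT JOIN acl_roles r
      ON r.id = sgar.role_id
     AND r.deleted = 0
-- per-role Opportunities actions; a role-level override wins over the action default
LEFT JOIN (
    SELECT ra.role_id,
           a.name AS action_name,
           COALESCE(ra.access_override, a.aclaccess) AS access_level
    FROM acl_roles_actions ra
    JOIN acl_actions a
          ON a.id = ra.action_id
         AND a.deleted = 0
    WHERE a.category = 'Opportunities'
      AND a.name IN ('access', 'list', 'view', 'edit')
      AND ra.deleted = 0
) act ON act.role_id = r.id
WHERE sgr.record_id = @record_id
  AND sgr.module = 'Opportunities'
  AND sgr.deleted = 0
ORDER BY sg.name, r.name, act.action_name;
```

A group row with user_is_member = 'no', or an edit row whose access_level is not 80 (Group) or higher, points at a membership or role-assignment gap rather than at the Strict/Additive settings themselves.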