This has to be the hardest part of the software. I believe I addressed this before and was pointed to some SugarCRM documentation which doesn’t work well with SuiteCRM because the screens aren’t the same. Every video and example I look at explains how to set up groups and roles, including this one, but in the end fails to explain what you should see when you log in as these different people, which would greatly help piece together how the security layer works. There is documentation that says that if you report to someone then that person can see their records and the person that reports to them. I have not seen that or how it works. It is all very confusing!!!

This would be a very basic setup to me. We will use a state, broken into 4 regions, each region broken into 4 teams, then ending at the individual.

A State manager should see all the records for everyone in the state.
Each regional manager should see all records for everyone in their region.
Each Team manager should see all records for everyone in their team.
And each individual should see their own records.

I have no clue how to set this up and make it work. Does anyone have any instructions with testing examples I could use?


3-tiered security can be a lot to get your head around at first. There can definitely be a learning curve.

Have you tried to mimic what that typical setup page illustrates? It should give you a great starting point.

Basically your structure is State > Region > Team. So you would create your groups for every team that you have. For example, “State X - Region A - Team 1”. Then add your team members, manager, regional manager, and state manager to that team. Create a role with Owner access only and assign it to that new group. Create a Manager role with Group access and assign it directly to the team manager, regional manager, and state manager. This overrides the team role.

Now assign the group to all records in the system that Team 1 should have access to. This is a one-time setup. Going forward groups will automatically be inherited based on your configuration/settings under SecuritySuite Settings. There are a few options to choose from.

Lastly, if you don’t want managers to see each other’s records it would probably be best to edit the relationship for a Regional and State manager in a certain group and check the “Not Inheritable” checkbox. This ensures that if they create a record, other States/Regions don’t get assigned to it, thus making it visible to the wrong team managers.

Remember, groups determine which records a user has access to. Roles determine what the user can do with them (including not being able to see them).
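What each login should see under the setup described in the reply above, as a simplified Python model added here (not SuiteCRM or SecuritySuite code, and not part of the original posts). The user, group and record names are constructed, the org is cut down to two regions of two teams, and only the Owner and Group access levels named in the thread are modelled.

```python
from dataclasses import dataclass, field

OWNER, GROUP = "owner", "group"  # the two access levels named in the thread
TEAM_GROUP_ROLE = OWNER          # role attached to every team group

@dataclass
class User:
    name: str
    groups: set
    direct_role: str = ""        # role assigned directly to the user, if any

@dataclass
class Record:
    name: str
    assigned_to: str
    groups: set = field(default_factory=set)

def effective_access(user):
    # Per the thread, a directly assigned role overrides the group's role.
    return user.direct_role or TEAM_GROUP_ROLE

def can_view(user, record):
    if record.assigned_to == user.name:
        return True                       # the assigned user sees their own record
    if effective_access(user) == GROUP:
        return bool(user.groups & record.groups)  # shares a group with the record
    return False

def visible(user, records):
    return sorted(r.name for r in records if can_view(user, r))

# Constructed org: one state, regions A and B, two teams each.
TEAMS = ["A-1", "A-2", "B-1", "B-2"]
USERS = {"state_mgr": User("state_mgr", set(TEAMS), GROUP),
         "region_a_mgr": User("region_a_mgr", {"A-1", "A-2"}, GROUP),
         "team_a1_mgr": User("team_a1_mgr", {"A-1"}, GROUP)}
RECORDS = []
for team in TEAMS:
    rep = f"rep_{team}"
    USERS[rep] = User(rep, {team})        # reps only get the group's Owner role
    RECORDS.append(Record(f"acct_{team}", rep, {team}))
# A record that never had a group assigned or inherited.
RECORDS.append(Record("acct_nogroup", "rep_A-1"))

if __name__ == "__main__":
    for name, user in USERS.items():
        print(f"{name:13} sees {visible(user, RECORDS)}")
```

In this model the record with no group is visible only to its assigned user, so the managers' view depends on every record carrying its team's group.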


Very good on the explanation. It is now making sense. Yes, I did the typical setup but went through the motions and at the end it didn’t say what you could expect when you log in as the user. The thing about understanding is knowing what the end result should look like, not just how to get there.

Anyway it is beginning to come together now. Thanks for taking the time to type an extended reply.

Great! Glad to help.

Usually folks come in knowing exactly what to expect at the end, which is why there isn’t much more detail in that respect. For example, they want managers to see all records in a team and team members to see only their own records.

Thanks for this, I have an issue I cannot solve anyway…

First a question: when you say “Now assign the group to all records in the system that Team1 should have access to”, you mean “assign the USERS to the Team1, the people who are part of the Team to team 1” and next “assign the Accounts to the person in charge of it - as the person has been assigned to the Team1 that account will only be seen from the Team1 roles”. Am I right?

Problem: I have an account XYZ. I have been playing a bit with this record and now I see this record in 2 places

1- logged in as a Manager of Team1, as the acct XYZ is assigned to a Salesperson ABC in Team1, the Manager of Team1 sees it - also the account shows assigned to Salesperson ABC

2- logged in as Manager of ANOTHER TEAM (not related to Team 1, different team, different Groups, etc) I still see account XYZ listed, cannot edit, and also the account shows NOT assigned to any user…

I suspect something left corrupted somewhere so point 2 occurs… if this has happened before to anyone I appreciate any hint…

If you need more details let me know

Thanks in advance


I am trying to do this but it doesn’t work,

I created a group and the Director, Manager and Sales agent are part of it…
I created a role with owner attributes and assigned it to the group.
I created a role with group attributes and assigned it directly to the Manager and Director.

After that… the Sales agent created an Account and an Opportunity

The problem is that the Manager and the Director can’t see the account and opportunity!

What can I do?