Security Groups Guidance

Hi all,

I hope there are some security group gurus here, as I’m struggling to find a solution that works for our company. I’m not even sure a solution exists for this but here goes!

The short version

How can I set it so that user1, user2 and user3 can only view/edit their own records and the records of user4, but not each other’s records, in a way that is automated (i.e. users don’t have to specify security groups for records but simply assign it to user4 to assign it to correctly).

The long version

  • A bit of background first…
    • user1, user2 and user3 are current employees in the sales team.
      • They manage their own territories usually and are assigned directly to an “Owner” role which gives them permissions to view records assigned to them only. They cannot see anyone else’s records.
    • exUser4 is an ex-employee who recently left the company
      • Territory for this user is now going to be overseen by user1, user2 and user3 until someone else is employed.
      • We want to leave the records assigned to exUser4, so we can re-assign them to the new employee.
      • Users will never share a record assigned to exUser4, they are explicitly handed a section of exUser4’s territory.
  • What we want to achieve
    • For selected users to see/edit their own records and those of exUser4.
    • For example
      • User1 should be able to view/edit exUser4 records
      • User1 should be able to view/edit their own records
      • User1 should not be able to see user2 or user3 records
  • Security Suite Management Config
    • I’ve tried most combinations it feels like, but there are the current settings;
      • Additive rights – enabled
      • Strict rights – enabled
      • Inherit from Created by user/assigned to user – disabled
      • User role precedence – disabled
      • Use creator group select – enabled
      • Inherit from parent record – enabled
      • Default groups for new records set to None for all modules
  • What I’ve tried
    • I created a security group for the territory (North West)
    • This security group has a role called “Group” assigned to it – anyone in that security group can view/edit records assigned to that group, even if not directly assigned to them.
    • This security group has exUser4, user1, user2 and user3 assigned to it.
  • Problems
    • User1, user2 and user3 can see exUser4 records but also each other’s records.
    • I tried creating a “Private” security group with the “Owner” role and assigning users own records to that group but sometimes when converting a lead for example, it’s not possible to specify a security group at that point and it doesn’t work correctly. They can also list everyone else’s records (although can’t go in to view/edit them), which is the opposite of what the role allows.
    • I’ve quick repair/rebuild after most attempts.
  • Queries
    • With “Use creator group select” set to disabled, what happens to records when a user is a member of two security groups? Does the record get assigned to both? Or the primary? And if no primary group is set?
    • Is it possible for users to mass update records to different security groups? On my instance, only an admin has that feature to do that from the list view.

The only two options I can see to try now are…

  • Assign exUser4’s records to user1, user2 and user3 respectively and then delete all mention of exUser4.
    • Then when newEmployee1 joins, user1, user2 and user3 will have to re-assign their records accordingly. To make matters worse, we have exUser2 with the same issue.
  • Create 3 security groups for North West, one for each user1, user2 and user3.
  • Unknown option three, that will only be revealed when someone on this forum points it out to me!

I’m using SuiteCRM v7.11.10 for the record.

Any help appreciated.

Hi @simong_1984,

Ok so say you have your role as Sales Team set up like this

Assign this to everyone whos in the Sales Team

Now the easiest way to do what you’d want is each user has there own security group which is only related to them

Now when you want to add a record from another user to there view, you go to that record and relate that security group. which gives them a view like this, all of there records that are assigned to them, plus the one we need them to see but it’s still assigned to the old user

Let me know if this helps at all :+1:

1 Like

Thanks for such a prompt and well explained reply. That is a huge help and has changed the way I’ve viewed security groups; I was looking at it from a completely different angle. I’ll test it out and let you know how it goes.

I’m also quite explicit with my roles and don’t leave anything set as “Not set”. I assume “Not set” would basically mean they have unfettered access to import/export/mass update etc?

Ye defo change those about, purely just for example there only changing the fields needed. Not set allows for easy inheritance and leaves it as unchanged from current etc. For example, say you have 3 groups that were picked up in 3 through 1;
####### | Delete. .| Edit . . . . | View. . . | MassUpdate|
Group 1 - | Not Set | Group . .| Group. .| Yes
Group 2 - | Yes . . . . .| Not Set | Not Set | No
Group 3 - | Not Set | Not Set | Owner. .| Not Set
You end results would be;
####### | Delete. .| Edit . . . . | View. . . | MassUpdate|
Results - .| Yes . . . . . | Group. . | Owner. | No

1 Like