Hi all,
I hope there are some security group gurus here, as I’m struggling to find a solution that works for our company. I’m not even sure a solution exists for this but here goes!
The short version
How can I set it so that user1, user2 and user3 can only view/edit their own records and the records of user4, but not each other’s records, in a way that is automated (i.e. users don’t have to specify security groups for records but simply assign it to user4 to assign it correctly)?
The long version
A bit of background first…
- user1, user2 and user3 are current employees in the sales team.
- They manage their own territories usually and are assigned directly to an “Owner” role which gives them permissions to view records assigned to them only. They cannot see anyone else’s records.
- exUser4 is an ex-employee who recently left the company
- Territory for this user is now going to be overseen by user1, user2 and user3 until someone else is employed.
- We want to leave the records assigned to exUser4, so we can re-assign them to the new employee.
- Users will never share a record assigned to exUser4, they are explicitly handed a section of exUser4’s territory.
What we want to achieve
- For selected users to see/edit their own records and those of exUser4.
- For example
- User1 should be able to view/edit exUser4 records
- User1 should be able to view/edit their own records
- User1 should not be able to see user2 or user3 records
Security Suite Management Config
- I’ve tried most combinations, it feels like, but these are the current settings:
- Additive rights – enabled
- Strict rights – enabled
- Inherit from Created by user/assigned to user – disabled
- User role precedence – disabled
- Use creator group select – enabled
- Inherit from parent record – enabled
- Default groups for new records set to None for all modules
What I’ve tried
- I created a security group for the territory (North West)
- This security group has a role called “Group” assigned to it – anyone in that security group can view/edit records assigned to that group, even if not directly assigned to them.
- This security group has exUser4, user1, user2 and user3 assigned to it.
Problems
- User1, user2 and user3 can see exUser4 records but also each other’s records.
- I tried creating a “Private” security group with the “Owner” role and assigning users’ own records to that group, but sometimes, when converting a lead for example, it’s not possible to specify a security group at that point and it doesn’t work correctly. They can also list everyone else’s records (although can’t go in to view/edit them), which is the opposite of what the role allows.
- I’ve run quick repair/rebuild after most attempts.
Queries
- With “Use creator group select” set to disabled, what happens to records when a user is a member of two security groups? Does the record get assigned to both? Or the primary? And if no primary group is set?
- Is it possible for users to mass update records to different security groups? On my instance, only an admin has that feature to do that from the list view.
The only two options I can see to try now are…
- Assign exUser4’s records to user1, user2 and user3 respectively and then delete all mention of exUser4.
- Then when newEmployee1 joins, user1, user2 and user3 will have to re-assign their records accordingly. To make matters worse, we have exUser2 with the same issue.
- Create 3 security groups for North West, one for each user1, user2 and user3.
- Unknown option three, that will only be revealed when someone on this forum points it out to me!
I’m using SuiteCRM v7.11.10 for the record.
Any help appreciated.