Setting permissions for users without roles...?

So I’m still having fun working through security and permissions on the 7.11.22 installation I inherited.

It’s been set up with permissions managed at the default screen level, with additional controls at the field level (using a plugin).

It seems to me, though, that the security model is topsy-turvy: if a user is not in any role groups, there seems to be access to the full system, both for the SuiteCRM-managed permission and the field-level ones managed by the plugin.

Is this the standard behaviour of SuiteCRM, or something in our configuration? I couldn’t find anything in the docs or anything obvious in the admin control panel.

This seems like a bit of a problem, as it’s all too easy to accidentally forget to assign a user a role when setting up a new user – surely the default should be no access without a role…?

Have you seen Admin / Security Suite Settings?

There are some options there to tweak the way permissions are calculated. But I’m not sure any of them addresses your issue.

I am not entirely surprised at what you describe, that SuiteCRM is not really a system where the default is “no access”. I guess it’s for historical reasons, and that approach seems obvious today, but maybe was not so obvious 20 years ago.

To mitigate, you can create a workflow that assigns a user a role upon creation.
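Since the thread's worry is that a user created without a role silently gets full access, the obvious complement to the role-on-creation workflow is a periodic check that lists active users with no role assignment. The script below is an added example, not code from this thread or from SuiteCRM itself. It assumes the stock SuiteCRM 7 table layout (`users` with `status`, `is_admin`, `deleted`; `acl_roles_users` linking `user_id` to `role_id` with its own `deleted` flag); the rows are constructed sample data, and it runs against an in-memory SQLite copy of those two tables so it works offline. The `QUERY` itself is plain SQL that can be run as-is against the real MySQL database.

```python
import sqlite3

# Constructed mirror of the two SuiteCRM 7 tables the check needs.
# Assumption: column names as in a stock SuiteCRM 7.x MySQL install.
SCHEMA = """
CREATE TABLE users (
    id        TEXT PRIMARY KEY,
    user_name TEXT,
    status    TEXT,      -- 'Active' or 'Inactive'
    is_admin  INTEGER,   -- admins bypass ACL roles regardless of assignment
    deleted   INTEGER    -- SuiteCRM soft-deletes rows instead of removing them
);
CREATE TABLE acl_roles_users (
    id      TEXT PRIMARY KEY,
    role_id TEXT,
    user_id TEXT,
    deleted INTEGER      -- a removed role assignment is also a soft delete
);
"""

# Constructed sample users: one admin, two with a role link (one link
# soft-deleted), one inactive, one soft-deleted, one simply forgotten.
SAMPLE_USERS = [
    ("u-admin", "admin", "Active",   1, 0),
    ("u-alice", "alice", "Active",   0, 0),
    ("u-bob",   "bob",   "Active",   0, 0),
    ("u-carol", "carol", "Inactive", 0, 0),
    ("u-dave",  "dave",  "Active",   0, 1),
    ("u-erin",  "erin",  "Active",   0, 0),
]
SAMPLE_ROLE_LINKS = [
    ("l1", "role-sales", "u-alice", 0),
    ("l2", "role-sales", "u-bob",   1),  # deleted link: bob effectively has no role
]

# Active, non-deleted, non-admin users with no live row in acl_roles_users.
# The join condition must include aru.deleted = 0, otherwise a user whose
# only role assignment was removed would wrongly look covered.
QUERY = """
SELECT u.user_name
FROM users AS u
LEFT JOIN acl_roles_users AS aru
       ON aru.user_id = u.id AND aru.deleted = 0
WHERE u.deleted = 0
  AND u.status = 'Active'
  AND u.is_admin = 0
  AND aru.id IS NULL
ORDER BY u.user_name
"""


def build_sample_db():
    """Create the in-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO acl_roles_users VALUES (?, ?, ?, ?)", SAMPLE_ROLE_LINKS)
    return conn


def users_without_roles(conn):
    """Return the user names that would get unrestricted access by default."""
    return [row[0] for row in conn.execute(QUERY)]


if __name__ == "__main__":
    db = build_sample_db()
    for name in users_without_roles(db):
        print(f"no role assigned: {name}")
```

On a live install you would point the same `QUERY` at the MySQL database (or schedule it as a report) and treat any result as a new-user setup that slipped through; `is_admin` users are excluded because SuiteCRM grants them everything whether or not a role is attached.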