User Privileges by Office Location?

We’re using Suite to manage cases (with associated tasks, emails, documents, invoices, etc.).

We’re expanding to multiple locations. Management wants to be able to see all cases for all locations but have employees at each location only see the CRM case records (and associated records) that are associated with that location.

It seems we could use the Account as the Office Location and then would need to customize the user module to allow for specifying one or more accounts the user has permissions for then modify all the modules we use to check the associated account and if the user doesn’t have permissions for that account don’t show the record to them.

Is there an add-on that does this? It seems a multi-office environment like this would be a pretty common scenario. I suppose the other solution would be to have each office have their own CRM instance and then just create custom reporting for management. But the problem is there are “super users” that may need to view/edit records from different offices, and having them log in and log out of each office’s CRM instance would not be the right solution.


You can accomplish this using the built-in security groups:

  • You would assign the employees of each office to a separate group
  • You would then associate the respective group to each case using the subpanel “Security Groups”

You may have to first generally restrict the access to the cases in admin / Role Management.

You can tweak the settings with admin / Security Suite Settings.

But what about when a new case is created? Will the case and the parent account that is created automatically be assigned to the security group that the user belongs to?

What about if the user is a “Super User” that needs to see all cases. Can they be assigned to multiple security groups? What security group is the case and parent account assigned to when the super user creates a case?

I am not so sure the security groups function has all the capabilities necessary to produce the desired functionality?

Hi, please take a look at the Admin / Security Suite Settings

  • You can set up the group inheritance and default groups for new records.
  • An Administrator can see all cases regardless of assigned Security Group
  • You can also explicitly create a Role for a non administrative user that has access to all cases, or associate multiple groups to a user
  • You can set it up to pop up a selection of security groups when a user associated with multiple groups adds a new case/account, see “Security Suite Settings”
  • An administrator can also use mass update to (dis)associate multiple cases or accounts with security groups.

So I got around to testing this and didn’t get it to work. This is what I did:

Create Security Group Test1 and assign regular user “User1” to that group

Create Security Group Test2 and assign regular user “User2” to that group

Did not change any of the default group settings as far as inheritance and such.

Logged out of admin, logged in as User1, created a case.

Logged out of User1, logged in as User2 and I can see the case that User1 created.

What did I forget to do in the security group settings?

Hi Jcrist,

  • Please go to admin / Role management
  • Create a new group
  • In the role matrix you’ll see once you’ve saved the group, set the “delete”, “edit”, “export”, “list”, “view” actions for Cases to “Group” and save
  • Go to security groups, and for each group Test1, Test2 in the subpanel “Roles” select the role you just created

Thanks for the help. I have another question.

So I set up two roles, techs and client managers, and assigned users to them. The techs serve all clients so they get to see all records. The account managers should only see the records for their clients (there are only two clients) BUT managers can access more modules than techs.

When I go into the Security Groups, you can configure associated users and roles. I thought that since users were in the tech role, they would be part of the security group if I added that role. But apparently that’s not how it works. So what happens if the user is assigned to a role and to a security group, and in that security group the user and role are also assigned there? I can’t see why you would have a user that is assigned to a security group but not assigned to a role?

So is this the correct way to set it up? Set up two roles, elevated (most modules) and regular. Assign the techs to the regular role and the managers to the elevated role.

In security groups, assign the techs to both client groups and the managers to only their client’s group. Don’t assign any roles to the security groups as I need the roles to be tied to the users not the groups.

Managers have more role privileges than techs. (So I assume I need two roles, and managers are assigned to both of them).

Techs are in all security groups and