[Security Suite] teams and rights management

[david.b]

Hello,

I am discovering SugarCRM and testing the Community Edition 5.2.0e with the Security Suite module.

Here is my problem:

I have created one team called "project x" with 3 members: 1 manager and 2 sales representatives working on that project.

Each sales person should have access to his own records only (contacts for example) whether or not these records are assigned to the "project x" team. Meanwhile, the project manager should have access to his own records and the records assigned to the team (he should not be able to see or modify the other team member's private records).

Regarding the sales persons, I created a role that allows them to list and view their own records only (option set to "owner") and it seems to work fine. For example, salesman 1 has only access to his own records. He cannot access to the records of the 2 other members of the team.

My issue is with the manager. I created another role that allows him to list and view all team records (option set to "group"). But he can access all records from the 2 salesmen, even those that are not assigned to the team which is not what I expected.

What option should I turn on or off so that the manager could only access the records assigned to the team?


Thanks a lot for your help.

Regards,
David B.

[eggsurplus]

Hello David,

It's hard to tell what the cause is but it will work the way that you think it should if everything is configured correctly. Can you post some screen shots of your role configuration for the manager? A screen shot of a record that the manager shouldn't see along with the SecurityGroups subpanel would also be beneficial along with another of any roles assigned to the manager or the group directly, if that makes sense.

Thanks,
Jason

[david.b]

Hi Jason,

to give you a proper answer, I have made my project team from scratch this morning, reassigning contacts and roles to users and users to team.

This time, the manager can only list and view his own records (whether assigned to the team or not). I don't know what I have done differently today...

As you asked, here are some screen shots:

First, this is the "manager" role. Then, you have the "project x" group settings and finally the Security Groups Management settings.

Let me know if you need more information or screen shots.

Thanks,
david

[eggsurplus]

Thanks David,

So far it looks good. Are the actual records (like contacts) associated to the "Project X" group? If so, the manager should see the contacts then even if directly assigned to other users unless his overall rights give him Owner only rights to contacts. This might be the case here because I see "Additive Rights" not checked. To verify this, simply go to manager's user record and view the role grid. Does the rights list Group or Owner there? What other roles are assigned to the manager or the manager's other groups?

If this still doesn't clear it up I'd be happy to dig around a bit if you are able to give access.

-Jason

[david.b]

I checked the Additive Rights box but it did not change anything so I unchecked it. I think I could expect this behavior since the manager has only one role for now and he is member of this group only. By the way, no role is assigned directly to the group.

Below you can see the rights grid for the manager (with Group rights) and the other members (with Owner rights).

I have also attached the contact list of one regular member (IC01). As you can see, IC01 has 5 contacts assigned to that group but the manager still can't see them (yesterday, he could see all of them...).

[eggsurplus]

For Mr. John Employee A1 if you open the detail view and scroll down to the SecurityGroups subpanel do you see Project X list there?

[david.b]

No. None of the contacts shows Project X in the SecurityGroups subpanel.

I am surprised that even the contacts assigned to the Project X (at least on the list view) have no SecurityGroup assigned in their detailled view. Where's the trick?

[david.b]

I have just added manually the Project X SecurityGroup to one of the contacts. Now the manager can see it.

But I still don't get why the list view shows "assigned to Project X" when there is no sign of that group in the detailled view. Maybe I miss the point here?

[eggsurplus]

To be honest, I'm not sure what that field in the list view is. This module doesn't have a field in the list view since it is a many-to-many relationship. The groups need to be associated to the record in the subpanel. My guess is that you're using another different Teams module along with SecuritySuite.

[david.b]

I installed another team management module (CE Teams) before SecuritySuite but it has been disabled and even deleted from the Module Loader.

As I did not pay attention, I cannot say if this "Assigned to team" column in the list view appeared when I loaded the CE Teams module. Anyway, if it was the case, it should be gone since I deleted that module...

If this column has indeed no relation with the SecuritySuite module, I should definitely get rid of it. I'll try to.