Simple and Secure: Using SugarCRM Roles to Secure Information
Recently a customer asked us to enforce a typical privacy / security rule in SugarCRM. The request was to make sure that SugarCRM users would experience the following simplified scenario:
1) Sales reps could search for and find any account in the database but only edit their own accounts
2) Sales reps should not be able to read meeting notes entered by other users but they should be able to see that the notes exist
3) Sales reps should not be able to see any detail about opportunities managed by other users
The simplest way to handle this scenario was to create a new Role in SugarCRM. Roles are accessed by SugarCRM administrators in the Administration section of SugarCRM.
We added a new role and named it Sales Representative Role
When you edit this role we see that we have a number of access options for the various modules defined in Sugar. You can edit high level module access directly in the Role overview grid or you can select a module from the list on the far left to edit additional field level access details for that module.
We make the following modifications to accomplish our three objectives:
1) To allow visibility to all accounts but to prevent editing if the account is not assigned to the user:
Find the Account module row, find the Edit column and set the role option Owner. This will ensure that for members of this role, they can view all Accounts, but only edit an Account if they are the owner (the Account is assigned to that user).
2) To prevent users from reading meeting notes entered by other users:
Find the Meetings module row, find the Edit and View columns. Set the role option to Owner. This will effectively turn meeting history detail entries unreadable to the user if assigned to another user than themselves. The user would be able to see that the notes exist because the List option was not set.
3) To prevent users from viewing or editing opportunities managed by others users:
This time, select the Opportunities module from the far left column. You will see the general access settings on the top row and detailed field level access listed below.
Select the Edit, List and View options and set them to 'Owner'.
Note that any option not specifically set to an option as reflected by the 'Not Set' option means that this Role does not add any permissions or constraints to this element of Sugar and it is regulated by defaults or other role settings.
For a more detailed treatment of Role Management in SugarCRM, see this article.