Implementation of Security & User Permissions in OpenCRM
The user permissions and security settings in OpenCRM are very powerful and flexible. This FAQ will walk you through some of the options you have with these settings. If you do not see an overview or outline that matches what you want to do, get in touch with our support team, they’ll be able to advise you of your options.
In terms of where these settings are applied, here is a quick guide:
- Restrict access to an entire module: Profiles
- Restrict access to a group of records to certain users: Team & Groups
- Define which users can edit or access records: Default Organisation Sharing Access (Note: You can also set this per record by using Record Level Security)
- Access and visibility to Views and Reports: Set on the individual View or Report
- There are also a number of miscellaneous security options that can be found at the end of this FAQ
A good shorthand to remembering where to look to control the different aspects of security is that we have two levels of control in terms of what people can do with records (Profile and Default Organisation Sharing) and which records they can see (Group/Team membership).
To help you navigate this (quite long) FAQ, here's a table of contents:
- Given access to entire modules
- Controlling access by Team or Group
- Setting default record security
- Changing access for a particular record (make a record private)
- Permissions on Custom Views and Reports
- And some other stuff:
- What happens if you link a user to a record they don't otherwise have permission to see?
- What do the different admin levels mean?
- What does the Reports to field do?
- Can I change the security of emails?
- What happens with deleted records?
You can restrict access to an entire module by altering “Entity” access for user profiles. This allows the ability to (per profile and per module) set how much or how little access a profile has to a module and the records within it.
To edit these, go to Settings > User Management > Profiles > Select the Profile you wish to edit.
You will see a screen to will give you the following options for each module:
- Allow: Access to see the module (e.g. see the tabs in the system), if this is unticked, the users assigned to that profile will be completely unable to see the module or the records within it. When ticked, the user is able to see the module in their navigation tabs, but not access it. They can, however, select a record from this module in a pop-up window to link to another record, ex. selecting a Product from the grid on a Sales Order or selecting a Company from a Contact record
- Create/ Edit: Users can create new or edit existing within that module, but not delete them
- Delete: Users can delete the records within that module
- View: Users can see, but not edit or delete records within that module
- Merge: Users can merge two records within that module together (used to manage duplicates)
- Convert: This is a way of enabling or restricting the ability for users to convert Leads
To learn more about Profiles, see this FAQ.
Group/ Team Level Record Security
Group and Team level security is used to restrict access to records based on your users’ relationships to each other.
It works by assigning your users to specific Teams or Groups. You can then set records to only be visible (via the Default Record Level Security below) to the assigned user’s Group or Team.
For example, if User A and User B are both in Team 1, but Users C and D are in Team 2, any records assigned to User A are visible to only Users A and B, not Users C or D.
Essentially a Group is a collection of Teams. You can choose whether or not you want records assigned within a Team to also be shared within any Group to which a Team belongs by going to Settings > Configuration Settings > Additional Settings > Group and ticking the available option.
Note that it is possible to override Team security with "Global" record level security settings, both at record level and globally by default (see below).
If you wish Users to only see their own records you do not need to utilise Teams or Groups at all. By setting up a User to not be a member of any Team , you are effectively setting this User up as if they were in their own individual Team. The data created by this User will be visible only to themselves and any Admin users (see below).
Default Record Level Security
You can specify what security level is applied to any new records by default. This can still be overridden on each individual record or by the restrictions placed via a User’s Profile.
There are two things to keep in mind when you are setting default security:
- System and Data admin users overrides all record security - including Private records
- Setting records as “Private” DOES prevent access to the record, but does NOT necessarily hide the record from the search results and views.
- I.e. A user would be able to see the record details in the grid, but an attempt to access could then be denied depending on the level of security applied.
- Therefore a combination of Group/ Team visibility and record level security is required for a completely secure solution.
- For example a record is Private but the owner is in a team with another user, the second user would be able to see the record in a search but not access it.
To change the security of all the new records created in a given module, go to: Settings > User Management > Default Organisation Sharing Access.
There are three overarching types of security:
- Public – This gives users belonging to the same Group or Team varying degrees of access to each other’s records.
- Private – This restricts access to only the assigned user, with some control over the access Group/ Team members might or might not have to the records.
- Global – This gives every user varying degrees of access to each other’s records.
The detailed levels of security are as follows, note that marking a record as Private overrules any of these security settings:
- Public: Read Only - Only the user assigned to these records is able to edit or delete it, but everyone belonging to the same Group or Team as the assigned user can view it.
- Public: Read, Create/ Edit - Only record owner can delete these records, but anyone belonging to the same Group or Team as the assigned user can view, create, or edit them.
- Public Read, Create/ Edit, Delete - Everyone belonging to the same Group or Team as the assigned user gets full access to all records.
- Private - Only Record owner has access to the records. Nobody else has ANY access, with the exception of System or Data Admins.
- This is different from marking a single record as Private, see below in Record Level Security
- Private ( + Team: Read Only) - Record owner has full access to these records and users that are members of the same Group as the record owner are able to view it.
- Any users directly linked to the record get access to view REGARDLESS of private flag
- Private ( + Team: Read, Create/ Edit) - Record owner has full access to record and users that are members of the same group get access to view, or edit record UNLESS the record is marked as private.
- Any users directly linked to the record get access to view/edit REGARDLESS of private flag.
- Private ( + Team: Read, Create/ Edit/ Delete ) - Record owner has full access to the record, as do any users of the same group, UNLESS the record is marked as private.
- Users linked directly to the record get full access REGARDLESS of private flag
- Global: Read Only – Everyone can view this record, this overrides group security.
- Global: Read Create/ Edit – Everyone can view, create, or edit these records, this overrides group security.
- Global: Read Create/ Edit/ Delete – Everyone can view, create, edit, or delete these records, this overrides group security.
- Global: Read Only ( + Team: Create/ Edit) - Record is visible to everyone, but only users who belong to the same Group or Team as the record owner are able to create or edit a record.
- Global: Read Only ( + Team: Create/ Edit/ Delete) - Record is visible to everyone, but only users who belong to the same Group or Team as the record owner are able to create, edit, or delete a record.
Important: Public security respects Team membership and Reports to functionality with the following exception: Knowing the URL of a record you wish to view (for example receiving a link via notification) will allow the record to be viewed, edited or deleted depending on the specific Public option set. Users outside your Team may also be able to see information relating to the record within a Report, provided they have access to run Reports.
Wherever a Team or Group is given differential access, this same access is granted to those users to whom the assigned user reports (see the “Reports to” functionality below).
Important: If your Default Organisation Sharing Access allows you do to more than your Profile, you can only do as much as you are able from the Profile level, i.e. if you can edit/ create, delete the records assigned to members of your Group or Team via the Default Organisation Sharing, but only view records at Profile level, you can only view records. If you have higher security at Profile, but lower for the records assigned to members of your Group or Team by the Default Organisation Sharing Access, the higher only affects how you interact with your own records, i.e. if you can create/ edit, delete at the Profile level, but only view your Group or Team's record, you can create/ edit, delete your own records, but only view your Group/ Team members' records.
Record Level Security (i.e. make a record private)
There are methods of implementing security at individual record level, overriding any defaults set for the system.The settings for the Security option are identical as the above options, with the added override of those options in the Default Organisation Sharing Access dropdown menu. This means that you could mark a single record as Private (via the Private tick box) or, if your default permissions allow your Team or Group to edit a record, you can change it to be Read Only for your Team or Group.
In terms of the Team or User restriction option, you can restrict the visibility of this single record to a single Team and this will override your Default Organisation Sharing.
Important: Marking a record as private will prevent access to it from all users except Data and System Admins. Any users within the same Team who have access to the module in question, however, will be able to see the record in list view. All users, regardless of Team will be able to see information relating to a Private record within a Report, provided they have access to reporting. It is possible to restrict Admins accessing records ticked as private via additional settings, the email, documents and projects modules are the only modules with a "Private" check box.
But I can't edit the security field on a record?
It is important to remember that the security field and Team Sharing field as shown below can only be edited by the record owner (ie the Assigned To User).
If edited by any user other than the record owner, the security drop-down is disabled and the team sharing field is not visible.
Custom View Permissions
All users have access to the Custom Views drop down in every module. They will have access to any Custom Views to which they have been assigned. To find out more about setting up Custom Views and assigning them to your users, see “Specify View Visibility” in this FAQ.
- Private Flag
- This is available on Documents, Emails, and Projects. When ticked, this will both hide the record from the grids and prevent all access to the record from anyone except those linked to the record in the user list, and system and data admins.
- Record Level Security
- On each record, you can specify an access level, like the default access levels above, to apply specific security to individual records.
- This is done in the "Security" block when looking at a record in Edit mode.
- You must be the owner of the record in order to make security changes
- The options are the same as those in the Default Entity Level Security
By default, Custom View creation is limited to System Admin, Data Admin and Configurator users.
A global setting can allow all users to edit and create custom views. This option can be found by going to Settings > Configuration > Additional Settings > Custom View Settings.
Reports do not respect Team sharing by default, so will return details of records regardless of the Team membership of the person running the Report. To make them observe your Team sharing defaults, go to Settings > Configuration > Additional Settings > Security Settings and tick the following setting:
This will ensure that your users will only be able to report on records they have permission to view.
In addition to the default and Profile based permissions discussed above under Record Level Security, you can set restrictions on which of your Users or Teams can view an individual report by editing the Report Security block. This overrides the Default Organisation Sharing.
Miscellaneous Security Options
There are a number of other options to control the security of various records within your system.
Linking Users to records
- Some entity types (Contacts, Companies, Activities, Documents, Projects) allow you to link additional users under the Users subtab.
- If you link a user to a record here, it will share the record with that user as well as any users that share a Group with that user.
- Doing this overrides your default security settings.
- For Contacts, Companies, and Activities, adding this extra user gives them full ownership permission
Special Admin User Permissions
A number of special user permissions that are set at the user level are available which will alter how permissions are applied:
- System Admin – A system admin has full access to all data (including private data) that is present in the system.
- It also gives the user full access to all available configuration options
- Data Admin - As per System Admin, this gives the user full access to data in the system bypassing all securities and private flags.
- A Data Admin can also report on ALL cost centres (normally you can only report on your own cost centre)
- Configurator – Being a configurator does not affect access to the data in the system, but does grant access to some areas of the configuration options (Settings screen) and the ability to create custom views. Importantly for this FAQ, configurators cannot view any of the user permissions block.
- Financial Admin – This allows a user to be able to perform Edit/ PDF functions on Orders/ Invoices/ Quotes where Require financial authorisation is ticked . See this FAQ for more information.
- You can also have a list of "Credit Admin" users by going to Settings > Configuration > Additional Settings > Credit Check and you can put in usernames of your Credit Rating administrators who can override credit limits and will receive a notification of when a credit limit has been overriden.
To give a user one of the above admin statuses, go to Settings > User Management > Users > Edit and tick the relevant options
Reports To Security
If you have users who “Report to” other users, this can have an effect on the records the second user would see.
The user who is junior will be able to see their own records as well as the records of any members of any Group/ Team they are in. However, the junior user will not be able to see the records of the senior user, i.e. the person they are reporting to (unless they are in the same Group/ Team).
The senior user will see all their own records and the records of the other members of a shared Group/ Team. They will also be able to see the records of any users who are reporting to them.
This also has an effect if there is a chain of users reporting to each other. For example, if User A reports to User B, and User B reports to User C:
- User A will only see User A’s records
- User B will see Users A and B’s records
- User C will see Users A, B, and C’s records
Important: Group security will override “Reports to” permissions. Therefore if Users A, B, and C are all in the same Group/ Team, then they will all be able to see all of each other’s records regardless of “Reports to” setup.
Saying that, any records that are made visible to a second user via the “Reports to” security will not be shared with that second users’ group. For example, if User D reports to User E, User E will see User D’s records. If Users E and F are in a Group that does not include User D, however, User F will not be able to see User D’s records.
Email Security (List View)
The Email module has some additional security options surrounding it. It is possible to restrict access to global searching on Emails to only Admin users (i.e. System Admin, Configurator, Data Admin, and Financial Admin). To enable this, go to: Settings > Configuration > Additional Settings > Email Settings and tick
Hiding of inactive/ deleted accounts records
You can also set all the records assigned to one or more particular users to be hidden from all but a select few users.
To set this up, go to Settings > Additional Settings > Interface Settings. You will see the following two options.
The first box is a list of User IDs for all those users for whom you wish to hide their records. These may be inactive users or higher level administrators who have need of additional privacy.
The second box is a list of User IDs for those users who are allowed to see the records of these hidden users.