Vtigercrm department management
Welcome to Simone Giustetti's wiki pages.
Languages: English -  Italiano
Permission management in VtigerCRM 5
Department Management
VtigerCRM provides a wide set of tools to grant privileges and configure fine-grained data access for users and groups. Security features are natively available in the standard program modules and can be extended to custom ones. The resulting flexibility enables security managers to cover a wide array of scenarios, ranging from small companies, where everyone is granted access to pretty much everything, to more paranoid ones where data access is restricted to authorized staff members only. This paper presents a system configuration aimed at the following scenario:
- All subjects can access only information they have been explicitly authorized to see.
- Department managers can access data assigned to them or to their staff members, but not other departments' data and documents.
- Some information needs to be shared among all users, whatever their role.
Introduction
Data access is managed through 6 features in VtigerCRM to guarantee maximum flexibility. These entities are:
- Profiles
- Users and Groups
- Roles
- Sharing Access
- Fields Access
Each entity is configured through its own form; all forms are reachable from the "Settings" menu. We shall now proceed with a step-by-step system configuration. VtigerCRM release 5.2.1 will be used for testing purposes.
Profile Configuration
The first step is to configure Profiles. Profiles are the means for fine-grained management of user data access; the highest level of detail is the individual field of each form or table. When creating a new profile, assign it a unique name, then select the data access permissions. VtigerCRM can grant read, insert and delete permissions for each field of each module.
Global Privileges are located at the top of the profile form; they take precedence over the detailed privileges set for each module. Disable global privileges in order to activate fine-grained control. Some modules provide advanced features such as data import, data export and others. Advanced features can be enabled or disabled by flagging or unflagging the appropriate entries in the module sub-form.
To attain the desired configuration some new profiles will be created:
- pratiche_diu: where diu stands for Delete, Insert, Update. Grants read and write access to all modules except Accounts, which will be dealt with later. Standard users are not allowed to see some information, therefore some fields are disabled for this profile. Moreover, the export feature is disabled for the Contacts, Documents, Invoice, Lead and Quotes modules. The profile is meant for all standard users.
- administrator_pratiche_diu: Access to all fields for all modules is enabled by default and so are all advanced features. Access to the Accounts module is again prohibited. The profile is meant for managers.
- aziende_diu: This profile manages access for the Accounts module alone.
Role Configuration
Roles define an organization hierarchy and every user's position in it. The hierarchical tree has a common origin, the CEO, and then branches into departments and sub-departments. Multiple profiles can be assigned to a single role, thus permitting a user to access different software modules with different sets of permissions.
The hierarchy configured consists of the following tree:
- CEO
  - responsabile_azienda (company_manager)
    - responsabile_filiale_MI (department_manager_MI)
      - operatore_filiale_MI (department_user_MI)
    - responsabile_filiale_GE (department_manager_GE)
      - operatore_filiale_GE (department_user_GE)
Two departments were created for the company: MI for the city of Milano and GE for Genova. As previously stated, our goal is for each staff member to read and modify his/her own documents only. Department managers will be able to access their own documents and those of other department members, but not documents owned by the other department's staff.
The pratiche_diu profile was assigned to role operatore_filiale_XX, while the administrator_pratiche_diu one was assigned to role responsabile_filiale_XX.
User Configuration
Users can be added to VtigerCRM through a dedicated form. When adding a user, assign him/her a unique name, a password and a default role; then fill in descriptive information and assign contacts. Each user can be granted one and only one role.
Each user will be assigned role operatore_filiale_GE or operatore_filiale_MI according to their department. Manager roles will be assigned to no one because role-based access control does not work out as expected. Please read the following forum page for details.
The table below summarizes the created users and their default roles:
| User Name | Assigned Role | 
|---|---|
| Utente_ge_1 | operatore_filiale_GE | 
| Utente_ge_2 | operatore_filiale_GE | 
| Utente_ge_3 | operatore_filiale_GE | 
| Amministratore_GE | operatore_filiale_GE | 
| Utente_mi_1 | operatore_filiale_MI | 
| Utente_mi_2 | operatore_filiale_MI | 
| Utente_mi_3 | operatore_filiale_MI | 
| Amministratore_MI | operatore_filiale_MI | 
| Amministratore_azienda | responsabile_azienda | 
The adopted configuration grants all staff members the same access rights, therefore managers will not yet be able to access other users' documents. The Sharing Access feature will later be enabled to grant managers higher privileges.
Group Configuration
Groups in VtigerCRM simplify permission management by grouping users with similar privileges into a single entity. Every group member has the same privileges and as such can share documents and information with other members of the same group. The following groups will be configured:
- filiale_GE: Group for members of the department in Genova, both users and administrators. The group has one member only: the role "operatore_filiale_GE".
- filiale_MI: Group for members of the department in Milano. The group has one member only: the role "operatore_filiale_MI".
- responsabili_filiale_GE: Contains user "amministratore_GE" (manager_GE) only.
- responsabili_filiale_MI: Contains user "amministratore_MI" (manager_MI) only.
- gestione_aziende: Group used to share Accounts among all users. The group is assigned two other groups as members: "filiale_GE" (department_GE) and "filiale_MI" (department_MI), which together cover all users in the company.
Assign all Accounts to the gestione_aziende group and all users will then be able to access every account and link it to documents, activities and other modules.
Sharing Access Configuration
By enabling Sharing Access, the CRM administrator can add rules for data sharing among users and group members. The first configuration step is to force Private access for all sensitive software modules: Customer Portal, Accounts & Contacts, Calendar, Campaigns, Documents, Invoice, Trouble Tickets, Leads, Quotes, Potentials, Purchase Order, Sales Order and Service Contracts. Users will then be able to read, create, delete and update their own data only, not other users' data.
Then add the following list of rules:
- LEADS
  - Leads of users with role "operatore_filiale_GE" (staff members) can be accessed by members of group "responsabili_filiale_GE" (department managers) with Read/Write privileges.
  - Leads of users with role "operatore_filiale_MI" can be accessed by members of group "responsabili_filiale_MI" with Read/Write privileges.
- ACCOUNTS & CONTACTS
  - Accounts and Contacts of users with role "operatore_filiale_GE" can be accessed by members of group "responsabili_filiale_GE" with Read/Write privileges.
  - Accounts and Contacts of users with role "operatore_filiale_MI" can be accessed by members of group "responsabili_filiale_MI" with Read/Write privileges.
- DOCUMENTS
  - Documents of users with role "operatore_filiale_GE" can be accessed by members of group "responsabili_filiale_GE" with Read/Write privileges.
  - Documents of users with role "operatore_filiale_MI" can be accessed by members of group "responsabili_filiale_MI" with Read/Write privileges.
When done inserting the new rules, press the "Recalculate" button to update the privilege configuration. Once recalculation completes, managers will be able to share data and documents with their department members. Configuring the Sharing Access feature achieves one of the goals set out in the introduction to this article.
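As an added example (not part of the original page and not VtigerCRM's own code), the following Python model encodes the roles, groups and Sharing Access rules configured in the sections above and answers "can this user reach that record?", so the intended access matrix can be checked before the rules are applied to the live CRM. It assumes simplified semantics: modules are Private by default, a rule "role -> group, Read/Write" opens records owned by any user holding that role to the expanded group, a record assigned to a group is reachable by every expanded group member, and role-hierarchy inheritance is deliberately left out.

```python
from typing import Dict, Optional, Set, Tuple

# Users and their default role, a subset of the user table above.
USER_ROLE: Dict[str, str] = {
    "Utente_ge_1": "operatore_filiale_GE",
    "Amministratore_GE": "operatore_filiale_GE",
    "Utente_mi_1": "operatore_filiale_MI",
    "Amministratore_MI": "operatore_filiale_MI",
}
# Group members may be users, roles or other groups, as configured above.
GROUPS: Dict[str, Dict[str, Set[str]]] = {
    "filiale_GE": {"roles": {"operatore_filiale_GE"}},
    "filiale_MI": {"roles": {"operatore_filiale_MI"}},
    "responsabili_filiale_GE": {"users": {"Amministratore_GE"}},
    "responsabili_filiale_MI": {"users": {"Amministratore_MI"}},
    "gestione_aziende": {"groups": {"filiale_GE", "filiale_MI"}},
}
# Sharing Access rules: (module, owner's role) -> groups granted Read/Write.
RULES: Dict[Tuple[str, str], Set[str]] = {
    ("Leads", "operatore_filiale_GE"): {"responsabili_filiale_GE"},
    ("Leads", "operatore_filiale_MI"): {"responsabili_filiale_MI"},
    ("Accounts", "operatore_filiale_GE"): {"responsabili_filiale_GE"},
    ("Accounts", "operatore_filiale_MI"): {"responsabili_filiale_MI"},
    ("Documents", "operatore_filiale_GE"): {"responsabili_filiale_GE"},
    ("Documents", "operatore_filiale_MI"): {"responsabili_filiale_MI"},
}

def group_members(group: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Expand a group into user names, following role members and nested groups."""
    seen = set() if seen is None else seen
    if group in seen:  # a group cycle would otherwise recurse forever
        return set()
    seen.add(group)
    spec = GROUPS.get(group, {})
    users = set(spec.get("users", set()))
    users |= {u for u, r in USER_ROLE.items() if r in spec.get("roles", set())}
    for sub in spec.get("groups", set()):
        users |= group_members(sub, seen)
    return users

def can_access(user: str, module: str, owner: str) -> bool:
    """True if `user` may read/write a `module` record owned by user or group `owner`."""
    if owner in GROUPS:  # record assigned to a group, e.g. Accounts -> gestione_aziende
        return user in group_members(owner)
    if user == owner:  # Private modules: owners always reach their own records
        return True
    # Otherwise only a Sharing Access rule for the owner's role can open the record.
    granted = RULES.get((module, USER_ROLE.get(owner, "")), set())
    return any(user in group_members(g) for g in granted)
```

Running the checks for both departments against this model is a cheap way to spot a rule that was typed for the wrong role or group before pressing "Recalculate".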
Fields Access
The "Fields Access" feature enables the CRM administrator to define a set of default rules for VtigerCRM field access. This feature is not needed for our goals and as such will be ignored.
Number of Departments Higher Than Two
This paper detailed how to configure data access permissions for a corporate hierarchy shaped like a binary tree. The two-department case study is generic and can easily be expanded to more than two departments. To add a department, configure a new dedicated Role and a new Group similar to the ones defined above. Replicate the configuration once per department and you'll be done.
One goal of the adopted configuration consists of sharing some selected information among all users whatever their role.
By assigning all Accounts to group gestione_aziende, which includes all users, information was effectively shared among staff members. Spreading accounts among individual users, as is done for the other modules, would not have worked: each user would have been granted access to his/her own accounts but not to others', and sharing contacts with a common account would have been impossible.
Conclusion
The many entities ruling data access in VtigerCRM were listed and briefly described above. We detailed a configuration suitable for a company organized in multiple departments and an easy way to expand and generalize the case study. Please refer to the VtigerCRM documentation and wiki for a deeper take on the topic.
For any feedback, questions, errors and such, please e-mail me at studiosg [at] giustetti [dot] net