Changes

Languages: '''English''' - [http://www.giustetti.net/wiki/index.php?title=vtigercrm_gestione_reparti Italiano]

[[en/vtigercrm_intro#Permission_Management | Permission management in VtigerCRM 5]]

'''VtigerCRM''' provides a wide set of tools to grant privileges and configure fine grained data access to users and groups. Security features are natively available in standard program modules and can be expanded to custom ones. The resulting flexibility enables security managers to cover a wide array of scenarios ranging from small companies, where everyone is granted access to pretty much everything, to more paranoid ones where data access is restricted to authorized staff members only. This paper presents a system configuration aimed to the following scenario:

'''VtigerCrm''' provides a wide set of tools to grant privileges and configure fine grained data access to users and groups. Security features are natively available in standard program modules and can be expanded to custom ones. The resulting flexibility enables security managers to cover a wide array of scenarios ranging from small companies, where everyone is granted access to pretty much everything, to more paranoid ones where data access is restricted to authorized staff members only. This paper presents a system configuration aimed to the following scenario:

* All subjects can access only information they were previously authorized to.

* All subjects can access only information they were previously authorized to.

* Department managers can access data assigned to them or their staff members, but not other departments data and documents.

* Department managers can access data assigned to them or their staff members, but not other departments data and documents.

* Some information need sharing among all users whatever their role.

* Some information need sharing among all users whatever their role.

=== Introduction ===

=== Introduction ===

Data access is managed through 6 features in VtigerCrm to guarantee maximum flexibility. The mentioned entities are:

Data access is managed through 6 features in VtigerCRM to guarantee maximum flexibility. The mentioned entities are:

* Profiles

* Profiles

* Users and Groups

* Users and Groups

* Sharing Access

* Sharing Access

* Fields Access

* Fields Access

Each entity can be configured through a specific form. All forms can be accessed from the '''"Settings"''' menu. We shall now proceed with a step by step system configuration. VtigerCrm release '''5.2.1''' will be used for testing purposes.

Each entity can be configured through a specific form. All forms can be accessed from the '''"Settings"''' menu. We shall now proceed with a step by step system configuration. VtigerCRM release '''5.2.1''' will be used for testing purposes.

 

=== Profile Configuration ===

=== Profile Configuration ===

The first step is to configure '''Profiles'''. Profiles are the mean for user fine grained data access management. The higher level of detail consists of each form or table field. When creating a new profile assign it an unique name them select data access permissions. '''VtigerCrm''' can grant '''read, insert and delete permissions''' for each field of each module.

The first step is to configure '''Profiles'''. Profiles are the mean for user fine grained data access management. The higher level of detail consists of each form or table field. When creating a new profile assign it an unique name them select data access permissions. '''VtigerCRM''' can grant '''read, insert and delete permissions''' for each field of each module.

'''Global Privileges''' are located at the top of the profile form; they take precedence over detailed privileges for each module. '''Disable global privileges in order to activate fine grained control'''. Some modules are provided of advanced features such as data import, data export and other more. Advanced features can be enabled or disabled flagging or unflagging the appropriate entries in the module sub-form.

'''Global Privileges''' are located at the top of the profile form; they take precedence over detailed privileges for each module. '''Disable global privileges in order to activate fine grained control'''. Some modules are provided of advanced features such as data import, data export and other more. Advanced features can be enabled or disabled flagging or unflagging the appropriate entries in the module sub-form.

[[File:vtiger_profile_global_en_small.jpeg]]

[[File:vtiger_profile_global_en_small.jpeg]]

=== Role Configuration ===

=== Role Configuration ===

[[File:vtiger_role_operator_en_small.jpeg]]

[[File:vtiger_role_operator_en_small.jpeg]]

=== User Configuration ===

=== User Configuration ===

Users can be added to VtigerCrm through a proper form. When adding a user assign him/her '''an unique name, a password and a default role'''; then fill-in descriptive information and assign contacts. Each user can be granted '''one and only one role'''.

Users can be added to VtigerCRM through a proper form. When adding a user assign him/her '''an unique name, a password and a default role'''; then fill-in descriptive information and assign contacts. Each user can be granted '''one and only one role'''.

Each user will be assigned role operatore_filiale_GE or operatore_filiale_MI according to their department. Manager roles will be assigned to no one because '''role based access control does not work out as expected'''. Please read the following [https://forums.vtiger.com/viewtopic.php?f=100&t=49084 forum page] for details.

Each user will be assigned role operatore_filiale_GE or operatore_filiale_MI according to their department. Manager roles will be assigned to no one because '''role based access control does not work out as expected'''. Please read the following [https://forums.vtiger.com/viewtopic.php?f=100&t=49084 forum page] for details.

The below table summarizes the created users and their default role:

The below table summarizes the created users and their default role:

{| border="1"

 

{| style="width:70%; border:1px;"

|- bgcolor="darkgrey"

! User Name !! Assigned Role

! User Name !! Assigned Role

|-  align="center"

|-  align="center"

The adopted configuration grants all staff members the same access rights therefore managers will not be able to access other user documents yet. The '''Sharing Access''' feature will later be enabled to grant managers higher privileges.

The adopted configuration grants all staff members the same access rights therefore managers will not be able to access other user documents yet. The '''Sharing Access''' feature will later be enabled to grant managers higher privileges.

=== Group Configuration ===

=== Group Configuration ===

'''Groups in VtigerCrm''' simplify permission management grouping '''users with similar privileges into a single entity'''. Every group member has the same privileges and as such can share documents and information with other members of the same group. The following groups will be configured:

'''Groups in VtigerCRM''' simplify permission management grouping '''users with similar privileges into a single entity'''. Every group member has the same privileges and as such can share documents and information with other members of the same group. The following groups will be configured:

* '''filiale_GE''': Group for members of the department in Genova, both users and administrators. The group has one member only: the '''role''' "operatore_filiale_GE".

* '''filiale_GE''': Group for members of the department in Genova, both users and administrators. The group has one member only: the '''role''' "operatore_filiale_GE".

* '''filiale_MI''': Group for members of the department in Milano. The group has one member only: the '''role''' "operatore_filiale_MI".

* '''filiale_MI''': Group for members of the department in Milano. The group has one member only: the '''role''' "operatore_filiale_MI".

[[File:vtiger_group_agency_en_small.jpeg]]

[[File:vtiger_group_agency_en_small.jpeg]]

=== Sharing Access Configuration ===

=== Sharing Access Configuration ===

When done inserting new rules, press the "Recalculate" button to '''update privilege configuration'''. At recalculation conclusion managers will be able to share data and documents with their department members. Configuring the '''Sharing Access''' feature achieved one of the goals set out in the introduction to this Article.

When done inserting new rules, press the "Recalculate" button to '''update privilege configuration'''. At recalculation conclusion managers will be able to share data and documents with their department members. Configuring the '''Sharing Access''' feature achieved one of the goals set out in the introduction to this Article.

=== Fields Access ===

=== Fields Access ===

The "Fields Access" feature enables the CRM administrator to define a set of default rules for VtigerCrm field access. This feature is useless to our goals and as such will be ignored.

The "Fields Access" feature enables the CRM administrator to define a set of default rules for VtigerCRM field access. This feature is useless to our goals and as such will be ignored.

 

=== Number of Departments Higher Than Two ===

=== Number of departments higher than two ===

In this paper was detailed how to configure data access permissions fit for a binary tree developed corporate hierarchy. The two department case study is generic and can be easily expanded to a department number higher than two. To add a department: configure a new dedicated '''Role''' and new '''Group''' similar to the above defined ones. Replicate the configuration a number of times equal to the department count and you'll be done.

In this paper was detailed how to configure data access permissions fit for a binary tree developed corporate hierarchy. The two department case study is generic and can be easily expanded to a department number higher than two. To add a department: configure a new dedicated '''Role''' and new '''Group''' similar to the above defined ones. Replicate the configuration a number of times equal to the department count and you'll be done.

 

=== Information Shared Among All Users ===

=== Information shared among all users ===

One goal of the adopted configuration consists of sharing some selected information among all users whatever their role.

One goal of the adopted configuration consists of sharing some selected information among all users whatever their role.

=== Conclusion ===

== Conclusion ==

The many entities ruling data access in '''VtigerCrm''' were listed and briefly described in the paper above. We detailed a configuration suitable for a company organized in multiple departments and an easy way to expand and generalize the case study. Please refer to VtigerCrm documentation and wiki for a deeper take of the topic.

 

The many entities ruling data access in '''VtigerCRM''' were listed and briefly described in the paper above. We detailed a configuration suitable for a company organized in multiple departments and an easy way to expand and generalize the case study. Please refer to VtigerCRM documentation and wiki for a deeper take of the topic.

{{footer_en | link_page=vtigercrm_gestione_reparti}}

 

Languages: '''English''' - [http://www.giustetti.net/wiki/index.php?title=vtigercrm_gestione_reparti Italiano]