CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.

Author Topic: No real problems configuring ACL's (See last item in this thread!)  (Read 1693 times)

Will Brownsberger

No real problems configuring ACL's (See last item in this thread!)
November 14, 2009, 05:33:36 am
I've repeated the procedure below from the documentation a few times, trying instead of limiting access to a group, to limit access to a custom group of fields.  I am in Drupal and I am not enabling any role to access custom fields of profiles.  Yet, roles other than the "Development Team" continue to have full access to the custom group of fields.  Either I'm missing something basic or there is something flaky going on.

Any ideas out there?

/w.

"Overview - Built-in CiviCRM Access Control

CiviCRM's built-in Access Control is managed by Access Control Lists (ACL's). ACL's allow you to control who can view and edit specific contact groups, specific profiles and/or specific sets of custom data.

For example, you might want to allow only staff on your Development Team to view or edit contacts in your "High Value Donor" group. The basic steps for this are:

   1. Create a group ("Development Team") - Manage Groups.
   2. Add development team contacts to the group - Add Members to Group.
   3. Create an ACL Role ("Development") - Administer CiviCRM » Access Control » Manage Roles » New ACL Role.
   4. Create an ACL (a "permission") which allows the "Edit" operation on the "High Value Donor" group for the "Development" role - Administer CiviCRM » Access Control » Manage ACLs » New ACL.
   5. Assign the "Development" role to users in the "Development Team" group - Administer CiviCRM » Access Control » Assign Users to CiviCRM Roles » New Role Assignment."
« Last Edit: January 04, 2010, 05:45:22 am by WillBrownsberger »

Donald Lobo

Re: Problems configuring ACL's to limit access to a custom group of fields
November 14, 2009, 08:44:40 am

1. can u double check on which drupal role has permissions to: "access all custom data"

2. can u elaborate on the steps you did to give the development team access to custom data

3. can u also describe in detail your other acl config and any acl hooks u might have implemented

lobo

Will Brownsberger

Re: Problems configuring ACL's to limit access to a custom group of fields
November 14, 2009, 09:30:49 am
Thanks for responding.  This is an interesting problem and one that affects my installation design, so I've spent some time on it.

First to answer your questions.

(1) I have tried this different ways -- in none of them do the user IDs in question have Drupal roles that have permission to access all custom data.  I've tried it with no roles having that permission (but see further below).
(2) I have gone through the following procedure repeatedly with variations in the last ACL step.
    
  • establish user ids in drupal that have corresponding contacts in civicrm
  • make them members of their own one-member groups for acl purposes
  • create ACL roles
  • assign the groups to the acl roles
  • assign those roles ACL's to access groups of contacts and/or groups of custom data fields.
(3) I have implemented no hooks and the ACL config in CIVICRM is as it came to me (see further experiments below).  I do have the CCK installed, but nothing custom.


So, here is what I have observed after several hours of experimentation:

(0)  The ACL control to groups of contacts seems to work fine -- once the rules are in place, users see only the contacts in the group that they are authorized for (unless they have Drupal permissions to view or edit all contacts, in which case they do see all).
(1)  It seems, however, that access to custom data is entirely controlled by two DRUPAL permissions -- "access all custom data" and "administer CiviCRM":  If either one is on, then the user has access to all custom data, regardless whether or not they have any civicrm ACL permissions to do so; if they are both off, then the user cannot access any custom data even if specifically permitted in CiviCRM.
(2)  I noticed that, as installed, the civicrm_acl table has entries with entity id = 0 and entity id = 2, which end up in the acl_cache for logged in users.  These entries would allow access to all custom data.  Before I reached my previous conclusion, I tried high rand entity-ID's to those civicrm_acl table entries to keep them from being processed.  This made no difference in user ability to access custom data (although it did keep the entries out of the cache).
(3)  It appears that access to custom data is not being affected at all by the ACL's.

It's an outstanding product and I greatly appreciate your availability and your attention to continuous improvement.

/w.

« Last Edit: November 14, 2009, 12:28:08 pm by WillBrownsberger »

Donald Lobo

Re: Problems configuring ACL's to limit access to a custom group of fields
November 14, 2009, 06:06:40 pm

1. administer CiviCRM and access all custom groups - gives the user access to ALL custom groups

2. you should add ACL's for specific custom groups if you want to control access to custom groups. In that case those specific roles should not have the above 2 permissions

ping us on irc if you need more help or clarification

lobo
 

Will Brownsberger

Re: Problems configuring ACL's to limit access to a custom group of fields
November 16, 2009, 11:49:45 am
Thank you.


"2. you should add ACL's for specific custom groups if you want to control access to custom groups. In that case those specific roles should not have the above 2 permissions"

That is, I'm quite sure, what I did -- I added CIVICRM ACL's granting access of contacts groups including the users to those custom fields.  But doing that didn't allow access to the custom fields until I granted one of the permissions in question, in which case the user got access to all custom groups.

Donald Lobo

Re: Problems configuring ACL's to limit access to a custom group of fields
November 22, 2009, 03:29:08 pm

might be easier to discuss this on IRC

lobo

Will Brownsberger

Re: Problems configuring ACL's to limit access to a custom group of fields
January 04, 2010, 04:43:46 am
Thanks for taking the time to respond on this, Lobo.

MY BAD!

After coming back to this, posting again and spending an embarrassing additional amount of time looking at all the wrong things, I realized that my test users were picking up permissions from the anonymous user.  Once I altered the anonymous and authenticated permissions everything worked as it was supposed to.

/w.
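
Added example, not part of the original thread and not CiviCRM or Drupal code: a small Python model of the check this thread ends on, showing which role leaks "access all custom data" or "administer CiviCRM" to a user and what the custom-group ACLs then allow. The role names, custom group names, sample users and the list of implicitly applied roles are constructed assumptions; the two bypass permission names are the ones quoted in the thread.

```python
# Model of the behaviour described in this thread; all data below is constructed.
BYPASS_PERMISSIONS = {"access all custom data", "administer CiviCRM"}


def bypass_sources(assigned_roles, role_permissions, implicit_roles):
    """Map each bypass permission the user effectively holds to the roles granting it."""
    sources = {}
    for role in list(implicit_roles) + list(assigned_roles):
        for perm in role_permissions.get(role, set()) & BYPASS_PERMISSIONS:
            sources.setdefault(perm, []).append(role)
    return sources


def visible_custom_groups(user, role_permissions, implicit_roles,
                          acl_grants, all_custom_groups):
    """Return (custom groups the user can see, roles leaking a bypass permission)."""
    sources = bypass_sources(user["cms_roles"], role_permissions, implicit_roles)
    if sources:
        # Either bypass permission overrides the ACLs: every custom group is visible.
        leaking = sorted({r for roles in sources.values() for r in roles})
        return set(all_custom_groups), leaking
    granted = set()
    for acl_role in user["acl_roles"]:
        granted |= acl_grants.get(acl_role, set())
    return granted, []


# Constructed sample configuration (hypothetical names).
ALL_CUSTOM_GROUPS = {"Donor Notes", "Volunteer Skills"}
ACL_GRANTS = {"Development": {"Donor Notes"}}  # ACL role -> custom groups
DEV_USER = {"cms_roles": ["development team"], "acl_roles": ["Development"]}
INTERN = {"cms_roles": [], "acl_roles": []}
# Assumption: roles whose permissions every test user picks up, per the last post.
IMPLICIT = ["anonymous user", "authenticated user"]

MISCONFIGURED = {"anonymous user": {"access all custom data"},
                 "authenticated user": set(),
                 "development team": {"access CiviCRM"}}
FIXED = {"anonymous user": set(),
         "authenticated user": {"access CiviCRM"},
         "development team": {"access CiviCRM"}}

if __name__ == "__main__":
    for label, perms in (("misconfigured", MISCONFIGURED), ("fixed", FIXED)):
        for name, user in (("dev_user", DEV_USER), ("intern", INTERN)):
            groups, leaks = visible_custom_groups(
                user, perms, IMPLICIT, ACL_GRANTS, ALL_CUSTOM_GROUPS)
            print(label, name, sorted(groups), "leaked via:", leaks)
```

Running the audit against every role that applies to a test account, not only the roles assigned for the test, is what surfaces the leak described in the final post.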


This forum was archived on 2017-11-26.