CiviCRM Community Forums (archive)

Hello-

I am working on an implementation of CiviCRM for a client and I have a few questions.

The client likes the system, but is concerned about security, specifically:

1) Locking down the "Export" feature so only selected users have access to it.
2) Limiting access to Reports, so only certain users can see them
3) Limiting access to various other parts of the system (for example, not everyone should be able to send out a email blast).

Also, he wants to segment access to the contact database, so that certain users only have access to certain groups of contacts, but other users have access to all the contacts of users "under" them:

4) Enabling heirarchical access controls on the contact database.

I couldn't see how to implement these features using the "Access Controls" section of the Admin.

I can't imagine this is the first time someone has had this set of requirements, so I was wondering, what are the best practices for enabling this kind of functionality in CiviCRM?

1. Not possible to only lock export out. You can potentially "simulate" this by modifying the tasks shown via the task hook

http://wiki.civicrm.org/confluence/display/CRMDOC/CiviCRM+hook+specification#CiviCRMhookspecification-hookcivicrmsearchTasks

(but export will still be exposed for the other component searches)

2. each report instance can be individually permissioned

3. Each component can be individually permissioned. So folks who cant send out an email blast dont get civimail permission

4. check acl hooks:

http://wiki.civicrm.org/confluence/display/CRMDOC/CiviCRM+hook+specification#CiviCRMhookspecification-hookcivicrmaclWhereClause

There also some blog posts on this, check:

http://www.google.com/search?q=civicrm+acl+site%3Acivicrm.org%2Fnode&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

lobo

Thanks!