CiviCRM Community Forums (archive)

*

News:

Have a question about CiviCRM?
Get it answered quickly at the new
CiviCRM Stack Exchange Q+A site
This forum was archived on 25 November 2017. Learn more.
How to get involved.
What to do if you think you've found a bug.



  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Support »
  • Using CiviCRM »
  • Post-installation Setup and Configuration (Moderator: Dave Greenberg) »
  • ACL to restrict view of custom data
Pages: [1]

Author Topic: ACL to restrict view of custom data  (Read 787 times)

taiga

  • I’m new here
  • *
  • Posts: 14
  • Karma: 0
ACL to restrict view of custom data
September 03, 2010, 04:47:58 pm
Hi there,

we ran into a problem where the ACL in CiviCRM does not seem to permit this type of restriction in a CiviCRM 3.1.5 and Durpal 6.19 installation:

  • Attach custom data group to an individual contact as a tab (or inline)
  • Store sensitive information in custom data fields
  • Allow "view" of custom data group to only authorized staff members who belong to "caseworker" CiviCRM group
  • Disallow and "hide" from view custom data group for all non-authorized staff members who don't belong to "caseworker" group

The boring intermediate steps of setting up a ACL role, assigning a group to that ACL role, adding the staff member to that group have been done, but the result is that the custom data group is visible to all users regardless of access restrictions.

We've turned off the Drupal permission settings for these items:
  • profile listings
  • profile listings and forms
  • access all custom data

While these Drupal permissions are enabled for the staff member login:
  • view all contacts

Any pointers on how to get this to work, i.e. restrict view of sensitive information to a subset of the staff logins belonging to a specific group?

Many thanks in advance,

Alan

taiga

  • I’m new here
  • *
  • Posts: 14
  • Karma: 0
Re: ACL to restrict view of custom data
September 03, 2010, 04:54:47 pm
SOLVED: followed the directions below from another ACL post and things work as expected

"...realized that my test users were picking up permissions from the anonymous user.  Once I altered the anonymous and authenticated permissions everything worked as it was supposed to."

This is not mentioned in the documentation and caused us a great amount of grief, any way we can put this as a requirement or "CAUTION" note into the documentation?

Thanks,

Alan

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: ACL to restrict view of custom data
September 03, 2010, 09:05:52 pm

the wiki documentation is editable by users. wanna make the appropriate changes

i know that logged in users pick up all the permissions of auth users. i was not aware (or forgot) that they also pick it from anon users.

on the other hand i'm not sure when u'll give anon users more access than auth users

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions
Pages: [1]
  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Support »
  • Using CiviCRM »
  • Post-installation Setup and Configuration (Moderator: Dave Greenberg) »
  • ACL to restrict view of custom data

This forum was archived on 2017-11-26.