Author Topic: Edit permission on Smart Group (Read 1190 times)

kdas · February 17, 2008, 04:21:54 pm

Hi All,

I am doing a test to learn Civicrm Access Control as part of design a system for our church.

I need your opinion if you have a better design approcah for the case I mentioned below. Also one issue/bug mentioned below.

Our church has few centers around the country and a local admin is assigned to each area to manage the contact information.

I have created following Role and ACLs and assigned the permission as follows:

Austin_Edit_Role has Edit permission on contacts in Austin_Group (standard group)
Austin_View_Role has View only permission on contacts in Austin_Group (standard group)
Dallas_Edit_Role has Edit permission on contacts in Dallas_Group (standard group)
Dallas_View_Role has View only permission on contacts in Dallas_Group (standard group)

I realized that above roles can only be assigned to a ACL type Group not to individual users which is fine. Unless there is a way that I am not aware of.

Assignment of Roles are as follows:
Austin_Edit_Role is assigned to Austin_Admin ACL group that has a member called admin_austin.
Austin_View_Role is assigned to Austin_View_Only ACL group that has a member called admin_austin_v.
Dallas_Edit_Role is assigned to Dallas_Admin ACL group that has a member called admin_dallas.
Dallas_View_Role is assigned to Dallas_View_Only ACL group that has a member called admin_dallas_v.

This way we can allow the access to contacts to a admin of that area.

We also want someone with more privilege to access contacts of all the areas. So I created a Smart Group called Central_Group that is defined as all contacts that are in Austin_Group and Dallas_Group and other area groups.

Central_Edit_Role has Edit permission on contacts in Central_Group (smart group)
Central_View_Role has View only permission on contacts in Central_Group (smart group)

Assignment of Roles are as follows:
Central_Edit_Role is assigned to Central_Admin ACL group that has a member called admin_central.
Central_View_Role is assigned to Central_View_Only ACL group that has a member called admin_central_v.

This all works fine except few things that need your opinion:

1. When I login as 'admin_central' I can find all the contacts belong to Austin and Dallas group. But when I Edit one of the Austin contact after search and try to save, I get the warning that user does not have view permission. The contact is updated but somehow contact was removed from Austin_Group. So when I search again I don't see that contact. Is this a bug? This does not happen if I manually assign Central_Group group to a contact under Group tab, but that defeats the purpose of smart group.

2. I noticed that if contact belongs to a smart group, in this case Central_Group, in the Group tab smart group is not listed. May be that is per civicrm design. If contacts belong to a standard group it is listed under Group tab. You can manually assign that contact to a smart group then it is listed but that defeats the purpose of smart group.

3. I just used example of 2 areas Austin and Dallas. If there are multiple areas that seems to be a lot of maintenace on part of CiviCrm administrator. I am sure there must be some better or simple way to design such scenario using CiviCrm or some other Drupal module. Does anyone has similar experience that works?

4. To add a contact automatically into a area group, I was thinking of using profile for each area. I tried a simple test that seems to work. Though it will add more maintenace for administrator to create/assign ACL for Profiles. Any better suggestions?

I hope that discussion on this scenario will help me as well as other fellow CiviCrm users.

Thanks in advance for sharing your wisdom.

Dave Greenberg · February 18, 2008, 02:49:50 pm

Using smart groups in conjunction w/ ACLs is a bit "experimental" - and not optimized for larger data sets at all. This is a shortcoming we hope to address during the 2.x cycle. If your organization is able to sponsor moving this work forward with technical and or financial resources - that would be great.

That said, if your dataset is not too large the existing functionality might work for you. A few thoughts...

Quote

When I login as 'admin_central' I can find all the contacts belong to Austin and Dallas group. But when I Edit one of the Austin contact after search and try to save, I get the warning that user does not have view permission. The contact is updated but somehow contact was removed from Austin_Group.

1. If the contact being edited is "removed" from a group they were in - that is definitely a bug. Please see if you can replicate the behavior on the public demo (http://demo.civicrm.org) - and file a bug report with steps to recreate.

2. If you're using Drupal, you might want to create Drupal roles with "view all contacts" and "edit all contact". Then assign your "Central" admin users to those roles - thus avoiding the need for the "Central" smart group.

3. Smart groups do NOT show up under the Groups tab when viewing an individual. We don't show them due to the performance hit that it would require to do all the smart group queries when displaying the tab. This is either a bug or missing feature, depending on how you look at it. Caching smart groups is on the road map for 2.x - at which point we can fix this.

kdas · February 19, 2008, 09:18:37 pm

Hi Dave,

Thanks so much for your quick response and sharing your wisdom.

I don't have to use Smart Group as you mentioned about its performance.

One alternative you suggested is to use Drupal role with "view all contacts" and "edit all contact". Other would be to add user admin_central in all the desired area ACL groups.

-KDas

CiviCRM Community Forums (archive)

News:

Author Topic: Edit permission on Smart Group (Read 1190 times)

kdas

Edit permission on Smart Group

Dave Greenberg

Re: Edit permission on Smart Group

kdas

Re: Edit permission on Smart Group