CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017.

Author Topic: ACL/permissions and Drupal Roles  (Read 1611 times)

ehanuise

  • CiviCRM version: 4.1.3
  • CMS version: Drupal 7.17
  • MySQL version: 5.1.49-3
  • PHP version: 5.3.3-7+squeeze3
ACL/permissions and Drupal Roles
June 07, 2012, 07:25:45 am
Hi.
I've been asked to push forward with our evaluation of civicrm, and the next step is the management of permissions.
I've set up a drupal 7 + civicrm instance.

Staff will access civicrm using their active directory login (via the drupal LDAP authentication module). No one else will access the system, i.e. the contacts do not have access to civicrm, only the staff.

In Drupal, we've set a pair of roles for the staff: 'staff', which is just about everyone, and 'management', which is just the management team.

I'm requested to set up permissions in civicrm so that management can have some contacts that 'staff' cannot access/modify/export/...

I read carefully the acls, groups and permissions info. The process is:
- remove civicrm permissions in Drupal
- create a civicrm access group
- add people to the access group
- create a civicrm ACL and define permissions for the ACL
- link group and ACL

This works well, but it is static: if a new user joins or leaves the staff, this info is updated in the AD/LDAP (user is added/removed to the drupal 'staff' role) but civicrm stays impervious to this.

So how do I link a civicrm acl to a drupal role instead of a civicrm access group, or how do I create a civicrm access group that stays in sync with a given Drupal role? Is this supported? Is there a module to do it? Is this not a common use-case? Have I missed something obvious?

Thanks in advance.

JonGold

    • Palante Technology
  • CiviCRM version: 4.1 to the latest
  • CMS version: Drupal 6-7, Wordpress 4.0+
  • PHP version: PHP 5.3-5.5
Re: ACL/permissions and Drupal Roles
June 07, 2012, 10:49:38 am
Wow, interesting!  I hadn't considered this approach before, but it makes a lot of sense.

I think the best way to handle your situation is with the Rules module, as well as CiviCRM Rules integration.  Create a new rule "After updating an existing user account", with element "User has role(s): staff", and an action "Add Contact to CiviCRM group".  And of course, create a complementary rule for removing a contact from a group.

Post back and let us know if this solves your problem!

Dave Greenberg

  • Administrator
Re: ACL/permissions and Drupal Roles
June 07, 2012, 02:52:50 pm
Wondering if you could use the civicrm_group_roles module which ships w/ CiviCRM. This does 2-way synch between a Drupal role and a CiviCRM group.

ehanuise

Re: ACL/permissions and Drupal Roles
June 11, 2012, 05:17:16 am
Quote from: Dave Greenberg on June 07, 2012, 02:52:50 pm
Wondering if you could use the civicrm_group_roles module which ships w/ CiviCRM. This does 2-way synch between a Drupal role and a CiviCRM group.

2 way? The documentation seemed to imply it was civicrm => drupal only  :-[
I'll check that one out, thanks for the pointer!

ehanuise

Re: ACL/permissions and Drupal Roles
June 20, 2012, 05:01:55 am
I added the roles sync, but it apparently does nothing, no groups are added to the users.
We have ldap auth enabled, so users don't have drupal accounts proper, we use the ldap for that.
We have users in ldap (AD in fact), with groups.
The LDAP module allows these users to auth in Drupal (works fine) and creates and assigns drupal roles to them (works fine too).
Then group sync should add to the user's contact page in civicrm a civicrm group based on the user's drupal role (I created an association rule for that: our_drupal_role <=> target_civicrm_group). However, this doesn't happen.
And when I check the user's contact page in civicrm, it does link to the userid of that user in drupal, so that part does work.

I have a bad feeling that some triggers that get triggered when you actually create a drupal user account aren't when you use ldap. Still, it doesn't work and I don't know where to look to trace the whole process of use. Any pointers welcome :)

JonGold

Re: ACL/permissions and Drupal Roles
June 20, 2012, 09:06:18 am
It sounds like you're having the same problem described by these folks:
http://groups.drupal.org/node/23486

ehanuise

Re: ACL/permissions and Drupal Roles
June 21, 2012, 02:04:13 am
Quote from: JonGold on June 20, 2012, 09:06:18 am
It sounds like you're having the same problem described by these folks:
http://groups.drupal.org/node/23486
Unfortunately there's precious little info in their post, and no mention of a solution  :'(
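
Added example (not posted by anyone in this thread, and not CiviCRM or Drupal project code): a read-only MySQL audit that shows whether the Drupal role and the CiviCRM access group behind the ACL have drifted apart, which is the condition the thread is trying to prevent and trace. It assumes the Drupal 7 and CiviCRM tables live in the same database without a table prefix, a single CiviCRM domain, and that the group's title is the `target_civicrm_group` placeholder used above; adjust the two literals to your own names.

```sql
-- Added example: audit drift between a Drupal 7 role and a CiviCRM group.
-- Assumed names: role 'staff' (from the thread) and group title
-- 'target_civicrm_group' (the thread's placeholder). Read-only; changes nothing.

-- 1) Holds the Drupal role but is NOT an 'Added' member of the CiviCRM group
--    (also catches Drupal users with no linked CiviCRM contact at all).
SELECT 'missing_in_group' AS drift,
       u.uid, u.name AS drupal_user, m.contact_id
FROM users u
JOIN users_roles ur ON ur.uid = u.uid
JOIN role r         ON r.rid = ur.rid AND r.name = 'staff'
LEFT JOIN civicrm_uf_match m ON m.uf_id = u.uid
LEFT JOIN civicrm_group g    ON g.title = 'target_civicrm_group'
LEFT JOIN civicrm_group_contact gc
       ON gc.group_id   = g.id
      AND gc.contact_id = m.contact_id
      AND gc.status     = 'Added'
WHERE gc.id IS NULL

UNION ALL

-- 2) 'Added' in the CiviCRM group but does NOT hold the Drupal role.
--    uid is NULL when the contact has no Drupal account linked.
SELECT 'stale_in_group' AS drift,
       u.uid, u.name AS drupal_user, gc.contact_id
FROM civicrm_group g
JOIN civicrm_group_contact gc
       ON gc.group_id = g.id AND gc.status = 'Added'
LEFT JOIN civicrm_uf_match m ON m.contact_id = gc.contact_id
LEFT JOIN users u            ON u.uid = m.uf_id
LEFT JOIN role r             ON r.name = 'staff'
LEFT JOIN users_roles ur     ON ur.uid = u.uid AND ur.rid = r.rid
WHERE g.title = 'target_civicrm_group'
  AND ur.uid IS NULL;
```

Rows marked `stale_in_group` with a non-NULL `uid` are accounts that still pass the CiviCRM ACL after losing the Drupal role; rows marked `missing_in_group` are the symptom described in the June 20 post, where the role was assigned via LDAP but the group was never added.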


This forum was archived on 2017-11-26.