Author Topic: More fine grained permissions (Read 654 times)

Eileen · July 24, 2012, 04:22:40 pm

In discussions with a client they have some requirements for permissions that don't currently exist

1) Edit All Contribution Pages - this is because they have staff that they want to be able to do updates to contribution pages - but they don't want them to be able to change site configuration - in the customer's words.

Quote

"If I want someone to edit the copy on 10 campaign pages, even if it is just to correct a spelling error, I need to give them permission to globally administer all of CiviCRM which is a bit scary. I'd like to be able to farm out basic management of contribution pages without farming out full admin priv."

2) Control which events they can edit. Current permissions are:

CiviEvent: access CiviEvent
CiviEvent: edit event participants
CiviEvent: edit all events
CiviEvent: register for events
CiviEvent: view event info
CiviEvent: view event participants
CiviEvent: delete in CiviEvent

There are also ACLs you can use
- view
- edit
- delete
- search
- create
- all

The notes about the ACLs is a bit unclear

Quote

"NOTE: For Event ACLs, the 'View' operation allows access to the event information screen. "Edit" allows users to register for the event if online registration is enabled.
Please remember that Drupal's "register for events" permission overrides CiviCRM's control over event information access. "

However, a bigger limitation with the ACLs is that you give permission per event.

I believe any of the following would meet the client's requirement

1) Add a drupal permission 'edit own events' - a limitation of this approach would be that the staff member might be replaced & the ownership would then be less than useful.

2) Extend the ACLs so that the actions could be limited by event type rather than by event - a limit here would be that it would have to be possible to have more than one type of event type selectable - and that it result in a large number of ACLs - in which case it would need to possible to hook into this.

3) Edit events created by people that are viewable by the logged in user.

My client would be looking to get us (me) to patch core with the acceptable approach.

Donald Lobo · July 24, 2012, 06:38:19 pm

for item 1:

a. do they want the person to create profiles / custom data for their contrib page which also require administer civicrm privileges

b. what about payment processors?

for events, we've tried to solve the problem by creating "event templates". So "less privileged users" basically can start from the template and modify a few pieces they need.

To some extent its also a question of training and process' within the organization

for item 2:

The ACLs basically control the "front end aspect of events". You can implement the hook_civicrm_aclGroup on the tableName civicrm_event to implement any of the 3 rules u've mentioned

lobo

Eileen · July 24, 2012, 06:59:03 pm

On

#1 - the answer is no - they don't need to create those things. They just want the contribution page equivalent of what 'edit all events' confers. The event template approach doesn't get help in this because at the moment you can't create contribution pages unless you have administer civicrm. I like the event templates but I see them as more a data entry assist than being related to permissions

#2 - so - this isn't a requirement which is broader than this customer & we can / should acheive it through custom code.

CiviCRM Community Forums (archive)

News:

Author Topic: More fine grained permissions (Read 654 times)

Eileen

More fine grained permissions

Donald Lobo

Re: More fine grained permissions

Eileen

Re: More fine grained permissions