CiviCRM Community Forums (archive)

*

News:

Have a question about CiviCRM?
Get it answered quickly at the new
CiviCRM Stack Exchange Q+A site

This forum was archived on 25 November 2017. Learn more.
How to get involved.
What to do if you think you've found a bug.



  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Support »
  • Using CiviCRM »
  • Post-installation Setup and Configuration (Moderator: Dave Greenberg) »
  • Access control
Pages: [1]

Author Topic: Access control  (Read 318 times)

ewanmclean

  • I post occasionally
  • **
  • Posts: 36
  • Karma: 0
Access control
September 14, 2014, 02:39:02 pm
Hi there

I have some questions about an implementation for an advocacy group. We have a core admin team who have full access to CiviCRM, which is fine. We wish to delegate some access to a wider team of 'local coordinators'. These are volunteers around the country who liaise with local volunteers on the ground, organise leafleting and campaigning, etc. We want them to have access to restricted data, and to send emails, only to people within their local area.


  • We have defined a test area (Scotland campaigners) by using a smart group with a post code REGEX.
  • We have defined a Drupal role of Local Coordinator which we hope to use across the whole country, as it only grants basic access.
  • We have given them CiviCRM and CiviMail access only.
  • We have created a user called Scotland Admin and assigned it this role.
  • We have defined a Scotland admin group in Civi and made Scotland Admin a member.
  • We have created an ACL role called Scotland admin.
  • We have mapped the ACL role to the group.

As a test and first step, I created an ACL rule which granted them View to the Scotland campaigners group. This granted them access to (nearly, things like Ubercart and custom fields were missing) complete contact records. It also let them CiviMail users. Unfortunately, we don't want these users to necessarily have access to complete contact data. At the moment it's only email, name and post code.

I've tried experimenting with profiles to achieve this, and can't seem to get a listing to appear. We could get round this by using a Drupal view (which might be the better way anyway) but this doesn't solve the mailing issue. Although the user gets access to the email addresses through the view, that doesn't translate into the group appearing under CiviMail.

Any ideas where to go from here would be very welcome

JonGold

  • Ask me questions
  • ****
  • Posts: 638
  • Karma: 81
    • Palante Technology
  • CiviCRM version: 4.1 to the latest
  • CMS version: Drupal 6-7, Wordpress 4.0+
  • PHP version: PHP 5.3-5.5
Re: Access control
September 14, 2014, 03:13:25 pm
You're right - there isn't a capability in CiviCRM at this time to use ACLs to both allow access to a contact AND to restrict access to non-custom fields.  You can restrict access to various tabs (e.g. not giving the Drupal role permissions to access CiviEvent restricts access to CiviEvent), but that doesn't help if you're trying to restrict data available on the "Summary" tab.

You're also right that you can work around this with profiles (or, as you point out, Drupal Views, which is definitely recommended for its flexibility).  But you're also right that this doesn't solve the issue of sending mailings.  I wish I had a better recommendation for you - but I don't think that the functionality you want is available without doing some custom coding.

That said - it shouldn't be TOO tough to write an extension that restricts access to the CiviCRM summary tab by ACL (or Drupal role).  If you did that, you might be able to get away with using only Views to grant access to contact data, and include a link directly to the "New Mailing" for CiviMail.

I hope someone else has an even more clever option - but if not, this one is probably the least work.
Sign up to StackExchange and get free expert CiviCRM advice: https://civicrm.org/blogs/colemanw/get-exclusive-access-free-expert-help

petednz

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4899
  • Karma: 193
    • Fuzion
  • CiviCRM version: 3.x - 4.x
  • CMS version: Drupal 6 and 7
Re: Access control
September 17, 2014, 01:19:28 am
Agree with the above - here are some other thoughts.

Your 'across the whole country' might need a rethink before the end of the week ;-)

We make a lot of use Views and Webforms to give users who we don't want in civicrm the access to find, update etc - but yes I concur that this doesn't get you to civimail.

I take it that Drupal permissions are not granular enough to get you there? Ie could you 'display' the contact data in Views and give them 'only' access to civimail?

Another couple of thoughts around other work we have done that are part of the larger picture.

Extensions
- Related Permissions and Entity Setting Helper Extension together give you an alternative to ACL via groups - by auto permissioning Relationships so that eg
A always has permission on B, and B always has permission on C.
So you can use this to make A your Scotland manager with a Relationship to B (your Scotland contact record) and have B<->C as the relationship between 'scotland' and 'its people' - and hence A can be given access to all C based on the relationships

CiviCRM Entities module
- not sure we have looked at whether this can be used to effectively lock minor admins out of civi, but the scenario i would see is give admins access to contacts via Views (built using the Permissioned Relationships above, or a Group if you don't have too many sub-levels to do this through but means each needs a unique View) and use civi-entity to  let them Email and CiviMail to their contacts
Sign up to StackExchange and get free expert advice: https://civicrm.org/blogs/colemanw/get-exclusive-access-free-expert-help

pete davis : www.fuzion.co.nz : connect + campaign + communicate

Pages: [1]
  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Support »
  • Using CiviCRM »
  • Post-installation Setup and Configuration (Moderator: Dave Greenberg) »
  • Access control

This forum was archived on 2017-11-26.