CiviCRM Community Forums (archive)

Hi there

I have some questions about an implementation for an advocacy group. We have a core admin team who have full access to CiviCRM, which is fine. We wish to delegate some access to a wider team of 'local coordinators'. These are volunteers around the country who liaise with local volunteers on the ground, organise leafleting and campaigning, etc. We want them to have access to restricted data, and to send emails, only to people within their local area.

• We have defined a test area (Scotland campaigners) by using a smart group with a post code REGEX.
• We have defined a Drupal role of Local Coordinator which we hope to use across the whole country, as it only grants basic access.
• We have given them CiviCRM and CiviMail access only.
• We have created a user called Scotland Admin and assigned it this role.
• We have defined a Scotland admin group in Civi and made Scotland Admin a member.
• We have created an ACL role called Scotland admin.
• We have mapped the ACL role to the group.

As a test and first step, I created an ACL rule which granted them View to the Scotland campaigners group. This granted them access to (nearly, things like Ubercart and custom fields were missing) complete contact records. It also let them CiviMail users. Unfortunately, we don't want these users to necessarily have access to complete contact data. At the moment it's only email, name and post code.

I've tried experimenting with profiles to achieve this, and can't seem to get a listing to appear. We could get round this by using a Drupal view (which might be the better way anyway) but this doesn't solve the mailing issue. Although the user gets access to the email addresses through the view, that doesn't translate into the group appearing under CiviMail.

Any ideas where to go from here would be very welcome

Agree with the above - here are some other thoughts.

Your 'across the whole country' might need a rethink before the end of the week ;-)

We make a lot of use Views and Webforms to give users who we don't want in civicrm the access to find, update etc - but yes I concur that this doesn't get you to civimail.

I take it that Drupal permissions are not granular enough to get you there? Ie could you 'display' the contact data in Views and give them 'only' access to civimail?

Another couple of thoughts around other work we have done that are part of the larger picture.

Extensions
- Related Permissions and Entity Setting Helper Extension together give you an alternative to ACL via groups - by auto permissioning Relationships so that eg
A always has permission on B, and B always has permission on C.
So you can use this to make A your Scotland manager with a Relationship to B (your Scotland contact record) and have B<->C as the relationship between 'scotland' and 'its people' - and hence A can be given access to all C based on the relationships

CiviCRM Entities module
- not sure we have looked at whether this can be used to effectively lock minor admins out of civi, but the scenario i would see is give admins access to contacts via Views (built using the Permissioned Relationships above, or a Group if you don't have too many sub-levels to do this through but means each needs a unique View) and use civi-entity to  let them Email and CiviMail to their contacts