CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.

Author Topic: View vs Edit, why can't I restrict to view only?  (Read 663 times)

vmantese

  • I’m new here
  • *
  • Posts: 19
  • Karma: 1
  • CiviCRM version: 4.5.5
  • CMS version: Wordpress 4.1
  • MySQL version: 5.6.21
  • PHP version: 5.6.3
View vs Edit, why can't I restrict to view only?
January 15, 2015, 07:16:22 am
**See reply#5 for solution below**

Hi all,
First time here, I did look over a lot of the boards and wiki for this but I can't seem to find anything.

I'm running the latest version of CiviCRM and WordPress and I'm trying to set up the following.

A group of contacts, let's call it 'Secret Agents'
I'd like to enable the group 'Security Clearance Alpha' to VIEW but not EDIT the Secret Agents group.
Finally I'd like to give the group 'Security Directors' the ability to EDIT and VIEW the Secret Agents and Security Clearance Alpha group, them ONLY (and anyone with a higher permission access, e.g. administrators)

And yes, we are a peaceful non-profit, I swear.
V

***EDIT: After Coleman's response I realized my question was missing details, please see my next post (#3) for update. Thank you **
**2ND EDIT: Added solution header**
« Last Edit: January 16, 2015, 02:32:13 pm by vmantese »

Coleman Watts

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 2346
  • Karma: 183
  • CiviCRM version: The Bleeding Edge
  • CMS version: Various
Re: View vs Edit, why can't I restrict to view only?
January 15, 2015, 10:33:10 am
Welcome! Congrats on your first post in this forum :)

There are 2 levels of permissions in CiviCRM - there are site-wide permissions (which give different users blanket permissions like "access CiviCRM" or "administer Groups") and then there are ACLs. I think the latter is what you are looking for. You can read about it more here: http://book.civicrm.org/user/current/initial-set-up/permissions-and-access-control/

Once you've read that feel free to come back with more specific questions and we'll do our best to answer them.
Try asking your question on the new CiviCRM help site.

vmantese

Re: View vs Edit, why can't I restrict to view only?
January 15, 2015, 11:11:35 am
Thanks for the warm welcome Coleman,

I have gone through the ACL section pretty thoroughly. I did realize something that I forgot to add that will make my problem more obvious.

Let me rephrase my question:

A group of contacts, let's call it 'Secret Agents', who have a custom data field 'Secret Agent ID'
I'd like to enable the group 'Security Clearance Alpha' to VIEW but not EDIT the Secret Agents group field Secret Agent ID.
Finally I'd like to give the group 'Security Directors' the ability to EDIT and VIEW the Secret Agents Secret Agent ID.


My solution was to make sure that all members of the Security Clearance Alpha group fell under the WordPress subscriber role, which currently does NOT have access to custom field data.

Then, I wanted to give them the ability to view the Secret Agents Secret Agent ID.

So I went to

Access Control > Manage Roles :: create new 'alpha clearance' role.
then
Access Control > Assign Users to CiviCRM ACL Roles :: add all members of Security Clearance Alpha to the role alpha clearance
then
Access Control > Manage ACLs :: create a new ACL (role) alpha clearance (operation) view (type of data) custom data = secret agents secret agent ID

but I am notified that

'NOTE: For Custom Data ACLs, the 'View' and 'Edit' operations currently do the same thing. Either option grants the right to view AND / OR edit custom data fields (in all groups, or in a specific custom data group). Neither option grants access to administration of custom data fields. '

This is NOT what I want; this role should NOT be able to edit this field, solely view it. Hopefully that clarifies things, any advice?

Coleman Watts

Re: View vs Edit, why can't I restrict to view only?
January 15, 2015, 11:25:18 am
I'm hoping someone with more experience using nuanced ACLs will chime in here, but my understanding of the system is that Civi ACLs are not granular enough to do what you are asking. Mainly they are used to restrict access to an entire contact, not just one field for that contact.
I might be able to come up with a custom code snippet or two that could get you more-or-less what you're asking, but maybe someone out there has a better idea before we go down that road...

vmantese

Re: View vs Edit, why can't I restrict to view only?
January 15, 2015, 11:36:00 am
I wouldn't mind trying to write one too if necessary, all I would need is a push in the right direction, as in, is it something I could do using the API or which files would I have to modify...

Thanks,

vmantese

Re: View vs Edit, why can't I restrict to view only?
January 16, 2015, 02:30:14 pm
As an FYI to anyone else with the same issue: I've found a solution, although it is extremely clunky and ugly.

As a first step, I cloned the subscriber role to a couple of custom WordPress roles: 'limited', 'viewer', and 'editor' in my WordPress themes folder in the file functions.php:

// Load the WordPress site after making this change, then swap 'limited' for 'viewer' and load again, repeat...
add_action('init', 'cloneRole');
function cloneRole()
{
    global $wp_roles;
    if ( ! isset( $wp_roles ) ) {
        $wp_roles = new WP_Roles();
    }

    // Source role whose capabilities are copied.
    $subscriber = $wp_roles->get_role('subscriber');
    if ( ! $subscriber ) {
        return; // nothing to clone from
    }
    // Add the new role with the subscriber's capabilities (not admin caps).
    // add_role() does nothing if the role already exists.
    $wp_roles->add_role('limited', 'Limited', $subscriber->capabilities);
}

Next, navigate to CiviCRM » Administer CiviCRM » Access Control » WordPress Access Control.

Remove all permissions from all users (for a fresh slate); you will still be able to administer the site since you should be on a WordPress 'administrator' role or above.

Next, starting with the limited role, I only granted access to the Civi 'categories' such as CiviCRM, CiviEvent, CiviContribution, etc. If you do not grant these, your ACLs inside CiviCRM will do nothing.
I copied the same permissions to the viewer and editor roles and added functionality above that.

For the viewer role I added the ability to view most types of data.

For the editor role I added the ability to edit/delete/modify most types of data.


Next, I created custom Access Control Groups inside CiviCRM tailored to specific needs.

For example, if I wanted to have someone see only basic contact information and nothing else (no events etc.), I could assign them to the 'limited' WordPress role, and assign their account to the access group 'Contact Viewers Access Group', which I would assign to the ACL role 'basic contact viewers' with the ACL 'basic contact viewers' 'view' 'all groups', or a specific subgroup if I wanted to limit the scope of their view rights even more.

If I wanted to allow someone to view custom data but not edit it, I would assign them to the 'viewer' WordPress role, which I had by default given access to custom data.
If you wanted to restrict the custom data that a user could view, you would assign them to the 'limited' WP role, and grant them an ACL to 'view/edit' that custom data, but because you had not given them the explicit right to edit contact data they would not be able to edit the custom data, only view it.
It doesn't really make sense but it works. The most important thing to remember is that you need to grant access to all major categories to a WP role if you want to be able to create ACLs that do anything in that category.
E.g. even if you create an ACL granting the WP 'limited' role rights to view events, they will not be able to do this unless they have access to CiviEvent, but you do not need to specify view event info as the ACL will cover this.

If this all sounds confusing it is because it is, it takes some experimentation but strictly speaking:

users will not be able to edit unless specified under wp access control
users will not be able to view unless granted 'category access' (exceptions are custom data fields and other non CiviCRMxxx categories)

Using these rules you should get a head start and be able to get pretty granular with your controls, it may take 7 different specific ACLs but it is possible.
I do wish there was a more streamlined process for this, but for all of you out there in a similar predicament, fine tuned control is possible with patience.

Best of luck,

V


**EDIT: Sorry for the terrible formatting, I was in a rush.
« Last Edit: January 16, 2015, 02:43:05 pm by vmantese »
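
The view-only setup in the post above holds only while the 'limited' and 'viewer' WordPress roles carry no edit rights, so the following added example (not part of the original post, and not CiviCRM's own code) clones all three roles in one pass and logs any role that has picked up a capability that would break view-only. The `example_` function names are hypothetical, and the capability strings are assumed names for the CiviCRM permissions as stored on WordPress roles; check them against your own site.

```php
<?php
// Added example for the theme's functions.php; not code from the original post.
// Role slugs are the post's; the capability strings below are ASSUMED names for
// the CiviCRM permissions as stored on WordPress roles. Verify them on your site.

function example_clone_subscriber_roles()
{
    $source = get_role('subscriber');
    if (!$source) {
        return; // nothing to clone from
    }
    $clones = array('limited' => 'Limited', 'viewer' => 'Viewer', 'editor' => 'Editor');
    foreach ($clones as $slug => $label) {
        if (!get_role($slug)) { // leave an existing role and its later edits alone
            add_role($slug, $label, $source->capabilities);
        }
    }
}
add_action('init', 'example_clone_subscriber_roles');

// Return the capabilities from $forbidden that the role actually holds.
function example_forbidden_caps_held($slug, array $forbidden)
{
    $role = get_role($slug);
    if (!$role) {
        return array();
    }
    return array_values(array_filter($forbidden, array($role, 'has_cap')));
}

function example_audit_view_only_roles()
{
    // Per the post: 'limited' gets no edit rights and no blanket custom-data
    // access; 'viewer' may see custom data but must not edit.
    $policy = array(
        'limited' => array('edit_all_contacts', 'delete_contacts', 'access_all_custom_data'),
        'viewer'  => array('edit_all_contacts', 'delete_contacts'),
    );
    foreach ($policy as $slug => $forbidden) {
        $held = example_forbidden_caps_held($slug, $forbidden);
        if ($held) {
            error_log("Role '$slug' holds capabilities that break view-only: " . implode(', ', $held));
        }
    }
}
add_action('admin_init', 'example_audit_view_only_roles');
```

The audit runs on each admin page load and writes to the PHP error log, so a permission change made later in WordPress Access Control shows up without re-testing every account by hand.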


This forum was archived on 2017-11-26.