Author Topic: Access Control CiviCRM vs. Drupal (Read 1466 times)

Bill Scheurer · September 19, 2008, 01:00:39 pm

We are trying to give certain users access to all the data for contacts in a target group.

We created Drupal users with defined "roles" within Drupal permissions. We created "ACL roles" within CiviCRM and assigned them to the target group. We assigned users to an access control group for the target group.

These users are able to view but not edit the data for contacts in the target group.

If we set the Drupal user role permissions to "edit all" then these users can view/edit all contacts in our CiviCRM database, not just those in the target group.

So, we are missing how to manage the interaction between the Drupal and CiviCRM access control features. We cannot find how to make them work together.

(Is there some basic book on CiviCRM we can read? The online resources are wonderful, but not structured in the same way as a book.)

Denver Dave · September 19, 2008, 10:13:22 pm

Perhaps the concept of an online / real time study group might work - by phone conference or www.BlogTalkRadio.com

Discussion here:
http://forum.civicrm.org/index.php/topic,1490.0.html

Dave Greenberg · September 22, 2008, 02:02:13 pm

Bill - The Drupal role permissions "trump" the CiviCRM ACL's - so if you give someone "edit all contacts" in Drupal, they will have that permission regardless of the ACL Role(s) assigned to their ACL Group.

The setup that should do what you want (as tested in 2.1) is:
* Create Drupal role and assign "access CiviCRM" plus any other permissions that you want to give them for component functions (e.g. contributions etc.) PLUS "add contact". (NOTE: The fact that you need to include 'add contact' for this case could be considered a bug and we are fixing for 2.2 - but for now you need to include it.).
* Do NOT assign any of these permissions:
- edit all contacts
- view all contacts

Now verify the ACL piece (which I suspect you have set up correctly):
* An ACL to allow 'Edit' on the 'target group'.
* An ACL Role for this ACL, assigned it to the 'ACL Group' that your permissioned users are in

If this still doesn't work - try deleting all records in civicrm_acl_cache. We've fixed a few cases where this 'cache' wasn't updated when ACL configurations were changed.

Finally - it would be really helpful once you've got your arms around this to add / modify the doc in this section to make it clearer (i.e make it "useful" to someone who is figuring this out as you have been doing).

http://wiki.civicrm.org/confluence/display/CRMDOC/Assign+Users+to+Roles

Dave Greenberg · September 23, 2008, 03:14:56 pm

Quote

How do I delete all records in civicrm_acl_cache?

You have to do this manually via MySQL command line or phpMyAdmin. The SQL statement is:

Code: [Select]

delete from civicrm_acl_cache;

CiviCRM Community Forums (archive)

News:

Author Topic: Access Control CiviCRM vs. Drupal (Read 1466 times)

Bill Scheurer

Access Control CiviCRM vs. Drupal

Denver Dave

Re: Access Control CiviCRM vs. Drupal

Dave Greenberg

Re: Access Control CiviCRM vs. Drupal

Dave Greenberg

Re: Access Control CiviCRM vs. Drupal