CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017.

Author Topic: Permissions, Roles and Access Rules  (Read 2883 times)

tim g.

Permissions, Roles and Access Rules
July 28, 2010, 06:03:40 pm
Hmm. My previous topic was moved to Professional CiviCRM Services (http://forum.civicrm.org/index.php/topic,14813.msg63222.html#msg63222). Which I am appreciative of because I didn't know that arm of the forums existed. However it looks like there are a lot of problems posted there and very few 'bites'.

So while I wait and see if someone takes me up on my offer to pay them I will go ahead and start a forum topic where I list my problem in more detail and attempt to resolve the problem on my own.


I have embarrassingly been trying to figure this out for over a week now (and counting). I am "an American" now living in the Philippines and tackling what I thought would be a small database project for a street ministry called He Cares Foundation (http://www.hecaresfoundation.com/).

I've successfully installed CiviCRM 3.1.4 however I have hit a small hurdle where I am trying to limit the access of users in the database to a specific group using the Access Control List. I've successfully created users that can see everything, and I've created users that can see nothing :-)

~~~~~~~~~~~~~~~
~ Ok so here 'it' goes ~
~~~~~~~~~~~~~~~

The goal: To create a user access level called "Marketers" and to further refine this role so that those assigned to it are only able to view and edit the contacts that have been specifically assigned to them.

1) I've created a Drupal Role called "Marketers". The intention of course is to limit the access of this role so that the users assigned to this are only able to view and edit the groups that are assigned to them.

2) In order to prepare for the further refinement of access to specific groups of contacts I have created the following groups within CiviCRM:
... "Group 0 Donors": Test Group (will assign contacts to this to see if I can get this correct)
... "Group 1 Donors": Higher level donors
... "Group 2 Donors": Mid level donors
... "Group 3 Donors": Smaller donations.

3) To begin with I want to use the "Group 0 Donors" as a test subject. So I am creating an "ACL Role" called "Marketer - Group 0 Donors"
Note:  There are five contacts assigned to the Group "Group 0 Donors".

4) Note: I consider this step kind of repetitive and I don't understand why 'both' an "ACL Role" and an "ACL" need to be created. In fact the "ACL Role" in step 3 above seems to be little more than a title that is to be used somewhere. In any case:
- To limit my own confusion (I hope) I created an ACL also called "Marketer - Group 0 Donors"
- This "ACL" is set to:
a) "A group of contacts"
b) "Group 0 Donors Test"
c) Operation is set to "Edit"
I've actually included a screen shot of this to answer any other questions.

... I hope this gives enough information for someone to seriously consider helping me. After all; I picked this product in hopes to do (as I have done for years) promote the FOSS and OpenSource community


« Last Edit: July 28, 2010, 06:52:31 pm by tg3793 »
* If you like any of my answers then click the little applaud link next to my picture. It kinda tickles.
“Why is it when we talk to God, we're said to be praying—but when God talks to us, we're schizophrenic?” - Lily Tomlin

Donald Lobo

  • Administrator
Re: Permissions, Roles and Access Rules
July 28, 2010, 07:13:35 pm

if i had to guess, your users in the "Marketer - Group 0 Donors" also have either "view all contacts" or "edit all contacts" permission. you might want to check that

also ensure that some enabled module is not implementing the acl hooks (which might override your UI based functionality)

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

tim g.

Re: Permissions, Roles and Access Rules
July 28, 2010, 07:52:49 pm
Thank you thank you thank you for responding :-)
Trying to sort out your response from what I understand so far.

Quote from: Donald Lobo on July 28, 2010, 07:13:35 pm

if i had to guess, your users in the "Marketer - Group 0 Donors" also have either "view all contacts" or "edit all contacts" permission. you might want to check that

also ensure that some enabled module is not implementing the acl hooks (which might override your UI based functionality)


Hmm I think you are referring to the "edit permissions" area in Drupal because that's the only area that has a "view all contacts" or "edit all contacts" permission in its listing. I'll try changing that and test the user that I've assigned to that role and see if it works.

Again thank you.

tim g.

Re: Permissions, Roles and Access Rules
July 28, 2010, 08:25:08 pm
Hmm. That doesn't seem to be quite getting it.

- If I have both "view all contacts" or "edit all contacts" permission checked then I can see 'all' of the contacts under my test user.
- If I have both "view all contacts" or "edit all contacts" permission unchecked then I can see 'none' of the contacts under my test user.

Donald Lobo

Re: Permissions, Roles and Access Rules
July 28, 2010, 09:19:54 pm

and u have associated the ACL Role: "Marketer - Group 0 Donors"  with a civicrm group whose members are users who you want to give access to the test group, right?

note that in the ACL case, drupal roles are ignored and it's all ACL roles (why and the duplicity etc is another question and a longer conversation/cleanup!)


lobo

tim g.

Re: Permissions, Roles and Access Rules
July 29, 2010, 04:30:18 am
Sorry took so long for me to respond. I had a marketing meeting this afternoon and then even that was cut short because my daughter got a fever.

Just got back to looking at this a few minutes ago.

Quote from: Donald Lobo on July 28, 2010, 09:19:54 pm
and u have associated the ACL Role: "Marketer - Group 0 Donors"  with a civicrm group whose members are users who you want to give access to the test group, right?

<slightly embarrassed laugh>  he he; I remember thinking about that last week but then that thought got lost in a cloud of other thoughts headed off in several directions ... That's why I needed an expert to bring me back to that utterly important strain of logic.

However in fairness I think it was the perceived duplicity and the "roles" in Drupal that helped guide me down a path that was amidst an oblivious fog.

I just took the following steps to follow what you were directing:
1) Created a new Group called "Group 0 Donors - Marketers"
2) Went to "Permissions" to assure that "edit all contacts" and "view all contacts" were checked and saved.
3) Added the test user (tgott) to the group "Group 0 Donors - Marketers".
4) Removed "tgott" from the other two groups that it was listed in.
5) Logged in as tgott and did a search for contacts <sigh> over five hundred contacts came up again (should only come up with the four that are a part of the "Group 0 Donors - Test").

Can't seem to pinpoint where I'm going wrong yet.
I've attached another screen shot at the bottom. Maybe you can take a look at my listings of groups to see if I am doing anything blatantly obviously incorrect.

Thanks again and again.

Donald Lobo

Re: Permissions, Roles and Access Rules
July 29, 2010, 04:58:04 am

you might want to read (and re-read) carefully the documentation here:

http://wiki.civicrm.org/confluence/display/CRMDOC32/Access+Control

briefly if u give someone "edit/view all contacts" they see all contacts

lobo

tim g.

Re: Permissions, Roles and Access Rules
July 29, 2010, 08:58:43 pm
And that "briefly" part is the one that did it for me :-) Thanks to you I have successfully limited the test user "tgott" to the five contacts that are in the "Group 0 Donors - Test"

It's been a long time since I've yelled "EUREKA!" about anything. Unfortunately it shocked my seven month old daughter a little and she cried. Which led to three or four minutes of my consoling her that daddy was just happy.

I had already read over that Access Control part of the user manual so it is really only pointers and experience that I needed. As such my appreciation continues. You had brought up the importance of the "edit all contacts" and  "view all contacts" check-boxes before which is why I had tried both enabling and disabling these areas in my earlier efforts to resolve the problem.

So the thing that really 'fixed' this for me was
Quote from: Donald Lobo on July 28, 2010, 09:19:54 pm
u have associated the ACL Role: "Marketer - Group 0 Donors"  with a civicrm group whose members are users who you want to give access to the test group, right?

But then I had failed to repeat those previous steps of reviewing the  "edit all contacts" and  "view all contacts" check-boxes. Again thanks.

With this new light shed on understanding Access Control I'll spend the rest of the day reviewing the material at http://wiki.civicrm.org/confluence/display/CRMDOC32/Access+Control and repeating the steps until I have it "down pat".
* If you like any of my answers then click the little applaud link next to my picture. It kinda tickles.
“Why is it when we talk to God, we're said to be praying—but when God talks to us, we're schizophrenic?” - Lily Tomlin
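
The four combinations tried in this thread, reproduced in a simplified Python model. This is an added example, not part of any post and not CiviCRM code. It assumes only what the posts state: a CMS-level "view/edit all contacts" permission shows every contact, and otherwise access comes from an ACL whose ACL role is linked to a group containing the user. The function names, the 520-contact data set and the treatment of "Edit" as including "View" are assumptions made for the illustration.

```python
# Simplified model of the access rules described in this thread.
# Added illustration, not CiviCRM code; all data below is constructed.
from dataclasses import dataclass

ALL_CONTACTS_PERMS = {"view all contacts", "edit all contacts"}

@dataclass(frozen=True)
class Acl:
    acl_role: str      # e.g. "Marketer - Group 0 Donors"
    target_group: str  # group of contacts the ACL applies to
    operation: str     # "View" or "Edit" (assumed: Edit includes View)

def visible_contacts(user, cms_perms, groups, role_groups, acls, contacts):
    """Contacts `user` can see. role_groups maps ACL role -> group of users."""
    # A CMS-level "all contacts" permission wins outright; ACLs only add access.
    if ALL_CONTACTS_PERMS & set(cms_perms):
        return set(contacts)
    seen = set()
    for acl in acls:
        # An ACL role that is not linked to any group has no holders.
        holders = groups.get(role_groups.get(acl.acl_role), set())
        if user in holders and acl.operation in ("View", "Edit"):
            seen |= groups.get(acl.target_group, set())
    return seen & set(contacts)

def scenarios():
    contacts = {f"contact-{i}" for i in range(520)}   # constructed data set
    test_group = {f"contact-{i}" for i in range(5)}   # five test contacts
    groups = {"Group 0 Donors - Test": test_group,
              "Group 0 Donors - Marketers": {"tgott"}}
    acls = [Acl("Marketer - Group 0 Donors", "Group 0 Donors - Test", "Edit")]
    linked = {"Marketer - Group 0 Donors": "Group 0 Donors - Marketers"}

    def count(perms, role_groups):
        return len(visible_contacts("tgott", perms, groups, role_groups,
                                    acls, contacts))
    return {
        "perms checked, role not linked": count(ALL_CONTACTS_PERMS, {}),
        "perms unchecked, role not linked": count(set(), {}),
        "perms checked, role linked": count(ALL_CONTACTS_PERMS, linked),
        "perms unchecked, role linked": count(set(), linked),
    }

if __name__ == "__main__":
    for name, n in scenarios().items():
        print(f"{name}: {n} contacts visible")
```

Only the last combination narrows the test user to the test group. When auditing a setup like this, check both settings together, since either one alone produces the "all" or "none" results reported above.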

tim g.

Re: Permissions, Roles and Access Rules
July 29, 2010, 11:51:40 pm
BTW; I was actually looking for someone to pay in order to help me do this work before. And you did it for free; so allow me to at least show my appreciation by buying you a hot cup of Sumatra, a cold Frappuccino; or anything in between.

If you don't consider this inappropriate; let me know where I should PayPal it and I'd be happy to give you this small token of thanks. ... God bless.

Donald Lobo

Re: Permissions, Roles and Access Rules
July 29, 2010, 11:59:51 pm

Would be great help to future ACL users if you can edit and clarify the ACL documentation to make it more clear. That helps improve the quality of the docs :)

if u'd like to make a contribution, you can do so here: http://civicrm.org/donate

thanx

lobo

tim g.

Re: Permissions, Roles and Access Rules
July 30, 2010, 12:49:42 am
K ... I had already made a small donation a couple of days ago but at your request I just made another one in your honor.

As far as the "ACL documentation" goes I'll add to it as soon as I think that I have come up with a useful way to clarify the documentation. I'm sure I can. It'll just take me getting to that 'moment' as previously alluded to in my other post, that I've mastered this area of "Permissions, Roles and Access Rules".


This forum was archived on 2017-11-26.