This page describes the v1.0 implementation for permissioning. All functionality is available in the sandbox as of 6/2/2005 UNLESS otherwise noted.
Permissions and Drupal Roles
For Drupal installations, user access to CiviCRM functions and record (i.e. contact) 'instances' is configured via the normal method of assigning permissions to roles, and then assigning one or more roles to users.
Functional Permissions
The following 'static' functional permissions have been implemented. Once CiviCRM is installed, they will appear under CiviCRM in the Drupal administer->access control menu, and can be assigned to one or more roles as needed:
| Permission name | Access Description |
|---|---|
| access CiviCRM | any user role which requires access to any CiviCRM functionality must have this permission assigned |
| administer CiviCRM | all CiviCRM admin tabs, including configuring relationship types, custom data, etc. |
| import contacts | import a group of contacts in batch mode |
| add contacts | create new individual, org or household records |
| edit all contacts | edit any contact record, regardless of contact attributes |
| view all contacts | view any contact record, regardless of contact attributes |
| edit groups | create new groups and edit group level properties (e.g. group name and description) |
Instance-based Permissions
Granular control over who can access which contact records is implemented via Group membership and Saved Search.
For each Group OR Saved Search in the site, two permissions will dynamically appear in Drupal administer->access control:
- view <group_name or saved_search_name> (can view any contact in this group or any contact whose properties match the saved search)
- edit <group_name or saved_search_name> (can edit AND view any contact in this group or any contact whose properties match the saved search)
Users can then be assigned roles which are granted any combination of these permissions.
Example from our sandbox
This is a snapshot of the current access control setup for the sandbox. Notice that for each 'Group' there is an 'edit' and a 'view' permission (edit encompasses view). There is also an 'edit' and 'view' permission for the Saved Search - 'Major Donors-California'.

Issues
- Currently, contacts are not assigned to group(s) until AFTER they're added. This creates a problem for users who have 'add contact' permission, but not 'view any contact' permission. Basically, they can add a contact, but can't see it after they've added it. Suggestions are welcome.
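
The static and instance-based rules above, and the add-but-cannot-view issue, modelled as an added Python example (not CiviCRM or Drupal code). The role names, the 'Volunteers' group and the function names are constructed for illustration; the model assumes a user's permissions are the union of their roles' permissions and that 'edit all contacts' implies view, as the group-level edit permissions do.

```python
# Added illustration: a model of the permission rules on this page, not CiviCRM code.

def effective_permissions(user_roles, role_permissions):
    """Union of the permissions granted to every role the user holds (assumption)."""
    perms = set()
    for role in user_roles:
        perms |= role_permissions.get(role, set())
    return perms

def can_add(perms):
    """Adding a contact needs the gate permission plus 'add contacts'."""
    return {"access CiviCRM", "add contacts"} <= perms

def contact_access(perms, contact_sources):
    """Return 'edit', 'view' or None for one contact.

    contact_sources: names of the Groups the contact belongs to plus the
    Saved Searches whose criteria it matches.
    """
    if "access CiviCRM" not in perms:
        return None  # required for any CiviCRM functionality
    # Assumption: 'edit all contacts' implies view, like the per-group edit.
    if "edit all contacts" in perms or any(f"edit {s}" in perms for s in contact_sources):
        return "edit"  # edit encompasses view
    if "view all contacts" in perms or any(f"view {s}" in perms for s in contact_sources):
        return "view"
    return None

# Constructed sample roles; 'Major Donors-California' is the sandbox Saved Search.
ROLE_PERMISSIONS = {
    "data entry": {"access CiviCRM", "add contacts", "view Volunteers"},
    "fundraiser": {"access CiviCRM", "edit Major Donors-California"},
}

def demo():
    entry = effective_permissions(["data entry"], ROLE_PERMISSIONS)
    both = effective_permissions(["data entry", "fundraiser"], ROLE_PERMISSIONS)
    return {
        "can_add": can_add(entry),
        # A contact that was just added belongs to no group yet.
        "new_contact": contact_access(entry, []),
        # Once it is placed in a group the role can view, it becomes visible.
        "after_group": contact_access(entry, ["Volunteers"]),
        # Matching a Saved Search grants the dynamic 'edit' permission.
        "donor": contact_access(both, ["Major Donors-California"]),
    }

if __name__ == "__main__":
    print(demo())
```

The `new_contact` result is the case listed under Issues: the role may add the record, yet nothing grants access to it until a group is assigned.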

