This documentation refers to an older version of CiviCRM (3.4 / 4.0). View latest version.

Aller directement à la fin des métadonnées
Commentaire: Migrated to Confluence 4.0
Aller au début des métadonnées
This page refers to CiviCRM 3.4 and 4.0, current STABLE version.

Documentation Search

CiviCRM 3.4 and 4.0 Documentation

Support and Participation

Developer Resources

CiviCRM books!

Make sure to check out the FLOSS Manual Understanding CiviCRM as well! You can also support this project by ordering a hard copy.

Or support us by buying an eBook or hard copy of Using CiviCRM from Packt Publishing.
Return to Access Control Main Page
Access Control not Available in Joomla! 1.5 / CiviCRM 3.x Installations

Access Control functionality is not available for CiviCRM in Joomla! for CiviCRM 3.3 and earlier. Access control for Joomla! will be available in CiviCRM 4.0 with Joomla 1.6.

Context - Uses for Permissions, Roles and Access Rules

Access Control is used to control access to CiviCRM data and functionality. This is done through Access Control Lists (ACL's). An ACL consists of:

1. A Role that has permission to do this operation ('Administrator', 'Team Leader'),
2. An Operation (e.g. 'View' or 'Edit'), and
3. A set of Data that the operation can be performed on (e.g. a group of contacts)

EXAMPLE: "Team Leaders" (Role) can "Edit" (Operation) all contacts in the "Active Volunteers Group" (Data).

CiviCRM provides built-in access control for contact groups, profiles and custom data.

CiviCRM for Drupal includes additional access control features for specific tasks (Administer, Import, etc.), and for component data (contributions, membership, and events). It should be noted that in Drupal you only need to use CiviCRM's ACLs if you wish to control access of certain contacts to certain groups; if you simply want to control the types of data and actions a user can see/perform you can use the Drupal permissions Administer » User Management » Access Control.

Overview - Built-in CiviCRM Access Control

CiviCRM's built-in Access Control is managed by Access Control Lists (ACL's). ACL's allow you to control who can view and edit specific contact groups, specific profiles and/or specific sets of custom data. 

For example, you might want to allow only staff on your Development Team to view or edit contacts in your "High Value Donor" group. The basic steps for this are:

  1. Create a group ("Development Team") - Manage Groups.
  2. Add development team contacts to the group - Add Members to Group.
  3. Create an ACL Role ("Development") - Administer CiviCRM » Access Control » Manage Roles » New ACL Role.
  4. Create an ACL (a "permission") which allows the "Edit" operation on the "High Value Donor" group for the "Development" role - Administer CiviCRM » Access Control » Manage ACLs » New ACL.
  5. Assign the "Development" role to users in the "Development Team" group - Administer CiviCRM » Access Control » Assign Users to CiviCRM Roles » New Role Assignment.

If you are having trouble with getting Permissions to work like you think they should, the first step is to look at your Drupal user Permissions. For example, if you want to prevent a CiviCRM user from editing another contact's record and adding or removing them from an ACL group then you have to uncheck (or disable) "View All Contacts" AND "Edit All Contacts" in the Drupal Permissions for that user role. Then go into CiviCRM Access Control and give that role Edit or View permissions. In order to filter out the ACL Groups to prevent users from adding or removing contacts to ACL Groups jump over to the forum and check this topic out on how to do that: http://forum.civicrm.org/index.php/topic,14595.0.html. This blog post by Gregory Heller also provides a detailed step-by-step guide for controlling access to "sensitive" sets of custom fields.

Overview - Drupal Access Control

Users and Contacts

"Users" is the name Drupal and Joomla use to describe either people who have an account and can log into the website (authenticated/registered user), or a website visitor who has not logged in (anonymous/public user). In CiviCRM, "users" refers to anyone who has been assigned a role with specific permissions to take actions in CiviCRM. "Contacts" is the name CiviCRM gives to the Individuals, Organizations and Households that you create and store in CiviCRM. For more information on the Drupal functioning, see the Drupal Handbook

PERMISSIONS

PERMISSIONS let you control what users can do on your site. Each user ROLE (see ROLES below) has its own set of permissions. View the default permissions here.

ROLES

ROLES allow you to fine tune the security and administration of Drupal. A role defines a group of users that have certain privileges as defined in PERMISSIONS. Examples of ROLES include: anonymous user, authenticated user, moderator and administrator.

You will need to decide which roles you need, based on your workflows (see PLAN)

ACCESS RULES

These rules allow you to limit accounts that are allowed to be created or logged in.

Example:
If there are staff members who you want to allow to view basic contact info, but not contribution info, you would check view all contacts and not access CiviContribute. If you do this, staff members with permissions set in this way won't see the CiviContribute tab when viewing contacts. In this example, you would also want to create a Group for those staff members you DO want to allow to access CiviContribute information. If you wanted to then restrict the permissions of the group that can access CiviContribute to say, not view contributors tagged as "High Value", you could do this through CiviCRM ACL's. You would also want to be sure you have a group that CAN access those "High Value" contributors.

Overview - How Permissions, Roles and Access Rules work

If you are giving multiple users access to CiviCRM data and tasks, it's a good idea to assign/limit which tasks and/or groups of contacts each user can manipulate. You will use ROLES and PERMISSIONS to determine what each user can see and do.

ROLES are a way of assigning one or more specific PERMISSIONS to a group. Users assigned to the ROLE are granted specific permissions assigned to the role. You can create as many roles as needed and users can be assigned to one or more roles. You can only assign ROLES to groups of contacts.

PERMISSIONS are the actual tasks which are granted to a ROLE. These may be functional - e.g. edit (all) contacts, or they may relate to a specific subset of your data, e.g. a defined group of contacts (enewsletter subscribers). You could allow only enewsletter subscribers' to view custom data (enewsletter subscriber interests) by assigning the PERMISSION "View enewsletter subscriber interests" to the ROLE of enewsletter subscriber.
Étiquette
  • Aucun