Return to Access Control Main Page
Context - Uses for Permissions, Roles and Access Rules
Access Control is used to control access to CiviCRM data and functionality. This is done through Access Control Lists (ACL's). An ACL consists of:
1. A Role that has permission to do this operation ('Administrator', 'Team Leader'),
EXAMPLE: "Team Leaders" (Role) can "Edit" (Operation) all contacts in the "Active Volunteers Group" (Data).
CiviCRM provides built-in access control for contact groups, profiles and custom data.
CiviCRM for Drupal includes additional access control features for specific tasks (Administer, Import, etc.), and for component data (contributions, membership, and events). It should be noted that in Drupal you only need to use CiviCRM's ACLs if you wish to control access of certain contacts to certain groups; if you simply want to control the types of data and actions a user can see/perform you can use the Drupal permissions Administer » User Management » Access Control.
Overview - Built-in CiviCRM Access Control
CiviCRM's built-in Access Control is managed by Access Control Lists (ACL's). ACL's allow you to control who can view and edit specific contact groups, specific profiles and/or specific sets of custom data.
For example, you might want to allow only staff on your Development Team to view or edit contacts in your "High Value Donor" group. The basic steps for this are:
Overview - Drupal Access Control
PERMISSIONS let you control what users can do on your site. Each user ROLE (see ROLES below) has its own set of permissions. View the default permissions here.
ROLES allow you to fine tune the security and administration of Drupal. A role defines a group of users that have certain privileges as defined in PERMISSIONS. Examples of ROLES include: anonymous user, authenticated user, moderator and administrator.
You will need to decide which roles you need, based on your workflows (see PLAN)
These rules allow you to limit accounts that are allowed to be created or logged in.
Overview - How Permissions, Roles and Access Rules work
If you are giving multiple users access to CiviCRM data and tasks, it's a good idea to assign/limit which tasks and/or groups of contacts each user can manipulate. You will use ROLES and PERMISSIONS to determine what each user can see and do.
ROLES are a way of assigning one or more specific PERMISSIONS to a group. Users assigned to the ROLE are granted specific permissions assigned to the role. You can create as many roles as needed and users can be assigned to one or more roles. You can only assign ROLES to groups of contacts.
PERMISSIONS are the actual tasks which are granted to a ROLE. These may be functional - e.g. edit (all) contacts, or they may relate to a specific subset of your data, e.g. a defined group of contacts (enewsletter subscribers). You could allow only enewsletter subscribers' to view custom data (enewsletter subscriber interests) by assigning the PERMISSION "View enewsletter subscriber interests" to the ROLE of enewsletter subscriber.