ACLs and Groups Case Study
USNC is the USA national committee for the international UN Women organization. USNC is mainly a membership-based organization. They have campaigns and events on a national level, but USNC is divided into many regional membership chapters throughout the USA.
USNC approached me in the spring of 2010 with a comprehensive plan to import over 25,000 rows of offline data consisting of: Contacts, Contributions and Memberships. CiviCRM would serve as the central data warehouse for the national organization.
After this import, the national staff were trained on CiviCRM and learned how to view and update all national and chapter data. USNC hoped their new online CiviCRM database resource could eventually be extended to volunteers and various chapters throughout the USA, but they wanted to proceed with caution.
After some discussion, these rules were established.
- Only admins (leaders) at each Chapter can access CiviCRM.
- Chapter admins should only be given access to CiviCRM data relevant to their own chapter.
- Chapter admins should have the ability only to view data, not to change it.
This is easily accomplished using User Permissions in Drupal. We created a role for each chapter in Drupal and set appropriate permissions to: access CiviCRM, access CiviContribute, access CiviMember. Edit and delete permissions were avoided.
First we needed to associate members with a chapter, and give new members using the online contribution form the ability to select their own chapter. We did this with a Custom Data field.
Secondly we create a Smart Group using this Custom Data field as the criteria. Now each Contact who selects a chapter will show up in the Smart Group for that chapter automatically.
Next we create static Groups for each of the Chapters, and place the Contacts who are admins (leaders) into those groups.
Through Access Control (ACL) in CiviCRM, we create links between:
- the Drupal Role for each chapter admin to...
- ...the CiviCRM static Group for each chapter's admins to...
- ...the CiviCRM Smart Group for all the chapter members
While creating the ACL, we only allow “View”, not “Edit”.
Chapter admins (leaders) can view Contacts, Members, and Contributions, but only those relevant to their own chapter. It's illustrated here by the Georgia admin, with only a few hundred results when they do a full search.
National staff and admins can view all Contacts, Members and Contributions – and their results are over 7000.
It's generally not advisable for the staff to create and edit their own ACLs since it is sort of complicated. When a new chapter is started (an event that happens a few times per year) we are hired to do the ACLs and make sure it's dialed in right.
Since ACLs rely heavily on Groups in CiviCRM, there are a lot of groups on the Manage Groups page. Since each ACL requires a pair of groups, we reached a few dozen groups quite quickly. There is only one permission for editing Groups, and most staff at some point have the need to edit or create a group that is not ACL-related. We can't very well remove their permission to edit all groups, so we've come up with a naming system and train everyone to not delete the ACL groups. So far we haven't run into any trouble.
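A periodic audit can catch the two failure modes described above: an ACL that drifts from the role, admin group, member Smart Group, View-only chain, and an ACL group that someone deleted. The sketch below is an added example, not CiviCRM code or the code used on this project; it works on a simplified in-memory model, and the role names, the "ACL - chapter - kind" naming convention and the Texas and Ohio sample data are assumptions made up for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    role: str          # Drupal role granted to a chapter's admins
    admin_group: str   # static CiviCRM group holding those admins
    member_group: str  # Smart Group of that chapter's members
    operation: str     # "View" or "Edit"

def group_name(chapter, kind):
    # Hypothetical naming convention; the page does not give the real one.
    return f"ACL - {chapter} - {kind}"

def audit_acls(chapters, acls, existing_groups):
    """Return findings; an empty list means every chapter is wired as described."""
    findings = []
    for chapter in chapters:
        role = f"{chapter} chapter admin"  # hypothetical role name
        rules = [a for a in acls if a.role == role]
        if not rules:
            findings.append(f"{chapter}: no ACL for role '{role}'")
        for acl in rules:
            if acl.operation != "View":
                findings.append(f"{chapter}: ACL grants {acl.operation}, expected View only")
            if acl.admin_group != group_name(chapter, "admins"):
                findings.append(f"{chapter}: unexpected admin group '{acl.admin_group}'")
            if acl.member_group != group_name(chapter, "members"):
                findings.append(f"{chapter}: exposes '{acl.member_group}', not its own members")
            for group in (acl.admin_group, acl.member_group):
                if group not in existing_groups:
                    findings.append(f"{chapter}: group '{group}' is missing (deleted?)")
    return findings

# Constructed sample data: Georgia is wired correctly, Texas points at another
# chapter's members with Edit rights, and Ohio's member group has been deleted.
CHAPTERS = ["Georgia", "Texas", "Ohio"]
ACLS = [
    Acl("Georgia chapter admin", group_name("Georgia", "admins"), group_name("Georgia", "members"), "View"),
    Acl("Texas chapter admin", group_name("Texas", "admins"), group_name("Georgia", "members"), "Edit"),
    Acl("Ohio chapter admin", group_name("Ohio", "admins"), group_name("Ohio", "members"), "View"),
]
GROUPS = {group_name(c, k) for c in CHAPTERS for k in ("admins", "members")}
GROUPS.discard(group_name("Ohio", "members"))

if __name__ == "__main__":
    for finding in audit_acls(CHAPTERS, ACLS, GROUPS):
        print(finding)
```
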