Permissions condition customization

krzaq4

Hi there everybody,
for some time I'm trying to construct criteria in record browser permissions. I added Contacts/Access (from Common data) to both 'Companies' and 'Contacts' recordsets and I need to create condition where companys are displaying only if their Contacts/Access group is the same as currently logged in contact.

Is there any way to achieve this? Or maybe my approach is incorrect?
Any ideas? I'd really appreciate any help!

Cheers
Michal

ajb

Hi,

but wait... Contacts/Access is already assigned to user/contact. In permissions management you have option to choose required clearance. You can create different rules for Manager and Employee clearance. Use mentioned field, that you've created for company to specify crits. Clearance:Manager -> Crits: <your field with Contacts/Access> = manager. Clearance:Employee -> Crits: <...> = employee.

Unfortunately it will multiply your permissions rules...

Regards,
Adam

krzaq4

Thanks for fast reply! I think that I didn't explain what I want to achieve correctly 😉

Let's consider situation where I have Companies and Contacts, and I want to allow viewing, editing and adding of companies to users according to what group they are in. Is there any possibility to create such a criteria in Companies? Especially when you create some restrictions in Comapny recordset, you've got access to Company fields only? Right? Correct me if I'm wrong 🙂

Cheers, Michal

ajb

I was writing about companies permissions. Go to Menu -> Admin -> RecordBrowser -> Select "Companies" -> Tab "Permissions".
By default every employee has access to companies. Delete all rules and add only those that you want. Clearance is obtained from Contacts/Access. So create desired group in this commondata array, and then create appropriate rules for add, edit, view, delete. Use your custom field that you've added to company as crits.

Unfortunately there is one limitation in such permissions. You cannot set default value for any field from GUI (only in code 🙁 ). So you can't disable "group" field for company in add mode.

Please have a look at this topic.

Regards,
Adam

krzaq4

Hi!

But what about such situation:
I created a new recordset named "Departments", now I got it listed here in record browser:

Now 'Departments' fields:

And here from commmon data 'Departments_Groups':

I added "department::depname;::" to both 'Companies' and 'Contacts'.

To each department record I added some users, as in here:

Now I want to filter companies accordingly to what departments are added to particular company and particular user. For example I add Contact#1 to Department#1, then I add Department#1 to to Company#1 and I want to have only this company listed if I'm logged in as this contact.

How to do it beacouse it doesn't work 🙁

It actually filter companies, but I receive weird presentation with blank company name and other fields listed in browse:

I'll really appreciate any help with this!

Regards,

Michal

edit:::

I removed department:Depname from Contacts as it's redundant, I control this in departments, where I'm adding Contacts to.

jasiek

Michal,

First of all EPESI's Record Browser permission system handles this kind of access automatically. There is no need to write custom module to accomplish this goal.
First you create a company. Then assign to this company contacts. This is your first (main) company and every user/contact is your employee.
There are 2 levels of access defined by default, or rather 3: employee, manager and none (if left empty).
Employee can create records, edit and delete them. But employee can not delete records created by other users.
Managers can delete all records by default.
If set to none a user can access only his/her own record and his own company (a company to which he/she was assigned).
Then you can easily modify rules using Record Browser's permission system or create new access level in addition to employee and manager - for example "customer" and create new rules.

By default every employee can see all companies in the database, but this can be easily changed via admin -> Record Browser Permissions tool.

When you create new company and add several contacts/users to it you can easily restrict access to certain records. An example of this is Account Manager module (optional under CRM module). Whit this module you can set Access Permissions to show a user only these companies to which this user was assigned as Account Manager. Look at this example:

Permissions

As you can see here - if a user has no access level assigned (All users = not specified access level) then this user can delete only companies created by him/her: Created by is equal to User Login. Also look at View criteria - this user will see only his/her own company.
These criteria can be easily modified using this GUI tool without writing a line of code. I explained also how to create new access levels in this post: viewtopic.php?f=8&t=1077&hilit=+access

Several versions ago we decided to abandon the idea of Main Company in favor of multiple companies. There is a module called Parent Company where you can build a hierarchy of companies/departments. If the Parent Company field is left blank it means that this is a Mother company. If this field is not empty than it means that the company is a Child of the Parent Company.
Therefore what you are building is redundant in my opinion.

Optional CRM modules

You write in the first post:
[quote:2cx8imd2]I need to create condition where companys are displaying only if their Contacts/Access group is the same as currently logged in contact. [/quote:2cx8imd2]

Let me rewrite it:
You want to restrict access to these companies only to which a user is set as an Account Manager.

If you need different set of rules you may want to construct a different set of permissions, but the way you are trying to achieve is not clear to me and questionable.

Maybe you can elaborate more on this subject so that I can understand better what you are trying to accomplish?

krzaq4

Hi, I installed 'Parent Company' and 'Account Manager' as you advised. I created couple child-companies - in my case these are my departments now - and I say that you're right about redundancy of what I was doing. Actually I needed to modify it a little bit, making 'account manager' record as multiselect, so I can assign more than one user to sub-company. But one thing that still isn't the way I'd like is presentation of Companies and sub-companies, which now is not as clear is it would be if my idea of 'Departments' recordset would work. It would be just great - and here is my new question 😉 - if I could present it in way 'Advanced module view' is organised - tree alike way. Is it possible to modify templates to do so?

Though I am still thinking why I had this weird problem with no-value/blank records listed in data table? Any thoughts? It would be helpful if anyone would like to create similar data structure - with custom recordset - to achieve maybe some other fuctionality.

Once again thank you for your time and of course help you provided me this far, I really appreciate it!

Regards, Michal

jasiek

Hi,
I am glad it worked for you, even though I still don't understand exactly what kind of restrictions you want to put in place.
There are number of ways to accomplish the same result - now when I think of this, after you wrote that you changed the Account Manager field to multiselect - it seems to me that just Parent Company module would be sufficient:
Create the Parent Company - let's say "ABC Company Headquarters" and create contacts and users for this company.
Then create subcompanies - you can call them Departments if you like and you can also rename this using built-in translation tool 🙂
Create again contacts/users for each department/subcompany.
Setup access rights that the employee can see only his/her own company (or create new access level for example "user" which will be a little bit more flexible). This way a user from the department will see only his own company and contacts, but if the user has access rights "employee" he/she can see all contacts and all companies.

The Account Manager module adds additional flexibility: a user with "user" (limited access) rights can see his/her own company/contacts plus all companies of which he/she is the Account Manager of plus all contacts from these companies. Multiselect will give you additional options, but you can also restrict access using other criteria - for example a user will see only companies which matches the zone (state, województwo), or the same Postal (zip) code... Possibilities are endless.

One of our installation setup for an organization that provides medical services needs to comply with US HIPPA regulations which are very strict. We have Medical Provider level and Patients. A user who is not a Medical Provider can see some basic contact info, but none of the medical records. Medical Provides user can see medical info but only for patients to which he/she is assigned. Medical Provider manager can see all records and assign rights as well.

As for the tree-like view of companies - we don't have the option to create organization hierarchy chart. If you would like to see something like this you need to write a special module. For us it is sufficient to use the "tab" (add-on) called Child Companies. If this tab is empty it means it has no child companies. On the other hand if the Parent Company field is empty it means that this is the top-level company.

I hope that this explanation will help you and will clarify even more Advanced Permissions system built into Record Browser engine.

krzaq4

Hi again,
you're right that epesi functionality covers a lot use cases, now after I took a closer look a it, I see it is really true. You exactly got it if about what I wanted to accomplish. I think that only one thing is presentation of data along with priviliges. So for example it is very annoying for me that when I list all companies I get parent companies and child companies together. But since my last post I changed some more things, like I added child companies multiselect. I wrote a function in contactsCommon to retrieve only child companies and I list them in multiselect. I'll write trigger in DB for autocompleting those. I already created a trigger that controls adding of favorite companys basing on company has parent or not, then I turned the default view of companies to "favorites", added "child companies" to datatable listing and now I got presentation I want. I just need to disable "favorites|watched|recent" combobox or find a better way to filter my results on datatable.

That's how companies look in recordbrowser

And that's how they look like for user (note that filtering to favorites must be turned on).

Thanks for everything!
Have a nice weekend!

Regards,
Michal

Epesi ENS | Epesi Academy | epesi.cloud PaaS | GitHub

Help Me! | Download from SourceForge