This example demonstrates how access to certain data can be controlled by combining groups with sharing rules.
Let us assume we have a sales team as shown in the organization chart in figure: Example Sales Team 2. The sales manager is the supervisor of Persons 1 to 4, who are organized in Teams A and B, and of the sales assistant. The sales assistant supports the sales teams.
Let us assume we want to have the following rules for Leads implemented:
Person 1-4 have the permission to create Leads which are owned by any person or by the Team A or B.
Person 1-4 have Read/Write privileges to all Leads regardless of who owns them.
The Sales assistant has Read/Write privileges to Leads of the Team A only and cannot access the Leads of Team B.
The Sales manager has all access privileges to all Leads.
In order to implement these rules we set the following privileges:
We need one profile for Persons 1-4 and the Sales manager, called Sales, which should include all CRUD privileges. In addition, we need a profile for the Sales assistant, called Assistance, which should have the Edit all check box under Global Privileges deactivated. Besides, the Delete permission for the Leads module must be deactivated, too.
We need one role for the Sales manager called Manager, one subordinated role for the Sales assistant called Salesassistant and one subordinated role for all Persons 1-4 called SalesAll. The roles Manager and SalesAll are based on the Sales profile whereas the role Salesassistant is based on the Assistance profile.
We create a group called Team A with the members Person 1 and Person 2 and a group called Team B with the members Person 3 and Person 4. We create a group called Assistant with the user Sales assistant as the only member.
Note: As described in section: Sharing Access, sharing rules cannot be specified to share data between users. Since we want to use sharing rules for the Sales assistant, we have to create an additional group with only one member.
We set the Global Access Privileges for Leads to private. As a result, users cannot access other users' Leads.
1. Leads of Group Team A can be accessed by Group Team B; we set the access privilege with Read/Write permission.
2. Leads of Group Team B can be accessed by Group Team A; we set the access privilege with Read/Write permission.
3. Leads of Group Team A can be accessed by Group Assistant; we set the access privilege with Read/Write permission.
4. Leads of Group Team A can be accessed by Group Team A; we set the access privilege with Read/Write permission.
5. Leads of Group Team B can be accessed by Group Team B; we set the access privilege with Read/Write permission.
Note: Since we have set the Global Access Privileges for Leads to private, Rules 4 and 5 are necessary so that the group members of Team A and B can see each other's Leads.
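The sharing rules of this first example can be checked against its requirements with a small model. The Python sketch below is an added illustration, not crm-now code. It assumes that Leads are private by default, that a rule for "Leads of Group X" covers Leads owned by X itself or by any member of X, and it does not model profiles or the role hierarchy (so the Sales manager is left out).

```python
# Added illustration: a simplified model of the first example's sharing rules.
# Assumptions (not from crm-now's code): Leads are private by default; a rule
# "Leads of group X can be accessed by group Y" covers Leads owned by X itself
# or by any member of X; profiles and the role hierarchy are not modelled.
GROUPS = {
    "Team A": {"Person 1", "Person 2"},
    "Team B": {"Person 3", "Person 4"},
    "Assistant": {"Sales assistant"},
}
RULES = {  # rule number -> (owning group, accessing group, permission)
    1: ("Team A", "Team B", "rw"),
    2: ("Team B", "Team A", "rw"),
    3: ("Team A", "Assistant", "rw"),
    4: ("Team A", "Team A", "rw"),
    5: ("Team B", "Team B", "rw"),
}
LEVEL = {"none": 0, "ro": 1, "rw": 2}

def lead_access(user, owner, rules=RULES):
    """Best access ('none', 'ro', 'rw') that `user` gets on a Lead owned by `owner`."""
    if user == owner:
        return "rw"  # the owner always reaches their own Lead
    best = "none"    # private default: nothing unless a rule grants it
    for owning, accessing, perm in rules.values():
        covers_owner = owner == owning or owner in GROUPS[owning]
        if covers_owner and user in GROUPS[accessing]:
            best = max(best, perm, key=LEVEL.get)
    return best

def violations(expected, rules=RULES):
    """Return the (user, owner) pairs whose computed access differs from `expected`."""
    return [(u, o) for (u, o), want in expected.items()
            if lead_access(u, o, rules) != want]

# Requirements from the page, spelled out for a few constructed user/owner pairs.
EXPECTED = {
    ("Person 1", "Person 2"): "rw",
    ("Person 1", "Team B"): "rw",
    ("Person 3", "Person 1"): "rw",
    ("Sales assistant", "Team A"): "rw",
    ("Sales assistant", "Person 2"): "rw",
    ("Sales assistant", "Team B"): "none",
    ("Sales assistant", "Person 4"): "none",
}

if __name__ == "__main__":
    print("all rules:", violations(EXPECTED))
    rules_1_to_3 = {n: r for n, r in RULES.items() if n not in (4, 5)}
    print("rules 1-3 only:", violations(EXPECTED, rules_1_to_3))
```

Running the check with Rules 4 and 5 removed reports the Person 1 / Person 2 pair as a mismatch, which is the case the note above describes.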
As a modification to the example above, let us assume we want to have the following rules for Leads implemented:
Person 1-4 have the permission to create Leads that are owned by any person or team.
Person 1-2 have Read/Write privileges to all Leads owned by Person 1-2 and Team A. They have Read only permissions to Leads owned by Person 3-4 or Team B.
Person 3-4 have Read/Write privileges to all Leads owned by Person 3-4 and Team B. They have Read only permissions to Leads owned by Person 1-2 or Team A.
The Sales assistant has Read privileges to all Leads.
The Sales manager has all access privileges to all Leads.
In order to implement these rules we set the following privileges:
We need only one profile, called Sales, which should have the Edit all check box under Global Privileges deactivated.
We need one role for the Sales manager called Manager, based on the Sales profile.
We need one subordinated role for the Sales assistant called Salesassistant, based on the Sales profile.
We need one subordinated role for Person 1 and Person 2 called Team A, based on the Sales profile.
We need one subordinated role for Person 3 and Person 4 called Team B, based on the Sales profile.
As a result, the roles Salesassistant, Team A, and Team B are on an equal hierarchical level subordinated to the Manager role.
We create a group called Team A with the members Person 1 and Person 2 and a group called Team B with the members Person 3 and Person 4. Note that the Sales manager has to be included in both groups since groups of users are independent of the role-based hierarchy and he will need access to the Leads assigned to Team A as well as Team B. We create a group called Assistant with the user Sales assistant as the only member.
Note: As described in section: Sharing Access, sharing rules cannot be specified to share data between users. Since we want to use sharing rules for the Sales assistant, we have to create an additional group with only one member.
This prevents users from accessing other users' Leads.
1. Leads of Role Team A can be accessed by Role Team B; we set the access privilege with Read Only permission.
2. Leads of Role Team B can be accessed by Role Team A; we set the access privilege with Read Only permission.
3. Leads of Role Team A can be accessed by Role Salesassistant; we set the access privilege with Read Only permission.
4. Leads of Role Team B can be accessed by Role Salesassistant; we set the access privilege with Read Only permission.
5. Leads of Role Manager can be accessed by Role Salesassistant; we set the access privilege with Read Only permission.
6. Leads of Role Team A can be accessed by Role Team A; we set the access privilege with Read/Write permission.
7. Leads of Role Team B can be accessed by Role Team B; we set the access privilege with Read/Write permission.
© 2004-2011 crm-now GmbH, Berlin, Germany