Field level access control

Hi,
Can you explain how to create field level access control in SuiteCRM? Is there any plug-in like in SugarCRM? If you have a plug-in for field level access control, then please share the link.
If we achieve it using code, then how do we code it?

Thank you

I’ve seen this requested before, but to my knowledge, it’s not possible, and there is no plug-in for that (although you can always search the SuiteCRM Store - if it exists, it’s there).

Normally you can find ways to achieve the same business requirements without this feature, but of course that depends on your specific case.

Hi everybody,
I found a solution to handle the field level access. I’m gonna show you my case.
I added a custom field “cost” to the Project Task Module. Users belonging to the group “Professionisti” can access the Project Task Detail View and have just the “view” permission, set as usual under Security Suite. Well, now I want to hide just the custom field “cost” from them, nothing else.
In custom/modules/ProjectTask/metadata/detailviewdefs.php, under the “cost” definition, I add the “hideFrom” array:


array (
 0 =>
  array (
   'name' => 'cost_c',
   'label' => 'LBL_COST',
   'hideFrom' => array('Professionisti',[OTHER GROUPS]),
   ),
...

The “hideFrom” array holds all the names of the groups I want my custom field to be hidden from. This change should be upgrade-safe if I’m not wrong.
After that, I make my Custom Detail View with my own display() method:


//custom/modules/ProjectTask/views/view.detail.php
if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');

require_once('include/MVC/View/views/view.detail.php');

class CustomProjectTaskViewDetail extends ViewDetail
{

  public function display(){

    require_once 'modules/Administration/QuickRepairAndRebuild.php';
    $repair = new RepairAndClear();
    $repair->show_output = false;
    $repair->clearThemeCache(); //Always clear theme cache

    global $current_user;
    $userGroups = SecurityGroup::getUserSecurityGroups($current_user->id);

    // Walk panels -> rows -> fields of the detail view definitions by reference,
    // so that a field can be removed from the layout in place
    foreach ($this->dv->defs['panels'] as &$panel) {
      foreach ($panel as &$row) {
        foreach ($row as &$field) {
          if(is_array($field) && array_key_exists('hideFrom', $field)){
            foreach ($userGroups as $group) {
              if(array_search($group['name'], $field['hideFrom']) !== false){
                $field = ''; //hide the field
                break;
              }
            }
          }
        }
      }
    }
    unset($panel, $row, $field); //release the references left behind by foreach-by-reference

    parent::display();
  }

}

As the first step, I need to clear the theme cache because our view is dynamic now, and we cannot use the cached version (thanks to this post). After that, I get the current user’s groups and look for them in the “hideFrom” array, which is loaded into the view object by the predisplay() method. If I find a group in the blacklist, I delete that field from the layout definitions. In the end, I call the display() method.
If you want to hide other fields, just do the same additions in the view definition file.

Hope this helps.
Bye

Thanks for that, it looks clean and useful.

A couple of questions come to mind -

  1. You could probably make the cache cleaning conditional - clean only if ‘hideFrom’ intersects with fields array, meaning: only if we have something to hide.

  2. I am assuming you used code from the current ViewDetail function to start your own override code. Where exactly is that located? I am wondering if we couldn’t just put this into the core code and make it a generic feature for everyone… that would be quite cool.

Hello pgr,
really thank you for your interest!

  1. You are right. The cache cleaning part should be placed inside the ‘if condition’, but if I put it there, I get an unexpected behavior: imagine that I open the project task detail view as administrator (I can see everything), and after that, I log out and log in as one of the groups that I would like to hide something from. Well, I still see the field that should be hidden, and after one refresh of the page, sometimes two, the field disappears. Cleaning the cache each time fixes the problem. This is just a workaround; do you have any idea why? It seems that something is cached anyway if I do not clean the cache each time.

  2. I extend the Module Detail View with mine. Anyway, I am working on making the code clearer and more usable. I create a class inside the custom/include/ folder and use the object ‘handler’ (what an ugly name!) as I need.


//custom/modules/ProjectTask/views/view.detail.php

if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');

require_once('include/MVC/View/views/view.detail.php');
require_once('custom/include/viewHandler.php');

class CustomProjectTaskViewDetail extends ViewDetail
{
  private $handler;

  public function predisplay(){
    $this->handler = new viewHandler();
    $this->handler->lockFor_detail($this); //disable inline edit for 'lockedFor' fields before the view is set up
    parent::predisplay();
  }

  public function display(){
    $this->handler->hideFrom_detail($this); //remove 'hideFrom' fields from the layout definitions
    $this->handler->clearCache();           //then clear the theme cache so the modified layout is rendered
    parent::display();
  }

}

As you can see, I upgraded my code with the ‘lockFor’ function in the predisplay() part. That has the same logic as ‘hideFrom’ but permits enabling or disabling the inline edit of the view based on user group. I set the ‘lockedFor’ property in this file:


//custom/modules/ProjectTask/Ext/Vardefs/locked_fields.php
//one group name per array element, same form as the 'hideFrom' array above
$dictionary['ProjectTask']['fields']['date_due']['lockedFor'] = array('Professionisti', [OTHER GROUPS]);

In this way, we can manage single field permissions (read & write or read only) in the detail view.
Now I am working on extending that functionality to the list view and to the edit view. If you want, I will contact you in a few days to inform you about it.

Bye.
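Since the viewHandler class itself is not posted in the thread, here is an illustrative version that matches the three calls made from the view.detail.php above. This is an added example, not loba85's code: it assumes the file path from his require_once, reads the ‘hideFrom’ and ‘lockedFor’ lists exactly as described, and implements the lock through SuiteCRM's per-field ‘inline_edit’ vardef switch (an assumption about what “lock” should do); clearCache() stays unconditional because of the stale-view behaviour described in the reply to pgr's first point.

```php
<?php
// custom/include/viewHandler.php (path taken from the require_once above; the class body is an added example)
if (!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');
require_once 'modules/Administration/QuickRepairAndRebuild.php';
class viewHandler
{
    private $groupNames = array(); // names of the current user's security groups
    public function __construct()
    {
        global $current_user;
        foreach (SecurityGroup::getUserSecurityGroups($current_user->id) as $group) {
            $this->groupNames[] = $group['name'];
        }
    }
    // True when at least one of the user's groups appears in the given list.
    private function matches($groups)
    {
        return is_array($groups) && count(array_intersect($groups, $this->groupNames)) > 0;
    }
    // Blank out detail-view fields whose 'hideFrom' list names one of the user's groups.
    public function hideFrom_detail(ViewDetail $view)
    {
        foreach ($view->dv->defs['panels'] as &$panel) {
            foreach ($panel as &$row) {
                foreach ($row as &$field) {
                    if (is_array($field) && isset($field['hideFrom']) && $this->matches($field['hideFrom'])) {
                        $field = ''; // dropped from the layout before it is rendered
                    }
                }
            }
        }
        unset($panel, $row, $field); // release the foreach references
    }
    // Disable inline editing for fields whose vardef 'lockedFor' names one of the user's groups.
    public function lockFor_detail(ViewDetail $view)
    {
        foreach ($view->bean->field_defs as $name => $def) {
            if (isset($def['lockedFor']) && $this->matches($def['lockedFor'])) {
                $view->bean->field_defs[$name]['inline_edit'] = false; // SuiteCRM's per-field inline-edit switch
            }
        }
    }
    // Unconditional, as in the first display() above, because of the stale-view behaviour reported in the thread.
    public function clearCache()
    {
        $repair = new RepairAndClear();
        $repair->show_output = false;
        $repair->clearThemeCache();
    }
}
```

Note that both methods only change what the detail view renders; the field value itself is still returned by any other path that reads the bean, which is why the list view and popup questions later in the thread matter.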

I believe this would be a nice feature to add to the core code, if we can get it to work properly and solve all the caching issues.

The way you’re approaching also seems good to me, it is totally backwards-compatible and only affects people who opt to use the feature by adding to their vardefs.

So, yes, please do keep me up to date on your developments. Thanks!

Hello,

Very interesting topic.
I was trying to do similar things, and it would indeed be a very good idea to have this kind of feature in the core code.

loba85, could you manage to do similar things with list views or popup views?

I tried, but for the moment, I can’t manage to access list view or popup view metadata the same way you did it in your ‘handler’ class.

$this->dv for detail view works fine
$this->ev for edit view works fine

=> how to access list view or popup view defs ?

Thanks a lot in advance for your help.

PB

Hello dear
I, like the user above, would like to ask if you found a way to modify your code so that it will work for the list view and popup too?

or anyone know how to hide field on list view?

Regards

Hello @pragneshc

Thank you for reaching out with your question on field-level access control in SuiteCRM. Field-level access control is crucial for maintaining data security and ensuring that sensitive information is only accessible to authorized personnel.

To address your query, I recommend exploring the SuiteCRM Field Level Access Control plugin available on the SuiteCRM Store. This plugin offers a comprehensive solution for managing field-level access permissions, allowing you to tailor access rights based on user roles and profiles.

You can find the plugin and access more details through the following link: SuiteCRM Field Level Access Control Plugin.

By integrating this plugin into your SuiteCRM instance, you can efficiently configure and enforce field-level access restrictions, providing a robust layer of security for your CRM data.

Should you have any further inquiries or require assistance with the implementation, please feel free to reach out. We are here to support you in optimizing your SuiteCRM experience.

Thanks.