Can I remove Team Security from SugarCRM?

Any SugarCRM Commercial Edition has a great feature for segmenting data, called Team Security.

In a nutshell, all non Administrator Users can only see SugarCRM records associated with at least one of the Teams they are part of.

…but what if in my organisation I do not want to limit who can see which records on the CRM system? Keep reading to find out the answer!

Not everybody knows that SugarCRM recently introduced the Visibility and ACL Layer that gives Partners and tech savvy End Users, a great granular control when customising record visibility and permissions.

Moving one step further, It also gives the possibility, if required, to remove completely the Team filtering functionality!

In SugarCRM 7 it is possible to override the TeamSecurity class by creating the file: custom/data/visibility/TeamSecurity.php

with the following content:

Then it is just a matter of running a “Quick Repair and Rebuild” and that’s it.

It is still possible to use Teams (for example for your Territory Management), but they won’t be used anymore to restrict the record visibility. If in the future there is a need for the Team Security functionality again, it is just a matter of removing the custom file and run a Quick Repair, and eventually fix up the data to obey the new requirements.

As a final note, last but not least, this small change is also a great and inexpensive way to improve your SugarCRM system performance (eg: loading ListViews and running Reports) as a normal user!

Share this post and add your comments below!

5 thoughts on “Can I remove Team Security from SugarCRM?

  1. Checked your solution out. This is good in some cases. But I have another scenario. Throughout SugarCRM, we’re able to see that Teams security will limit record visibility. However, if we were to choose or add a new Team to any record, we see all available Teams in Sugar, as opposed to just the Teams the user is a part of. Would we be able to use this override to further enforce Team Visibility at the popup level, and only display Teams this user is a part of, and no more?

  2. Hi Emilio,
    Thank you for your comment!
    The whole purpose of the enhanced Sugar Visibility model, is to give more granular control to customers/partners to build the “where” and the “from” of the SQL statement based on the needs, therefore almost any type of record filtering should be possible.
    Just keep in mind that this filter is applied everywhere, not only to popups, or part of the system, and I am not sure you have any way to identify what is the user interaction happening at that specific point in time. I do think that if there are security visibility rules, should be applied consistently throughout your solution. As a final note, make sure you profile properly any change you do to the Sugar Visibility, as it may affect the system’s performance if queries are not optimised.
    You can read a bit more at this official url: http://support.sugarcrm.com/04_Find_Answers/02KB/02Administration/100Migration/Migrating_from_Sugar_6.x_to_7/#Sugar_Visibility/ACL_Layer
    Does this answer your question or did I misinterpret what you were asking?
    Thanks

  3. Thanks Enrico,

    We had a recent request to override how SugarCRM Teams and User popup functions out of the box.

    By default, The Teams popup will show ALL TEAMS in Sugar for the user to select.

    However, our client only wants TEAMS that the USER is a MEMBER of to appear in the popup.

    Also, when it comes to the ASSIGNED USER popup, all users are displayed by default.

    However, our client only wants USERS that share the same TEAMS as the CURRENT USER.

    Is Sugar Visibility where we can apply these Global “Current User” Specific overrides?

    Thanks,

    Emilio

  4. Hi Emilio,
    Right, now it is clearer! Thanks for explaining further.

    I do understand where you are coming from. Sugar lets you search for all teams so that you have the possibility to assign records to teams you can’t see, and make the record visible to others. Let’s say you have a Customer who’s company does business across Australia and New Zealand. Normally Accounts are assigned to teams of each region for Territory Management. It can happen that the Sales Exec. in Australia needs to share some informations about an Account with the Sales Exec. in New Zealand. At that point the
    Australian Sales Exec. can make the record visible to the other Sales Exec., while he could not, if he could not see all Teams.

    Leaving the behaviour aside, let’s try to figure out how you can achieve this (to be honest I never tried in Sugar 7 personally yet). Assuming you are using Sugar7, and therefore (unless using Backward compatibility mode) there should not be many popups around anymore.
    Sugar 7 interacts between the browser and the application almost only via its REST API, and that’s probably the place where I would customise the logic.
    I would suggest you to start looking at your Network tab on Chrome to understand what calls Sugar makes when you “Search” for a Team from inside a module, and also open the API help url (https://crm.yoururl.com/rest/v10/help) to understand what’s possible. Then also discover what call Sugar makes when you click on “Search for more…”.
    You should be able to click around the system and see what are all the calls that you need to customise, of the REST api. Then using this tutorial: http://developer.sugarcrm.com/2014/03/21/sugarcrm-cookbook-so-you-wanna-override-an-endpoint/ you should be able to proceed with your customisation a little further.

    Please do let me know if this is what you were looking for.
    Enrico Simonetti

  5. It is possible to filter the list, both in 6.x and 7.x. In 6.x one has to create a custom view.popup.php and Popup_picker.php in order to reduce the Team list to whichever set of records it is you want. For 7.x, I believe you have to work with the Filter API to accomplish the same.

Leave a Comment