Today I want to explore a customisation possibility that is powerful yet often neglected: customising Sugar’s ACL framework.
In Sugar, the actions and field visibility part of the ACL is normally applied through Roles within the application’s UI, while record visibility is applied through the visibility framework, which either allows a user to see a module’s entry or not.
There are two important nuances about Roles in Sugar that I should mention:
- Most restrictive prevails, if a user happens to be assigned to more than one Role
- Roles do not apply to Sugar Admin type users
The power of the ACL framework comes from the fact that it applies both to the back-end of the system (e.g. the API will not allow writes) and to the UI, where it drives the buttons and other visual screen elements that let the user perform the actions or not.