Restrict activity visibility to owner and managers as well as higher-ups

I have the following requirement:

My organisational structure contains the following roles: VP Sales (1), Sales Manager (2), Sales Team Lead (4), Sales Rep (20)

Each of these roles has the number of employees detailed in the bracket behind the role name meaning that due to the size of the sales team the sales reps are working in 4 different equal teams. Each team reports to an individual Team Lead. The 4 Team Leaders report to 2 different Sales Managers who in turn report to one VP of Sales.

Each of these levels needs to be able to see only the organisation reporting to her/him - either direct or indirect. For example the VP can see everybody's tasks and opportunities and Dashboards are showing the data of the whole sales organisation. Each of the two Sales Managers can only see the data for themselves and of their respective organisation. The Team Leaders can only see their own data and of their organisation. 

Since there are several equal employees sharing the same roles (Sales Manager, Sales Team Lead) it is not possible to use the role structure to prevent Manager 2 from having access to the team information of Manager 1.

The only possible way I can see this to be possible would be to create one role per Manager (hence 2 roles with the same security) and one Role per Team Lead (hence 4 roles with the same security). This however is cumbersome and really hard to maintain during restructuring and new team member on-boarding. 

I am wondering if the Manager column in the Employee section can be utilized to define the reporting structure.     

How else can this requirement be achieved?

Thanks a lot

O

4 comments

I am facing the same challenge :(

What if you avoid using the "Managers" role and just create different roles for all groups: sales1, sales2, sales1managers, sales2managers, salesgeneralmanagers and so on? Give different access permissions to each of the groups and they will not see other data.

I had the same idea but this is not sustainable for the customer. All they want to do is to set the Manager of each person and by doing this create sort of a hierarchy. So each Manager can see the info from their own organisation below them without having to duplicate and maintain duplicate security details. 

It's a very hard and very complex structure. Once they create that access rights inheritance they will never figure out what exactly a specific group manager can see.

In general, there are 2 access right groups: static and dynamic. 

Static: access to sections, operations, objects, columns, etc.

Dynamic: access to records.

You can specify static access rights even personally for each person. It's not hard.

If we're talking about dynamic access rights then you'll need to specify the pairs: created by -> give access to.

Just create a separate group for each manager, and create a separate group for each manager's employees.

Then specify Created by employeesGroup -> visible to managersGroup. 

Created by employeesGroup -> visible to managersGroupLevel2 

and so on for each level of hierarchy minus one. The last level in the hierarchy is "system administrators". They see everything by default.
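The following is an added example, not part of the thread and not the platform's own API: it derives the "created by -> visible to" pairs described above from a Manager column, so that each superior reads only records owned by direct and indirect reports. The user names, the `manager_of` mapping and all function names are hypothetical, and the 1/2/4/20 organisation is constructed sample data.

```python
def build_org():
    """Constructed sample: 1 VP, 2 managers, 4 team leads, 20 reps (5 per lead)."""
    manager_of = {"vp": None}
    for m in (1, 2):
        manager_of[f"mgr{m}"] = "vp"
    for t in range(1, 5):
        manager_of[f"lead{t}"] = f"mgr{(t + 1) // 2}"   # leads 1-2 -> mgr1, 3-4 -> mgr2
    for r in range(1, 21):
        manager_of[f"rep{r}"] = f"lead{(r - 1) // 5 + 1}"
    return manager_of


def visible_owners(manager_of):
    """Map each user to the record owners they may read: self plus all reports."""
    visible = {user: {user} for user in manager_of}
    for owner in manager_of:
        seen = {owner}
        boss = manager_of[owner]
        while boss is not None:
            # Fail closed on bad data instead of granting access or looping forever.
            if boss in seen or boss not in manager_of:
                raise ValueError(f"invalid Manager value reached from {owner}: {boss}")
            seen.add(boss)
            visible[boss].add(owner)
            boss = manager_of[boss]
    return visible


def access_pairs(manager_of):
    """One (created_by, visible_to) pair per owner and each superior above them."""
    vis = visible_owners(manager_of)
    return sorted((owner, viewer)
                  for viewer, owners in vis.items()
                  for owner in owners if owner != viewer)


def can_read(viewer, record_owner, manager_of):
    """Default deny: unknown viewers see nothing."""
    return record_owner in visible_owners(manager_of).get(viewer, set())


if __name__ == "__main__":
    org = build_org()
    print(len(access_pairs(org)), "pairs")
    print("mgr2 reads rep1:", can_read("mgr2", "rep1", org))
```

Changing a single Manager value and recomputing moves a whole team between viewers, which is the maintenance property the question asks for.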