organizational roles
functional roles
Access Rights
permissions
Sales_Creatio_enterprise_edition
8.0

Hello Community,

We want to achieve the following but can't find the right way to do it.

We have two Organizational Roles 

  • Europe
  • Asia

We have two functional roles 

  • Marketing
  • Sales

We want:

  • Europe/Marketing to see only Europe/Marketing records. 
  • Asia/Marketing to see only Asia/Marketing records.

     

Same applies to Sales. 

  • Europe/Sales to see only Europe/Sales records,
  • Asia/Sales to see only Asia/Sales records.

Can this be achieved somehow?

Sasor


4 comments

++

Sasori Oshigaki,

Hello, this code should work:
{
  request: "crt.LoadDataRequest",
  handler: async (request, next) => {
    // Check if this is your MultiSelect's data source
    if (request.dataSourceName !== "MultiSelect_lf952eo_List_Items_DS") {
      return await next?.handle(request);
    }
 
    try {
      // MAIN filter group for the lookup
      const filter = new sdk.FilterGroup();
      filter.logicalOperation = sdk.LogicalOperatorType.And;
 
      // Build a nested OR group for the two roles
      const roleOrGroup = new sdk.FilterGroup();
      roleOrGroup.logicalOperation = sdk.LogicalOperatorType.Or;
 
      // Role 1
      await roleOrGroup.addSchemaColumnFilterWithParameter(
        sdk.ComparisonType.Equal,
        "[SysAdminUnit:Contact:Id].[SysUserInRole:SysUser:Id].SysRole.Name",
        "Marketing"
      );
 
      // Role 2
      await roleOrGroup.addSchemaColumnFilterWithParameter(
        sdk.ComparisonType.Equal,
        "[SysAdminUnit:Contact:Id].[SysUserInRole:SysUser:Id].SysRole.Name",
        "Sales"
      );

 
      // Add the OR group to the main filter
      filter.add(roleOrGroup);
 
      // SDK workaround for versions < 8.1.1 (copy items)
      const newFilter = Object.assign({}, filter);
      newFilter.items = filter.items;
 
      // Push the filter into the request
      request.parameters.push({
        type: "filter",
        value: newFilter
      });
 
      return await next?.handle(request);
    } catch (error) {
      console.error("Error filtering contact list:", error);
      // Continue with original request if filtering fails
      return await next?.handle(request);
    }
  }
}

Hello Sasor,

To achieve the requirement where specific organizational and functional roles can only see records relevant to their combination (e.g., Europe/Marketing can only see Europe/Marketing records), you can configure access permissions in Creatio by following these steps:

1. Create Organizational Roles:
Ensure you have the organizational roles "Europe" and "Asia" set up in the system.
https://academy.creatio.com/docs/8.x/setup-and-administration/administration/user-and-access-management/user-management/organizational-roles

2. Create Functional Roles:
Ensure you have the functional roles "Marketing" and "Sales" set up.
https://academy.creatio.com/docs/8.x/setup-and-administration/administration/user-and-access-management/user-management/functional-roles

3. Assign Users to Roles:
Assign users to the appropriate combination of organizational and functional roles (e.g., users in Europe/Marketing should be assigned to both the "Europe" organizational role and the "Marketing" functional role).
https://academy.creatio.com/docs/8.x/setup-and-administration/administration/user-and-access-management/user-management/assign-a-user-role

4. Configure Record Permissions:
- Go to the System Designer and open the Object permissions section.
- Select the object for which you want to configure permissions (e.g., a specific entity or section).
- Set up record-level permissions to restrict visibility based on both organizational and functional roles.
This can be done by creating filters or conditions in the access settings that check for both role types assigned to the user.
https://academy.creatio.com/docs/8.x/setup-and-administration/administration/user-and-access-management/access-management/record-permissions

Let me know if you have any more questions - happy to help further.

Hello Valeriia,

Thank you for the answer. Are you suggesting that this combination might achieve what we need?

Thank you 

Sasor

Access Rights
roles
functional roles
organizational roles
Sales_Creatio
8.0

Hello Community,

We have some roles that have been established for a long time. As the company hierarchy structure is changing, we need to group some of these roles together.

Example:

Group the existing 1st-Line Support, 2nd-Line Support, and 3rd-Line Support under a single group called SUPPORT. We want to do the same with some functional roles as well.

How can this be achieved?

Sasor

 


5 comments

+++

Hey Sasori, 

It is possible to create a hierarchy for organization and functional roles. While you have one highlighted/selected with your cursor, press "new" then select new division. 

Unfortunately, there is no way that I know of to re-arrange hierarchy so you would have to re-create 1st-line support, 2nd-line support, etc. 

I know these are tied to support functionality out of the box, so be careful if you delete them. May want to create the new ones first, then work on updating business processes, then delete the old ones. 

Example: In this image, to create 1st-line support within "support" select "Support" > New+ > Division.

Hi Joshua,

Thank you. I only mentioned the support groups as a reference. We have custom roles that we need to re-organize. I think the correct way to do it is via scripts in the SysAdminUnit table, but I need some confirmation prior to proceeding.

Sasor

+++

Hello,

There is no out-of-the-box functionality in the system to group user roles as described.

However, this can be achieved by updating the ParentId field of the user role records. You can implement this change either through a business process or directly via an SQL query.

Best regards,
Ivan

Studio_Creatio
DCM
changes
Access Rights
8.0

Hello

 

I have been trying to block the record so the users can't make changes or erase the record at some point in the process. To do that, I am changing the access rights of a record using the Change Right element in the DCM.

But the record can still be modified and erased (the user that I use for the test is not a System Administrator). Can you help me understand what I'm doing wrong?

Also, is it possible that the owner of the record can't modify the information, or can't I take away this right?

 

Thank you.


1 comments

Hello!

 

My apologies, I am not sure about your settings due to a lack of knowledge of your language. But basically, here is an example of how you can set up the elements to remove rights from the case for the All employees role:

 

Basically you are not able to remove rights from the Owner of the record, so this could be the reason.

 

Entity
object
view object
view
8.1
recordpermission
Access Rights
Sales_Creatio_enterprise_edition
8.0

Is it possible to create an entity based on a view (so with the "Represents Structure of Database View" checkbox checked, and with the view created using a SQL script) that inherits its record permissions from a "real" entity? I tried to do so by simply checking the record permissions checkbox and specifying the parent object in the "Object to inherit access permissions from" field of the entity, but this doesn't seem to work.

 

My setup is that we have the OOTB Leads entity, and then I've created a view over the top of it taking all columns but with a filter condition, to be used for reporting over Leads while filtering out certain Leads that should never be included in reporting so we have a more consistent reporting basis and don't have to make sure to include those filters in every widget. I added 2 columns to the view based on the Id and LeadName columns called UsrBaseLeadId and UsrBaseLeadName, which then have a lookup column UsrBaseLead added over them in the view-based entity. This lookup is then used as the "Object to inherit access permissions from" for the view-based entity.

 

There aren't any errors thrown in the logs when trying to do this, but non-super-users just can't see any of the records. When I tried to check a record in the view's permissions, I could see that the SysRights table for the view entity doesn't exist, so I tried creating that rights "table" as a view in the database that took its data from the Rights Table of the real entity, but while that seemed to work inasmuch as I could check a record's access rights and see that the correct rights were there and was even able to modify those rights, it didn't make it visible to a non-super-user.


3 comments
Best reply

It would be great to have the view be able to inherit permissions from some object that the view has as a lookup column. However, I don't believe that is possible. What I typically do is this:

  1. Create a view and include as a column some other object that has permissions (for example, if the view includes an Opportunity lookup column and the account has permissions)
  2. Anywhere the view is used, include a filter condition that some column on that related object is not null (that would never be null). Plus it cannot be the Id or the column used as the display value. Example, if my view has a lookup for Opportunity, I could use Opportunity.Stage is filled in.
  3. Using this approach, the user will only see the rows corresponding to the related record that they have access to, since if they cannot view the related opp the Stage will return a null value. 

It's not ideal and definitely not secure, but it does limit the view rows to what the user can see on the related object.

Ryan

Anybody have any experience of working with such a setup?


Yeah, that's a clever workaround, many thanks Ryan! Agreed about the security aspect, but for the cases where it's just about having those record permissions used to define non-security visibility, as I currently have for the base entity, it will work for now.

 

It would definitely be good for the view entities to be able to inherit permissions from lookup columns though, and feels like it would be a relatively quick win for Creatio to add, as most of the functionality around that would already exist. It could even be done in a no-code way by enabling the creation of these view-based entities directly in the config, effectively adding a logical layer to the platform which would be great for filtered views into the data and adding virtual calculated fields. So much utility to be had with such a logical layer.

role
lookup
Access Rights
Studio_Creatio
7.18

Hello Community,

 

I have a requirement to provide access to a particular custom lookup to an organizational role that can add, edit, and delete items in the lookup.

 

Regards,

Jagan


2 comments

Hello,

 

Unfortunately, it is not possible to grant permissions to selected users/roles to access particular lookups. At the moment, it is possible to manage permissions only for all users/roles at once.

Bogdan,

I have been able to achieve this with a business process.

Access Rights
recordpermission
Sales_Creatio
8.0

Hello community,

I have a use case where I need to grant access rights to the new owner of a Lead when the owner gets changed. I want to remove the access rights of the old owner.

By default, Creatio grants maximum access permissions to the record author and the record owner.

I have tried to give access to the new owner and revoke the access permission of the old owner using the Change access right business process element. Since the old owner is the record author, that user is able to see, edit, and delete the record. I want to remove the access rights of the old owner.

Can anyone help me on this ?


1 comments

Hi!

 

If you remove all roles/users from default permissions (managed by records access rule settings), users who created the record and records owner will still be able to see/edit/delete the record. 

 

To change this behavior, there are several options: 

- open the record in the System Designer and set the rule for the author to grant himself the rights for "not reading" the record

 

- the database command to remove the specific rights in the sys[object]right table. You can check some details on the example of granting the rights and change the logic of the provided script: https://community.creatio.com/questions/there-way-provide-record-creato…

Here are some more details on how these system tables impact the record permissions: https://community.creatio.com/articles/what-database-tables-should-i-ta…

- design a business process with the "Change access" element to remove the rights from the record author

 

Hope this info helps you with the described case.

CustomerPortal
caseworkflow
portalusers
8.0.6
Access Rights
Financial_Services_Creatio_lending_edition
8.0

Hi Creatio!

I'm creating a Customer Portal and I am facing an issue when I try to add the DCM panel to the page.

The Cases workflow appears on the section page:

But when I try to log in as a portal user (role: All portal users), the Cases workflow does not appear in the Customer Portal.



In the console log I receive "response status: 403 (SecurityException)".

Please what is your suggestion to fix this issue?

Thanks,


7 comments
Best reply

Hi all,

 

I want to share with you the solution that the Creatio support team helped me with.

You have to check in object permissions if "Portal Users" have permission to use "SysDcmSettings".

Hello Aurora,



Could you please let us know which portal license you have on this local instance?



Also, could you please verify whether this DCM object is added to those lookups in order to be visible to portal users?

 

And one last question, does it appear on the portal the DCM for the cases section?

 

 

Hello,

I am having the same problem. I added the DCM object to both lookups, and I am also having an error in the console.



I check the DCM in the cases section, and I can see it.

Hello All!



Please check the following article for steps on how to add DCM to the portal: https://community.creatio.com/articles/enable-dcm-portal-users

 

In case you would still receive the error - please contact us on support@creatio.com

As I see it - this error is not the same for all and would require an individual approach.

 

Best Regards,

Dan

Bogdan,

Hello Bogdan,

The portal licenses that I am using in my local instance are as in the photo attached:

The Application Form object (section) is added, but not the case object (it should be named "Application Form case in the Portal"):

Regarding the last question, the DCM does not appear in the portal section (but as you can see in the attached image, the tasks section appears but not the stages one).

Thanks,

Denis Bidukha,

Hi Denis, 

Images attached to the link are not clear.

And another question, please: is this solution available for the latest version of Creatio?

(I am using Creatio v8.0)

Thanks,

 

Aurora Leka,

 

 

Hi! The pictures are not representative anyway, as they were made in the Old UI. The information should still be relevant though. Please check if the specific portal user has the required access rights and if the object has the "SSP available" checkbox checked.

 

If that did not help - please contact Support individually for investigation to be held

 

Best Regards,

Dan

our_company
Access Rights
Contact
all_employees
Sales_Creatio_enterprise_edition
8.0

We're setting up access rights in our system and the contacts under "Our Company" are being assigned the access right of "all employees". How can we prevent all of our users from seeing the "Our company" account and contacts under that account? We are using record permissions for each organizational role to only see accounts and contacts within that role, but we want users to see all accounts under the organizational role of "all employees" with the exception of "our company".


1 comments

Hello Teresa,

If there is a need to restrict access to one specific record, you can delete the access rights for this record directly on the record page with the help of the "Set up access rights" option. The record will still be available to the system administrators.

If you need to change the access rights for the contact records connected to this account, it can be done with the help of a custom business process that reads all the contact records where the Account = the_needed_account_record and, with the help of the "Change access rights" business element, deletes or grants the needed access permissions.

I'd also suggest testing the solution first on a test or dev site before applying it on the production site.

Best regards,

Anastasiia

Access Rights

Hi,

I have a business task to let users "know" about a record they search for even though they don't have permission to view that record.

Meaning: The process before adding a contact is first to make sure the contact does not exist in the system. Sometimes a user doesn't have permission, so he can't see the record and adds it.

We are looking for a way to let the user know that the contact exists but he just does not have permission to view it. I'd rather add an option for him to request access straight from Creatio, but that's less important; if he can know that the record exists and ask our support to give him access, it will work too.

Any ideas?

 

Thanks,

Chani

 


1 comments

Hello,



We have solved a similar task with stored procedures.

1) Create a stored procedure with input parameters (Contact name, Contact surname)
2) The procedure returns the set of found existing records, but with limited information (e.g. Contact name, surname, country, date of birth and owner)
3) These records are displayed to the user when he enters the Name or Surname, but just for information
4) We also save the found records into a special detail to see what information the user has ignored when entering a new Contact

We did the same for Accounts, Leads (for names, web, email domain etc.) and Communication options



Kind regards,

Vladimir
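
Added example, not part of the reply above and not Creatio's own code: a PostgreSQL version of the lookup procedure described in steps 1 to 4. The schema demo_dupcheck, its tables, columns and the function name are constructed stand-ins, and requiring an exact match on both name parts is an assumption made here so that the lookup cannot be used to list contacts the caller has no permission to view.

```sql
-- Constructed stand-in tables; names and columns are assumptions, not Creatio's schema.
CREATE SCHEMA demo_dupcheck;
CREATE TABLE demo_dupcheck.contact (
    id         bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    given_name text NOT NULL,
    surname    text NOT NULL,
    country    text,
    birth_date date,
    owner_name text,
    email      text,  -- sensitive: never returned by the lookup
    phone      text   -- sensitive: never returned by the lookup
);
-- Step 4: record which existing contacts were shown to which user.
CREATE TABLE demo_dupcheck.lookup_hit (
    shown_to   text NOT NULL,
    contact_id bigint NOT NULL REFERENCES demo_dupcheck.contact (id),
    shown_at   timestamptz NOT NULL DEFAULT now()
);

-- Steps 1-3: name and surname in, limited column set out.
CREATE FUNCTION demo_dupcheck.find_existing_contacts(
    p_given_name text, p_surname text, p_requested_by text)
RETURNS TABLE (found_given_name text, found_surname text, found_country text,
               found_birth_date date, found_owner text)
LANGUAGE plpgsql AS $$
DECLARE
    v_given   text := lower(btrim(coalesce(p_given_name, '')));
    v_surname text := lower(btrim(coalesce(p_surname, '')));
BEGIN
    -- Exact, case-insensitive match on both parts: no wildcards and no
    -- one-letter probes, so the caller cannot walk through the whole table.
    IF length(v_given) < 2 OR length(v_surname) < 2 THEN
        RAISE EXCEPTION 'given name and surname are both required';
    END IF;

    INSERT INTO demo_dupcheck.lookup_hit (shown_to, contact_id)
    SELECT p_requested_by, c.id
    FROM demo_dupcheck.contact c
    WHERE lower(c.given_name) = v_given AND lower(c.surname) = v_surname;

    -- Only the limited column set leaves the function; email and phone do not.
    RETURN QUERY
    SELECT c.given_name, c.surname, c.country, c.birth_date, c.owner_name
    FROM demo_dupcheck.contact c
    WHERE lower(c.given_name) = v_given AND lower(c.surname) = v_surname
    ORDER BY c.surname, c.given_name
    LIMIT 20;
END;
$$;

-- Constructed sample rows and a sample call.
INSERT INTO demo_dupcheck.contact
    (given_name, surname, country, birth_date, owner_name, email, phone)
VALUES
    ('Ana',  'Lopez', 'Spain',   '1985-03-14', 'J. Smith', 'ana@example.com',  '555-0100'),
    ('Marc', 'Weber', 'Germany', '1979-11-02', 'P. Jones', 'marc@example.com', '555-0101');

SELECT * FROM demo_dupcheck.find_existing_contacts(' ana', 'LOPEZ', 'user-17');
SELECT shown_to, contact_id FROM demo_dupcheck.lookup_hit;
```

Because such a procedure deliberately returns rows the caller's record permissions would hide, the returned column list and the lookup_hit log are the controls to review whenever it is changed.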

Sections
Access Rights
Service_Creatio_customer_center_edition
8.0

Hello,

 

I have created custom sections on the dev environment, and installed the package to the production environment.

When I try to apply object permissions in production, only the existing sections appear and not my custom sections.

Note that I can see my sections in the workplace management interface.

 

Has anyone encountered this problem before ?

 

Thank you

Maarouf


1 comments

Hello,

 

You need to check several options:

- Check that the object has no publishing errors, and compile the application.

- Check the rights to the section/workspace and that the user has the right license.

- Check the mapping in the SysModul table. It is possible that the section was added to the same workplace twice and there are some duplicates at the database level, in this case, the section will simply not show up. You need to delete the entries at the database level and add the section again.

 

If the above tips do not help, it is better to contact technical support.
