Hello,

The transfer of organizational structure settings and access rights from one stand to another can be implemented using SQL scripts. To do this on the reference environment, you need to generate insert queries based on records from the following tables:

- SysAdminUnit (Administration object: users and roles)
- SysUserInRole (Direct user entries in roles)
- SysFuncRoleInOrgRole (Entry of a functional role into an organizational role)
- SysAdminOperation (System operations, if required)
- SysAdminOperationGrantee (Access to system operations, if required)
- SysEntitySchemaOperationRight (Access to objects)
- SysEntitySchemaRecordDefRight (Access to default records)
- SysEntitySchemaColumnRight (Access to object columns)
- SysAdminUnitGrantedRight (Delegation)
- SysWorkplace - (User Workplace)
- SysAdminUnitInWorkplace - (Users in Workplace)
- SysModuleInWorkplace - (Partition in Workplace)

You can use Microsoft SQL Server Database Publishing Wizard and similar tools to generate queries. The resulting SQL script must be attached to the package: "SQL script" type schema | Creatio Academy

Hello.

In this configuration, the Complaint Manager will obtain all access rights and permissions from the roles Complaints Investigator and Complaints. 

Best regards,
Antonii.

Hi Antonii Viazovskyi,

Thanks for the response, so can I say the same for the Area Manager? ( Area manager is not a manager role ~ just a child role of Customer Care)  

Hello.

Currently, there are no management roles for functional roles. The logic to be implemented depends on the business need for establishing such a hierarchical structure.
If we consider the inheritance of access rights by a manager, there are two possible approaches from a technical perspective:
- Create functional roles as organizational roles (although this is likely not the best option), or
- Configure the required logic using object permissions and business processes.

For example, we could add a rule on the object level so that when an employee with a specific functional role creates a record, a designated person (manager) is automatically granted permissions. Alternatively, more complex logic for granting access rights under different conditions can be implemented through business processes.

Best regards,
Antonii.

++

Sasori Oshigaki,

Hello , this Code should work 
{
  request: "crt.LoadDataRequest",
  handler: async (request, next) => {
    // Check if this is your MultiSelect's data source
    if (request.dataSourceName !== "MultiSelect_lf952eo_List_Items_DS") {
      return await next?.handle(request);
    }
 
    try {
      // MAIN filter group for the lookup
      const filter = new sdk.FilterGroup();
      filter.logicalOperation = sdk.LogicalOperatorType.And;
 
      // Build a nested OR group for the 3 roles
      const roleOrGroup = new sdk.FilterGroup();
      roleOrGroup.logicalOperation = sdk.LogicalOperatorType.Or;
 
      // Role 1
      await roleOrGroup.addSchemaColumnFilterWithParameter(
        sdk.ComparisonType.Equal,
        "[SysAdminUnit:Contact:Id].[SysUserInRole:SysUser:Id].SysRole.Name",
        "Marketing"
      );
 
      // Role 2
      await roleOrGroup.addSchemaColumnFilterWithParameter(
        sdk.ComparisonType.Equal,
        "[SysAdminUnit:Contact:Id].[SysUserInRole:SysUser:Id].SysRole.Name",
        "Sales"
      );
 
 
      // Add the OR group to the main filter
      filter.add(roleOrGroup);
 
      // SDK workaround for versions < 8.1.1 (copy items)
      const newFilter = Object.assign({}, filter);
      newFilter.items = filter.items;
 
      // Push the filter into the request
      request.parameters.push({
        type: "filter",
        value: newFilter
      });
 
      return await next?.handle(request);
    } catch (error) {
      console.error("Error filtering contact list:", error);
      // Continue with original request if filtering fails
      return await next?.handle(request);
    }
  }
}

Hello Sasor,

To achieve the requirement where specific organizational and functional roles can only see records relevant to their combination (e.g., Europe/Marketing can only see Europe/Marketing records), you can configure access permissions in Creatio by following these steps:

1. Create Organizational Roles:
Ensure you have the organizational roles "Europe" and "Asia" set up in the system.
 

https://academy.creatio.com/docs/8.x/setup-and-administration/administration/user-and-access-management/user-management/organizational-roles

2. Create Functional Roles:
Ensure you have the functional roles "Marketing" and "Sales" set up.
 

https://academy.creatio.com/docs/8.x/setup-and-administration/administration/user-and-access-management/user-management/functional-roles

3. Assign Users to Roles:
Assign users to the appropriate combination of organizational and functional roles (e.g., users in Europe/Marketing should be assigned to both the "Europe" organizational role and the "Marketing" functional role).
 

https://academy.creatio.com/docs/8.x/setup-and-administration/administration/user-and-access-management/user-management/assign-a-user-role

4. Configure Record Permissions:
- Go to the System Designer and open the Object permissions section.
- Select the object for which you want to configure permissions (e.g., a specific entity or section).
- Set up record-level permissions to restrict visibility based on both organizational and functional roles.
This can be done by creating filters or conditions in the access settings that check for both role types assigned to the user.

https://academy.creatio.com/docs/8.x/setup-and-administration/administration/user-and-access-management/access-management/record-permissions

Let me know if you have any more questions - happy to help further.

Hello Valeriia,

Thank you for the answer. Are you suggesting that this combination might achieve what we need?

Thank you 

Sasor

+++

Hey Sasori, 

It is possible to create a hierarchy for organization and functional roles. While you have one highlighted/selected with your cursor, press "new" then select new division. 

Unfortunately, there is no way that I know of to re-arrange hierarchy so you would have to re-create 1st-line support, 2nd-line support, etc. 

I know these are tied to support functionality out of the box, so be careful if you delete them. May want to create the new ones first, then work on updating business processes, then delete the old ones. 

Example: In this image, to create 1st-line support within "support" select "Support" > New+ > Division.

Hi Joshua,

Thank you. I only mentioned the support groups as a reference. We have custom roles that we need to re-organize. I think the correct way to do it, is via scripts in SysAdminUnit table, but i need some confirmation prior to proceeding.

Sasor

+++

Hello,

There is no out-of-the-box functionality in the system to group user roles as described.

However, this can be achieved by updating the ParentId field of the user role records. You can implement this change either through a business process or directly via an SQL query.

Best regards,
Ivan

Hello!

Please note that order of organizational roles in the details does not affect anything. So do not pay attention to it.

In case users see different amount of the records, please recheck object permissions and make sure that they are granted for both users.

Hi!

Please use the Prefix for object name (SchemaNamePrefix) system setting to set up the schema prefix:
https://academy.creatio.com/docs/8.x/no-code-customization/customizatio…

Hello,

Please check the permission settings in the Object Permissions section.

 

Perhaps the manager role does not have permission to view records in the Accounts section

Hello,



Such logic was implemented only for portal users since the Self-service Portal was designed only for them and they could be from different companies (accounts).



Best regards,

Bogdan

You can check the SysAdminUnitTypeValue. 

• Functional roles have a value of 6
• Organizational units can have 0 (an organization) or 1 (a department/division in the organization)

If you need code to retrieve a user's roles they belong to, I have an article here with some code you can use https://customerfx.com/article/determining-if-a-user-has-a-specific-rol…

Ryan