Custom Permission Extension for Multi-Level Organization

2019-12-12 06:45
Written by
skornien - member of the CiviCRM community - view blog guidelines

CiviCRM role-based security solution gets a fundamental boost as Agiliway releases an extension to streamline permission management within multi-unit hierarchically structured nonprofit organizations.

Who will benefit?

Suppose your organization is multidivisional with the structure that is defined by its head and subordinate entities; divisions that are spread across a country, and management tiers that are multilayered with only few overlapping responsibilities. The picture presents a sample of such organization. In this case the core CiviCRM access control functionality may not be your best fit.

By default, permissions in CiviCRM can be configured to assign the roles, set access rights to certain areas of CiviCRM and restrict or grant access to such operations as view, edit, create, delete and search. Custom Permission extension levels up role-based functionality to distribute access permissions by units. In other words, a head office is delegated full authority in a form of unlimited access for managerial positions and extended access for other officers. The access narrows down with every hierarchically lower unit.

This type of permission allocation is known as orgstructure based access control.

The Custom Permission extension is now publicly available in the extension directory as a free add-on to CiviCRM.

Configuring Permission Allocation

To capitalize on orgstructure-based access control functionality, go to admin panel, select Administer => System Settings => Extensions and install Custom Permission Extension from the directory.

Hierarchical org structure is built and permissions assigned when Relationship Types form is adequately configured. You’ll easily give certain contacts access to view and edit contact profiles included in the hierarchy by setting up relationships for profiles in the Relationship Type form

Common relationship type (Parent-Child) you create would be that which exists between the main organization (profile type organization) and a subordinate organization (profile type organization) as well as between organization (profile type organization) and user (profile type individual).

Follow these steps to configure relationship types and distribute permissions:

  • Start by specifying the main organization. Go to admin panel and select Administer => Сustom Permissions settings

  • Recreate a pyramid-shaped structure in hierarchical organization by setting up parent/child relationship type for the head and subordinate organization units. Select Administer => Customize Data and Screens => Relationship Types.
  • Once redirected to Relationship Types form, define both sides of the relationship. Contact A, labelled as Parent organization and Contact B, labelled as Child organization. Now assign permissions.

Assuming an organization has a central office and two divisions spread across the country: main Organization, sub Organization and child Organization. The relationships are set as Parent - Child between:

  • Main Organization and Sub Organization, where Main Organization is Parent, while Sub Organization - Child.
  • Sub Organization and Child Organization, where Sub Organization is Parent, while Child Organization - Child.

The Organizations hierarchy (Contacts => Organizations hierarchy) will be displayed as shown below.

  • Now set up Parent-Child relationship type between employer (profile type organization) and employees (profile type individual) to assign related permissions. To configure this relationship type select Administer => Customize Data and Screens => Relationship Types

As illustrated above, a contact labelled as Individual enters into the Parent- Child relationship type with a contact labelled as Organization. The former is entitled to view and edit the contact profiles set up as Main Organization, Sub Organization and Sub Employee. Permissions narrow down for lower levels in the hierarchy. Sub employee will have the view option available for Main Employee profile and edit option for Sub Organization, Sub Employee, Child Organization and Child Employee. Accordingly, child employee will edit Child Organization profile only and view the rest.

The Organizations hierarchy (Contacts => Organizations hierarchy) will be displayed as shown below.

The Custom Permission extension provides fine-grained permission control for nonprofits looking to administer different level of access for users over a multi-unit geographically dispersed organization. By configuring and updating CiviCRM Relationship types, the users will now assign permissions both by roles and units. This way hierarchical orgstructure is adequately represented in CiviCRM, while security risks and concerns are less likely to befall the organization.


Looks good, is this extension Open Source or Propietary?

update: just found it out -->