Users

Overview

This section describes how to manage teams, users, and roles.

User Management

Use the User Management option to create, edit, activate, and deactivate users in Sugar. You can create a Regular User, a System Administrator, and a Group User.
A Regular user can access and use Sugar modules but does not have administrative privileges.
A System Administrator is a user who has administrative privileges in Sugar to perform tasks such as creating users. The System Administrator can access all modules and records. Role restrictions, discussed later in this chapter, do not apply to System Administrators.
A Group User is a bucket that is used for inbound emails, and does not count toward the number of Sugar licenses that you purchase for your organization. For example, creating a group mail account for Support creates a group user named Support to handle customer support issues. Users can distribute the emails to other users from the group inbox. You can create a group user from the Users Home page or when you create a group for incoming emails as described in Inbound Email.
The user name displays in the list on the Users Home page and the employees list on the Employees Home page after you create a Regular user or an Administrator. Group user names and Portal API user names display in the Users list but not in the employees list.
You can assign users to roles depending on the tasks they perform for the organization.

To create a regular user or an administrator user

1. Click User Management in the Users panel of the Administration Home page.
   This displays the Users Home page.
2. Select Create New User from the Actions bar on the Users tab, and enter the following information under User Profile:
   a. In the User Profile section, enter the user’s name, user type, and current status.
   b. In the Employee Information section, specify information such as the user’s current status, title, department, phone numbers, IM (Instant Messenger) type, and home address. You can add additional comments in the Notes field.
   c. In the Email Settings section, you can set one or more email addresses for the user’s mail accounts. You can further specify whether an email address is the user’s primary email address or whether it will be used for an automated response to email. You can also specify an email client from the drop-down list, and specify the user’s account information for the pre-configured email provider. For more information on setting up and configuring emails, see Configuring Email Settings.
3. If the system-generated password feature is not enabled, you can create a password on the Password tab. You can manually send the password to the user along with the username. Alternatively, you can enable the system to generate a temporary password automatically and email it to the user. For more information on system-generated passwords, see Password Management. The user will need a username and password to log into Sugar and change the password on the User Preferences page.
4. On the Advanced tab, you can specify default system settings, such as locale settings, as described in Editing your User Preferences.
5. On the Access tab in the Detail View, you can add or remove a role to change the user’s access permissions for a Sugar module, and to perform specific actions, such as editing and deleting records within the module. You can enable or disable access to any Sugar module and to any action within a module. By default, the user has permissions to access any module and perform any action.
   Scroll down the Access page, and in the Roles section, click Select to assign the user a role from the Roles list. For information on creating roles, see Role Management.
6. To create the user, click Save.
   Sugar creates the User record, and a corresponding Employee record. You can now assign the user to roles and teams.

To assign roles to a user

1. Select the user from the Users list.
   This displays the user’s Detail View page.
2. To assign a role to the user, scroll down the page, click Select in the Roles section and select one or more roles that you want to assign to the user.
   The user is assigned to the role, which is now listed in the Roles sub-panel.

To manage user information

To update the status of some or all users, select multiple records in the Users List View, and click Mass Update in the Actions drop-down list. For more information, see Editing and Deleting Multiple Records.
To view a user’s details, click the name in the Users list.
To edit user details, click Edit on the user’s Detail View page, change the information as needed, and click Save.
To duplicate the user details, click Duplicate on the user’s Detail View page, edit the information as necessary, and click Save. The following field values cannot be duplicated: Publish key, Layout options, Email addresses, User Preferences, and Locale settings.
To import user data, click Import Users from the Actions bar on the Users tab and follow the steps listed in the Import Wizard.
To reset to the default values for User preferences, Homepage, or Dashboard, click the appropriate button in the Detail View.

To delete a user

1. Click the user’s record in the List View.
   This displays the user’s Detail View page.
2. Click Delete.
   Sugar displays a message alerting you that the corresponding employee record will also be deleted.

To create a Group User

1. Select Create Group User from the Actions drop-down list on the Users tab.
2. Enter a username for the Group User in the User Name field. For example, you can enter Support Queue for the Support team.
3. In the Status field, select Active to indicate the Group User is being used; or else, select Inactive.
4. In the Email Settings section, set one or more email addresses for the user’s mail accounts. You can further specify whether an email address is the primary email address or whether it will be used for an automated response to emails.
5. Click Save to create the user; click Cancel to exit the page without creating the user.

Role Management

Roles control user actions on records; teams control record data access. A role defines a set of permissions to perform actions such as viewing, editing, and deleting information. You can control user actions by using roles to restrict access to modules and module fields, and to limit the actions that a user can perform in Sugar.
System Administrators cannot be restricted with roles, and they can access any module and perform any action.
Users are affected by a role only if they are assigned to it. That is, users who are not assigned a role can, by default, access and take any action in any module. Users can have multiple roles assigned to them, and a role can be assigned to multiple users.
Some examples are:
You can assign engineers in your organization to a role that prevents access to the Opportunities module.
You can assign junior sales representatives to a role that allows them to edit opportunities, accounts, and contacts, but not delete them.

Creating Roles

When you create a role, you specify whether access is permitted or not, the modules that the role can access, the access type such as Normal (for Regular users) or administrator, and the actions that they can perform.
When a user is assigned multiple roles, the more restrictive settings prevail. For example, if a user is assigned to two roles pertaining to a module where one role grants administrator access and the other grants Regular User access, then the user has only Regular User access because it is more restrictive.
Not Set:
A special case is the Not Set value in a role definition. You can use this setting to ensure that a role does not affect a particular setting. This allows simple roles to be constructed and then combined to achieve the desired security level.
For example, if users are assigned to both the following roles:
Role A, where Access Type = Admin and Export (action) = None
Role B, where Access Type = Normal and Export (action) = All
Then, users can see records that are assigned to the team to which they belong, but they cannot export the data.
If you change the Access Type to Not Set:
Role A, where Access Type = Admin and Export (action) = All
Role B, where Access Type = Not Set and Export (action) = None
Then the user can see all records in the module, but cannot export the data.
When new roles are created, the default value of Access, User Type, and Operations is Not Set. The default value of Not Set applies a permission to each role option as follows:
Access: Not Set = Enabled
User Type: Not Set = Normal
Action (Delete, Edit, etc): Not Set = All
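The merge rules above, as an added example that is not Sugar's own code: it models how explicit settings, Not Set, and the defaults combine for one module, reproduces the two Role A / Role B cases, and lists users who have no role and therefore keep the permissive defaults. The restrictiveness order for Access and for actions (All, Owner, None), and all function and key names, are assumptions.

```python
# Added example (not Sugar code): models the role-merge rules described above.
NOT_SET = "Not Set"

# Least restrictive first. The Admin/Normal order is stated in the text;
# Enabled < Disabled and All < Owner < None are assumptions.
ORDER = {
    "access": ["Enabled", "Disabled"],
    "access_type": ["Admin", "Normal"],
    "action": ["All", "Owner", "None"],
}

# What Not Set resolves to when no assigned role sets the option.
DEFAULTS = {"access": "Enabled", "access_type": "Normal", "action": "All"}

ACTIONS = ("delete", "edit", "export", "import", "list", "view")


def merge_option(option, values):
    """Effective value of one option across all of a user's roles."""
    kind = "action" if option in ACTIONS else option
    explicit = [v for v in values if v != NOT_SET]
    unknown = [v for v in explicit if v not in ORDER[kind]]
    if unknown:
        raise ValueError(f"unknown {option} value(s): {unknown}")
    if not explicit:
        return DEFAULTS[kind]  # every role left it Not Set
    return max(explicit, key=ORDER[kind].index)  # most restrictive wins


def effective_permissions(roles):
    """Merge one module's settings from each role (missing key = Not Set)."""
    options = ("access", "access_type") + ACTIONS
    return {o: merge_option(o, [r.get(o, NOT_SET) for r in roles])
            for o in options}


def unrestricted_users(assignments):
    """Users with no role: they fall through to the permissive defaults."""
    return sorted(u for u, roles in assignments.items() if not roles)


if __name__ == "__main__":
    # Constructed sample data mirroring the two Role A / Role B cases above.
    case_1 = [{"access_type": "Admin", "export": "None"},
              {"access_type": "Normal", "export": "All"}]
    case_2 = [{"access_type": "Admin", "export": "All"},
              {"access_type": NOT_SET, "export": "None"}]
    for name, roles in (("case 1", case_1), ("case 2", case_2), ("no roles", [])):
        eff = effective_permissions(roles)
        print(name, eff["access_type"], eff["export"], eff["delete"])
```

Running `unrestricted_users` over an export of user-to-role assignments gives a quick review list of accounts that no role restricts.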
When you create a role, you specify the following permissions for each Sugar module:
Access: This setting specifies which modules the role is permitted to access. Options are as follows:
• Not Set: Ensures that the role does not affect a particular setting. This is the default setting for new roles.
• Enabled: Permits the user to view the module.
• Disabled: Hides the module from the user’s view.
Actions: This setting lists the following actions:
Delete: Grants permission to delete records in the module. If None is selected, the Delete button is disabled on the Detail View page.
Edit: Grants permission to edit records in the module. If None is selected, the Edit button is disabled on the Detail View page. Additionally, the user cannot use the Mass Update panel to update records for the module.
Export: Grants permission to export record data in the module. The Export link located at the top of List View page is removed when this privilege is not available to the user.
Import: Grants permission to import record data in the module. The Import link in the navigation bar does not appear when this privilege is not available.
List: Grants permission to access the List View pages in the module.
View: Grants permission to view records in the module.
You can specify who can perform each of the above actions. Options are as follows:
• All: All users who are assigned to the role can perform the action
• Owner: The person who created the record can perform the action
• None: Nobody can perform the action
• Not Set: Ensures that the role does not affect a particular setting

To create a role

1. Click the Role Management link in the Users section of the Administration page.
   This displays the Roles List View page.
2. Click the Create Roles List View page.
   This displays the Roles >> Create page.
3. Enter a name and description for the role.
4. Click Save.
   This displays the Detail View page of the role with a list of available modules along with the action type.
5. To specify access to a module, double-click the Access field corresponding to that module, and select the desired option from the drop-down list.
6. To specify who can perform a specific action, double-click the action field and select the desired option from the drop-down list.
7. Click Save.

To assign users to a role

1. Scroll down to the Users sub-panel in the role’s Detail View page and click Select.
2. Select users from the Users list.
   The system assigns the selected users to the role and displays the username in the Users sub-panel of the Roles page. Alternatively, you can also assign users to a role in the User Preferences sub-panel of the User Management page. Role restrictions do not apply to Admin users.
3. Click Save.

To manage roles

To view the role details, click the role name on the Roles List View page.
To edit the name of the role and its description, on the Detail View page, click Edit, revise the information, and click Save.
To edit the access rights of a role (for example Mass Update) per module, follow the steps listed below:
   a. Go to the Role’s Detail View page.
      The Role’s Detail View page displays its access control information, per module.
   b. Double-click on a cell.
   c. Select a value from the drop-down list in the cell.
   d. Click Save.
To duplicate the access control information, on the Detail View page, click Duplicate, enter a new name for the role, and then click Save. Note that the users list associated with the role is not duplicated.
To delete the role, click Delete on the Detail View page.
To remove a user, click the Remove (rem) icon corresponding to the user name in the Users sub-panel.

To view roles for a user

Follow the steps listed below to view access permissions for a specific user:
1. Click List Roles by User on the Actions bar on the Roles tab.
2. Select the user from the drop-down list.
   This displays the details of the user’s privileges for each module. The restrictions are then merged and the more restrictive settings across all roles are assigned to the user. You cannot change any of the privileges because they are associated with the role.

Password Management

As a System Administrator, you can use the Password Management section to create and manage passwords that apply to all users in your organization.
You can enable the System-Generated Password option to generate and send temporary passwords automatically to new users when you create a record for them. Users can log into Sugar with this password and create a new password for themselves on the User Preferences page. If you do not enable this option, you will need to create the password manually and provide it to the user.
You can create and manage templates to send system-generated passwords and links to reset passwords. Sugar provides default email templates to send system-generated passwords and links to reset user-generated passwords. You can view these two templates when you select Email Templates from the Emails Actions bar. Sugar uses these templates, unless you specify a custom template. For more information on creating and editing email templates, see Creating Email Templates.
Sugar also provides an option to display the Forgot Password link in the Sugar Login window. Users who forget their passwords can click this link to submit their request for a new password. When Sugar receives such a request, it automatically sends a link to a page where the user can create a new password.
For security purposes, you can set an expiration date for system-generated passwords.

Enabling Authentication in Sugar

LDAP Authentication

You can enable authentication in Sugar if your organization has implemented Lightweight Directory Access Protocol (LDAP) or Active Directory authentication. When users in your system attempt to log into Sugar, the application authenticates them against your LDAP directory or Active Directory. If authentication is successful, the user is allowed to log into Sugar. You need to specify the encryption key for the system and forward it to your users if you are using LDAP with SOAP.

SAML Authentication

If your organization has implemented Security Assertion Markup Language (SAML) for single sign-on, you can enable it in Sugar.
Note: Settings for Sugar password requirements, password reset, and password expiration are not applicable when LDAP authentication or SAML authentication is enabled.

To specify and manage password settings

1. Click Password Management in the Users sub-panel of the Administration Home page.
   This displays the Password Management page.
2. You can specify the following information:

System-generated passwords

In this section, you can enable Sugar to email a system-generated link to users who need to reset their passwords. Ensure that you have configured an email server for outbound emails on the Email Settings page, and that you have valid email addresses for all your users.
For security reasons, you can set an expiration date for system-generated passwords. You can specify a time period or the number of logins after which the password expires. To specify a time period, select Password Expires in and enter the time period in days, weeks, or months. To specify the number of logins, select Password Expires upon and enter the number of logins.

User Reset Password

In this section, you can configure settings to enable users to reset their passwords using the Forgot Password link that displays in the Login window. By default this link is disabled for LDAP authentication purposes.
Enable Forgot Password Feature. This option, which is enabled by default, enables users who forgot their passwords to use the Forgot Password link on the Login window to submit their user name and email address to Sugar. The system automatically sends them an email with a link to the page where they can reset their password.
Generated Link Expiration. Use this option to specify whether the Forgot Password link expires or not. Select None if you do not want the link to expire. Or else, select Link Expires in and enter the time period in minutes, hours, or days, when the link remains active.
Enable reCAPTCHA Validation. You can select this option only when the Enable Forgot Password feature option is enabled. When you enable reCAPTCHA validation, the Public key and Private key fields display below. Enter the Public key and the Private key that you received from reCAPTCHA for your Sugar instance in the appropriate fields.

Email Templates

In this section, you can create message templates to use when sending out generated passwords and links to reset passwords.
Email template containing system-generated password. To create an email template for system-generated passwords, select System-generated password email from the drop-down list and click Create.
Email template containing system-generated link to reset password. To create an email template to send a link to users who forgot their passwords, select Forgot Password email from the drop-down list, and click Create.
Sugar creates the template and displays it in the Email Templates Home page. On the Emails tab, select Email Templates from the Actions bar to view available email templates.
Note: If you choose to create your own templates to send passwords, copy the password variable provided in the default template, named System-generated password email, into your email template. The password variable is not available in the Insert Variable drop-down list of the Email Template form.

LDAP Support

You can enable LDAP authentication in this section. If you are using LDAP authentication, you must disable the Forgot Password option.
To enable LDAP authentication, select the Enable LDAP box, and enter the following information in the fields below:
Server. Enter the LDAP server name.
Port Number. Enter the server’s port number.
User DN. Enter the user DN name; for example, ou=people, dc=example, dc=com.
User Filter. Enter any additional parameters to apply when authenticating users. For example, is_user_id=1.
Bind Attribute. Enter the attribute name that is used to bind the user’s name in LDAP. For example, in openLDAP, the attribute name is userPrincipalName.
Login Attribute. Enter the attribute name that is used to search for the user in LDAP. For example, in openLDAP, the attribute name is dn.
Group Membership. Select this checkbox if you wish to specify that the user is a member of a specific group, and enter the following information:
Group DN. Enter the group DN name; for example, ou=groups, dc=example, dc=com.
Group Name. Enter the group name; for example, cn=sugarcrm.
User Attribute. A unique identifier used to check if the user is a member of the group. For example, uid.
Group Attribute. The attribute of the group that will be used to filter against the User Attribute. For example, MemberUid.
Authentication. Select this checkbox to use specific user credentials to bind to the LDAP server, and enter the user name and password in the fields that display below.
Auto Create Users. Select this checkbox to create the user name in the Sugar database if it does not already exist.
Encryption Key. If you are using LDAP with SOAP, enter the encryption key to encrypt user passwords in the Sugar Plug-in for Microsoft Outlook. The php_mcrypt extension must be enabled in the php.ini file.
SAML Authentication.
Use this section to enable SAML authentication. You must disable the Forgot Password option if you are using SAML authentication.
Select the Enable SAML Authentication checkbox and enter the following information:
Login URL: Enter the SAML URL for authentication. This is the path to the SAML server you are authenticating to.
X509 Certificate: Enter the SAML X.509 certificate public key.
5. Click Save.