Data permission management mainly controls whether users can see and edit business data. Combined with functional permissions, it lets you flexibly configure each employee's functional operation permissions and data visibility range in the business process, comprehensively safeguarding enterprise data security. As in a matrix-style list, functional permissions determine which fields are visible to the user, such as name, phone number, and email address in the customer object, and data permissions determine which records the user can see, such as "Mr. Wang" and "Mr. Li".
- Basic Data Permissions: control data access permissions according to the person in charge of the data.
- Data Permission within Department/Organization: control data access permissions according to the department or organization to which the data belongs.
- Data Sharing: share data records covered by the basic data permissions with other users for viewing or editing.
- Related Team Data Permissions: each data record can have a related team added to it, with roles configured for the related team members, for further control over data permissions. For accounts and business opportunities, data visibility permissions can be configured independently for "joint follow-up personnel" or "after-sales personnel" in the related team.
1. Basic Data Permissions
Basic data permission is set per object. Once set, the object's data permissions follow these rules:
- [Private]: All data in the object is visible to the relevant team members (including the person in charge) and their superiors, and they have the same permissions [read-only, editable] to this data. For example, the "customer" object has strongly private attributes: customer information and follow-up records cannot be modified at will or viewed by other non-related personnel.
- [Public Read-only]: All data in the object is open to the entire company, that is, all users can see it. The person in charge of a single piece of data, his superiors, and members of the relevant team with editing permissions can edit the data. For example, the "product" object is relatively open, and each sales person can view product-related information.
- [Public Read & Write]: All data in the object is open to the whole company, and all employees can edit all data of the object.
- Remarks: The "superior" here refers to the person the user reports to.
2. Data Permissions within Departments & Organizations
Each business object has a department to which it belongs, and for each department, the data permission control method within the department can be set according to the business object. Specifically, it includes the following 3 types:
- The data of the department at this level and its sub-departments is mutually visible. Example: A is the department at this level, B is a sub-department of A, and all personnel under departments A and B can view all data belonging to departments A and B.
- The data of the department at this level is visible. Example: A is the department at this level, B is a sub-department of A, and all personnel under department A can only view all data belonging to department A.
- The data of the current and subordinate departments is visible. Example: A is the department at this level, B is a sub-department of A
Similar to intra-department data permissions, if the tenant has enabled the multi-organization function, you can set, organization by organization, the data permission control method for business objects within the organization.
3. Data Sharing
- Business configuration description:
- Data Source: the data that needs to be shared. Selecting an employee refers to the record data that the employee is responsible for, and selecting a department refers to the record data that the employees under the department are responsible for.
- Shared Data: select the object to be shared, for example, share the customer data that employee A is responsible for with employee B.
- Share Data to: the party the data is shared with. Employees, departments or user groups can be selected, and the selected employees, departments or user group members will be able to see the shared data.
- Permissions after Sharing: configure whether the shared party can view or edit the data. If it is configured as "read and write", the shared party's permissions on the shared data are comparable to the permissions of the person in charge.
- Example of Business Scene: A sales department wants Zhang San, the financial officer, to see all the sales order data of the department and allow Zhang San to edit it.
- Sharing Rule Configuration: [Data Source] is "Sales Department"; [Shared Data] is "Sales Order"; [Sharing Scope] is "Zhang San"; [Sharing Permission] is "Read and Write". After the configuration is complete, in the [Sales Order] object, Zhang San can see the sales orders that all employees of the sales department are in charge of under the [Shared to me] scene.
4. Related Team Data Permissions
Record-level Data Permissions: If you want someone to see a piece of data, you can add them to the relevant team for that data record.
- For [Account] and [Opportunity] objects, the team roles that can be chosen when adding personnel include: joint follow-up personnel, after-sales personnel, ordinary members (default value). Read-only or read-write permissions for associated business objects can be set according to team role.
- Special data permissions can be set for joint follow-up and after-sales team members.
- The joint follow-up person and after-sales person of a business opportunity have special operation authority for the sales process.
- Joint follow-up person of a business opportunity: able to operate the pre-sales process.
- After-sales person of a business opportunity: able to operate the after-sales process.

For other objects, team members are divided into two categories: responsible persons and ordinary members.
- [Responsible person]: has the maximum authority for this piece of data, and can perform all operations on the data for which they [have functional authority] and which [meet the corresponding business conditions] (except for some special operations).
- [Ordinary Member]: can be given one of two types of permissions, [Read Only] or [Read and Write].
- Read-only: can only view.
- Read and write: can perform editing operations except [Change the person in charge].
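The rules from sections 1, 3 and 4 combined into one evaluator, as an added example that is not the product's own code. All names (`effective`, `ShareRule`, the mode strings) are hypothetical; it assumes a department is expanded to its employees and that superiors inherit transitively up the reporting line, which the page does not state.

```python
from dataclasses import dataclass, field

NONE, READ, WRITE = 0, 1, 2          # ordered so max() keeps the stronger grant

@dataclass
class Record:
    obj: str                         # business object, e.g. "Sales Order"
    owner: str                       # person in charge
    team: dict = field(default_factory=dict)   # related team member -> READ/WRITE

@dataclass
class ShareRule:
    source: set                      # employees whose records are shared (assumed: department expanded)
    obj: str                         # shared object
    targets: set                     # users the data is shared to
    level: int                       # permission after sharing

def superiors(user, reports_to):
    """Everyone above `user` in the reporting line; the seen-set stops on cycles."""
    seen = set()
    while (user := reports_to.get(user)) and user not in seen:
        seen.add(user)
    return seen

def effective(user, rec, mode, reports_to, rules=()):
    """Strongest permission `user` holds on `rec` under basic mode `mode`."""
    grants = {**rec.team, rec.owner: WRITE}
    level = grants.get(user, NONE)
    for member, lvl in grants.items():           # assumed: superiors get the member's level
        if user in superiors(member, reports_to):
            level = max(level, lvl)
    for r in rules:                              # data sharing rules
        if r.obj == rec.obj and rec.owner in r.source and user in r.targets:
            level = max(level, r.level)
    floor = {"private": NONE, "public_ro": READ, "public_rw": WRITE}[mode]
    return max(level, floor)

# Constructed sample data: the page's Zhang San scenario plus a reporting line.
REPORTS_TO = {"li_si": "wang_wu", "wang_wu": "zhao_liu"}
RULE = ShareRule({"li_si", "wang_wu"}, "Sales Order", {"zhang_san"}, WRITE)
ORDER = Record("Sales Order", "li_si", team={"chen_qi": READ})

if __name__ == "__main__":
    for u in ("zhang_san", "zhao_liu", "chen_qi", "outsider"):
        print(u, effective(u, ORDER, "private", REPORTS_TO, [RULE]))
```

Running the same user through all three modes is a quick way to audit what switching an object from [Private] to a public mode would expose.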
5. Temporary Permissions
5.1 What scenario does temporary permission solve?
Problem: the processor of an item in the pending approval list does not have data permission for it.
Solution without temporary permissions: the person in charge needs to add the approval flow processor to the relevant team, so that the processor has data permissions.
Temporary permission solution: for the problem that the processors of the three processes do not have data permission, a temporary authorization function is provided. Its entry is placed at Temporary Permission, after Data Permission.
- Enable temporary authorization, which can be configured to enable read-write, read-only permissions, and configure the authorization time.
- After the temporary permission is enabled, it will take effect for all three processes.
- After it is closed, the authority will be revoked for the data that has been authorized. If it is opened again, the authority will not be restored, and the new data will follow the new temporary authority rules.
- The administrator can remove the permission for the data.
5.2 What is temporary permission?
Temporary permissions apply to pending approval flows and business processes waiting to be processed. When the processors do not have data permission for the pending data, they are granted permission temporarily. The administrator configures the number of days the temporary permission lasts according to the company's needs, and whether it gives read-write or read-only permission on the data.
5.3 When does it take effect for what data?
After temporary permission is enabled, each process instance generated from then on adds a temporary permission according to the temporary permission configuration. Process instances generated after it is closed do not use temporary permission. If someone needs data permission for the data over the long term, configure the data permission and data sharing permission correctly, or use the relevant team configuration.
5.4 What impact will temporary permissions have on the system?
After temporary permissions are enabled, process to-do personnel who do not have data permissions in the original system will still see the data details in the proxy process, because of the temporary permissions configured by the administrator. From the perspective of company management, data permissions therefore need to be configured accurately.
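The enable, close and re-open behaviour from section 5 as a small state model, added here as an example and not taken from the product. The class and method names are hypothetical, and expiry after the configured number of days is an assumption about how the authorization time is enforced.

```python
from datetime import datetime, timedelta

class TemporaryPermissions:
    """Hypothetical model of the temporary-permission switch in section 5."""
    def __init__(self):
        self.enabled = False
        self.level = None              # "read-only" or "read-write"
        self.days = 0
        self.grants = {}               # (user, record_id) -> (level, expires_at)

    def enable(self, level, days):
        self.enabled, self.level, self.days = True, level, days

    def disable(self):
        # Closing the feature revokes every grant already issued.
        self.enabled = False
        self.grants.clear()

    def on_process_instance(self, handler, record_id, now):
        # Only instances generated while the feature is enabled get a grant.
        if self.enabled:
            expires = now + timedelta(days=self.days)
            self.grants[(handler, record_id)] = (self.level, expires)

    def admin_remove(self, user, record_id):
        self.grants.pop((user, record_id), None)

    def check(self, user, record_id, now):
        """Granted level, or None if there is no grant or it has run out."""
        level, expires = self.grants.get((user, record_id), (None, now))
        return level if level and now < expires else None

def lifecycle():
    """Constructed walk-through: what handler 'h1' holds at each step."""
    t0, day = datetime(2024, 1, 1), timedelta(days=1)
    tp, out = TemporaryPermissions(), []
    tp.on_process_instance("h1", "rec-1", t0)      # feature off: no grant
    out.append(tp.check("h1", "rec-1", t0))
    tp.enable("read-only", days=3)
    tp.on_process_instance("h1", "rec-1", t0)
    out.append(tp.check("h1", "rec-1", t0 + day))
    out.append(tp.check("h1", "rec-1", t0 + 4 * day))   # past the 3 days
    tp.disable()
    tp.enable("read-write", days=3)                # re-open: old grant stays revoked
    out.append(tp.check("h1", "rec-1", t0 + day))
    tp.on_process_instance("h1", "rec-2", t0)      # new instance follows new rules
    out.append(tp.check("h1", "rec-2", t0 + day))
    return out
```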


6. Others
Prevent employees without permission to view data from seeing full account names in workflows
- For the security of corporate data, if a customer is associated in "Sales Records" or "Work", but does not have the customer's "View Details" permission, the customer name can be partially hidden. For example, "Beijing Century Future Technology Co., Ltd." will be displayed as "Beijing***Company" in the "Work" tab.