Custom Permission Access Module For Multi-Level Organization

Any multi-unit public organization with geographically distributed branches is set up with several levels of management, hierarchically structured units and roles. In our case there were four levels of hierarchy — the central office located in the capital, which manages the entire organization in 25 regions further divided into 12 to 30 districts each and finally the lowest level branches in every village or small town, as shown in pict 1. Such structure presupposes allocation of responsibilities and access hierarchically within a district, region or entire country.

CiviCRM allows building the multi-level organization structure using Relationships. Also CiviCRM by default provides very flexible role based access control which could be implemented through ACLs while permission control for multi-level org-structure is hardly supported. An access level to CRM data differs by roles not by units. Yet NGOs with geographically distributed branches allocate functions and responsibilities by units. Branch, district and regional offices exercise different level of control over an organization and require either extended or restricted access to data.

Read full article here: CiviMobile

When implemented, our Custom Security Module enables CiviCRM users to:

• setup Roles (admin, manager, regular member) for each user which define access permissions to different areas of information
• allow access only to a specified organization(branch/unit) the user belongs to. It’s defined through CiviCRM Relationship between a user and corresponding organization
• extend access to all subordinate organizations for selected Roles (e.g. Administrator or Manager). The relationship between organizations is defined through CiviCRM Relationship
• grant/recall access only to a specific organisation. E.g. when a branch is reassigned from one District to another (this could be done updating CiviCRM Relationship record) then a manager of the first district loses access to the branch data while the second district manager is granted it automatically

In our project we had 4-level organization and 3 main roles as shown in the pictures above. Yet the security solution is built to support any number of levels in the organization structure.