Control View Permissions for User Emails

We’ve set up user email syncing via Google which is working well. However, we’ve run into a problem with visibility.

If you view the page for a particular user, you can see emails that are associated with that user record. There doesn’t seem to be any consistent pattern for which emails show up and which ones don’t, which means that one user could view emails from another user that they should not be able to see.

Ideally, a user would only see their own emails and the emails from other users that are associated to shared contexts. This limit does not appear to be in place or at least is not working consistently.

We tried disabling access to the User list via permissions but this breaks the ability to filter grids by Owner. The Owner list becomes blank for the restricted user and they cannot filter anymore.

Any ideas on how we can limit the visibility to emails to only those which a user SHOULD be able to see?

Topic

[dkrushelnytskyi@magecore.comModerator]

Hi @Rob

You can set different permissions for actions of entities in the role managament.
There is the entity “Email-User Relation”. For action “view” available such values:
– None
– User
– Business Unit
– Division
– Organization
– System

Permission of action View for entity “Email-User Relation” used to check permission to see activity email in activity list.

Dependence of the reflection on the permissions:

• None – User cannot see activity in activity list.
• User – User can see email in activity list if he is participant of email (sender or recipient).
  Also user should set Email synchronization settings and make sync email.

• Business Unit – User can see all email in activity list if users have common Business Unit.
• Organization – User can see all email in activity list if users have common Organization.
• System – User can see all email in activity list.

[RobParticipant]

Thanks for the clarification about the Email User entity. However, the problem here is that if I set the permissions to “User”, a particular user cannot see an email ANYWHERE unless they were included on that email. This includes cases where the email has a particular context.

What I would prefer in this case is that a user can only see an email that isn’t their email if they view it either from:

* A contact page
* The page of another context associated to the email

In this case, then, the real solution may be to delete the “Activity” view from the user profile page so that all of a user’s messages / activity cannot be viewed. What would be the simplest way to turn this view off?

[sadortunParticipant]

Hi @Rob,

Did you manage to make it work as you described ?

Thanks,
Smauel

[Jeroen OlthofParticipant]

Any news on this matter. I also see personal non related mail of different user. I feels like bug, but maybe it’s a feature?

[Jeroen OlthofParticipant]

In a two users scenario

User A:
[Role, Sales Rep]
[Email-User Relation] = user (view,edit and create)

User B:
[Role, Sales Rep]
[Email-User Relation] = user (view,edit and create)

When user A selects “All Emails” in My Email view, he will see all email of user A & B.
When user B selects “All Emails” in My Email view, he will see all email of user A & B.

So user A and B can see all each others personal E-mail.

This probably isn’t the way it’s meant to be?

Thx
Jeroen

ps. is there a way to delete all synced email. Just to try a resync..

[Jeroen OlthofParticipant]

It is fixed in 2.0.11 (also in the 2.1.3 which we run now)

https://github.com/orocrm/crm-application/releases/tag/2.0.11

[Author]

Replies