This example explains a simple company setup where individual users have limited access to CRM functions.

Assumptions and requirements

Consider a very small organization with almost no hierarchical order as shown in Figure: Small Sample Organization.



For this company, two roles would probably be enough: one for the administrator and one for the company staff. However, we will introduce 6 roles (corp_manager, admin, assistant, sales, service, and accounting) in order to be prepared for further company expansion. We assume a very flat hierarchical order where the sales and service staff operate on the same information level.

Let us define the following security requirements:

  • The head of the company, as well as the assistant and the administrator, have all privileges.

  • The sales team is responsible for all contact information; the service team maintains the helpdesk. Both are allowed to browse, create, modify or delete the data.

  • Accounting is done by a third party and has access only to the invoice, purchase order and sales order data.

 CRM System Configuration 

  1. set default organization sharing access privileges, so that all users have access to all data

  2. set default organization field access privileges, to control the fields shown

  3. create profiles, to set privileges

  4. create roles, to implement the company's hierarchical order

  5. assign the privileges to users

Default Organisation Sharing Access

We set the privileges so that all users have access to all data as shown in Figure: Organisation Sharing Access for Small Company.

Organization Sharing Access for Small Company


Default Organisation Fields Access

For the purpose of this example, we do change the field access.


The privileges for each role are based on profiles. We need only 4 profiles:

  1. Sales Profile

Global Privileges:

All privileges for edit and view any data should be given as shown in Figure: Global Privileges for Sales.

Tab Privileges: 

We do not restrict access to the CRM modules for the sales representatives as shown in Figure: Tab Privileges Sales Team.

Standard Privileges:

We limit some privileges to some modules as shown in Figure: Standard Privileges Sales Team. The Create/Edit, as well as the Delete privileges for the modules HelpDesk and PurchaseOrder, are revoked.

Field Privileges:

All privileges are granted.

Utilities Privileges: 

All export privileges are revoked.

  2. Service Profile

The Service Profile is almost identical to the Sales Profile with the following exception:

Standard Privileges:

We do not want the service to delete sales-related data. Therefore some privileges are revoked.

We would like the external accountant to see the accounting data only. For the Accounting Profile we need to set up the following privileges:

Global Privileges:

The accountant may see any data as allowed by the settings shown in Figure: Global Privileges Accounting.

Tab Privileges:

We would like to restrict access to sales-related data.

Standard Privileges:

We do not want the service to delete sales-related data. Therefore some privileges are revoked.

Corp Head Profile 

The Corp Head Profile has all privileges.

Administrator Profile 

The administrator profile should have all privileges. A restriction does not make any sense since the administrator has permission to change the configuration anyway.


We do not need to build any groups.


To have the structure shown in Figure: Small Sample Organization represented by the CRM system, 6 roles must be created as shown in Figure: Sample Role Setup.

Sample Role Setup



Each individual user of the CRM system must be assigned to an appropriate role.

Assign Privileges to Users

In the last step, the defined privileges are assigned to the users as shown in the following table:

Privilege Assignment

| Name | Role | Profile |
|---|---|---|
| Person 1 | corp-manager | Corp Head Profile |
| Person 1-1 | admin | Administrator |
| Person 1-2 | assistant | Corp Head Profile |
| Person 2 | sales | Sales Team Profile |
| Person 2-1 | sales | Sales Team Profile |
| Person 2-2 | sales | Sales Team Profile |
| Person 3 | service | Service Profile |
| Person 4 | accounting | Accounting Profile |
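
Because organization sharing is open to all users in this setup, the profiles are the only access barrier, so it is worth computing what each user can actually do. The following is an added example, not part of the CRM or of the original manual: it models the profiles and the Privilege Assignment table and lists effective permissions. The module names Contacts, Invoice and SalesOrder, the specific Service and Accounting revocations, and all function names are assumptions.

```python
# Added example (not CRM code): effective access for the profiles described
# above. Module names other than HelpDesk and PurchaseOrder are assumed.
MODULES = ("Contacts", "HelpDesk", "Invoice", "PurchaseOrder", "SalesOrder")
ACTIONS = ("view", "create_edit", "delete", "export")

def profile(tabs=MODULES, revoked=()):
    """Profile = visible tabs plus revoked (module, action) pairs."""
    return {"tabs": frozenset(tabs), "revoked": frozenset(revoked)}

def revoke(modules, actions):
    """Build the set of (module, action) pairs to revoke."""
    return {(m, a) for m in modules for a in actions}

NO_EXPORT = revoke(MODULES, ["export"])
PROFILES = {
    "Corp Head Profile": profile(),
    "Administrator": profile(),
    "Sales Team Profile": profile(revoked=NO_EXPORT | revoke(
        ["HelpDesk", "PurchaseOrder"], ["create_edit", "delete"])),
    # Assumption: the page does not name the revoked Service privileges;
    # modelled here as no delete on Contacts and SalesOrder.
    "Service Profile": profile(revoked=NO_EXPORT | revoke(
        ["Contacts", "SalesOrder"], ["delete"])),
    # Assumption: accounting sees only its three tabs and cannot export.
    "Accounting Profile": profile(
        tabs=["Invoice", "PurchaseOrder", "SalesOrder"], revoked=NO_EXPORT),
}
USERS = {  # name -> profile, from the Privilege Assignment table
    "Person 1": "Corp Head Profile", "Person 1-1": "Administrator",
    "Person 1-2": "Corp Head Profile", "Person 2": "Sales Team Profile",
    "Person 2-1": "Sales Team Profile", "Person 2-2": "Sales Team Profile",
    "Person 3": "Service Profile", "Person 4": "Accounting Profile",
}

def allowed(user, module, action):
    """Sharing is open to everyone, so only the profile decides."""
    p = PROFILES[USERS[user]]
    return module in p["tabs"] and (module, action) not in p["revoked"]

def effective(user):
    """All (module, action) pairs the user can actually perform."""
    return {(m, a) for m in MODULES for a in ACTIONS if allowed(user, m, a)}

def excess(user, needed):
    """Permissions held beyond what a requirement lists (least privilege)."""
    return effective(user) - set(needed)

if __name__ == "__main__":
    for name in USERS:
        print(name, sorted(effective(name)))
```

Calling `excess("Person 4", ...)` with only the view permissions on the three accounting modules shows that hiding tabs alone still leaves create/edit and delete on that data unless the Standard Privileges are also revoked.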


