Understanding Admin and Developer Access in Roles

Overview

System Administrators can configure roles with various access types for Sugar modules. The role's access type for a particular module determines how much control users in that role have over the module. The Access Type column may be set to Normal, Admin, Developer, Admin & Developer, or Not Set. The Not Set option is effectively the same as the Normal option except when a single user belongs to multiple roles. This article explains the difference between the capabilities of an Administrator user and regular users who have Admin, Developer, or Admin & Developer access type for roles.

System Administrator Users

In Sugar, System Administrators, or admins, are users whose user record specifies the type as "System Administrator User."

Admins can access all modules and all records in Sugar and are not subject to team or role restrictions. Admins also have administrative rights to perform functions such as creating and editing users and editing system-wide settings, and they can access all of the developer tools in Studio, SugarBPM, Workflow Management, and Dropdown Editor.

All instances of Sugar require at least one administrator. The first administrator user created in Sugar has a user ID of "1". As a best practice, try to have at least two administrator users for your instance in case one of the administrators is not available or cannot log in. Take care not to have too many administrators, though, to minimize potential conflicts.

Admin Access Type

System Administrators can grant a regular, non-admin user "Admin" access to one or more modules via their role's Access Type.

When a role is configured with Admin access to a module, users in that role are not subject to team restrictions, and can, therefore, perform the following actions on any record within that module:

• Delete
• Edit
• Export
• Import
• List View
• Record View
• Mass Update

Note: When a user is assigned multiple roles, the most restrictive access set up across roles in the module's operation-related columns ( e.g., Edit, Delete, etc.) supersedes the Admin access. 

Despite the similar name, regular users with Admin access to a module cannot see the administration panel in Sugar unless they also have Developer access to at least one module.

As an example use case, you may choose to grant Admin access type to the Leads module for users on the corporate Marketing team. These users typically need to manage all of the records in the Leads module and check for potential duplicates when entering new data, but should not be allowed to customize any part of Sugar.

Developer Access Type

System Administrators can grant a regular, non-admin user "Developer" access to one or more modules via their role's Access Type.

When a role is configured with Developer access to a module, users in that role have access to Studio, SugarBPM, Workflow Management, and Dropdown Editor. Developer access to some modules also enables additional administration functions as listed in the Module-Specific Developer Options table on this page. The user's access to Sugar records remains subject to team restrictions and action-related role restrictions for this module.

When a user has Developer access to any module, they can see the Admin option in their user profile dropdown:

From the Admin screen, the user can navigate to the Workflow Manager, Dropdown Editor, and Studio via the Developer Tools panel:

The user can leverage these tools to customize the module(s) that they have Developer access to. For example, if the user has Developer access to the Accounts module, then the Accounts module is available to them in Studio:

For example, you may choose to grant Developer access type to the Customer Service Manager for the Cases module. This will empower the manager to create new fields and layouts for Cases as needed by his team without compromising any team-related security measures or relying on the System Administrator to make these changes.

In the navigation bar, the Process Business Rules, Process Email Templates, and Process Definitions modules can be viewed and configured by users with a role that provides developer access to one or more modules for which a SugarBPM process can be triggered (e.g., Accounts module, Cases module). For example, a regular user with developer access to the Accounts and Cases module can see the SugarBPM functions so that they can design process definitions, business rules, and email templates targeting the Accounts and Cases modules. Regular users without developer role permissions will only have access to the Processes module. 

Module-Specific Developer Options

Some modules offer additional administration options for users with Developer access. The following table outlines these options. When a user has Developer access to the module listed on the left, then they can see the corresponding item on the Admin panel in Sugar:

For more information on these administration tools, please refer to the Administration Guide specific to your Sugar product and version.

Admin & Developer Access Type

System Administrators can grant a regular, non-admin user "Admin & Developer" access to one or more modules via their role's Access Type.

Note: For instances that use SugarIdentity, the administrator can grant regular users "Admin & Developer" access to Users, Teams, and Roles in Sugar as well as access to SugarIdentity to manage certain user data by assigning them to the system-generated SugarIdentity User Management Role. For more information on configuring and assigning this role to users, refer to the SugarIdentity Guide.

When a role is configured with Admin & Developer access to a module, users in that role have the increased capabilities of both the Admin access type and the Developer access type. They will have access to Studio, SugarBPM, Workflow Management, Dropdown Editor, and any other administration functions that are specific to the module as listed in the Module-Specific Developer Options table. In addition, users with Admin & Developer access to a module are exempt from team or role restrictions for that module and can, therefore, perform the following actions on any record within the module:

• Delete
• Edit
• Export
• Import
• List View
• Record View
• Mass Update

Assigning Multiple Roles to a User

When a single user belongs to multiple roles, the most restrictive setting for each cell of the roles table will win. For example, if Role A specifies Normal access type for the Accounts module while Role B specifies Developer access, a user assigned to both roles will only have normal access to the module. The Not Set access type is not a factor when combining multiple roles. You can see how multiple roles are combined and see a user's resulting access by viewing the Access tab on their user profiles. 

Summary

• System Administrator users have unlimited access to all areas of the Sugar application. They can work with all records in all modules regardless of team membership and can use Studio, SugarBPM, Workflow Management, and Dropdown Editor to customize any module in Sugar.
• A regular user with Admin access to a module can access all records in that module regardless of team membership.
• A regular user with Developer access to a module can only access records for their teams in that module, but they can also use Studio, SugarBPM, Workflow Management, and Dropdown Editor to customize the module.
• A regular user with Admin & Developer access to a module can access all records in that module regardless of team membership and can use Studio, SugarBPM, Workflow Management, and Dropdown Editor to customize the module.
• If a user belongs to more than one role, the most restrictive access type wins for each module.