RSS

In our most recent release of OroCRM Enterprise Edition, 1.8, we have continued to improve the support for multiple organizations. Two new features were introduced: Global access to data from multiple organizations in a single view and optimizations to user login experience.

Organizations with global access to data.

The main advantage of using multiple organizations instead of business units is that they allow for greater separation of data: the records created in one organization will not be accessible from another organizations even to the users with the broadest permissions.

However, sometimes there is a need to see data from multiple organizations in one view. Imagine the CEO of an international organization who wants to get a consolidated report on global sales performance. Or think of a business of independent sales teams that all ply their trade in different ways and therefore require organization-level separation, but nevertheless report to the same regional coordinator who will require a broad, cross-organizational picture.

Now all these needs are served in OroCRM with an organization that has System Access. Once configured, such organization will provide access to data from all organizations that exist in the system.

Figure 1. Designating an organization with the System Access in order to provide global access to data within it.

Figure 1. Designating an organization with the System Access in order to provide global access to data within it.

The organization with the system access to data will look no differently from “normal” organizations, but its grids will contain all records that exist in the system, with the additional Organization column, as shown on Figure 2.

Figure 2. Grids in organization with system access display all data records from all organizations.

Figure 2. Grids in organization with system access display all data records from all organizations.

The global access to data is not restricted to viewing—it is possible to edit and delete existing entity records, as well as create new ones. However, records cannot be moved between organizations.

Two-factor control of user access to global data.

Global access to data is a powerful tool, so access should be granted only to the most trusted users. In order to prevent accidental assignments, we designed a system where two independent conditions must be met by the user in order to view global data, thus greatly reducing the risk of unwanted access by the wrong person.

First, the user should be assigned to an organization that has system access, as shown on Figure 3. Without this step, the user will not be able to switch to the global view at all.

Figure 3. Assigning the user to the organization that has system access is the first step necessary to provide him with the global data access.

Figure 3. Assigning the user to the organization that has system access is the first step necessary to provide him with the global data access.

But in order to see actual entity records while in the Global view, the user must have sufficient permissions for his role on the entity level. If he has Organization or lower, no data will be displayed. Only System level grants the access, as shown on Figure 4.

Figure 4. In order to be able to access records in the Global view, the user must get System permissions for his role.

Figure 4. In order to be able to access records in the Global view, the user must get System permissions for his role.

We strongly recommend keeping permissions for most roles at the Organization level and configuring a separate role with System-level permissions to be used by Global view users only.

Optimized user login experience.

If you have already tried the new 1.8 version in the multi-organization environment, you probably have spotted the difference: the login screen looks exactly like it used to be in older versions, with no organization selector visible. Why did we remove it? Because sometimes less is more.

Instead of asking you to select the organization every time you log in, the system now remembers the last organization you have worked in, and logs you there automatically, saving you a click. For additional convenience it is remembered across different devices and browsers too. And if you need another organization, simply use the switcher in the top left corner.

Familiar users of multi-organization environment should find themselves comfortable with the new login almost immediately, but what about novices? We have thought about them as well. When the user logs into the system for the first time, he is simply logged to the first organization that is available for him. And if there are many, the system displays a welcoming prompt, effortlessly informing the user about his current environment and at the same time guiding them how to switch between organizations.

Figure 5. The prompt is displayed upon first login if the user has access to multiple organizations.

Figure 5. The prompt is displayed upon first login if the user has access to multiple organizations.

Further plans.

We are continuing with the development of multi-organization environment in OroCRM EE, and look forward to expand it further in the upcoming 1.9 release. The most prominent new feature will be the ability to configure each organization differently—e.g. make them appear in different languages and under different locales, or have different display settings. We will explain this feature in greater detail on our blog, so stay tuned!

2 comments
ssossossosso