Using SugarCRM Team-Based Permissions

    Many of our customers ask us what the ‘Team-based Permissions’ option in the Sugar Admin panel is and how it works. In this blog post, we will explain to you how team-based permissions are used (Click on the below images to enlarge).

    With Team-based permissions, Administrators can determine not only which records a user can see but also what the user can do with one, but not another record. Team-based permissions are available in the Sugar Sell, Enterprise and Ultimate editions of Sugar and allow further access permissions to be set along with the regular Team and Role permissions.

    Below example explains how exactly Team-based permissions work!

    The Scenario

    User ‘Will Westin’ has access to Teams ‘National’ and ‘International’. With these Team permissions, Will can see all records that sit in one or both of these Teams.

    Will’s manager wants Will to be able to see National and International records, which is covered in the above Team settings. So far so good! However, Will should only be able to edit the National Account records.

    In the Role settings that have been applied to Will’s user (shown below) you can see that Will’s ‘Edit’ rights have been set to ‘All’. This means that Will can edit any Account record that he has access to via Teams and so he can edit both National and International records.

    These permissions currently do not match what Will’s manager is requesting!

    To re-cap:

    • Teams: Team settings alone will achieve giving the user access to both sets of records (National and International)
    • Roles: Roles alone won’t be able to distinguish the permissions from one Account record to another. Roles only set permissions per module, not per record

    That’s why Team-based permissions were introduced. Team-based permissions allow multiple teams to access records, but with different permissions from record to record.

    In order to use team-based permissions, the function has to be enabled per module by an Administrator user following the below steps (if not already enabled).

    Enabling team-based permissions

    The below steps should be performed by a Sugar Administrator.

    • Navigate to Admin > Team-based permissions
    • If team-based permissions have not previously been enabled, then an Administrator has to select the checkbox ‘Enable team-based permissions’
    • Tick the checkboxes next to each module that you want to enable for team-based permissions. In our example we only tick the checkbox for ‘Accounts’
    • Once all selections are made, click ‘Save’

    Modifying role permissions

    An Administrator user must then configure/amend Roles (Admin > Role Management) for the team-based permissions to take effect. Inside of a role, a new access option will be available on module level permissions, called ‘Owner & Selected Teams‘.


    In the above example, Will’s role has been updated so that ‘Edit’ permissions for Accounts has been updated to ‘Owner & Selected Teams’. This means that the user can edit records for which they are the assigned user (= Owner) OR in which the user’s selected team is unlocked. For example, if in a user’s user profile the selected team is National and in the Account record the Team National is unlocked, then the user will be able to edit the record regardless of if they are the assigned user or not.

    Making a user’s team a selected team

    To set the selected team for a user, an Administrator user should navigate to Admin > User Management > Select the user that should have team-based permissions > Edit > Select the ‘Advanced’ tab > tick the ‘Selected‘ checkbox next to the default team(s) that should be the user’s selected teams. In below example (see screenshot), Will’s selected team is National.

    Record permissions

    After a module has been enabled for team-based permissions, you will see in edit-mode of a record that the Teams field displays a lock button. By default, all teams of a record will be locked (closed lock symbol). Select the lock button to unlock a team (open lock symbol). Below example (see screenshot) shows an Account record where the team National is unlocked.

    Now, what does it mean when a team is unlocked in a record?

    The user Will Westin will be able to edit the Account record ‘XYZ Funding Inc’ as his selected team ‘National’ has been unlocked, even though he is not the assigned user of this record.

    If Will was to create a new Account record, the team would default to his Primary and Selected team ‘National’. This means that the record is automatically unlocked for all users that have the team ‘National’ set as their selected team in their user profile.

    If you have any further questions relating to Team-based permissions please contact us by clicking on the below button.

    Louise heads up Sugabyte's professional services with 6 years experience in building customer systems.