What’s so hard about CiviCRM permissions?
I got an email yesterday from someone asking for help because, in their words, "CiviCRM permissions are kicking our butt."
It's a common sentiment.
So what's so hard about CiviCRM permissions? And how could you make it easier?
Here's one good reason:
Permissions are easy to change but hard to keep track of.
You can very easily add or remove permissions for any of your user roles. And you can easily add or remove roles. You can even give multiple roles to some or all of your users.
It's easy.
And it gets complex very quickly. If you're not careful, it gets messy.
This just means you have to be more careful. For example:
Resist the temptation to create a new user role until you can articulate clearly who that role is for and why they need it.
Write that explanation down somewhere, so you can refer back to it. Because it will be hard to remember when things get complicated.
Avoid changing the permissions on a role just for the sake of one user until you've carefully thought through the implications for everyone who has that role. Is this actually a change that everyone needs? Or does it represent the need for a completely new role?
Test. Add or remove one permission at a time, and then test to verify that it has the expected effect.
Document changes. Keep a running log somewhere (a Google doc is fine), noting the changes you make, the date you make them, and the rationale. It's an extra 5 minutes of work that might just save your sanity two months from now.
CiviCRM’s permissioning features are awesome and allow you to build a customized experience for a wide range of users.
With a little extra care, you can make them work for you, instead of against you.
All the best,
A.