Controlling CiviCRM access with Drupal permissions

Question

I'm trying to set-up an access control system in CiviCRM to restrict access of certain users to certain custom data field sets. I'm planning to use Civi ACLs to achieve this, though my understanding is that they are overridden by Drupal permissions, and therefore the 'CiviCRM: access all custom data' checkbox must be unchecked within Drupal permissions. I will then be able to use ACLs to allow access to these fields to only the users I want.

My problem is that I've created a Drupal role 'crm user' with this box unchecked, but when I log in as a user with this role I can still see all the custom data, which I shouldn't be able to do. Does anyone know what I might be doing wrong? Are there any other Drupal permissions that need to be removed?

Answer 1

Ensure that your 'crm user' role has the minimum required permissions. As noted in @Flying's answer, the 'Administer CiviCRM' permission gives users access to thee whole of CiviCRM and therefore overrides the 'access all custom data' permission.

Note that if you are using custom data fields in exposed profiles or forms that need to be accessible to anonymous users or logged in users then those roles will need to have the 'access all custom data' permission so that they can see and complete those fields, so you'll need to be careful about setting up your user roles and permissions.

Once you have your Drupal permissions doing the right thing you can then move on to setting up the ACLs that you need within CiviCRM.

Answer 2

If the user has the Drupal access of "Administer CiviCRM", that would override the "CiviCRM: access all custom data"-setting.

So any user with the Drupal access of "Administer CiviCRM" can access CiviCRM custom data, regardless of the "CiviCRM: access all custom data"-setting.