This article has been prompted by a some recent questions about nature of data privacy in Sage CRM. And specifically I want to think about access to diaries and calendars.
Consider the following business requirements:
- Is there any way to restrict a particular users calendar being viewed by other user?
- A user wanted some other Sage CRM users to be able to see their private appointments but didn't not want any of the notes or other info to be visible in Sage CRM. In other words, the user only wants part of the task/appointment to be visible rather than make and entire item "private".
I am thinking out loud here, so anything I say needs to be taken with a pinch of salt.
I have not tested my ideas thoroughly but based on my experience everything below is reasonable. I've tried to be as broad as possible in my thinking as communications can be added into the system either by the user themselves, through classic Outlook integration, Exchange integration and even programmatically using the different APIs.
I think there are three main ways of controlling a users access to another's calendars.
The first is that a user may not access the other persons calendar.
The second is that a user may not see what is on another persons calendar. (They can access the tab but nothing shows up)
Thirdly the communication can be marked as private.
The access control to calendar is quite limited. A system administrator can set up a user within the screen e.g.
Administration -> Users -> Users -> William Dolan
And give that user rights to access other peoples 'My CRM' data including the calendar with the setting 'My CRM Lists'. The options are either 'All Users', 'User Only' or 'No Users'. The last means that the My CRM menu disappears entirely for the users interface.
If users should not see anybody else's information then change the option to 'User Only'.
Note - you will also have to consider the Team tab if the users are on the same team. The visibility rights will for those will need to be set. Also a user could still investigate another persons diary by searching for communications in the Find screens.
This option then becomes more critical. If a user really should not see other peoples calendar then that data needs to be in a territory that other people can not access. This will involve considering the way in which territories and security profiles work.
It is worth remembering that in Sage CRM for a user to be able to see the another users communications then they will need to have rights not only to the communication but also to the other data to which the communication is linked. For example, if a certain user creates an appointment in Exchange, perhaps they just quickly reserve some time in their diary, this will be synched into Sage CRM. This maybe added to a territory that anyone can read. But within Sage CRM if the communication is then associated to a Company, Person or Opportunity to which there is restricted access then only people with access to that data can read the communication. For an appointment the time would still be blocked out in the Sage CRM calendar when trying to schedule a meeting in CRM with that user.
This is the simplest. A communication marked as private is exactly that. The users however would need to remember to mark the sensitive data as private or you would need to establish the rule that categorises data as 'private' and therefore when the communication is saved it is changed to private automatically.
If it is synchronized to Sage CRM from Exchange or Outlook it will be added to CRM but people will not be able to see the details of the appointment - only that they are unavailable for the duration of the meeting. Tasks are synched from Sage CRM to Exchange/Outlook and if private they can not be viewed by other users.
But what if a user wants people to see their diary but also wants to hide some specific details about the individual appointments or tasks? We need to be clear that a private communication is private. If however he wants some aspects of a public communication to be private... then there maybe some options.
Note: Some people think that private Communications in Outlook mean that nobody else can see them...but that is not strictly true. If the user has other people who can read his folders then they could use could use programmatic methods to look at 'private' information. A programmatic method could be as simple as using another email program that can connect to the exchange server.
Another thought strikes me and that is that subfolders in Exchange are not synced which opens up other possibilities for differentiating public and private information. See
We can do different things depending on where the communication (appointment/task) is created and principally accessed by a particular user. If a user mainly uses Outlook then additional fields can be added in Outlook/Exchange to both Appointments and Tasks. I am not terribly up-to-date with adding custom fields in Outlook/Exchange so do make sure that you read up around this area. These custom fields would only exist in Outlook/Exchange and not be synched to Sage CRM.
Both the Classic Outlook and new Exchange Integrations work in a very particular way. And the mappings are pretty fixed.
These articles discuss Classic Outlook Integration
The Exchange Integration is fixed and can not be extended with custom fields being mapped from Exchange into Sage CRM.
This means that you could add additional custom fields in Outlook/Exchange that are not synced to Sage CRM. The information in these fields would remain private to the user (and to anyone who can read his calendar). The information that is synced to Sage CRM (which excludes the custom fields) would then be available to anyone with rights in CRM to read that data.
That brings me back to the second point I raised above about Sage CRM rights and security.