Each Sugar user is assigned one of two user types: "Regular User" or "System Administrator User".
The "System Administrator User" type has all the abilities of a regular user as well as the following additional abilities:
- Access to the "Administration" page, where fields, modules and certain system configurations can be updated
- Ability to access, update and create user records
- Unaffected by Teams restrictions - nearly all record types have logic to automatically assign records to the appropriate council's team. Regular users are assigned only to their council's team and therefore can only see records belonging to their own council
In addition to the user type, we leverage Sugar's "Roles" feature to limit regular users' abilities to make unwanted changes, including limiting the user's CRUD capabilities for specific modules and fields. Regular users are assigned to one of the following three roles:
- Council Users - By default, all council employees who have access to Sugar are added to this role. It prevents the deletion and modification of important record types and disables editing and visibility of certain fields to protect budgets and ensure that users must follow the prescribed order of operations.
- Council Users (Advanced Reporting) - This role is identical to the "Council Users" role, except that it allows users to modify reports created by other users. This role was created to accommodate a couple of users who wanted to duplicate universal reports and modify them to more closely meet their needs. Currently only two users are in this role.
- OEC - The OEC role is used by employees of the Office of Early Childhood. It has the same restrictions on deleting important records to avoid accidental issues. However, it's much less restrictive about field-level permissions to allow OEC users to update budgets and perform actions specifically reserved for OEC users.
Anyone can create a login to ecConnect. However, creating your own login will only allow you to see the home page and a couple of static pages. The ability to see any data about a specific provider or to create a spending or coaching request requires a privileged role record (note, this is a custom module, distinct from the user roles described above).
Role records are primarily created automatically when the key contact relationships are updated on an Account record in Sugar. Updating any of those relationships automatically triggers several changes. If, for instance, the primary contact field on an account is updated, Sugar's custom logic will find the role record associated with the site and the former primary contact that has a role of "Primary Contact" and update its "End Date" field. Assuming that the former primary contact doesn't have another privileged role (e.g., a "Director" role), that individual will no longer be able to see any privileged information about the site in ecConnect and won't be able to create spending requests for that site. Simultaneously, Sugar will create a new role record for the new contact listed in the Primary Contact field, granting that individual access to the site in ecConnect.
It is possible to create a role record directly. However, we don't advertise this information, to encourage users to use the more transparent automated process. In some cases, councils need to grant multiple users access to a site, in which case we generally create the role records manually ourselves. DECC periodically reviews the manually created records to identify and terminate roles for inactive users.
Since DECC doesn't know all the individuals who should or shouldn't fill privileged roles, each Council is expected to monitor and maintain the contacts filling privileged roles for their sites. Any requests for privileged access submitted to DECC's support site are delegated to the appropriate Council. If the council determines that the individual should have access to the site, they will update Sugar to indicate the change. Only admin Sugar users or regular users with access to the site's council's records can make such a change. The individuals in privileged roles can be identified by looking at the account record or by accessing a report designed to identify all active roles, including those created manually.
The roles that have access to coaching are Lead Coach, Secondary Coach, Business Leadership Specialist, QI Navigator and Financial Leadership Specialist. The roles that have access to spending and historical data are Lead Coach, Secondary Coach, Business Leadership Specialist, QI Navigator, Primary Contact, Director and the Grant Lead of the Funding Stream associated with the selected requisition.
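The role-record lifecycle and the role lists above can be modelled as follows. This is an added example, not the actual Sugar or ecConnect logic: the `RoleRecord` fields, the function names, the sample contacts and the rule that a record is active while its End Date is empty or in the future are all assumptions, and the Grant Lead case is left out because it depends on the selected requisition.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Role names as listed on the page (Grant Lead omitted, see lead-in).
AREAS = {
    "coaching": {"Lead Coach", "Secondary Coach", "Business Leadership Specialist",
                 "QI Navigator", "Financial Leadership Specialist"},
    "spending": {"Lead Coach", "Secondary Coach", "Business Leadership Specialist",
                 "QI Navigator", "Primary Contact", "Director"},
}

@dataclass
class RoleRecord:  # hypothetical shape of a role record
    contact: str
    site: str
    role: str
    end_date: Optional[date] = None

def is_active(rec, today):
    # Assumption: an empty or future End Date means the role is still active.
    return rec.end_date is None or rec.end_date > today

def change_primary_contact(records, site, new_contact, today):
    # End-date the former Primary Contact role for this site, then create the new one.
    for rec in records:
        if rec.site == site and rec.role == "Primary Contact" and is_active(rec, today):
            rec.end_date = today
    records.append(RoleRecord(new_contact, site, "Primary Contact"))

def can_access(records, contact, site, area, today):
    # Access needs at least one active role for this site that the area allows.
    allowed = AREAS[area]  # KeyError on an unknown area: fail closed
    return any(r.contact == contact and r.site == site and r.role in allowed
               and is_active(r, today) for r in records)

def demo():
    today = date(2024, 1, 15)  # constructed sample data
    records = [RoleRecord("alice", "site-1", "Primary Contact"),
               RoleRecord("alice", "site-1", "Director"),
               RoleRecord("bob", "site-2", "Primary Contact")]
    change_primary_contact(records, "site-1", "carol", today)
    change_primary_contact(records, "site-2", "dave", today)
    people = [("alice", "site-1"), ("bob", "site-2"), ("carol", "site-1"), ("dave", "site-2")]
    return {name: can_access(records, name, site, "spending", today) for name, site in people}

if __name__ == "__main__":
    print(demo())
```

In the sample data, alice keeps spending access to site-1 through her still-active Director role, which is the kind of leftover access the periodic role review is meant to catch when it is no longer wanted.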