Sugar: Error "Access Denied" Explanation

When Riva Cloud or Riva On-Premise attempts to sync with Sugar, four possible scenarios may cause Sugar to issue Access Denied errors.

In the most common scenario, permissions are not set up properly in Sugar to support Riva's "Enterprise" impersonation model. In that model, Riva connects to Sugar with the credentials of an admin user but writes changes to Sugar with the permissions of the Sugar user that Riva is currently syncing, and the user's permissions are insufficient. For example, Riva connects to Sugar using the "admin" user and is syncing to a user "Bob" who has insufficient permissions, and Riva attempts to use Bob's permissions in Sugar when trying to write data to or from Sugar.

Contents:

• Errors observed;
• Versions of Sugar that these errors apply to;
• Possible causes:
  • #1: Patch included in Sugar 6.3.2+, 6.4.0, and 6.4.1;
  • #2: Hidden modules;
  • #3: Insufficient permissions;
  • #4: Team or role restrictions:
    • Example: Security restrictions affecting data synchronization;
• Permissions required for all data to sync.

Errors Observed

Versions of Sugar That These Errors Apply To

This article applies to the following CRM systems:

• Sugar (all editions including CE) and Sugar On-Demand.
• info@hand (all editions) and hosted info@hand.
• intelecrm (hosted).
• DataSync Suite (hosted).

Possible Causes

"Access Denied : You do not have access" errors can be caused by any of these:

• #1: Patch included in Sugar 6.3.2+, 6.4.0 and 6.4.1.
• #2: Hidden modules.
• #3: Insufficient permissions.
• #4: Team or role restrictions.

Possible cause #1: A patch

A patch included in Sugar 6.3.2 or higher, 6.4.0, and 6.4.1 generates "Access Denied" errors. For more information, see Sugar 6.3.2+ and 6.4.0/6.4.1: Resolve "Access Denied" errors.

Possible cause #2: Hidden modules

If the user's permissions grant access to create, modify, and delete, but the user still receives Access Denied errors, the module in question may be hidden from the user, which disables the module.

If the user logs in to the CRM but cannot access the module, no data can be synchronized for that module.

As the CRM system admin, check whether the module is available on the CRM menus.

To check for module visibility:

1. Log in to the CRM as an administrator.

2. Navigate to Admin > Display Modules Tabs and Subpanels, and verify whether the module is hidden from all users. (It is a global setting.)

3. Navigate to Admin > Role Management. For each security role, select its name, and verify whether Access is set to Disabled, or View is set to None.

Possible cause #3: Insufficient permissions

Permissions can be granted globally to specific security roles and to specific individuals. Access control restrictions are a cumulative combination of settings from multiple Roles that the user is a member of. The most restrictive settings apply.

When configuring permissions in security roles, these are the important concepts to understand:

• If Access is set to Disabled for a particular module, no data sync occurs for that module.
• If the permission of a setting is set to Owner, then the user that is assigned to the item (usually the user that creates an item) can modify it, but other users cannot.
• If you want to permit all users to access and modify data, assign All.
• To permit synchronization, the following permissions are required:
  • Set View to All or Owner.
  • Set Export to All or Owner.
  • Set Import to All or Owner.

Because Riva does not have a desktop plug-in and relies exclusively on built-in features, the email client does not know anything about the CRM security model, leaving the possibility that users can modify (in the email client) items to which they have read-only access in the CRM. In these situations, when Riva attempts to sync the change, an "Access Denied" error is logged. Various sync policy options can be set to handle these errors.

Possible cause #4: Team or role restrictions

• Sugar uses the most restrictive role settings. For example, if you have three roles, the most restrictive settings are used. For information on how roles are set up in Sugar, see Sugar role management.
• Sugar has teams, which restrict the visibility of records. For example, module data may be restricted to a team the user is not a member of. For information on how teams work in Sugar, refer to the PDF Sugar team management.

Example: Security restrictions affecting data synchronization

When an item sync attempt receives an access-denied error from the CRM, the item is not synced to the CRM. The item is not updated in the CRM to reflect the change that was made by the user.

Subsequent changes that are made to the item in the CRM overwrite any changes made by the user.

Many access control restrictions lock changes against meetings or contacts so that only the item Owner can delete or modify the item.

In those cases, the process flow would look something like this:

1. User A creates a new meeting in the CRM and adds User B as an attendee.

2. When Riva syncs to Exchange, it creates new appointments on User A (as organizer) and User B (as attendee).

3. User A makes a change from a desktop client.

4. Riva syncs the changes with the CRM and back to User B.

5. User B makes a change from a mobile client.

6. When Riva attempts to sync the changes with the CRM, it receives an Access Denied error.

FOR THIS EXAMPLE, in Sugar, the users' access control listing would look like:

Permissions Required for All Data to Sync

For all data to sync properly, confirm that the user is part of the appropriate teams and permissions outlined below. All organizations have different security models that can be modified.