In order to change a user’s password, you will have to log into Sugar with the user’s username and password. You can then change the password on the User Preferences page.

Question

Why does Sugar log me out with the message “This session has ended because another session has been started under the same username” ?

Answer

This is due to a change in behavior in the application as of version 5.5.4.  Prior to 5.5.4, a single username could be used to log into a Sugar system under multiple sessions simultaneously. As of 5.5.4, a single username can be used to log into a Sugar system only under one session. Any additional user sessions started using the same username will log out previous sessions.

Beginning in version 5.5.4, SugarCRM enhanced its session functionality which now prevents the same user from logging in to Sugar at the same time from different machines and/or different browsers.  This added functionality increases the security of Sugar.

What does this mean to you?

If you are logged into your Sugar instance and another person logs into Sugar using your credentials, you will be automatically logged out of Sugar and will need to log back in to gain access.  Hence, to avoid conflicts, we highly recommend not sharing your credentials with other users.

Here are examples of what still can be done:

1. A user can log into Sugar directly through the browser login page, and also concurrently log into Sugar via the Sugar Plug-in for Outlook (or other plug-ins and extensions using the Web service APIs).
2. A user can have an unlimited number of pages of a Sugar instance open within a single browser session (i.e multiple tabs in the same browser).
3. A user can be logged in to Sugar through the plug-ins and other extensions, while also logged in to a Sugar instance.
4. Multiple Web Service API sessions (SOAP & REST) are still possible.  Only sessions started by logging directly into Sugar via the browser login page are affected.

Here are examples of what cannot be done:

1. Two different people log into a Sugar instance separately opening two simultaneous sessions using the same username.
2. One person logs into a Sugar instance within two different browsers (e.g. Microsoft IE and Firefox) at the same time.
3. When a second browser session is started, the first session is terminated and the first session’s user is returned to the login page.

Below is a snippet that discusses shared user accounts in the current end user license agreement:

4.1 Subscription User Accounts: Company shall designate a License Administrator and notify SugarCRM of the identity and contact information for said License Administrator.  The License Administrator may add Subscription Users to Company’s subscription to the Service and/or Software, as applicable, by placing an order with SugarCRM.  The License Administrator shall notify SugarCRM in writing prior to switching a Software Subscription User to a Service Subscription User and vice versa.  Company is responsible for all activity occurring under Company’s Subscription User’s accounts.  Company shall notify SugarCRM immediately of any unauthorized use of any password, account, copying or access to the Service or Software, as applicable. Subscription User accounts cannot be shared or used by more than one individual Subscription User but may be reassigned to new Subscription Users replacing former Subscription Users.

Precondition

You are using Sugar Enterprise or Sugar Professional.

Description

If you want to ensure that users can view a field value but not modify it, you can make it a “read-only” field as follows:

1. Log into Sugar as the administrator and navigate to the Administration Home page.
2. Create a role and save it.
3. In the role’s Detail View, click the desired module in the left pane to view its fields, and the existing permissions for each field. The default is “Not Set”.
4. Click “Not Set” for the appropriate field to view permission options in the drop-down list.
5. Select “Read Only”, and click Save.

Every record is assigned to a team. Hence, in order to view a record,  you must be a member of the team assigned to manage it.

In order to make a record visible to all users, assign it to the Global team, and ensure that all users are members of the Global team.

Precondition

You are using Sugar 5.5.x or a later version.

Description

The Sugar administrator creates and manages passwords for users.

When administrators create a  user record in Sugar, they can either enable Sugar to automatically generate a  temporary password and email it to the user, or they can manually create the password and email it to the  user.

Note: In Sugar 5.2.0 and earlier versions, the administrator must manually create passwords and email them to users.

The user can log into Sugar with the temporary password and create a new password.

Administrators also have the  option to display the “Forgot Password” link in the Sugar Login window. When this option is enabled, users who forget their password can click this link to submit their request for a new password. When Sugar receives their request, it automatically sends a link to a page where they can reset their password.

For more information on password management, see the appropriate  Sugar Application Guide for the Sugar version that you use .

Question

What types of  Sugar users count towards licenses in Sugar Enterprise and Professional?

Answer

• Admin users – A System Administrator User counts as a license. You can rename the Administrator user if needed.
• Active users – An active Regular (non-admin) user counts as a license.

These user types do not count towards a license:

• Inactive users – A user whose status is set to “Inactive” does not count as a license.
• Portal API users – This user, used for server-to-server authentication, does not count as a license.
• Group user -  This user, used for inbound email group mailboxes, does not count as a license.

A team consists of one or more users who are assigned to manage a record.  Teams provide data security because users can access a record only if they are members of  a team that is assigned to manage it. All records are assigned to at least one team, and can be assigned to more than one team.

Administrators are implicit members of every team, and therefore can see all records.

Sugar provides the following teams for your use:

• Private: Sugar creates a private team for every user. Only the user can access and manage records assigned to his or her private team.  When you create a record,  Sugar automatically assigns it to your  private team. You can then assign it to another user if needed. Private teams include the reporting hierarchy. Hence, users can see the records of any user who reports to them, regardless of their team membership. You cannot delete or edit this team.
• Global: This is the universal team. When users are created, they are members of the Global team by default. Every user can view all records assigned to the Global team. Do not delete or edit the Global team.
• East: This team is provided for your use and has no special characteristics. You can delete this team.
• West: This team is provided for your use and has no special characteristics. You can delete this team.

You can create any number of teams, depending on the needs of your organization. For example, based on the reporting hierarchy, you may want to create a team of users who report to the same manager. Based on product management requirements, you may want to create a cross-functional team of users who report to different managers but who manage the same product.

Users can belong to multiple teams.  Hence, if users who need to access a record are spread across multiple teams, the record can be assigned to those teams. In such cases, the user who creates the record can select a primary team and one or more secondary teams.

Users who are assigned to a record can access it regardless of team membership.

For more information, such as creating a team, see the Sugar Application Guide (Sugar 5.5 and later versions) or the Sugar Administration Guide (earlier versions).

Roles are used to control access to modules.  A role defines a set of permissions to perform actions such as viewing, editing, and deleting information within a module.  Only users who are assigned to the role can perform actions defined by it.

Users who are not assigned to a role can, by default, access and perform actions in any module, provided the record is assigned to them (in all Sugar editions), or a member of  the team(s) assigned to manage the record (in Enterprise and Professional only).

You have to be an administrator to create roles and assign  them to users. System Administrators have full privileges in all modules, and this cannot be modified.

When a user is assigned multiple roles, the more restrictive setting prevails. For example, if a user is assigned to two roles pertaining to a module where one role allows record deletion and the other does not,  the user will not be able to delete records because it’s the more restrictive setting. The user’s record displays the access permissions.

When you create a role, you must specify the modules that the role can access and the actions that can be performed.

Access Options in Roles

You can set one of the following access options when you create a role:

Enabled: Permits the user to view the module.
Disabled: Hides the module from the user’s view.
Not Set:  This value, which is the default, ensures that the role does not affect a particular setting. This allows simple roles to be constructed and then combined to achieve the desired security level.

For example, users assigned to the roles, shown below, can see records assigned to their team but they cannot export the data:
Role A, where Access Type= Admin and Export (action) = None
Role B, where Access Type = Normal and Export (action) = All
However, in Role B, if you change Access Type to Not Set, then the user can see all records in the module, regardless of team membership, but cannot export the data:
Role A, where Access Type = Admin and Export (action) = All
Role B, where Access Type = Not Set and Export (action) = None

Actions in Roles

You can allow one or more of the following actions in a role:

Delete: Grants permission to delete records in the module. If None is selected, the Delete button is disabled on the Detail page.
Edit: Grants permission to edit records in the module. If None is selected, the Edit button is disabled on the Detail page. Additionally, the user cannot use the Mass Update panel to update records for the module.
Export: Grants permission to export record data in the module. The Export link located at the top of List View is removed when this privilege is not available to the user.
Import: Grants permission to import record data in the module. The Import link in the navigation bar does not appear when this privilege is not available.
List: Grants permission to access the List Views in the module.
View: Grants permission to view records in the module.

You can further  specify who can perform each of the above actions, as follows:
All: All users who are assigned to the role.
Owner: The person who created the record.
None: Nobody can perform the action.
Not Set. Ensures that the role does not affect a particular setting. That is, the role allows the action.

Additional Role Settings in Sugar Enterprise and Sugar Professional

Sugar Enterprise and Sugar Professional include “Teams” functionality in addition to “Roles” functionality. Simply put, Teams govern what records a user is allowed to see, and Roles govern what a user can do with the records he can see. In other words, Teams control access to records and Roles control what actions can be performed on those records.

You can use roles not only to restrict access to a module but also restrict access to specific fields within a module.  This is called “Field Level Access Control”  and is a features of  Sugar Enterprise and Sugar Professional. For example, you can create a role that hides the Amount of an opportunity if you don’t want the people outside your sales department to know this potentially sensitive information. You can make a field “read only” or hide it completely for a particular role.

Sugar provides different Access Types within a role to enable delegation of  ownership for specific tasks to groups or individuals .

These access types are as follows:

Normal: Allows users to view and manage records depending on team membership. Regular users are granted Normal access type.
Admin: Allows users to administer all records in the specified module regardless of team membership. However, the user does not have access to developer tools such as Studio and Workflow Management.
Developer: Allows assigned users to access Developer tools in Sugar, namely Studio, Workflow Management, and Dropdown Editor, which are required to customize a module. However, appropriate team membership is still required to view records in the module.
Admin & Developer: Allows users to not only view and manage all records in the module(s)  but also access to administration and development tools available to manage them. The user does not require team membership to view records in the module.

Sugar provides the following set of pre-defined Admin & Developer roles for your use:
Customer Support Administrator: This role has administrator and developer privileges for Accounts, Bug Tracker, Cases, Contacts, and Knowledge Base.
Marketing Administrator: This role has administration and developer privileges for Accounts, Contacts, Leads, Campaigns, Targets, and Target Lists.
Sales Administrator: This role has administrator and developer privileges for Accounts, Contacts, Forecasts, Forecast schedule, Leads, Opportunities, and Quotes.
Tracker: This role grants access permission to create and manage tracker reports. Users assigned to this role can view the Tracker page and its contents in the Home module, run pre-defined tracker reports, and create custom tracker reports, you will need to add them to this role.

For more information on roles, refer to the Sugar Application Guide that is appropriate for the Sugar edition that you are using.

Precondition

You must be an administrator.

Description

To create a new user in your Sugar instance, follow these steps:

1. Log into Sugar as the administrator.
2. Click the “Admin” link in the System Links in the top of your screen.
3. Click “User Management”.
4. Click “Create User”.
5. Enter the new user information.
6. Click “Save” to create the record.

You cannot delete users but you can deactivate them. For more information, see this article.

For detailed instructions on creating users,  see the Sugar Application Guide (version 5.5.0 and above), or the  Sugar Administration Guide (version 5.2.0 and below), or the How Do I … Manage Users learning guide on the Admin tab in the Sugar University Online Library.