Users & Groups¶
Access control in Lime CRM starts with users and groups. A user is the base for any interaction with the CRM application no matter if it is used to login to any of the client applications or if it's going to be used by an external software for API access.
Groups are used to control access to different parts of the application and also data through object access and policies. Both users and groups can be members of a group, to provide efficient and flexible access management.
The time consuming tasks of creating users and assigning them the appropriate access to the application can be automated by using built-in features for user account provisioning.
Users and groups can be manually managed through both Lime Admin and LISA:
Users¶
Info
- Use a valid email for username, that way you can password reset in Lime CRM Cloud.
- All human users should be user type Standard
- Always use Lime as login type when creating new users
| User Type | Description |
|---|---|
| Standard | All normal users of Lime CRM. Including Adminstrators. |
| Administration | This user type is not requried to be an Administrator. It provides special access like being able to use the Azure AD backdoor (force_username_password). |
| Service | Integrations that use Windows service accounts to access Lime CRM. |
| Integration | Integrations that don't need an API key, for example a scheduled task, an SSIS job or the old Lime services Extranet and Mail Gateway) |
| Synchronization | Not used. |
| Test | Throubleshooting and testing purposes only. Should not be counted for licenses. |
| API | This user type can only access Lime CRM through API keys. |
| Login Type | Description |
|---|---|
| Database default | The login types allowed for this user is according to the database setting. |
| Windows and Lime CRM Authentication | The user can login using both Windows and Lime CRM authentication. The database setting is ignored. |
| Windows Authentication | The user can login only using Windows authentication. The database setting is ignored. |
| Lime CRM Authentication | The user can login only using Lime CRM authentication. The database setting is ignored. |
Coworkers¶
Warning
Users without a connected coworker cannot login to the desktop client.
Warning
Using the web client without a connected coworker is not supported.
A user will not be stopped from logging in to the web client without having a coworker object attached to its user. But they will run in to issues. These are known issues:
- Cannot relate data that to the user (for example: deals I'm responsible for)
- Cannot filter for data that the user is related to (for example: all deals in my office)
- Cannot extend the user data model with any number of attributes, except you do it on the coworker instead (for example: manager, office, years in company)
How to connect a coworker to a user
Open the coworker card using the web- or desktop client and set the username field.
Note: if more than one coworker record is connected to the same user, the first match will be used when logging in as the user.
Groups¶
There are two types of groups, normal and dynamic. While normal groups are shown in the Group administration in LISA/Lime Admin, dynamic groups are only accessible through Python APIs. Thus, management of dynamic groups are done by customizations and used to create dynamic object access.
Another difference between the two types is that only normal groups can be assigned policies.
Members of the group Administrators (id=1) have special administrator access to Lime CRM.
Different ways to login¶
Users can login to an application using any of the following:
- The password created for the user account
- By using the configured external identity provider (Azure AD, OpenID Connect)
- SSO with Active Directory (Windows desktop client only)
Any user logged in using a password will need to login again after the login session has timed out. The session timeout can be configured per installation.
In a federated setup with Azure AD or OpenID Connect, the external identity provider will determine when the user has to re-authenticate.