Users & Groups
Access control in Lime CRM starts with users and groups. A user is the basis for any interaction with the CRM application, whether the account is used to log in to one of the client applications or by external software for API access.
Groups are used to control access to different parts of the application, and to data through object access and policies. Both users and groups can be members of a group, which provides efficient and flexible access management.
The time-consuming tasks of creating users and assigning them the appropriate access to the application can be automated by using built-in features for user account provisioning.
Users and groups can be manually managed through both Lime Admin and LISA.

Users
Info
- Use a valid email address as the username so that the password can be reset in Lime CRM.
- All human users should have user type Standard.
- Always use Lime as login type when creating new users.

| User Type | Description |
|---|---|
| Standard | All normal users of Lime CRM, including Administrators. |
| Administration | This user type is not required to be an Administrator. It provides special access like being able to use the Entra ID (formerly Azure AD) backdoor (force_username_password). |
| Service | Integrations that use Windows service accounts to access Lime CRM. |
| Integration | Integrations that don't need an API key, for example a scheduled task, an SSIS job or the old Lime services Extranet and Mail Gateway. |
| Synchronization | Not used anymore. |
| Test | Troubleshooting and testing purposes only. Should not be counted against licenses. |
| API | This user type can only authenticate using API keys. |

| Login Type | Description |
|---|---|
| Default | The login type allowed for this user is according to the database setting. |
| Lime | The user can only log in using Lime CRM authentication. The database setting is ignored. |
| Lime & Windows | The user can log in using both Lime CRM and Windows authentication. The database setting is ignored. |
| Windows | The user can only log in using Windows authentication. The database setting is ignored. |

Coworkers
Warning
Web Client:
Logging in to the web client as a user without a connected coworker is not supported.
Desktop Client:
Users without a connected coworker cannot log in to the desktop client.
A user will not be prevented from logging in to the web client without having a connected coworker, but they will most likely run into issues.
These are known issues:
- Problems relating data to the user (for example: "deals I'm responsible for")
- Unable to filter for data the user is related to (for example: "all deals in my office")
- The user data model cannot be extended. This must be done on the coworker (for example: manager, office, years in company)
How to connect a coworker to a user
Open the coworker card and set the username field.
Note
If more than one coworker is connected to a user, the first match will be used when logging in.
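As an added example (not Lime CRM's own code), the guidance in the Users and Coworkers sections can be checked against an exported user list. The record layout and field names (`username`, `user_type`, `login_type`) are assumptions, the sample records are constructed, and applying the email, login type and coworker checks only to Standard users is also an assumption.

```python
import re
from collections import Counter

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# User types the page marks as special purpose; each holder should be justified.
REVIEW_TYPES = {
    "Administration": "can use the Entra ID backdoor (force_username_password)",
    "Synchronization": "user type is not used anymore",
    "Test": "for troubleshooting and testing only",
}

def audit_users(users, coworkers):
    """Return {username: [findings]} for accounts that deviate from the guidance."""
    linked = Counter(c["username"] for c in coworkers if c.get("username"))
    report = {}
    for user in users:
        name, findings = user["username"], []
        if user["user_type"] in REVIEW_TYPES:
            findings.append("review: " + REVIEW_TYPES[user["user_type"]])
        if user["user_type"] == "Standard":  # human users per the Info box
            if not EMAIL_RE.match(name):
                findings.append("username is not an email address")
            if user["login_type"] != "Lime":
                findings.append("login type is %s, not Lime" % user["login_type"])
            if linked[name] == 0:
                findings.append("no connected coworker")
            elif linked[name] > 1:
                findings.append("%d coworkers connected; first match is used" % linked[name])
        if findings:
            report[name] = findings
    return report

# Constructed sample export; field names are assumptions, not Lime CRM's schema.
USERS = [
    {"username": "anna@example.com", "user_type": "Standard", "login_type": "Lime"},
    {"username": "bjorn", "user_type": "Standard", "login_type": "Windows"},
    {"username": "breakglass@example.com", "user_type": "Administration", "login_type": "Lime"},
    {"username": "erp-sync", "user_type": "API", "login_type": "Default"},
    {"username": "cecilia@example.com", "user_type": "Standard", "login_type": "Lime"},
]
COWORKERS = [
    {"name": "Anna A", "username": "anna@example.com"},
    {"name": "Cecilia C", "username": "cecilia@example.com"},
    {"name": "Cecilia C (old card)", "username": "cecilia@example.com"},
]

if __name__ == "__main__":
    for name, findings in audit_users(USERS, COWORKERS).items():
        print(name, "->", "; ".join(findings))
```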

Groups
There are two types of groups: normal and dynamic. Normal groups are shown in the Group administration in Lime Admin/LISA, while dynamic groups are only accessible through Python APIs. Dynamic groups are therefore managed by customizations, and they are used to create dynamic object access.
Another difference between the two types is that only normal groups can be assigned policies.
Members of the group Administrators (id = 1) have special administrator access to Lime CRM.
Different ways to log in
Users can log in to an application using any of the following:
- The username and password created for the user account.
- The configured external identity provider (Microsoft Entra ID or OpenID Connect).
- SSO with Active Directory (Windows desktop client only).
Any user logged in using a password will need to log in again after the login session has timed out. The session timeout can be configured per installation.
In a federated setup with Entra ID or OpenID Connect, the external identity provider will determine when the user has to re-authenticate.
External references
External systems that integrate with Lime CRM need a reliable, permanent identifier for users and groups. Usernames and display names can change, making them unsuitable for long-term references.
Each user and group in Lime CRM has an immutable Object ID that never changes, even when other properties are modified.
Object ID vs ID
Don't confuse Object ID with the database ID field. The ID can change during certain operations (such as restoring database backups), but the Object ID remains constant throughout the lifetime of the user or group.
Use Cases
Object IDs are essential when:
- User provisioning via SCIM: External identity providers (like Entra ID) use Object IDs to map users between systems.
- SSO integration: Single sign-on systems rely on Object IDs to match authenticated users with their Lime CRM accounts.
- External integrations: Third-party systems can safely store Object IDs to reference Lime CRM users without risk of broken links.
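To illustrate why external systems should key on the Object ID, the following added example (not Lime CRM code) reconciles references an integration stored earlier against the current user list. The record layout, the `OBJ-*` placeholder values and the scenario in which a changed database ID ends up on a different user are all constructed assumptions.

```python
def reconcile(stored_refs, current_users):
    """Classify each stored reference against the users as they exist now."""
    by_object_id = {u["object_id"]: u for u in current_users}
    by_id = {u["id"]: u for u in current_users}
    results = {}
    for ref in stored_refs:
        user = by_object_id.get(ref["object_id"])
        if user is None:
            # No user carries this Object ID any more.
            results[ref["object_id"]] = "missing"
            continue
        # Mutable properties that no longer match what the integration saved.
        drift = [field for field in ("id", "username") if user[field] != ref[field]]
        # What a lookup by the stale database ID would return instead.
        stale_hit = by_id.get(ref["id"])
        if stale_hit is not None and stale_hit["object_id"] != ref["object_id"]:
            drift.append("id now resolves to " + stale_hit["username"])
        results[ref["object_id"]] = "ok" if not drift else "drift: " + ", ".join(drift)
    return results

# Constructed data: what the integration saved before a backup restore ...
STORED_REFS = [
    {"object_id": "OBJ-A", "id": 12, "username": "anna@example.com"},
    {"object_id": "OBJ-B", "id": 13, "username": "bjorn@example.com"},
    {"object_id": "OBJ-C", "id": 14, "username": "cecilia@example.com"},
]
# ... and the users afterwards (IDs renumbered, one rename, one user gone).
CURRENT_USERS = [
    {"object_id": "OBJ-A", "id": 12, "username": "anna@example.com"},
    {"object_id": "OBJ-B", "id": 14, "username": "bjorn.berg@example.com"},
    {"object_id": "OBJ-D", "id": 13, "username": "david@example.com"},
]

if __name__ == "__main__":
    for object_id, status in reconcile(STORED_REFS, CURRENT_USERS).items():
        print(object_id, status)
```

In this constructed data, a lookup by the stored database ID 13 would return a different user than the one the integration originally referenced, while the Object ID lookup still finds the renamed account.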
Accessing Object IDs
You can view a user or group's Object ID through:
- Lime Admin: Navigate to System > Security > Users or System > Security > Groups and view a user or group.
- Python API: Via the object_id property on user and group objects.
- REST API: Included in user and group resource responses.