Okay, findings are as follows...
Config (in this sequence of steps, as a change in sequence will have an impact on results):
- Created a custom module called Unit with one extra field called Registration Number
- Created a group called Sales
- Created a role called Sales
- Assigned Sales group to the Sales role and added all fields for Accounts and Leads for both viewing and editing
- Deselected everything in the Default role's access and permissions settings
- Deselected everything in the Sales role's access and permissions settings except for Accounts (view + create) and Leads (admin)
- Created a user called Sales1 and added user to the Sales group
Results logging in as Sales1:
- Can see the Leads, Accounts and Unit links in top bar and nothing else
- Can view, create, edit and delete records in Leads
- Can view and create records in Accounts but cannot edit or delete
- Cannot view, create, edit or delete any records in Unit even though I can click on the module name in top bar. It just displays an empty list.
- So all in all, except for the display of the Unit link, everything is working 100% as configured and expected
- Any new fields created for new modules are automatically added with view and edit permissions to existing roles, hence my comment about sequencing being important, unless you go back after the fact and clean up after yourself
- The view and edit permissions under Manage Roles function independently from the permissions under Edit User Permissions and Access Rules.
As an example, if you omit to add fields under the edit permissions for a particular module (in Manage Roles) and you then go and assign rights (in Edit User Permissions and Access Rules) for that module (let's say admin), you will be able to view and delete records in that module but not do anything else. Now if you understand the system, it's doing 100% what you asked it to do, but for someone unfamiliar with it, things can become confusing very quickly.
- Not all modules are represented in the Edit User Permissions and Access Rules list. Charts is currently missing and can therefore not be configured for any custom roles.
- Some modules (Reports) have got limited configuration options. You can only set view rights and full admin rights, so it's an all-or-nothing situation.