Table of Contents

  1. Introduction

  2. Understanding the SuperAdmin Role in Dolibarr

  3. Overview of User Groups and Their Importance

  4. Default Limitations for SuperAdmin and Group Access

  5. Accessing Group Configuration Menus

  6. Creating and Managing User Groups

  7. Assigning Permissions to Groups

  8. Linking Users to Groups

  9. Advanced Access Configuration for SuperAdmins

  10. Group-Based Module Access and Visibility

  11. Using the Permissions Matrix for SuperAdmins

  12. Managing Cross-Group Permissions

  13. Customizing Visibility of Group Actions

  14. Enforcing Access Policies for Internal Audits

  15. Best Practices for Group and SuperAdmin Roles

  16. Troubleshooting Group Permission Issues

  17. Extending Group Management with Modules

  18. Automating Group Assignments via API

  19. Security Implications and Isolation Principles

  20. Summary and Strategic Recommendations


1. Introduction

Dolibarr ERP & CRM provides flexible role and rights management through its built-in user group system. At the top of the hierarchy is the SuperAdmin — the ultimate user role with the ability to configure the entire platform. However, managing access to user groups even as a SuperAdmin requires careful understanding of Dolibarr’s internal rights structure.

This article provides a detailed guide to configuring access to user groups for the SuperAdmin role in Dolibarr. It also explores best practices, security tips, and advanced configuration scenarios.

2. Understanding the SuperAdmin Role in Dolibarr

In Dolibarr, a SuperAdmin (or main admin user) is typically the first user created during installation. This account has full administrative rights and can:

  • Enable or disable modules

  • Modify user accounts and permissions

  • Access all company data

  • Configure global settings

Despite these privileges, the SuperAdmin must still respect Dolibarr’s logical flow, especially when handling user groups and permission boundaries.

3. Overview of User Groups and Their Importance

Groups in Dolibarr simplify permission management. Instead of assigning module rights to each user manually, administrators can:

  • Create groups (e.g., Sales, HR, Finance)

  • Assign permissions to the group

  • Add users to these groups

Changes made to group permissions automatically apply to all group members. This enables scalable administration, especially in large organizations.

4. Default Limitations for SuperAdmin and Group Access

Although the SuperAdmin has overarching permissions, Dolibarr:

  • Does not show hidden or inactive groups by default

  • May restrict visibility to group data based on user hierarchy

  • Relies on internal module permissions for editing group structures

SuperAdmins may need to explicitly assign themselves to groups or elevate their view rights for auditing purposes.

5. Accessing Group Configuration Menus

To access group settings:

  • Go to "Home > Users & Groups > Groups"

  • Click on a group name to edit

  • Access tabs: Members, Permissions, Assigned Modules, External Users

From here, SuperAdmins can fully configure group roles.

6. Creating and Managing User Groups

Steps for SuperAdmin:

  • Click "New Group"

  • Enter group name and description

  • Set visibility: internal or external (if for clients/partners)

  • Save the group

Each group will appear in the listing, which is filterable by type.

7. Assigning Permissions to Groups

SuperAdmins can:

  • Click on a group > Permissions tab

  • Enable module-specific rights: View, Create, Modify, Delete

  • Use checkboxes to quickly apply common profiles (e.g., read-only)

  • Save and apply to all current and future users of the group

8. Linking Users to Groups

To add users:

  • Edit the group > Members tab

  • Use the search box to find users

  • Assign users with a single click

Users inherit permissions from all groups they belong to.

9. Advanced Access Configuration for SuperAdmins

Sometimes, even SuperAdmins must:

  • Manually add themselves to restricted groups for visibility

  • Use SQL queries to inspect group-user mappings

  • Configure module-specific rights not visible from the UI

The module permissions matrix provides additional control.

10. Group-Based Module Access and Visibility

Modules like Projects, HR, or Accounting may restrict data views by group. SuperAdmins can override this by:

  • Editing user rights at the module level

  • Assigning themselves temporary group roles

  • Enabling advanced permission features in setup

11. Using the Permissions Matrix for SuperAdmins

The permissions matrix (under "Setup > Permissions") shows a full overview:

  • All groups in columns

  • All modules and actions in rows

  • SuperAdmins can edit cells to toggle rights

This allows bulk adjustments and verification.

12. Managing Cross-Group Permissions

If users belong to multiple groups, permissions are cumulative. SuperAdmins should:

  • Avoid conflicting rights between groups

  • Use naming conventions (e.g., ReadOnly_Projects) for clarity

  • Regularly audit overlapping group assignments

13. Customizing Visibility of Group Actions

Custom modules or extrafields may rely on group membership for visibility. SuperAdmins can:

  • Use hooks or triggers to control UI elements

  • Modify templates based on group context

  • Assign roles that control UI behaviors

14. Enforcing Access Policies for Internal Audits

SuperAdmins should ensure that:

  • Every group has a documented purpose

  • Group changes are logged (Dolibarr logs user actions)

  • Inactive users are removed from sensitive groups

  • Groups are reviewed periodically
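
The cumulative-permission rule from section 12 and the periodic review described in this section can be checked offline. This is an added example, not Dolibarr code and not taken from the original article. The group names, logins, "module:action" labels and the conflicting-pair policy are constructed assumptions standing in for data you would export from your own instance.

```python
# Constructed sample data; group names, users and "module:action" labels are hypothetical.
GROUP_RIGHTS = {
    "Sales": {"invoice:view", "invoice:create"},
    "Finance": {"invoice:view", "payment:create"},
    "ReadOnly_Projects": {"project:view"},
}
USERS = {  # login -> (is_active, groups)
    "alice": (True, {"Sales", "ReadOnly_Projects"}),
    "bob": (True, {"Sales", "Finance"}),
    "carol": (False, {"Finance"}),
}
SENSITIVE_GROUPS = {"Finance"}
# Assumed policy: rights one person should not hold together.
CONFLICTING_PAIRS = [("invoice:create", "payment:create")]


def effective_rights(login):
    """Rights are cumulative: the union over every group the user is in."""
    _, groups = USERS[login]
    return set().union(*(GROUP_RIGHTS.get(g, set()) for g in groups))


def overlap_conflicts(login):
    """Conflicting pairs held only because group memberships add up."""
    _, groups = USERS[login]
    held = effective_rights(login)
    found = []
    for pair in CONFLICTING_PAIRS:
        # A pair granted by one group alone is a group-design issue, not an overlap.
        in_one_group = any(set(pair) <= GROUP_RIGHTS.get(g, set()) for g in groups)
        if set(pair) <= held and not in_one_group:
            found.append(" + ".join(pair))
    return found


def audit():
    """Return sorted (kind, login, detail) findings for review."""
    findings = []
    for login, (active, groups) in USERS.items():
        findings += [("overlap", login, d) for d in overlap_conflicts(login)]
        if not active:
            findings += [("inactive-in-sensitive-group", login, g)
                         for g in groups & SENSITIVE_GROUPS]
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```
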

15. Best Practices for Group and SuperAdmin Roles

  • Never use the SuperAdmin for day-to-day work

  • Delegate tasks through role-based groups

  • Keep one or two SuperAdmin users for backup only

  • Audit all group rights before upgrades

16. Troubleshooting Group Permission Issues

Common issues:

  • Users not seeing data: check group module rights

  • Conflicts: resolve overlapping permissions

  • Module tabs missing: enable in group rights

SuperAdmins can use debug mode for deeper insight.

17. Extending Group Management with Modules

Consider using:

  • Advanced Permissions module

  • Audit Trail/Logging modules

  • Group Notifications or Workflows extensions

These enhance group dynamics and reporting.

18. Automating Group Assignments via API

Using the REST API:

  • POST to /groups/{id}/users to add a user

  • GET /users/{id}/groups to fetch group membership

  • Automate onboarding scripts or HR syncs

SuperAdmins should secure API access with scoped tokens.

19. Security Implications and Isolation Principles

Group-based access must:

  • Adhere to the principle of least privilege

  • Avoid mixing internal and external users

  • Be tested against data leakage across modules

SuperAdmins are responsible for enforcing these policies.

20. Summary and Strategic Recommendations

SuperAdmins in Dolibarr have broad control, but effective group access management still requires structure. By creating well-defined groups, assigning precise permissions, and regularly auditing assignments, organizations can ensure both flexibility and security.

Use the permissions matrix, APIs, and modules to extend capabilities as needed. Always document group usage and limit SuperAdmin activities to system oversight and governance.