Table of Contents

  1. Introduction

  2. Why Provide Clients with Secure Access to Dolibarr?

  3. Core Features Available for Clients in Dolibarr

  4. Security Considerations Before Granting External Access

  5. Prerequisites: What You Need Before Starting

  6. Step 1: Activate and Configure the Third Party and Contact Modules

  7. Step 2: Create a Client Contact User with Limited Rights

  8. Step 3: Assign User Permissions Carefully

  9. Step 4: Configure Dolibarr to Show Only Client-Specific Data

  10. Step 5: Test the Client Login and Visibility Restrictions

  11. Optional: Customize the Client Dashboard with Menus

  12. Creating and Assigning Public Notes for Client View

  13. Sending Client Login Credentials Securely

  14. Enabling Two-Factor Authentication for Clients (Free Option)

  15. Restricting IP Access or Country-Based Access

  16. Using Apache/Nginx Rules for Additional Hardening

  17. Limiting File Downloads and Invoice Access Per User

  18. Implementing Time-Restricted or Expiring Access

  19. Monitoring Client Activity in Logs

  20. Conclusion and Maintenance Tips for Long-Term Security


1. Introduction

Dolibarr ERP/CRM offers native capabilities to create secure client access without the need for paid extensions. Whether you want to allow clients to download their invoices, track their quotes, or view support tickets, this guide shows how to enable a clean and secure client portal inside Dolibarr using only core functionality.

2. Why Provide Clients with Secure Access to Dolibarr?

Allowing clients to access their documents and updates via Dolibarr reduces admin time, enhances client satisfaction, and brings transparency to your business processes.

3. Core Features Available for Clients in Dolibarr

With the right configuration, clients can:

  • View their own proposals, orders, and invoices

  • Download documents (PDFs)

  • Send messages or update their contact details

  • Check support tickets (if enabled)

4. Security Considerations Before Granting External Access

  • Ensure your Dolibarr instance uses HTTPS

  • Enable strong passwords and optionally 2FA

  • Regularly audit user permissions

  • Isolate clients from internal company views

5. Prerequisites: What You Need Before Starting

  • Dolibarr version 12 or higher

  • Admin-level access

  • A client already created as a third party

  • Email server configured to send login details

6. Step 1: Activate and Configure the Third Party and Contact Modules

Go to:

  • Setup > Modules > Third Parties

  • Enable Contacts/Addresses module

  • Check settings to allow creation of external users linked to a third party

7. Step 2: Create a Client Contact User with Limited Rights

  • Navigate to the client record

  • Add a new contact (name, email, etc.)

  • Under Actions, click "Create user from contact"

This generates a new user linked to the third party.

8. Step 3: Assign User Permissions Carefully

Go to:

  • Home > Users & Groups > Select User > Permissions

  • Grant access to:

    • Read third-party data

    • Read own invoices, orders, proposals

Avoid granting rights to:

  • Modify system settings

  • Access all third parties

  • Use internal CRM modules

9. Step 4: Configure Dolibarr to Show Only Client-Specific Data

  • Activate multicompany protection if needed (for SaaS setups)

  • Use Dolibarr’s default filters, which restrict an external user to their linked third party

10. Step 5: Test the Client Login and Visibility Restrictions

  • Log in with the client’s credentials

  • Attempt to view another third party’s data (should be blocked)

  • Try downloading documents and verify access
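The visibility test in Step 5 can be scripted so it is repeated after every permission change. The following check is an added example, not part of the original guide or of Dolibarr itself. It assumes the Dolibarr REST API module is enabled and the client user has an API key; the /api/index.php/<resource>/<id> paths and the DOLAPIKEY header are Dolibarr's REST conventions, while the document ids and the fake transport are constructed so the logic runs offline.

```python
"""Regression check for Step 5: an external (client) user must see only documents
of their own third party.

Added example; not part of the original guide or of Dolibarr. Assumes the REST
API module is enabled and the client user has an API key. Document ids and the
fake transport below are constructed for offline use.
"""
from dataclasses import dataclass
from functools import partial
import json
import urllib.error
import urllib.request


@dataclass
class Probe:
    resource: str   # "invoices", "orders" or "proposals"
    doc_id: int
    owned: bool     # True when the document belongs to the client's own third party


def http_get(base_url, api_key, path):
    """Real transport: GET <base_url>/api/index.php/<path> as the client user.
    Returns (HTTP status, body text); error statuses are returned, not raised."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/index.php/{path}",
        headers={"DOLAPIKEY": api_key, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def check_visibility(probes, fetch):
    """fetch(path) -> (status, body). A document the client owns must return 200;
    any other document must be refused (Dolibarr answers 401, 403 or 404 depending
    on which check fails, and all three count as blocked)."""
    findings = []
    for p in probes:
        path = f"{p.resource}/{p.doc_id}"
        status, _ = fetch(path)
        ok = status == 200 if p.owned else status in (401, 403, 404)
        findings.append({"path": path, "status": status, "owned": p.owned, "ok": ok})
    return findings


def leaks(findings):
    """Paths of foreign documents the client user could read: must be empty."""
    return [f["path"] for f in findings if not f["owned"] and not f["ok"]]


def make_fake_fetch(visible_ids):
    """Constructed stand-in for http_get: simulates a server that exposes exactly
    the document ids in visible_ids to this client."""
    def fetch(path):
        _, doc_id = path.split("/")
        if int(doc_id) in visible_ids:
            return 200, json.dumps({"id": int(doc_id)})
        return 404, json.dumps({"error": {"code": 404, "message": "Not Found"}})
    return fetch


# Constructed probe set: 101 belongs to the client, 202 and 303 to other third parties.
PROBES = [
    Probe("invoices", 101, owned=True),
    Probe("invoices", 202, owned=False),
    Probe("orders", 303, owned=False),
]


def run_against_server(base_url, api_key, probes=PROBES):
    """Run the probes against a live instance with the client's API key."""
    return leaks(check_visibility(probes, partial(http_get, base_url, api_key)))


if __name__ == "__main__":
    isolated = check_visibility(PROBES, make_fake_fetch({101}))
    misconfigured = check_visibility(PROBES, make_fake_fetch({101, 202}))
    print("isolated server leaks:", leaks(isolated))          # []
    print("misconfigured server leaks:", leaks(misconfigured))  # ['invoices/202']
```

Fill PROBES with real ids from your own instance (one or two documents of the client plus a few belonging to other third parties) and call run_against_server with the client's key; a non-empty result means the permissions from Step 3 or the filters from Step 4 are not doing their job.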

11. Optional: Customize the Client Dashboard with Menus

  • Setup > Menus

  • Create a simplified top or left menu profile for client users

Display only:

  • Home

  • Invoices

  • Orders

  • Contact info

12. Creating and Assigning Public Notes for Client View

Use public notes on:

  • Invoices

  • Orders

  • Projects

Clients will see only these public notes in their interface; anything else stays internal.

13. Sending Client Login Credentials Securely

  • Send credentials via email or password reset URL

  • Encourage users to change password at first login

14. Enabling Two-Factor Authentication for Clients (Free Option)

Dolibarr includes basic TOTP 2FA:

  • User profile > Enable two-factor authentication

  • Scan QR code with Authy or Google Authenticator

15. Restricting IP Access or Country-Based Access

  • Use Apache’s .htaccess or Nginx rules to restrict by IP

  • Use tools like Cloudflare to implement geofencing

16. Using Apache/Nginx Rules for Additional Hardening

Examples:

<Directory "/var/www/html/dolibarr/htdocs">
    # Apache 2.4 syntax: only the listed address may reach Dolibarr, everyone else gets 403
    Require ip 203.0.113.5
</Directory>

Use HTTPS-only rules (redirect plain HTTP), rate limiting, and fail2ban for brute-force protection.

17. Limiting File Downloads and Invoice Access Per User

Ensure that permissions do not include:

  • Access to the entire /documents/ folder

  • Download links outside of user’s third party scope

18. Implementing Time-Restricted or Expiring Access

  • Deactivate the user manually after contract end

  • Use database triggers (advanced) to disable the user after a set date

  • Use scheduled tasks to audit active external users
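A scheduled audit can combine the two ideas above (contract end dates and unused accounts) and also serves the quarterly review recommended in the conclusion. The script below is an added example and not Dolibarr's own code. It assumes the llx_user columns fk_soc (link to a third party, non-NULL for external users), statut (1 enabled, 0 disabled), datec (creation date) and datelastlogin (last successful login); verify these against your version. Dolibarr core has no per-user expiry field, so the contract end date comes from your own mapping, here a constructed dict keyed by login, and all rows are constructed sample data.

```python
"""Audit of external (client) users: which enabled accounts should be disabled
because the contract has ended or the account has gone unused.

Added example, not Dolibarr's own code. Assumed schema (check your version):
llx_user.fk_soc, statut, datec, datelastlogin. Contract end dates come from
your own mapping; rows and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class ExternalUser:
    login: str
    fk_soc: Optional[int]
    statut: int
    datec: date
    datelastlogin: Optional[date]


def users_to_disable(users, contract_end, today, max_idle_days=180):
    """Return {login: reason} for enabled external users that should be disabled.
    Internal users (fk_soc NULL) and already-disabled users are skipped."""
    decisions = {}
    for u in users:
        if u.fk_soc is None or u.statut != 1:
            continue
        end = contract_end.get(u.login)
        if end is not None and end < today:
            decisions[u.login] = f"contract ended {end.isoformat()}"
            continue
        # An account that never logged in is measured from its creation date.
        last_seen = u.datelastlogin or u.datec
        idle = (today - last_seen).days
        if idle > max_idle_days:
            decisions[u.login] = f"idle for {idle} days"
    return decisions


def disable_statement(logins):
    """Parameterised UPDATE to run with your DB client (MySQLdb, PyMySQL, ...).
    The fk_soc guard makes sure the statement can never touch an internal user."""
    logins = list(logins)
    placeholders = ", ".join(["%s"] * len(logins))
    sql = ("UPDATE llx_user SET statut = 0 "
           f"WHERE fk_soc IS NOT NULL AND login IN ({placeholders})")
    return sql, tuple(logins)


# Constructed sample rows (login, fk_soc, statut, datec, datelastlogin).
USERS = [
    ExternalUser("acme_contact", 12, 1, date(2023, 1, 10), date(2024, 6, 20)),
    ExternalUser("globex_contact", 15, 1, date(2023, 3, 1), date(2024, 6, 1)),
    ExternalUser("initech_contact", 18, 1, date(2023, 11, 5), None),
    ExternalUser("old_contact", 20, 0, date(2022, 1, 1), date(2022, 2, 1)),
    ExternalUser("admin", None, 1, date(2020, 1, 1), date(2024, 6, 30)),
]
CONTRACT_END = {"globex_contact": date(2024, 5, 31)}  # constructed mapping


if __name__ == "__main__":
    today = date(2024, 7, 1)
    todo = users_to_disable(USERS, CONTRACT_END, today)
    print(todo)
    print(disable_statement(todo))
```

Run it from cron (or a Dolibarr scheduled job) with rows pulled from llx_user, review the printed decisions, and only then execute the statement; keeping the decision step separate from the UPDATE is what makes the audit safe to automate.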

19. Monitoring Client Activity in Logs

  • Enable logging in conf.php

  • View user log activity in Admin > Tools > Audit

  • Filter logs by user type or IP address
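Filtering by user or IP is more useful when it feeds a detection rule. The script below is an added example, not Dolibarr's own code: it reads a log in the general shape of dolibarr.log (timestamp, level, client IP, message), counts failed logins per address within a sliding window, and flags client sessions from addresses the client does not normally use. The message wording and all sample lines are constructed; adjust LINE_RE, FAIL_RE and OK_RE to what your version actually writes.

```python
"""Detection logic for log monitoring: brute-force attempts against client logins
and client sessions from unexpected addresses.

Added example, not Dolibarr's own code. Line format and message wording are
assumed and the sample lines are constructed; adapt the regexes to your log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<msg>.*)$"
)
FAIL_RE = re.compile(r"login failed for '(?P<login>[^']+)'")
OK_RE = re.compile(r"login ok for '(?P<login>[^']+)'")

# Constructed sample: six failures in three minutes from 198.51.100.9, then a
# successful client login from that same address; one stray failure elsewhere.
SAMPLE_LOG = """\
2024-06-03 08:00:05 WARNING 198.51.100.9   login failed for 'acme_contact'
2024-06-03 08:00:31 WARNING 198.51.100.9   login failed for 'acme_contact'
2024-06-03 08:01:02 WARNING 198.51.100.9   login failed for 'acme_contact'
2024-06-03 08:01:40 WARNING 198.51.100.9   login failed for 'acme_contact'
2024-06-03 08:02:15 WARNING 198.51.100.9   login failed for 'acme_contact'
2024-06-03 08:02:59 WARNING 198.51.100.9   login failed for 'acme_contact'
2024-06-03 08:03:30 INFO    198.51.100.9   login ok for 'acme_contact'
2024-06-03 09:14:11 WARNING 203.0.113.5    login failed for 'acme_contact'
2024-06-03 09:14:40 INFO    203.0.113.5    login ok for 'acme_contact'
2024-06-03 09:20:00 INFO    10.0.0.4       login ok for 'admin'
"""


def parse(text):
    """Yield {'ts','ip','kind','login'} for every login line; kind is 'fail' or 'ok'."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        fail, ok = FAIL_RE.search(msg), OK_RE.search(msg)
        if not (fail or ok):
            continue
        yield {
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "ip": m.group("ip"),
            "kind": "fail" if fail else "ok",
            "login": (fail or ok).group("login"),
        }


def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: most failures seen inside any `window`} for IPs at or above threshold."""
    failures = defaultdict(list)
    for e in events:
        if e["kind"] == "fail":
            failures[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def logins_from_unexpected_ip(events, expected_ips):
    """Successful logins of client users from an address not in expected_ips.
    expected_ips maps login -> set of addresses the client normally uses."""
    return [
        (e["login"], e["ip"])
        for e in events
        if e["kind"] == "ok"
        and e["login"] in expected_ips
        and e["ip"] not in expected_ips[e["login"]]
    ]


if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print(find_bruteforce(events))
    print(logins_from_unexpected_ip(events, {"acme_contact": {"203.0.113.5"}}))
```

Both findings together (a burst of failures followed by a success from the same address) are the pattern worth alerting on; the flagged address is also the natural input for the fail2ban or web server rules described in sections 15 and 16.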

20. Conclusion and Maintenance Tips for Long-Term Security

Providing secure client access in Dolibarr doesn’t require a premium plugin or third-party tool. With built-in modules and careful permission management, you can create a reliable client portal experience. Make it a habit to:

  • Audit external users quarterly

  • Update Dolibarr regularly

  • Restrict access intelligently with firewall or web server rules

Done properly, this setup improves client satisfaction while keeping your Dolibarr environment secure and scalable.