Work Hours
8:00 am - 6:00 pm UTC+3

Demyan Seleznev

Setting access permissions in Bitrix24 CRM

Why do you need security access in your CRM?

Every company that wants to establish order must implement access control in their CRM. Access control is needed so that all employees fulfill their roles without being distracted by the tasks and duties of other employees. In Bitrix24 CRM, this is easy to set up.

Setting correct access control in your Bitrix24 CRM has positive effects on the organization and discipline of employees. It leads to an increase in overall efficiency and productivity. In addition, differentiating access permissions increases information security within a company.

In order to set security access correctly, you must first understand what they are, and where they can be applied.

Access control for Bitrix24 Workgroups and Projects

There are three types of workgroups in Bitrix24 CRM: Public, Private and secret.

  1. Public workgroup - Any employee can see this group in the workgroups list, and can join the group by clicking on the “Join” button.

  2. Private workgroup - A private workgroup is also displayed on the list of workgroups in the CRM. Any employee can see this group, and view information about it.
    Employees can join this workgroup by invitation or when their request to join is approved by the group moderator.
    In addition, the Bitrix24 CRM administrator has his own settings with which he can control and manage the access permissions of moderators and group members.

  3. Secret Workgroup - This workgroup does not appear on the list of workgroups, and so, employees who are not a part of it may not know it exists, unless they are told.
    Employees can join the group by invitation only.

The Bitrix24 CRM administrator can see and manage all the three types of workgroups.

How to set access control for Bitrix24 workgroup:

You can grant different levels of access to different tasks in the groups - viewing, editing, deleting, creating, commenting, etc.

Access Control for Bitrix24 CRM entities

The CRM module of Bitrix24 has a wide range of security access settings. These settings are implemented using "CRM roles". Each role has a list of entities which it has access to, and the type of access. For each entity, you can configure access control for specific actions, for example, viewing or editing.

It is also possible to set access permission based on the stage of each entity in the CRM. "CRM Roles" can be attached to Bitrix24 users, user groups, employees and departments.

You can find access permission settings for Bitrix24 CRM entities in CRM-> Settings -> Access permissions

Here, you can see the CRM roles, and the users, user groups and departments which have these roles.

You can change the CRM access permissions of a role by clicking on the pen icon beside the role you want to change.

It’s also possible to create multiple pipelines in CRM Deals. This is convenient for companies that implement several business lines or have different types of deals.

How to create a deal pipeline or funnel:

CRM -> deals -> sales funnels and tunnels -> Add sales funnel

You can set CRM access permissions for each CRM role for each deal pipeline separately.

In our example below, we set CRM access permissions for the sales team for the Bitrix24 projects pipeline.
Each stage of this “Bitrix24 Projects” deal pipeline also inherits their access permissions from what we set.

Let's consider an example:

We set the manager of one deal pipeline to be in charge of the deal pipelines of another manager. For this, it is possible within the framework of a single CRM Role to grant this manager reading and adding permissions for the pipelines he oversees.

Create a CRM Role and set the necessary access permissions: for the desired deal pipeline in the columns "Reading" and "Editing" we will grant "All open" access permissions:

After that, you need to set a user for the role:

And then choose the appropriate CRM Role for this user:

Telephony Security Access Permissions

It is also possible to set user roles in telephony, just like the CRM. For each role, You can define access to all entities associated with telephony.

Access permissions that can be assigned to roles in telephony are not identical to those in the CRM, but most of them are similar.

You can find telephony access permissions in Bitrix24,
Telephony -> access permissions. 

If you can’t find telephony in the left menu bar, type it into the top search bar of your Bitrix24 CRM. 

For some telephony entities, like “Manage numbers” and “telephony settings”, there are only 2 access permissions possible - 

  1. “Access denied” and

  2.  “any”. 

For other entities, the following access permissions are possible:

  1. Access denied

  2. Personal

  3. Personal and department

  4. Any

As in the CRM access permission settings, you can assign roles to Users, User Groups, Employees and Departments, and Social Network Groups.

An example:
In a certain company, there are strict guidelines on phone conversations between employees and clients. To ensure control, a certain group of employees called “Call Verifiers'' are hired. Their task is to wiretap and analyze all phone conversations.

Open the list of Telephony Role settings and add a new role:

We name our new role "Call Verifiers" and grant access permissions to call statistics and call recording for any call:

Next, we add employees or Bitrix24 users to the “call verifiers” group:

Apply the created role to the user and save:

Access Control for Workflows

For each workflow being created, there are access permissions settings. They can be applied to users, user groups (which are created and defined in the administrative panel), employees and departments, and social network groups. 

After setting access permissions for a workflow, you need to select the access level.
They range from “access denied” to “full access”.
Access permissions can be set for adding or reading workflows; add and Read in the administrative panel; Edit with or without restrictions.

Separating access permissions is needed to systematize departments that work with workflows. For example, in order to save records of employees, the HR department should be granted “read” access permissions to the workflow - “Vacation application” or “Business trip application”.

Setting Access control for documents in Bitrix24.Drive

Each document or folder on the company’s Bitrix24.Drive has its own access permission settings. Initially, they are set up so that only the creators of folders on drives have full access to the content. 

However, it is possible to grant access to a folder or file, not only to users, but to groups of users and even entire departments. Access permission to content of Bitrix24.Drive can be: read, edit, write, full access. Each subsequent right includes all previous rights, and full access also allows you to delete content.

How to get to the folder access settings menu on the Disk:

This menu looks like this:

We set the type of access permission for each user, group or department we grant access to the folder:

Please note :
When a Bitrix24 user is granted access to a file or folder on, that folder or file will not appear immediately on his personal drive. 

To make the file or folder appear in the added user’s drive, he must accept the invitation to connect the folder to his Drive. 

Bitrix24 sends a notification to users when they have been granted access permissions to files. The user can decline the invitation to connect the folder to their personal drive.

If the user accepts the invitation, the folder will become available on their personal drive:

Access Control in Bitrix24 Open channels

You can set access permissions for the open channels of each social network or messenger in Bitrix24 CRM contact center.

The access settings of Bitrix24 Open channels are very similar to those of Telephony. 

You can find Bitrix24 CRM Open channels access permission settings in Contact center -> (select social network or messenger) -> access permissions (configure)

They look like this:

FAQ on Bitrix24 access control

Question 1 : How can I make a task created in a CRM deal available for viewing to users who are not directly involved in the task? 

Create a Private group for the project. This way, members of the group will see tasks created in the project.

Go to tasks and projects -> create a new task -> more-> project

You will be guided through the process of creating a private workgroup, and adding members and moderators

When a user who is a member of this project workgroup logs in, they would see the list of tasks created in this workgroup, even though they are not the responsible person for the task:

Use the same method for tasks that are attached to a CRM entity.

Question 2: What access permissions can be used to prohibit Bitrix24 users from editing the comments and activities of other users in the CRM? 


Bitrix24 does not have this feature by default. We developed a module to help you solve this problem.
The module does not allow editing or deleting comments of other users. It compares the ID of the current user with the ID of the user who left the comment. If they do not match, the "edit" and "delete" options are removed from the context menu. 

Question 3 : How can I set access permissions for CRM fields?
This feature is lacking by default in Bitrix24. We created a field access permissions module to solve this problem.

You'll be able to grant users access to certain fields in the CRM entity card, while hiding other fields from them. 

Employees will only have access to fields which they need for their work. With the new update, the set access permissions are also active in Bitrix24 Kanban view.

Access permissions can be set for any CRM entity. If there are several deal pipelines, you can set access for them separately.


We understand why access permissions are needed and how they can be implemented in Bitrix24 CRM. We have explained how to set them for different sections of the CRM, and given examples. 

However, if you would like a ready-made solution, send us a request in the form below. We will be glad to help you.

  • 07.06.2022