Macros are but one manifestation of bypassing hidden/visible
attributes to access things.  APIs are another one; they allow you to
update that to which you have permissions (not to be confused with
visibility).  Active link push fields actions are another, you can
push to any form/field pair to which you have the appropriate
permissions (has nothing to do with form/field visibility).

What one has to understand is that the permission model is completely
independent of any visibility to things that a client offers (hidden,
read only, not in the current view, etc.).  Just because the flag on
the form says 'hidden' and the user tool chooses to not list that
object based on that flag has no bearing on whether you have real
(permission based) access to that form, its fields, or its data.

Axton Grams

On 4/19/06, Will Du Chene <[EMAIL PROTECTED]> wrote:
> I dunno if I agree with this one either, but that is the nature of the
> list, yes?
>
> Public permission is a good concept, but - IMHO - is something that is way
> overly used and again - IMHO - is more or less an excuse to be lazy. It is
> more or like granting db_datareader to all of your accounts on sql server,
> rather than taking the time to construct an appropriate permissions
> schema.
>
> One of the first questions that should be asked right after the
> complimentary 'you want what' should be 'who is going to access it.' With
> this in mind, a new group should be created, or an existing group should
> be used to grant permissions to the workflow. Setting up the default
> permissions for new objects in the admin tool only takes a couple of
> moments to do.
>
> Macros? I thought that these were supposed to go the way of the dinosaur
> and become extinct.
>
>
> > Axton,
> >
> > I have to disagree with you. If I want a form to hold data which menus will
> > be built from, I don't want anybody being able to change the data except
> > those given access to the form, like APP-Administrator. But to allow menus
> > to be built for all users I have to give access to them to the actual data.
> > Hence using Public Hidden access on the form. How can you explain away the
> > word "hidden" if a macro will quite happily make it visible!
> >
> > All it is hiding it from is the list of forms on the Object List.
> >
> > Brian Bishop
> >
> > -----Original Message-----
> > From: Action Request System discussion list(ARSList)
> > [mailto:[EMAIL PROTECTED] On Behalf Of Axton
> > Sent: 19 April 2006 17:38
> > To: arslist@ARSLIST.ORG
> > Subject: Re: Hidden permissions
> >
> > Hidden does not imply any type of security whatsoever.  If you really
> > need to protect/restrict something then revoke/apply the permissions
> > appropriately.  Same goes for fields as well.
> >
> > Axton Grams
> >
> > On 4/19/06, Brian Bishop <[EMAIL PROTECTED]> wrote:
> >>
> >>
> >> Hi Sarah,
> >>
> >>
> >>
> >> This issue is also applicable to the User Tool. If you write a macro to open
> >> a form, as a basic user, and then amend the macro to open a form with just
> >> "Public Hidden" access it will open and give you access to the data. I
> >> raised this as a security issue with Remedy but was told it was "as
> >> designed" so had to raise an enhancement requesting the facility to be able
> >> to create forms that users can access data in but not be able to open.
> >>
> >>
> >>
> >> Mind you I thought that was what hidden forms were!!
> >>
> >>
> >>
> >>
> >> Brian Bishop
> >>
> >>
> >> ________________________________
> >>
> >>
> >> From: Action Request System discussion list(ARSList)
> >> [mailto:[EMAIL PROTECTED] On Behalf Of Evans, Sarah (Outsourcing)
> >> Sent: 19 April 2006 10:18
> >> To: arslist@ARSLIST.ORG
> >> Subject: Hidden permissions
> >>
> >>
> >>
> >>
> >> Hi
> >>
> >>
> >>
> >> I've found on the product defects this:
> >>
> >>
> >>
> >> ID SW00222152: It is still in the status of New.
> >>
> >>
> >>
> >> The form can still be accessed through Mid-Tier directly if Hidden
> >> permissions are set on the form.
> >>
> >>
> >>
> >> Has the person who logged it heard anything back from Remedy?  If so what
> >> did they say?
> >>
> >>
> >>
> >> Also anyone at Remedy is there a time estimate for this fix?
> >>
> >>
> >>
> >> Thanks
> >>
> >>
> >> Sarah
> >>
> >>
> >>

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at http://www.wwrug.org
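
Added example, not part of the original thread: a simplified Python model of the point argued above, that a "hidden" grant is still a grant, with a small audit that flags forms a broad group can reach only through a hidden grant. The form names, group data and function names are constructed for illustration; this is not the AR System API.

```python
# Simplified, constructed model of the behaviour discussed in this thread.
# It is NOT the AR System API; all names and data here are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Form:
    name: str
    # group name -> "visible" or "hidden". Both values grant access; the
    # flag only tells a client whether it should list the form.
    grants: dict = field(default_factory=dict)


def has_access(form, user_groups):
    """Server-side decision: any grant counts, hidden or visible."""
    return any(group in form.grants for group in user_groups)


def object_list(forms, user_groups):
    """What a well-behaved client lists: forms with a visible grant."""
    return [f.name for f in forms
            if any(f.grants.get(g) == "visible" for g in user_groups)]


def open_by_name(forms, name, user_groups):
    """What a macro, API call or direct URL does: request a form by name.
    Only the permission check applies; the hidden flag is never consulted."""
    form = next(f for f in forms if f.name == name)
    return has_access(form, user_groups)


def audit_hidden_only(forms, broad_groups=("Public",)):
    """Flag forms a broad group reaches through a hidden grant, i.e. forms
    whose data is protected only by not being listed."""
    return sorted(f.name for f in forms
                  if any(f.grants.get(g) == "hidden" for g in broad_groups))


# Constructed sample data mirroring the menu-data case from the thread.
FORMS = [
    Form("Menu Data", {"Public": "hidden", "APP-Administrator": "visible"}),
    Form("Help Desk", {"Public": "visible"}),
    Form("Payroll Notes", {"HR": "visible"}),
]

if __name__ == "__main__":
    basic_user = {"Public"}
    print("listed:", object_list(FORMS, basic_user))
    print("open 'Menu Data':", open_by_name(FORMS, "Menu Data", basic_user))
    print("review:", audit_hidden_only(FORMS))
```

Forms reported by `audit_hidden_only` are the ones to review: if the data should not be readable by that group, the grant has to be revoked rather than hidden.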
