Janet,

IMHO, there is only one way to do "security" and that is "the right way". :)

In ARS, that means access controls in the form of Group membership via
the Group List. Then using those groups in Row Level access on field 1
with fields like 'Submitter' (2), 'Assignee' (4), and the Assignee
Group fields (112, 60000-60999). Anything that is client-based (Active
links/dialogs/table fields/displays) can be circumvented by a
creative/smart user, or even a broken client. However, any data that
is guarded at the ARS server level cannot be circumvented by a smart,
creative, tricky and ... (you get the idea.. uber)... user.

So... start doing the hard work and make an access control model that
works from the ARS server down. That will be as "fool proof" as you
can get in ARS.


Give each Access control Group a Group ID.
Give each user the right 'Group ID's.
Mark each record with the right 'Group ID's and all should be just fine.


BTW: Another approach would be to use a join technique that would let
you not use real ARS Group ID's but map 'Login Name' to some kind of
"Company record" then join that record with the tickets based on
"Company". That could work too, but it means a lot of extra joins and
likely just as much data to be maintained in the long run.

HTH.

-- 
Carey Matthew Black
Remedy Skilled Professional (RSP)
ARS = Action Request System(Remedy)

Love, then teach
Solution = People + Process + Tools
Fast, Accurate, Cheap.... Pick two.


On Nov 20, 2007 8:58 PM, Mahan, Janet L [EQ] <[EMAIL PROTECTED]> wrote:
>
> Thanks for the quick response.  This is basically what I have been doing
> except just allowing them to login to the mid-tier instead of a separate web
> page.  The question my manager is asking is how fool-proof is it that they
> can see only their tickets.  And I can't think of any way to make it mistake
> proof, if I leave out a qualification then they can see tickets they should
> not.  I wanted to make sure there wasn't a mistake proof way out there I was
> not aware of.  Do you think it is better to direct them to a web page
> outside of the mid-tier that displays the information from Remedy?
>
>
> Janet Mahan
> Network Systems Administrator II
> EMBARQ
>
> Voice: 941-766-6199  |  Wireless: 321-356-0128  |  Fax: 941-766-6199
> Email: [EMAIL PROTECTED]

<snip>

> From: Action Request System discussion list(ARSList) [mailto:
> [EMAIL PROTECTED] On Behalf Of Mahan, Janet L [EQ]
> Sent: Monday, November 19, 2007 8:47 AM
> To: arslist@ARSLIST.ORG
> Subject: External customers viewing tickets
>
>
>
> I would like to hear how others have reduced the risk of customers being
> able to see another customer's records in Remedy.  We have external
> customers that are wanting to view their tickets and related information.
> One large customer has various departments that it wants to see only their
> department's information while the IT group sees tickets for the entire
> company.  I thought I had this locked down with filters on the customer and
> site name but someone found a hole by doing a partial search.  I have fixed
> that issue but now I am tasked to find the Best Practice for allowing
> customers to view tickets.  Any suggestions are appreciated.
>
> Janet Mahan
> Network Systems Administrator II
> EMBARQ
>
> Voice: 941-766-6199  |  Wireless: 321-356-0128  |  Fax: 941-766-6199
> Email: [EMAIL PROTECTED]
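
A simplified model of the group-based row-level check described in the reply, next to a filter that trusts the client's qualification, the kind of filter the partial search in the original question got around. This is an added example, not part of the original messages and not ARS API code; the group IDs, company names, logins and function names are constructed for illustration.

```python
from dataclasses import dataclass, field

ASSIGNEE_GROUP = 112  # Assignee Group field ID, as named in the reply


@dataclass(frozen=True)
class User:
    login: str
    group_list: frozenset  # Group IDs granted to this user (hypothetical values)


@dataclass
class Ticket:
    ticket_id: str
    company: str
    fields: dict = field(default_factory=dict)  # field ID -> set of Group IDs


# Constructed sample data. 1000 = Acme Bank IT, 1001 = Acme Bank HR,
# 1002 = Acme Bank Finance, 2000 = Acme Freight (a different customer).
TICKETS = [
    Ticket("T1", "Acme Bank", {ASSIGNEE_GROUP: {1000, 1001}}),
    Ticket("T2", "Acme Bank", {ASSIGNEE_GROUP: {1000, 1002}}),
    Ticket("T3", "Acme Freight", {ASSIGNEE_GROUP: {2000}}),
    Ticket("T4", "Acme Bank"),  # record nobody marked with a Group ID
]
HR_USER = User("hr.viewer", frozenset({1001}))
IT_USER = User("it.viewer", frozenset({1000}))


def client_filtered_search(tickets, company_query):
    """Weak model: visibility depends only on the qualification sent."""
    return [t.ticket_id for t in tickets if t.company.startswith(company_query)]


def server_enforced_search(tickets, user, company_query=""):
    """Row-level model: every row is checked against the user's Group List
    before the query is applied; an unmarked row is visible to no one."""
    visible = [t for t in tickets
               if t.fields.get(ASSIGNEE_GROUP, frozenset()) & user.group_list]
    return [t.ticket_id for t in visible if t.company.startswith(company_query)]


if __name__ == "__main__":
    print(client_filtered_search(TICKETS, "Acme"))           # partial search
    print(server_enforced_search(TICKETS, HR_USER, "Acme"))  # same search
    print(server_enforced_search(TICKETS, IT_USER))
```

The unmarked ticket T4 is returned to nobody in the row-level model, so a record that was never given a Group ID fails closed instead of leaking.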
