Susan,
Permissions in ARS are in layers... Additive layers.
A) First a user must have access to the Form.
B) Next the user needs to have access to Field 1.
C) Next the user needs to have access to any of the other fields on the form.
The key here is that the user does not have to gain access to all
levels via the same Access Control group.
So...
A) Lets say you have a form that is "Public (Hidden)".
So all users can "use" the form, but not see it in there "Object list"s.
B) The permissions on Field 1 have these three groups:
Helpdesk, (some groupID)
AllCustomers, (some groupID)
Dynamic60001 (groupID=60001)
So any user that is in "Helpdesk", or "AllCustomers" would have access
to all records (field 1 values) in the form.
However the third group is a reference to data in each record. So to
know who fits in that group the Application server has to look at the
record in question and check the data in $USER $'s 'Group List'
against the data in the field $60001$ for that record. (Any match
grants access to the record.)
C) Then the server will check the permissions on each field and see if
the $USER $ has access to the field.
Again... dynamic groups, or "static" groups can be used on any
field and not just field 1.
Also... the "dynamic groups" are a list of: Static Groups, User Names,
or Roles (for Deployable applications only). To keep things a bit
simpler... think of Roles as "Static groups". The thing about "dynamic
groups" is that they are defined on a record by record basis. So if
one record has a value of : 'bob';"Helpdesk" then for that record all
members of the group "Helpdesk" and also the user 'bob' would be a
member of that dynamic group for that record.
So let's say we have two other fields to talk about.
'Status'
Permissions: Public (View), HelpDesk(Change)
'Short Description'
Permissions: HelpDesk(Change), Dynamic60001(Change)
If the $USER $'s group list is blank then they will be able to see 'Status'.
They MAY also be able to see 'Short Description', If and only if
their user name appears in the 'Dynamic60001' field in single quotes.
If the $USER $'s group list contains "HelpDesk" then they will be able
to see both fields.
If the $USER $'s group list is not blank, and does not contain
"HelpDesk" then they will be able to see 'Status'.
They MAY also be able to see 'Short Description', If and only if
their user name appears in the 'Dynamic60001' field in single quotes.
So... the question becomes.... What are the permissions on the fields,
and what fields should these users (the ones that you put into the
'Dynamic600001' field) be able to access?
That may not have been the best example... but I hope it helps.
--
Carey Matthew Black
Remedy Skilled Professional (RSP)
ARS = Action Request System(Remedy)
Love, then teach
Solution = People + Process + Tools
Fast, Accurate, Cheap.... Pick two.
On Wed, Feb 13, 2008 at 6:28 PM, Susan Palmer <[EMAIL PROTECTED]> wrote:
> **
> Hi everyone,
>
> For the most part our system deals with external customer companies. Until
> now we all access pretty well everything with no problems. Now we want to
> give access to a distributor we use and allow them to access particular
> customers they work with on our behalf. In actuality only about 3-5% of our
> customer records.
>
> So I thought this would be a good opportunity to try dynamic group access
> (first time user). First I thought I could just create the group 60001, a
> few regular groups to distinguish between US, UK, CHINA, and the character
> field with ID 60001 on a particular form. I did that and in the character
> field 60001 on several records I put the different values of US, UK, CHINA.
>
> Then I logged in as various users that are in those particular groups
> thinking I'd only see those records. Well it didn't work that way I could
> see all the records. I re-read all the documentation I could find etc etc
> etc, drove myself a little crazy because this shouldn't be that hard, seemed
> like a slam dunk in class a year ago ..... lol
>
> So back to basics, created a test form with the 60001 field. I also had a
> problem since I thought instructions said to put users in the 60001 group
> but on my new form I was getting errors which I didn't get before. So I
> removed them and left them in their US, UK, CHINA groups respectively (among
> others).
>
> Created records and made a few of each type of 60001 group choice. Did a
> query as one of the test users and got all the records but no data. So I
> added 60001 permission to Request ID field. That limited my query return
> but didn't show any data. Then added 60001 permission to another field and
> whaalaa I could see that data.
>
> So this is where I need the reality check help.
>
> Do I have to put that 60001 group permission on every field on every form I
> want them to have access to? It's literally thousands of fields. Tell me
> this ain't so, that I've gone overboard.
>
> Is there a way to do this that won't produce carpal tunnel syndrome?
>
> Any suggestions, comments are appreciated. Chuckles are ok if somewhat
> subdued but outright laughter at the pain of it not appreciated.
>
> Thanks for your help,
> Susan
>
> ARS 7.0.1P3 including clients and admin tool
> Oracle 10g
> Windows 2003
> Part of application used to be HD V5 but now it's a customized system.
>
>
>
> Susan Palmer
_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"
