Michiel,

 

You're absolutely right save for one thing: Security enforced
via workflow does not come into play via API or ODBC.

 

Here's an example: Say you want to give a Remedy user access to
a piece of information but you want to do it in a controlled way so they can
only see what you want them to see and modify what you want them to modify.
You build this through workflow because Remedy's built-in security features
aren't granular enough, or are too generalized, to achieve your goal. The
end result is a specific user account that can only run a given Remedy
application and access the data through that application only. This is all
controlled via workflow. All is well and good until you realize that
accesses via the ODBC driver for AR don't fire workflow. You've had to give
the user account row-level access to the data so your application functions
properly but don't want to give them direct access to the data.

 

Since ODBC connections don't fire workflow, using the
AR_CLIENT_TYPE is of no help because there isn't an easy way to act on it.
Or is there?

 

--- J.T. Shyman

 

  _____  

From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Michiel Beijen
Sent: Thursday, April 24, 2008 2:19 AM
To: arslist@ARSLIST.ORG
Subject: Re: Locking the Remedy Login only to User Tool

 

Different approach here!

You say you want to disallow users from using ODBC because of INFORMATION
SECURITY reasons.

But if you want to disallow users from accessing data, you should enforce
permissions on the data - and Remedy will have enough controls to do so.
Just limiting the access methods to the data will NOT make your data secure!

The fact that Remedy applies the same permission model when you log in
through the API as via ODBC, Web Services or User Tool is a very GOOD thing
in my opinion.

Regards,

Michiel.

On Thu, Apr 24, 2008 at 5:33 AM, Carey Matthew Black <[EMAIL PROTECTED]>
wrote:

VB,

If you use the ARS server ar.conf setting:
"
Disable-Client-Operation
"

Then you can establish ARS permission groups that "limit" what clients
the users can use by time of day.

Well, except for the FACT ( I know it can be done ) that the ARS API
allows the client to "tell the server" which client it actually is. So
an API program can "say" it is the UserTool. But I am not sure how
hard it would be to write an ODBC driver for ARS that changes its
"Client Type" value. (See John Sundberg's post for other details on
this part of the question.)


I am disappointed that the "API" does not have built in identifiers
(like public/private key identification features) so that the compiled
API that BMC publishes for us can only be identified by the ARS server
as one specific client type. But I guess BMC does not see "Client
Type" as a valid security access control. (Well, maybe some day they
can... So who is going to write up that RFE? :) )

--
Carey Matthew Black
Remedy Skilled Professional (RSP)
ARS = Action Request System(Remedy)

Love, then teach
Solution = People + Process + Tools
Fast, Accurate, Cheap.... Pick two.



On Wed, Apr 23, 2008 at 6:42 PM, Easter, David <[EMAIL PROTECTED]> wrote:
>
> Perhaps the AR_CLIENT_TYPE is what you're looking for:
>
>
> AR_CLIENT_TYPE_* (integer)
>
> An integer value for the client type. For more information, see
> AR_CLIENT_TYPE_* in the ar.h file.
> You could then use workflow to limit a user's actions based on their client
> type - in this case the User Tool.
>
>
>
>
>
> -David J. Easter
> Sr. Product Manager, Solution Strategy and Development
> BMC Software, Inc.
>
> The opinions, statements, and/or suggested courses of action expressed in
> this E-mail do not necessarily reflect those of BMC Software, Inc.  My
> voluntary participation in this forum is not intended to convey a role as a
> spokesperson, liaison or public relations representative for BMC Software,
> Inc.
>
>
>
>  ________________________________
>  From: Action Request System discussion list(ARSList)
> [mailto:[EMAIL PROTECTED] On Behalf Of Viswanathan Balakumar
> Sent: Wednesday, April 23, 2008 2:01 PM
> To: arslist@ARSLIST.ORG
> Subject: Locking the Remedy Login only to User Tool
>
>
>
>
>
> Hi,
>
>
>
> Is there a way to make some Remedy logins (either by name / group
> permission) to access ONLY User tool and cannot access Remedy data through
> any other way like Remedy ODBC \ APIs?
>
>
>
> For Information security reasons, we want some logins to be used only within
> the User tool and throw an error when used in Crystal Reports \ Remedy
> ODBC \ APIs.
>
>
>
> Maybe like using APIs \ monitoring the Logins \ any other way.
>
>
>
> Any related information will be helpful.
>
>
>
> Thanks,
>
> VB
>
>  __Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"
> html___
>

____________________________________________________________________________
___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org

Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"

 

