When some of my users discovered they could see - & in some cases modify - lots of forms using the API interface, they raised a concern. My security people are not happy. This is what BMC sent me from internal KB 20021753:
================ The User form has Public hidden permission. While using the User tool, a user without Administrator access cannot open the User form. When using the Web tool, the user can open the form. Is this a bug or do we need to build workflow to prevent users from accessing User form on the web? ================ The web behavior is not a bug, is normal. Permission and Visibility are two different things (although we tend to club them together): Permission: Whether a User can access an object or not / pull up data from it or not. Visibility: Whether a User can see the object in the Object List or not. For example if a Form has Public-Hidden permissions details attached to it. This means they can pull up data from it / open it but it won't be visible in the Object List. If you use the Mid-Tier object list, you will find that it too shows the same behavior as the User Tool object list. Q. But is it possible to open up forms in User Tool like Mid-Tier which have public hidden permissions? A. Well actually you can. Here are the steps 1) Open up the Object List in User Tool. 2) Right click any form name and select "Create Shortcut" > "Search Form" 3) Save the task file somewhere. 4) Open the ARTask file in notepad 5) Change the Name = <Form Name> to the form name you want to open example Name = User 6) Save and Double Click to open the form. -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Kemes, Lisa Sent: Tuesday, June 22, 2010 11:26 AM To: arslist@ARSLIST.ORG Subject: Re: 7.5 Mid Tier Object List Question Looks like the original post did not come through which I was referring to. Amanda Pierce asked (back in Jan of 2010): I have imported the Mid Tier Object List form/workflow, when I log in as a regular user with restricted permissions I can see ALL forms even if I don't have permission to view them i.e AR System forms. Is there any way to restrict the visibility of these forms the same way the client does based on Permission Visible/Hidden? Lisa -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Kemes, Lisa Sent: Tuesday, June 22, 2010 11:24 AM To: arslist@ARSLIST.ORG Subject: Re: 7.5 Mid Tier Object List Question Has anyone been able to figure this out? Looks like the only forms that show up on this list is the ones with Public Permissions. We want it to act just like the Object List on the client (where the customer can only see the forms that they have access to). Also, is there an easier way for the midtier customer to get to the object list other than an entry link or adding a button on every single form that takes them to the MidTier Object List Form? We enabled the "Enable Object List" setting on the Midtier configuration, but it appears that enabling on the MidTier server is sort of an error trap. The MidTier will bring up the Object List if a bad URL is entered. I can't get this to work even if I try to use a "bad URL" (whatever that is!) I really hope this is one thing that gets taken care of in MT 8.0! Thanks! Lisa Midtier 7.5 p4 ARS 7.1 p7 Oracle 10g -- View this message in context: http://ars-action-request-system.1093659.n2.nabble.com/7-5-Mid-Tier-Obje ct-List-Question-tp4469645p5209293.html Sent from the ARS (Action Request System) mailing list archive at Nabble.com. ________________________________________________________________________ _______ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: "Where the Answers Are" ________________________________________________________________________ _______ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: "Where the Answers Are" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: "Where the Answers Are"
