Well, I did find this right after I submitted that: https://docs.bmc.com/docs/display/public/brid81/Update+to+the+multi-tenancy+model
....which says this:

The update to the multi-tenancy model addresses issues related to row-level security on the Company ID field (Field ID 112) and Vendor Assignee field (Field ID 60900), which were inaccurately set on the following forms:

* Main application transactional forms; for example, Help Desk, Problem, and Change
* Multi-tenant aware child forms of the main application transactional forms; for example, Assignment Log and Impacted Areas
* Join forms related to the forms mentioned in the preceding two bullets; for example, HPD:HelpDeskAssignmentLogJoin and CHG:CostAssociationJoin

William Rentfrow
wrentf...@stratacominc.com
Office: 715-204-3061 or 701-232-5697x25
Cell: 715-498-5056

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Carl Wilson
Sent: Friday, February 27, 2015 10:11 AM
To: arslist@ARSLIST.ORG
Subject: Re: Yet another tenancy question...

Hi,

This is working as expected. As you mentioned, Multi-tenancy is based on either of those fields on an Incident, so as long as you have membership to one of the Group IDs you will see the Incident. So if Support Group 1 has access to the Customer "common" Company, then they would see all requests, same for Support Group 2, etc., as tenancy is done at the Company level.

To separate this out there is the concept of "Supporting Companies", introduced I think around version 7.6, where you can have a Support Company work a request (Assignment) without the need to give them full Company access and they only see those requests - however I believe this uses the Vendor fields to control access so can be somewhat tricky to set up. You could not have the "common" Company for the People though, as the above still applies.

Kind Regards,
Carl Wilson
http://www.missingpiecessoftware.com/

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of William Rentfrow
Sent: 27 February 2015 15:42
To: arslist@ARSLIST.ORG
Subject: Yet another tenancy question...

Hi all-

ARS 8.1.02, ITSM 8.1, etc - totally Remedy workflow question - architecture doesn't matter.

We are doing a test configuration on our dev server trying to configure multi-tenancy as follows:

1.) All People records belong to a company "MyCompany"
2.) Support users are in a company for their business unit, e.g. "Group 1, Group 2, etc". To be very clear, these are defined as separate companies - they are NOT under "MyCompany".
3.) We do not have unrestricted access turned on for anyone - so if an incident is assigned to Group 1 we do not want Group 2 to be able to see it at all.

The entire point of doing the above setup is to have one copy of each people record shared among everyone - otherwise the only real option is to load a separate copy of the people record for every defined company - and we're talking about millions of records in that instance. All of those would have to get updated weekly in order to keep things up to date, so that's kind of a non-starter. Or we could customize multi-tenancy, which seems like a path fraught with peril...

The tenancy documentation I read says that tenancy and row level security is based off of three things in 8.1: Customer Company for field 112, Support Company on field 60900, and Vendor Assignee groups. I was under the impression that permissions were additive - so, if there was a value in any of those three fields your People profile had to match all of them for you to be able to see the incident.
I checked the permissions on Entry ID (Field 1) in HPD:Help Desk and they match this as advertised (Unrestricted access membership is also one of the permission groups for field one but no one is defined as unrestricted in my test setup).

The problem is I don't think it's working right. The value that gets set for field 112 is the value of the customer's company, NOT the assigned group's company. Having the incident assigned to a group under a separate company has no real effect on anything. I checked the data and the field 60900 is filled in with the correct value of the Group entry that matches the assigned support company. Consequently, anyone can see all of the incidents, regardless of what company they are in.

How do we go about getting this to work? Is it supposed to work how we want it, or is that a customization? All of the docs I read make me think it should work this way. I'm not even 100% sure anything is broken. I opened an issue with support too and I'm waiting to hear what they think.

William Rentfrow
wrentf...@stratacominc.com
Office: 715-204-3061 or 701-232-5697x25
Cell: 715-498-5056

_ARSlist: "Where the Answers Are" and have been for 20 years_
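
The two readings of row-level security debated in this thread, as an added example that is not part of the original messages and is not BMC code. It is a simplified model: it assumes an entry is visible when the user belongs to a group stored in field 112 or field 60900 (the "either of those fields" rule from the reply), and compares that with the "must match all" rule from the original question. Agent names, incident numbers and group memberships are constructed.

```python
from dataclasses import dataclass

COMPANY_ID = 112         # Company ID field (customer's company)
VENDOR_ASSIGNEE = 60900  # Vendor Assignee field (assigned support company)

@dataclass
class Incident:
    number: str
    access: dict  # field ID -> set of group names stored in that field

def visible_any(user_groups, incident):
    """Rule as described in the reply: a match on either field is enough."""
    return any(user_groups & groups for groups in incident.access.values())

def visible_all(user_groups, incident):
    """Rule the original question expected: every populated field must match."""
    populated = [g for g in incident.access.values() if g]
    return bool(populated) and all(user_groups & g for g in populated)

def audit(users, incidents, rule):
    """Map each user to the incident numbers the rule lets them see."""
    return {name: sorted(i.number for i in incidents if rule(groups, i))
            for name, groups in users.items()}

# Constructed sample data mirroring the thread's test setup.
INCIDENTS = [
    Incident("INC-1", {COMPANY_ID: {"MyCompany"}, VENDOR_ASSIGNEE: {"Group 1"}}),
    Incident("INC-2", {COMPANY_ID: {"MyCompany"}, VENDOR_ASSIGNEE: {"Group 2"}}),
]
# Support staff who also hold access to the shared customer company.
WITH_COMMON = {"agent1": {"MyCompany", "Group 1"},
               "agent2": {"MyCompany", "Group 2"}}
# Support staff with membership in their own support company only.
SUPPORT_ONLY = {"agent1": {"Group 1"}, "agent2": {"Group 2"}}

if __name__ == "__main__":
    cases = [
        ("either-field rule, common company granted", WITH_COMMON, visible_any),
        ("all-fields rule, common company granted", WITH_COMMON, visible_all),
        ("either-field rule, support company only", SUPPORT_ONLY, visible_any),
    ]
    for label, users, rule in cases:
        print(label, audit(users, INCIDENTS, rule))
```

Running the same audit against exported test data is a quick way to confirm which users can see which entries before and after a tenancy change.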