Okay - so this actually works if you do this: Put all people in "COmpany A". This includes all of your support staff.
Create a company "B" and "C". In the Support Company Access Configuration, set company "B" and "C" as a Support company for Company A. Create support groups under company B and C. In the people records for a support group for company "B", LEAVE their company on the "General" tab as company A. But update their access restriction on the permissions tab to only allow access to company B. Repeat for people under company C. Now the people in B and C will be able to create incidents for people in Company A, but Company B and C will NOT be able to see each other's incidents at all. Supervisors/Managers, etc can of course have their access restriction set to include any/all of the companies so they can see everything. This also requires you set some things to Global (Service+) if you want to share those across the board. There are some interesting workflow things you may or may not want to deal with. I'm still working those out. For example, when you create or update a people record it automatically changes the access restriction company to the company on the "General" tab. We may disable this. William Rentfrow wrentf...@stratacominc.com Office: 715-204-3061 or 701-232-5697x25 Cell: 715-498-5056 From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Carl Wilson Sent: Friday, February 27, 2015 10:11 AM To: arslist@ARSLIST.ORG Subject: Re: Yet another tenancy question... ** Hi, This is working as expected. As you mentioned, Multi-tenancy is based on either of those fields on an Incident so as long as you have membership to one of the Group ID's you will see the Incident. So if Support Group 1 has access to the Customer "common" Company, then they would see all requests, same for Support Group 2, etc as tenancy is done at the Company level. To separate out this there is the concept of "Supporting Companies" introduced I think around version 7.6 where you can have a Support Company work a request (Assignment) without the need to give them full Company access and they only see those requests - however I believe this uses the Vendor fields to control access so can be somewhat tricky to setup. You could not have the "common" Company for the People though as the above still applies. ________________________________ Kind Regards, Carl Wilson http://www.missingpiecessoftware.com/ From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of William Rentfrow Sent: 27 February 2015 15:42 To: arslist@ARSLIST.ORG<mailto:arslist@ARSLIST.ORG> Subject: Yet another tenancy question... ** Hi all- ARS 8.1.02, ITSM 8.1, etc - totally Remedy workflow question - architecture doesn't matter. We are doing a test configuration on our dev server trying to configure multi-tenancy as follows: 1.) All People records belong to a company "MyCompany" 2.) Support users are in a company for their business unit, e.g. "Group 1, Group 2, etc". To be very clear, these are defined as separate companies - they are NOT under "MyCompany". 3.) We do not have unrestricted access turned on for anyone. - so if an incident is assigned to Group 1 we do not want Group 2 to be able to see it at all. The entire point of doing the above setup is to have one copy of each people record shared among everyone - otherwise the only real option is to load a separate copy of the people record for every defined company - and we're talking about millions of records in that instance. All of those would have to get updated weekly in order to keep things up to date, so that's kind of a non-starter. Or we could customize multi-tenancy, which seems like path fraught with peril... The tenancy documentation I read says that tenancy and row level security is based off of three things in 8.1: Customer Company for field 112, Support Company on field 60900, and Vendor Assignee groups. I was under the impression that permissions were additive - so, if there was a value in any of those three fields your People profile had to match all of them for you to be able to see the incident. I checked the permissions on Entry ID (Field 1) in HPD:Help Desk and they match this as advertised (Unrestricted access membership is also one of the permission groups for field one but no one is defined as unrestricted in my test setup). The problem is I don't think it's working right. The value that gets set for field 112 is the value of the customer's company, NOT the assigned group's company. Having the incident assigned to a group under a separate company has no real effect on anything. I checked the data and the field 60900 is filled in with the correct value of the Group entry that matches the assigned support company. Consequently, anyone can see all of the incidents, regardless of what company they are in. How do we go about getting this to work? Is it supposed to work how we want it, or is that a customization? All of the docs I read make me think it should work this way. I'm not even 100% sure anything is broken. I opened an issue with support too and I'm waiting to hear what they think. William Rentfrow wrentf...@stratacominc.com<mailto:wrentf...@stratacominc.com> Office: 715-204-3061 or 701-232-5697x25 Cell: 715-498-5056 _ARSlist: "Where the Answers Are" and have been for 20 years_ ________________________________ No virus found in this message. Checked by AVG - www.avg.com<http://www.avg.com> Version: 2014.0.4800 / Virus Database: 4257/9192 - Release Date: 02/27/15 _ARSlist: "Where the Answers Are" and have been for 20 years_ _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"