Re: [EXTERNAL] Re: Multi-tenancy, Human resources, field ID 112 etc.

2012-10-16 Thread Logan, Kelly
I am working on coming up with a reasonable compromise for this as well, but 
focused on SRM.

Goals:

* HR tickets (those assigned to HR support groups, or using HR 
services, perhaps) should be viewable only by HR personnel and the ticket 
submitter/contact.

* HR employees have the same access to IT and other regular services 
and are listed in reports as part of the total company data.

* HR employees have access to other employees' People data.

So, to walk through this,

1.   Set up Calbro as an operating company (for IT and other support 
groups), with all non-HR departments and employees in it.

2.   Set up Calbro-HR as an operating company, with only HR departments and 
employees.

3.   Give HR employees access to Calbro and Calbro-HR.

The problem as I see it with this set-up is that it does not restrict access 
from the customer company; say, a Calbro customer submits a ticket that is 
assigned to an HR person in Calbro-HR, the current workflow will add both the 
customer and assignee companies into the Assignee Groups field, which means 
that every other employee in Calbro can still see the ticket, even if it is 
assigned to Calbro-HR support groups. In other words, I don't see how 
multi-tenancy allows you to segregate data to prevent viewing by employees that 
are in the same company, which is the goal with HR requests.

Since OOB workflow (filters SHR:SHR:UpdateGroupList...) automatically adds the 
customer company in, the only choice I see is to modify that workflow in some 
fashion. The simplest solution seems to be to keep HR in the same company, but 
create custom code that short-circuits the regular workflow and puts the 
assignee group(s) into field 112 (instead of the company permission group) when 
that group is in the HR organization.

I think a more complex, but better solution would be to replace it entirely 
with code that determined assignee group based on a set of rules that could be 
data configured, perhaps using computed groups instead?

Kelly Logan, Sr. Systems Administrator (Remedy, Planview), GEMS
ProQuest | 789 E. Eisenhower Parkway, P.O. Box 1346 | Ann Arbor MI 48106-1346 
USA | 734.997.4777
kelly.lo...@proquest.com
www.proquest.com
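
A simplified model of the visibility problem and the proposed short-circuit described in the message above, added here as an example; it is not part of the original post and not BMC workflow code. Field 112 is modelled as a set of group names, and all users, tickets, group names and function names are constructed.

```python
# Simplified model of row-level access through field 112 (Assignee Groups).
# Group names, users and tickets are constructed; the real field stores group
# IDs, and this is not BMC workflow code.

HR_SUPPORT_GROUPS = {"HR-Benefits", "HR-Employee Relations"}  # hypothetical rule data


def oob_field_112(ticket):
    """Behaviour described in the post: customer and assignee companies."""
    return {ticket["customer_company"], ticket["assignee_company"]}


def short_circuit_field_112(ticket):
    """Proposed change: an HR assignee group replaces the company groups."""
    if ticket["assignee_group"] in HR_SUPPORT_GROUPS:
        return {ticket["assignee_group"]}
    return oob_field_112(ticket)


def can_view(user, ticket, field_112):
    """Visible if the user shares a group with field 112 or submitted the
    ticket (submitter access is modelled here as an assumption)."""
    return bool(user["groups"] & field_112) or user["login"] == ticket["submitter"]


def visible_to(users, ticket, compute_112):
    field_112 = compute_112(ticket)
    return sorted(u["login"] for u in users if can_view(u, ticket, field_112))


USERS = [
    {"login": "alice", "groups": {"Calbro"}},                               # customer
    {"login": "bob", "groups": {"Calbro", "Service Desk"}},                 # IT staff
    {"login": "hana", "groups": {"Calbro", "Calbro-HR", "HR-Benefits"}},    # HR staff
]
HR_TICKET = {"submitter": "alice", "customer_company": "Calbro",
             "assignee_company": "Calbro-HR", "assignee_group": "HR-Benefits"}
IT_TICKET = {"submitter": "hana", "customer_company": "Calbro",
             "assignee_company": "Calbro", "assignee_group": "Service Desk"}

if __name__ == "__main__":
    for name, ticket in (("HR", HR_TICKET), ("IT", IT_TICKET)):
        for rule in (oob_field_112, short_circuit_field_112):
            print(name, rule.__name__, visible_to(USERS, ticket, rule))
```

With the out-of-the-box rule the non-HR user `bob` can read the HR ticket through the shared `Calbro` group; with the short-circuit only the submitter and the HR assignee group can, while the IT ticket stays visible to everyone in the company.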



Re: [EXTERNAL] Re: Multi-tenancy, Human resources, field ID 112 etc.

2012-10-12 Thread Peters, Ron
Thanks everyone for the thoughts, I'm just catching up. We will be testing 
whatever we go with.

_attend WWRUG12 www.wwrug.com ARSlist: Where the Answers Are_


___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are


Re: [EXTERNAL] Re: Multi-tenancy, Human resources, field ID 112 etc.

2012-10-11 Thread Stroud, Natalie K
We had customers with a similar requirement, only both they and our Service 
Desk wanted to be able to assign their tickets back and forth across both 
companies in the case of a misroute or a request needing to be forwarded 
(Service Desk on restricted side to HR on unrestricted side to some HR IT group 
back on the restricted side, for instance).  We could not find an option we 
liked for that, so that set of users elected not to come on board with us.  The 
issue I question with Aditya's solution is that it looks to me like it allows 
one-way assignment only - from unrestricted HR company to restricted regular 
company. And if you put the Service Desk on the unrestricted side to allow 
assignment both ways, the sensitive HR data is potentially compromised.

I wouldn't swear I'm right about this, though, as this request was a while 
back.  As always, test for yourself if you want to be absolutely certain!

Thanks,

Natalie Stroud
SAIC @ Sandia National Laboratories
ARS-ITSM Tester
Albuquerque, NM USA
nkst...@sandia.gov
ITSM 7.6.04 SP2 - Windows 2008 - SQL Server 2008


From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Aditya Sharma
Sent: Thursday, October 11, 2012 3:07 PM
To: arslist@ARSLIST.ORG
Subject: [EXTERNAL] Re: Multi-tenancy, Human resources, field ID 112 etc.

Hi Ron,

You can achieve this with multi-tenancy. You will need to create a separate 
company for your HR users. Let's say your company is Calbro; the new company 
can be Calbro-HR. All the foundation data corresponding to your HR department 
should use this new company. You can have access restriction set for users 
(Service Desk etc.) to Calbro only (add Calbro in the Access Restriction Tab of 
all the Calbro users) so that they cannot access anything related to the 
Calbro-HR company. But vice versa you can allow your HR users to have access to 
the Calbro as well as Calbro-HR companies (or give HR users Unrestricted Access 
if only two companies are there in your system).

Regards,
Aditya
On Thu, Oct 11, 2012 at 3:48 AM, Peters, Ron rpet...@columbia.com wrote:
Hi all,

I believe we are currently running in multi-tenancy mode though we only use a 
single company. Our help desk assigns tickets to various support groups as 
normal. Now, we're looking into bringing our HR department on board so we can 
assign tickets etc. to them. I believe the main sticking point is that they 
don't want anyone seeing what could be sensitive information in their tickets.

I've heard that we can do something where only they see their tickets and 
nobody else can. I've been reading about multi-tenancy and support 
organizations but it wasn't super clear about a situation like this. What 
recommendations do you have for this type of scenario?

We're just starting down this path and are thinking about the possibilities. 
These are some of the ones I've thought about but may not be exhaustive (or 
correct for that matter).

Most users should:
Be able to assign tickets to HR users
Not be able to see any of the HR tickets or ticket contents

HR users should:
Be able to assign their tickets back to non-HR groups, mainly service desk but 
possibly others
Be able to work their tickets.
Probably be able to see non-HR tickets and contents

Thoughts?

Thanks,
Ron