Re: Data level Security
Great! thanks. This is working if a user search based on the Incident ID, but when a user does an unqulified search this does bring in the that record which user suppose not to have access. Is any way I can restrict that. Regards, Sugan From: Brittain, Mark mbritt...@navisite.com To: arslist@ARSLIST.ORG Sent: Thursday, February 26, 2009 9:30:26 PM Subject: Re: Data level Security ** I have something similar. First I assigned the Assignee Group as the only permission in the Request ID field. The I created a field with a ID of 112. Using your example, workflow on create places YYY in the 112 field. After that only members of the YYY group can see the ticket. If you are not a member of the group and search with the Request ID, you get a system message data does not exist on the server (or something like that). You can list multiple groups in the 112 field. This could be when company YYY and your coworkers need to see the tickets. You must select “Enable Multiple Assign Groups under the Server Information/Configuration. This should address your issue unless your report (button) is evoking and external program like crystal reports. Hope this helps. mjb From:Action Request System discussion list(ARSList) [mailto: arslist@ARSLIST.ORG ] On Behalf Of Lyle Taylor Sent: Thursday, February 26, 2009 6:48 PM To: arslist@ARSLIST.ORG Subject: Re: Data level Security You could potentially use multitenancy to accomplish this. You would essentially create another company with a support group that corresponds to group YYY and add the users to that group. You would then add the new company to their list of Access Restrictions on the People form and make sure that people that shouldn’t see those tickets don’t have Unrestricted Access selected on their profile. In that case, access to tickets in that group would be limited to people that have the new company added to their access restrictions (or that have a role on that specific ticket), and it would not be possible for other people to report on that data unless they go to the database directly, because it would not be returned in search results. That’s a high-level view of it (sorry if it doesn’t make sense), but suffice it to say for now that I think you could probably accomplish what you need using OOB multitenancy functionality. It may not be as elegant and seamless as what you were trying to accomplish here, but should still be doable. Lyle From:Action Request System discussion list(ARSList) [mailto: arslist@ARSLIST.ORG ] On Behalf Of Sugavanam K K Sent: Thursday, February 26, 2009 4:12 PM To: arslist@ARSLIST.ORG Subject: Data level Security ** Following is the Requirement which I received form my client, I need some help to put this into place: We have a group YYY which will be using Incident Management system to create tickets and tickets created by them should not be seen by the any other users of the system. Following is what i did I created a new Group called YYY and assigned members to it, also I created a Opt cat for them to use. If any user does a search on the incident form I have an active link to check if the user is of YYY group and the ticket has the Opt Cat value, if yes, I throw a message saying you are not authorized to view this ticket and hide all fields on the incident form. But, here is the problem, user was able to create report on this ticket using he in built reporting button on tne menu and view the details of the ticket. Please let me know is there any I can disable Reporting option only on this instance. Other Way - I did try to close the Incident form when they hit these tickets but system is giving a message asking if is it ok close the window with out saving the ticket, If I say Yes no issues and Incident form is closed, when I say no form is not closed and user still able to generate a report to see the information on the ticket. Please sugesst me some soulution to do this. -Sugan __Platinum Sponsor: RMI Solutions ARSlist: Where the Answers Are html___ NOTICE: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. This e-mail is the property of NaviSite, Inc. It is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential, or otherwise protected from disclosure. Distribution or copying of this e-mail, or the information contained herein, to anyone other than the intended recipient is prohibited. __Platinum Sponsor: RMI Solutions ARSlist: Where the Answers Are html___ __Platinum Sponsor: RMI Solutions ARSlist: Where the Answers Are html___
Re: Data level Security
Before taking an approach like this, keep in mind that there are potential problems with this or other approaches using field 112. First, ITSM already uses this field to control access to records. By default, it will create a permission group for every company and every support group configured in the system. When a record is created, it automatically adds the company group to the list, giving everyone in that company access to the record. It then also adds the assigned support group to the record, giving that support group access (if they didn't already have it from the company). In addition, by default Unrestricted Access has permissions to field 1 which allows anyone with unrestricted access to view the record. If you change these permissions and how field 112 is used, you will break multitenancy. In addition, if you only allow Assignee Group to view the record, you have just made it so that only specific groups can view every Incident rather than just enforcing it only for group YYY. Just a couple of things to keep in mind. Lyle From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Brittain, Mark Sent: Thursday, February 26, 2009 8:30 PM To: arslist@ARSLIST.ORG Subject: Re: Data level Security ** I have something similar. First I assigned the Assignee Group as the only permission in the Request ID field. The I created a field with a ID of 112. Using your example, workflow on create places YYY in the 112 field. After that only members of the YYY group can see the ticket. If you are not a member of the group and search with the Request ID, you get a system message data does not exist on the server (or something like that). You can list multiple groups in the 112 field. This could be when company YYY and your coworkers need to see the tickets. You must select Enable Multiple Assign Groups under the Server Information/Configuration. This should address your issue unless your report (button) is evoking and external program like crystal reports. Hope this helps. mjb From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Lyle Taylor Sent: Thursday, February 26, 2009 6:48 PM To: arslist@ARSLIST.ORG Subject: Re: Data level Security You could potentially use multitenancy to accomplish this. You would essentially create another company with a support group that corresponds to group YYY and add the users to that group. You would then add the new company to their list of Access Restrictions on the People form and make sure that people that shouldn't see those tickets don't have Unrestricted Access selected on their profile. In that case, access to tickets in that group would be limited to people that have the new company added to their access restrictions (or that have a role on that specific ticket), and it would not be possible for other people to report on that data unless they go to the database directly, because it would not be returned in search results. That's a high-level view of it (sorry if it doesn't make sense), but suffice it to say for now that I think you could probably accomplish what you need using OOB multitenancy functionality. It may not be as elegant and seamless as what you were trying to accomplish here, but should still be doable. Lyle From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Sugavanam K K Sent: Thursday, February 26, 2009 4:12 PM To: arslist@ARSLIST.ORG Subject: Data level Security ** Following is the Requirement which I received form my client, I need some help to put this into place: We have a group YYY which will be using Incident Management system to create tickets and tickets created by them should not be seen by the any other users of the system. Following is what i did I created a new Group called YYY and assigned members to it, also I created a Opt cat for them to use. If any user does a search on the incident form I have an active link to check if the user is of YYY group and the ticket has the Opt Cat value, if yes, I throw a message saying you are not authorized to view this ticket and hide all fields on the incident form. But, here is the problem, user was able to create report on this ticket using he in built reporting button on tne menu and view the details of the ticket. Please let me know is there any I can disable Reporting option only on this instance. Other Way - I did try to close the Incident form when they hit these tickets but system is giving a message asking if is it ok close the window with out saving the ticket, If I say Yes no issues and Incident form is closed, when I say no form is not closed and user still able to generate a report to see the information on the ticket. Please sugesst me some soulution to do this. -Sugan __Platinum Sponsor: RMI Solutions ARSlist: Where the Answers Are html___ NOTICE: This email
Re: Data level Security
You could potentially use multitenancy to accomplish this. You would essentially create another company with a support group that corresponds to group YYY and add the users to that group. You would then add the new company to their list of Access Restrictions on the People form and make sure that people that shouldn't see those tickets don't have Unrestricted Access selected on their profile. In that case, access to tickets in that group would be limited to people that have the new company added to their access restrictions (or that have a role on that specific ticket), and it would not be possible for other people to report on that data unless they go to the database directly, because it would not be returned in search results. That's a high-level view of it (sorry if it doesn't make sense), but suffice it to say for now that I think you could probably accomplish what you need using OOB multitenancy functionality. It may not be as elegant and seamless as what you were trying to accomplish here, but should still be doable. Lyle From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Sugavanam K K Sent: Thursday, February 26, 2009 4:12 PM To: arslist@ARSLIST.ORG Subject: Data level Security ** Following is the Requirement which I received form my client, I need some help to put this into place: We have a group YYY which will be using Incident Management system to create tickets and tickets created by them should not be seen by the any other users of the system. Following is what i did I created a new Group called YYY and assigned members to it, also I created a Opt cat for them to use. If any user does a search on the incident form I have an active link to check if the user is of YYY group and the ticket has the Opt Cat value, if yes, I throw a message saying you are not authorized to view this ticket and hide all fields on the incident form. But, here is the problem, user was able to create report on this ticket using he in built reporting button on tne menu and view the details of the ticket. Please let me know is there any I can disable Reporting option only on this instance. Other Way - I did try to close the Incident form when they hit these tickets but system is giving a message asking if is it ok close the window with out saving the ticket, If I say Yes no issues and Incident form is closed, when I say no form is not closed and user still able to generate a report to see the information on the ticket. Please sugesst me some soulution to do this. -Sugan __Platinum Sponsor: RMI Solutions ARSlist: Where the Answers Are html___ NOTICE: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: RMI Solutions ARSlist: Where the Answers Are
Re: Data level Security
You need to read about row level permission. Using Assigned Group (112) you can make is so that only users who have the group value that is in that field can see the record. On Thu, Feb 26, 2009 at 6:12 PM, Sugavanam K K suga...@yahoo.com wrote: ** Following is the Requirement which I received form my client, I need some help to put this into place: We have a group YYY which will be using Incident Management system to create tickets and tickets created by them should not be seen by the any other users of the system. Following is what i did I created a new Group called YYY and assigned members to it, also I created a Opt cat for them to use. If any user does a search on the incident form I have an active link to check if the user is of YYY group and the ticket has the Opt Cat value, if yes, I throw a message saying you are not authorized to view this ticket and hide all fields on the incident form. But, here is the problem, user was able to create report on this ticket using he in built reporting button on tne menu and view the details of the ticket. Please let me know is there any I can disable Reporting option only on this instance. Other Way - I did try to close the Incident form when they hit these tickets but system is giving a message asking if is it ok close the window with out saving the ticket, If I say Yes no issues and Incident form is closed, when I say no form is not closed and user still able to generate a report to see the information on the ticket. Please sugesst me some soulution to do this. -Sugan __Platinum Sponsor: RMI Solutions ARSlist: Where the Answers Are html___ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: RMI Solutions ARSlist: Where the Answers Are
Re: Data level Security
That's a pretty horrid way of doing it. If the data is sensitive, you aren't protecting it with this approach. Read up on row level access, which is controlled by setting the permissions on field id 1. Bear in mind that active links are processed on the client side. You can trust them to work as much as you trust the client. Axton Grams On Thu, Feb 26, 2009 at 5:12 PM, Sugavanam K K suga...@yahoo.com wrote: ** Following is the Requirement which I received form my client, I need some help to put this into place: We have a group YYY which will be using Incident Management system to create tickets and tickets created by them should not be seen by the any other users of the system. Following is what i did I created a new Group called YYY and assigned members to it, also I created a Opt cat for them to use. If any user does a search on the incident form I have an active link to check if the user is of YYY group and the ticket has the Opt Cat value, if yes, I throw a message saying you are not authorized to view this ticket and hide all fields on the incident form. But, here is the problem, user was able to create report on this ticket using he in built reporting button on tne menu and view the details of the ticket. Please let me know is there any I can disable Reporting option only on this instance. Other Way - I did try to close the Incident form when they hit these tickets but system is giving a message asking if is it ok close the window with out saving the ticket, If I say Yes no issues and Incident form is closed, when I say no form is not closed and user still able to generate a report to see the information on the ticket. Please sugesst me some soulution to do this. -Sugan __Platinum Sponsor: RMI Solutions ARSlist: Where the Answers Are html___ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: RMI Solutions ARSlist: Where the Answers Are
Re: Data level Security
I have something similar. First I assigned the Assignee Group as the only permission in the Request ID field. The I created a field with a ID of 112. Using your example, workflow on create places YYY in the 112 field. After that only members of the YYY group can see the ticket. If you are not a member of the group and search with the Request ID, you get a system message data does not exist on the server (or something like that). You can list multiple groups in the 112 field. This could be when company YYY and your coworkers need to see the tickets. You must select Enable Multiple Assign Groups under the Server Information/Configuration. This should address your issue unless your report (button) is evoking and external program like crystal reports. Hope this helps. mjb From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Lyle Taylor Sent: Thursday, February 26, 2009 6:48 PM To: arslist@ARSLIST.ORG Subject: Re: Data level Security You could potentially use multitenancy to accomplish this. You would essentially create another company with a support group that corresponds to group YYY and add the users to that group. You would then add the new company to their list of Access Restrictions on the People form and make sure that people that shouldn't see those tickets don't have Unrestricted Access selected on their profile. In that case, access to tickets in that group would be limited to people that have the new company added to their access restrictions (or that have a role on that specific ticket), and it would not be possible for other people to report on that data unless they go to the database directly, because it would not be returned in search results. That's a high-level view of it (sorry if it doesn't make sense), but suffice it to say for now that I think you could probably accomplish what you need using OOB multitenancy functionality. It may not be as elegant and seamless as what you were trying to accomplish here, but should still be doable. Lyle From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Sugavanam K K Sent: Thursday, February 26, 2009 4:12 PM To: arslist@ARSLIST.ORG Subject: Data level Security ** Following is the Requirement which I received form my client, I need some help to put this into place: We have a group YYY which will be using Incident Management system to create tickets and tickets created by them should not be seen by the any other users of the system. Following is what i did I created a new Group called YYY and assigned members to it, also I created a Opt cat for them to use. If any user does a search on the incident form I have an active link to check if the user is of YYY group and the ticket has the Opt Cat value, if yes, I throw a message saying you are not authorized to view this ticket and hide all fields on the incident form. But, here is the problem, user was able to create report on this ticket using he in built reporting button on tne menu and view the details of the ticket. Please let me know is there any I can disable Reporting option only on this instance. Other Way - I did try to close the Incident form when they hit these tickets but system is giving a message asking if is it ok close the window with out saving the ticket, If I say Yes no issues and Incident form is closed, when I say no form is not closed and user still able to generate a report to see the information on the ticket. Please sugesst me some soulution to do this. -Sugan __Platinum Sponsor: RMI Solutions ARSlist: Where the Answers Are html___ NOTICE: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. __Platinum Sponsor: RMI Solutions ARSlist: Where the Answers Are html___ This e-mail is the property of NaviSite, Inc. It is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential, or otherwise protected from disclosure. Distribution or copying of this e-mail, or the information contained herein, to anyone other than the intended recipient is prohibited. ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: RMI Solutions ARSlist: Where the Answers Are