Using the Request ID field with implicit groups
Using implicit groups to control access to requests is a powerful method of access control within Remedy AR System. The Request ID field plays a key role in access control. To see a request, a user must belong to a group with permission for its Request ID field.
Defining access to requests at the user level
You can link access control to a user's login name:
- To give submitters or assignees access to their requests on a single-user basis, grant the Submitter and Assignee groups permission to the Request ID field.
- To give other users access, grant the Assignee Group or dynamic groups access to the Request ID field. Make sure that you also add field ID 112 (the Assignee Group field) or the correct dynamic group fields to the form.
- To grant access to requests for hierarchical groups, use the Dynamic Permissions Inheritance form property. See Controlling access to requests for hierarchical groups.
If you are using a user's login name to assign access, remember these tips:
- In the Submitter or Assigned To fields, enter the user's login name without quotation marks.
- In the Assignee Group or dynamic group fields , enter the user's login name in single quotation marks. Double any single quotation marks that are part of the login name (for example, 'Dan O''Connor' ).
Defining access to requests at the group level
Unlike Submitter and Assignee access, Assignee Group and dynamic group access can extend access control on a conditional basis by using explicit group and role membership.
To permit multiple user, group, and role names in the Assignee Group field and dynamic fields, select Enable Multiple Assign Groups on the Configuration tab of BMC Remedy AR System Administration: Server Information form. To enter users Dan O'Connor and Mary Manager, group ID 12000, role ID -9000, and role Managers, use the following syntax:
'Dan O''Connor';'Mary Manager';12000;-9000;Managers
If a group and role have the same name, the role name is assumed. For example, if a dynamic field contains Managers;Sales, BMC Remedy AR System assumes the Managers and Sales roles, if they exist; otherwise, BMC Remedy AR System assumes the Manager and Sales groups.
For more information about all settings in the BMC Remedy AR System Administration: Server Information form, see Configuring AR System servers.
Assignee Group and dynamic group permissions to the Request ID field, combined with the contents of the Assignee Group field or dynamic group fields, determines who can see the request. If a group or role to which the user belongs is in the Assignee Group or dynamic group field for a request, that user is given whatever access privileges you defined for the Assignee Group or dynamic group, as shown in the following figure.
Controlling access to requests by using row-level security
(Click the image to expand it.)