Controlling access by using implicit groups: Row-level security
You can limit access to requests on a per-group or per-user basis. (This is often described as "row-level access," because each request is a row in the database table.) Membership in implicit groups (and their corresponding permissions) is implied when specific values are entered into certain BMC Remedy AR System fields.
The following table shows the differences and similarities among these implicit groups and their associated fields.
Implicit group | Group ID | Associated default field name | Field ID | Core field? | Associated field contents |
|---|---|---|---|---|---|
Submitter | 3 | Submitter | 2 | Yes | User name |
Assignee | 4 | Assigned To | 4 | Yes | User name |
Assignee Group | 7 | None | 112 | No | User, group, or role names |
Dynamic groups | 60000-60999 | None | 60000-60999 | No | User, group, or role names |
You can also grant parent groups row-level access. For information, see Controlling access to requests for hierarchical groups.
Fields with row-level security in searches are handled differently than regular fields to ensure that indexes (if used) are used properly and performance is not impacted.
For example, a form might contain two fields (Field1 and Field2) and two dynamic groups (DynamicGroup1 and DynamicGroup2). DynamicGroup1 controls access to Field1, and DynamicGroup2 controls access to Field2.
A user (not an administrator) performs a search with the following qualification:
'Field1' != $\NULL$ OR 'Field2' != $\NULL$The following SQL WHERE clause is used in the search:
(Field1 is not NULL OR Field2 is not NULL)
AND (user is member of DynamicGroup1)
AND (user is member of DynamicGroup2)
If regular fields were used, the following SQL WHERE clause would be used:
(Field1 is not NULL AND (user is member of DynamicGroup1))
OR (Field2 is not NULL AND (user is member of DynamicGroup2))
Comments
Log in or register to comment.