×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')

This documentation supports the 20.02 version of Remedy Action Request (AR) System.

To view an earlier version, select the version from the Product version menu.


Remedy Action Request System 20.02 ... Administering Security administration Access control Access to requests

Using the Assignee Group and dynamic groups--Examples

Use Assignee Group access, dynamic group access, or both to set up permissions so that users have conditional access to requests.

Imagine that you are working for Acme Outsource Help Desks, Inc. Three computer companies hire you to manage all of their help desk responsibilities. For security reasons, each computer company must not know about the existence of the other two. Therefore, you must create one form all three companies can use, but allows each company to see only the requests they create.

Explicit groups for each company have already been created, and each user belongs to one of these company groups.

To use the Assignee Group to control access to requests

  1. Create the groups (or roles) and users to which you want to assign access. In this example, the four groups are:
    • Acme Help Desk Staff (who will have access to all requests)
    • Beta Computers
    • Gamma Computers
    • Delta Computers
      Beta Computers, Gamma Computers, and Delta Computers users must belong only to their company group. Acme employees can be members of more than one group.
  2. Create a form, and give the appropriate groups Visible permission for it.
    For example, giving the Public group Visible permission for the form enables all of the users to see it.
  3. Add Assignee Group access to the form.
    The Assignee Group capabilities of BMC Remedy AR System are activated when you add a character field to the form with field ID 112 and a database input length of 255.

  4. Restrict access to the necessary requests.
    Because only groups or roles with permission for the Request ID field can access a request, restricting access to the Request ID field is the key to restricting access to a request. In this example, the Acme Help Desk Staff and the Assignee Group groups have the appropriate permissions for the Request ID field, as shown in the following figure.

    Field permissions for the Request ID field
    (Click to expand the image.)



    With Assignee Group access, a user from Beta Computers can submit requests, and anyone from Beta Computers can query them. However, no one from Gamma Computers or Delta Computers can query Beta Computer's requests.

    Note

    You might want to give permissions to a single group to begin with and submit a sample request to determine if any group other than the designated group can access it.

  5. Add workflow that inserts at least one explicit group, role, or user name into field ID 112 according to the business rules at your site. If Enable Multiple Assign Groups is selected on the Configuration tab of the BMC Remedy AR System Administration: Server Information form, you now can enter more than one explicit group, role, or user name into field ID 112. For sample syntax, see Defining access to requests at the group level.
    For more information about all settings in the BMC Remedy AR System Administration: Server Information form, see Configuring AR System servers.
    Because field ID 112 is designed for administrators and your help desk staff, deny access for most groups to this field. You can define a filter to set the contents of this field and use an active link Change Field action to allow your help desk staff to see and change the field as needed. 
    If you must change the group or role in the field, field ID 112 includes system-defined menus of all groups on the server and roles in the application (if the form is owned by a deployable application). Administrators can override these menus in Remedy Administrator as needed. Users without administrative privileges can only see groups they are assigned to in the User form Group List menu. 
    In the example, Acme allows access to its service call database from a browser but limits users to view only requests submitted by members of their company. An access control group was created for each different company name, and a filter that copies the company name into field ID 112 (labeled Assignee Group in the following figure) executes when users submit requests.

    Using Assignee Group access in workflow
    (Click to expand the image.)



    When the filter executes, the Assignee Group for this request is Beta Computers.
    You also could have created individual filters, one that enables Beta Computers to see their requests, another that enables Gamma Computers to see their requests, and so on. Use appropriate filter qualifications to make sure that only users from the Beta Computers group can execute the filter, set field ID 112 to "Beta Computers," and so on. For more information about creating and using filters, see Introducing workflow.
  6. Change the permissions of other fields in the form to grant access as needed. Include the Assignee Group where appropriate.

As a result of carefully defining access control in your system, when members of Acme Outsource Help Desks search all open help desk requests, they see a results list that includes requests submitted by Beta, Gamma, and Delta Computers. In contrast, if users from Delta Computers perform the same search, they see only the requests where Delta Computers is the Assignee Group (that is, the requests submitted by anyone at Delta Computers).

To use a dynamic group to control access to requests

  1. Create the groups (or roles) and users to which you want to assign access.
  2. Create a dynamic group in the Group form.
    For example, create a group called Dynamic Access with a group ID of 60001.
  3. Create a form, and give the appropriate groups Visible permission for it.
  4. Add a character field to the form with field ID 60001, the same ID number as the dynamic group ID.
  5. Restrict access to requests in the form by granting the group Dynamic Access permission to the Request ID field.
  6. Add workflow that inserts at least one explicit group name or ID, role name or ID, or user name into field ID 60001 according to the business rules at your site. If Enable Multiple Assign Groups is selected on the Configuration tab of the BMC Remedy AR System Administration: Server Information form, you can enter more than one explicit group, role, or user name into field ID 60001. For sample syntax, see Defining access to requests at the group level.
    For more information about all settings in the BMC Remedy AR System Administration: Server Information form, see Configuring AR System servers.
    Like field ID 112, dynamic group fields can be modified manually. They include system-defined menus of all groups on the server and roles in the application (if the form is owned by a deployable application). Administrators can modify these menus as needed.
Was this page helpful? Yes No Submitting... Thank you
Last modified by Anagha Deshpande on Oct 12, 2020
roles workflows groups permissions ids security dynamic requests assignee

Comments

Log in or register to comment.

Using the Request ID field with implicit groups
Controlling access to requests for hierarchical groups
© Copyright 1991-2021 BMC Software, Inc. © Copyright 1991-2021 BladeLogic, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.