Access control overview
This section describes user and group access, role-based access, multitiered access, and how licensing affects access control.
- User and group access overview
- Role-based access overview
- Multitiered access control model
- How licensing affects access control
Keeping information secure can be a major undertaking in client/server environments. It is sometimes a balancing act for administrators. You want to rigorously control who can access data, yet you do not want security to be so complex that it intrudes on your user community or is difficult for you to implement or maintain.
BMC Remedy AR System enables you to meet these seemingly opposing security goals. It enables you to control which users can access data and perform certain actions such as modifying a request or triggering an active link. User access is determined by these conditions:
- The groups to which users belong
- The licenses users are granted
BMC Remedy AR System uses a multitiered approach to control access at these points:
- Form (or table)
- Field (or column)
- Active link and active link guide
- Request (or row)
This approach provides a wide range of control over data access, enabling you to restrict access broadly at the highest levels (server and form) and narrowly at the request and field levels. Because you can refine your data access criteria so precisely, you can use a single form for many different purposes simply by setting the appropriate permissions.
When users start an BMC Remedy AR System client, they must enter a user name and a password, which are checked against every AR System server with which the client is trying to connect. After a connection is made, each request that goes between the client and the server has the current user name and password checked to verify that the values are still valid.
In addition to having a unique user name and password on a server, every user is a member of zero or more groups. Groups are defined and maintained with the Group form, where each record is a different group definition. For example, there might be groups defined for First-Level Support, Back-Line Support, and Support Management. Groups are used to control information access to forms, requests, fields, and active links/guides. As a practical matter, most users are likely to belong to the Public group.
You could use group access to forms so that a particular form is visible to users in the Support Management group, but not to users in the First-Level Support and Back-Line Support groups. For a particular form, an administrator can determine that certain requests are accessible only by members of one group and that other requests are accessible by members of a different group.
In addition, every field on a form has access control. You set field permissions when you define the field properties in BMC Remedy Developer Studio. Each field can have a list of groups that can view the field and the data entered into it. Some or all of the groups with View permission might also have "change" access so that they can enter and modify the data. If a user opens a form on his or her workstation and the groups he or she is a part of do not have View access to some of the fields, those fields are not displayed on the form. A field can also be visible to users or hidden so that it is accessible only through workflow.
Finally, each active link and active link guide has its access control assigned when it is created. A user who has access to an active link does not automatically have access to the field associated with it. Similarly, a user who has access to a guide does not automatically have access to the active links in the guide.
Access control in BMC Remedy AR System is additive. That is, each user starts out with no access permissions; administrators then add permissions as needed. In this way, BMC Remedy AR System implements strict access control. Administrators must make a conscious decision to grant access to specific groups on a case-by-case basis. However, if desired, the default permissions can be changed.
Only BMC Remedy AR System administrators or subadministrators can modify security parameters.