This documentation supports the 19.02 version of Remedy IT Service Management Suite.

To view the latest version, select the version from the Product version menu.

Row-level security

The BMC Remedy ITSM applications use row-level security (RLS), a BMC Remedy Action Request System feature to control access to BMC Remedy ITSM ticket data. For a detailed description of the BMC Remedy AR System RLS feature, see  Controlling access by using implicit groups: Row-level security

RLS feature of BMC Remedy ITSM enables you to categorize tickets into different typesBMC Remedy ITSM ticket data access is granted to individuals (for example, submitter, on behalf of, and assignee) and support groups associated with a ticket. This restricts ticket data access to only those users who require it. 

Using the hierarchical groups, you can extend the ticket access. For example, you can extend the ticket access to the entire IT Staff group and restrict the access to non-IT staff in a company. For details on hierarchical groups, see Hierarchical groups: Using a parent group for permission inheritance.

Related topics

BMC Remedy ITSM data access model

Hierarchical groups: Using a parent group for permission inheritance

Controlling access by using implicit groups: Row-level security

Multi-tenancy

Working with Configuration Items

Row-level access: Permissions defined on Request ID

Every form defined in BMC Remedy AR System contains a set of core fields. The Request ID core field has a unique field ID of 1. The BMC Remedy AR System uses the permissions defined on the Request ID (Field ID 1) field to determine who should have access to a ticket. The following permissions are defined on most BMC Remedy ITSM forms. Individual or groups defined under these permissions can access a ticket.

Request ID permissionDetails
Assignee (field 4)Individual who is assigned a ticket.
Submitter (field 2)Individual who submitted a ticket.
Assignee Group (field 112)

Individuals and groups to whom the ticket is assigned.

For a detailed description of data contained in this field, see BMC Remedy ITSM application usage of Assignee Group (field 112) field.

Assignee Group Parent (field 60989)Parent group of the Assignee Group. For details, see Hierarchical groups: Using a parent group for permission inheritance.
Unrestricted access (role)Individuals with this role.
Vendor Assignee Group (field 60900)

A group or individual defined in this field has access to a ticket. This field is left blank for all BMC Remedy ITSM applications and is meant for customer use. Customers can write their own workflow to populate this field for any additional data access requirement.

Vendor Assignee Group Parent (field 60901)Parent group of the Vendor Assignee Group. For details, see Hierarchical groups: Using a parent group for permission inheritance.

Example

Allen creates an Incident Management ticket with the following details:

  • Customer: Allen
  • Direct Contact: Ian
  • Assigned Group: Backoffice Support (Parent of Backoffice Support is IT Data Access)
  • Owner Group: Service Desk (Parent of Service Desk is IT Data Access)

Who can access the ticket?

  • Allen (Customer)
  • Ian (Contact)
  • Members of Backoffice Support, Service Desk, and IT Data Access (Assigned support group, Owner support group, parent of Assigned and Owner support groups)

As RLS can further be rolled up using the hierarchical groups, in this example, IT Data Access group being a parent of Backoffice Support and Service Desk can access the ticket.

Assignee Group (field ID 112) values for various BMC Remedy ITSM applications

Individuals and groups mentioned in field 112 have access to ticket data. The table below lists the individuals and groups included in field 112 for various BMC Remedy ITSM applications.

BMC Remedy ITSM applicationForm nameField 112 includes
Incident Management

HPD:Help Desk

  • Customer Login ID
  • Contact Login ID  
  • Assigned Support Group ID  
  • Owner Support Group ID
Problem Management

PBM:Problem Investigation

  • Assigned Support Group ID
  • Problem Coordinator Support Group ID
PBM:Known Error
  • Company ID
PBM:Solution Database
  • Company ID
Change Management

CHG:Infrastructure Change

  • Requested For Login ID
  • Requested By Login ID  
  • Coordinator Support Group ID  
  • Manager Support Group ID 
  • Implementer Support Group ID
Release ManagementRMS:Release
  • Assigned Support Group ID
Asset Management


AST:PurchaseRequisition
  • Company ID
CTR:ContractBase
  • Company ID
CTR:ContractBase
  • Company ID
AST:CI Unavailability
  • Company ID

Note: For individual configuration item (CI) records, the tenancy is set by the value in the Company field on the CI, and by the Used by relationship of Company entries associated with the CI. For more details, see Working with Configuration Items.

Task ManagementTMS:Task
  • Field 112 values from a parent ticket (for example, an Incident Management or Change Management ticket) and the Assigned Support Group ID
Service Request ManagementWOI:WorkOrder
  • Customer Login ID
  • Contact Login ID  
  • Manager Support Group ID  
  • Assignee Support Group ID
SRM:Request
  • Requested For Login ID  
  • Requested By Login ID  
  • Assigned Support Group ID
Was this page helpful? Yes No Submitting... Thank you

Comments

  1. Leonard Warren

    For Unrestricted Access statement that this is a Role can be confusing to those who do not understand the difference between Functional Roles and Role. Instead of "Individuals with this role," could it read something like, "Individuals with this permission."

    Jul 29, 2019 04:07
    1. Jyoti Nerkar

      Hi Leonard,


      Unrestricted Access is neither a functional role or permission. These Roles are permissions similar to groups, except that they belong to a particular application, instead of a particular server. For more details, you can see the following topic:


      https://docs.bmc.com/docs/display/ars1902/Defining+roles

      Hope this helps.

      Thanks,

      Jyoti

      Aug 01, 2019 03:16
  2. Leonard Warren

    I am not sure that your scenario based on who can access the ticket is not 100% accurate.

    I ran a ticket in 19.02 for Incident where I put the Application Permission Model setting to Support Group and found the following results: 1. Submitter (Group ID 3/Field ID 2) - populated with my Login ID (NOTE: This would not work if Service Request Management is used as the Submitter would then be Remedy Application Server (or something like that);

    1. Assignee (Group ID 4/Field ID 4) - populated with the Customer's FULL NAME instead of their login ID. This would not work since they need to have access with a Login ID.
    1. Assignee Group (Group ID 7/Field ID 112) - listed the Support Group assigned as the Incident Assignee Group but the Incident Owner Group was no where to be found.
    1. Did not have a Vendor or Hierarchical Group (listed as Assignee Groups_parents (Field ID 60989)), so assumption is that this should work.

    The Contact field was populated but not found in the Assignee Group field for access. Not sure if the user would be able to see the ticket as a contact through Incident Request.

    Overall - - Not sure that the Assignee field utilization would work since this is the Full Name and not the Login ID. - The Owner Group was not listed within the Assignee Group field, so not sure they would be able to see the ticket unless they are also members of the Incident Assignee Group. - Found Field ID 60903 - User ID Permissions field but this field was empty. Not sure what the purpose of this field is used for at this time.

    Jul 29, 2019 04:44
    1. Jyoti Nerkar

      Hello Leonard,


      I had a discussion with the R&D team and confirmed that the field 112 contains the information the way it is mentioned on this page. Request you to contact the customer support team for assistance.


      Thanks,

      Jyoti

      Aug 22, 2019 03:28
  3. Leonard Warren

    When I ran a test on Field ID 112 with Support Group only being populated in the Application Permission Model, ONLY the Incident Assignee Group appeared in Field ID 112. Here it states the Customer Login ID, Contact Login ID, Assigned Group ID, and Owner Group ID appears. I also tested with Support Group and Company beforehand and the Company Group ID and the Incident Assignee Group appeared in Field ID 112. Nothing else. I am using 19.02. So not sure what goes into Field ID 112 at this time, but it is not what is listed here.

    Jul 30, 2019 06:57
    1. Jyoti Nerkar

      Hello Leonard,


      Thanks for your comments.

      I am discussing these comments with the R&D team, and I will get back to you on this, accordingly.


      Regards,

      Jyoti

      Aug 19, 2019 12:36
      1. Jyoti Nerkar

        Hi Leonard,


        I had a discussion with the R&D team and confirmed that the Customer Login ID, Contact Login ID, Assigned Group ID, and Owner Group ID appear in the Field 112. If an Assigned Group and Owner Group are same then the ID appears once. If the Contact ID is not added for a record then it doesn't appear in the Field 112. 

        Hope this helps.

        Please feel free to contact the customer support team in case this doesn't work for you.


        Regards,

        Jyoti

        Aug 22, 2019 03:25