Using the Request ID field to control access


Using implicit groups to control access to requests is an efficient method of access control within BMC Helix Innovation Suite. The Request ID field plays a key role in access control. To see a request, a user must belong to a group with permission for its Request ID field.

Defining access to requests at the user level

You can use the Request ID field with implicit groups to link access control to a user's login name to achieve the following goals:

  • To grant access to submitters or assignees to their requests on a single-user basis, grant the Submitter and Assignee groups permission to the Request ID field.
  • To grant access to other users, grant the Assignee Group or dynamic groups access to the Request ID field. Make sure that you also add field ID 112 (the Assignee Group field) or the correct dynamic group fields to the form.
  • To grant access to requests for hierarchical groups, use the Dynamic Permissions Inheritance form property. See Controlling access to requests for hierarchical groups.

If you are using a user's login name to assign access, remember the following tips:

  • In the Submitter or Assigned To fields, enter the user's login name without quotation marks.
  • In the Assignee Group or dynamic group fields, enter the user's login name in single quotation marks.
    If the login name itself contains a single quotation mark, add another single quotation mark immediately after it. For example, a login name such as Dan O'Connor must be entered as 'Dan O''Connor'.

Defining access to requests at the group level

Unlike Submitter and Assignee access, Assignee Group and dynamic group access can extend access control on a conditional basis by using explicit group and role membership.

To permit multiple user, group, and role names in the Assignee Group field and dynamic fields, perform the following steps:

  1. Log in to Mid Tier and open the AR System Administration Console.
  2. Navigate to the Configuration tab of the Server Information form.
  3. Select Enable Multiple Assign Groups.
  4. To enter users, groups, and roles, use the following syntax: 'user 1';'user 2';groupID;roleID;role
    For example, to add users Dan O'Connor and Mary Manager, group ID 12000, role ID -9000, and role Managers, separate the entries with semicolons (;):
    'Dan O''Connor';'Mary Manager';12000;-9000;Managers

If a group and role have the same name, the role name is assumed. For example, if a dynamic field contains Managers;Sales, AR System assumes the Managers and Sales roles, if they exist; otherwise, AR System assumes the Managers and Sales groups. For more information about all settings in the AR System Administration: Server Information form, see Configuring AR System servers.

Assignee Group and dynamic group permissions to the Request ID field combined with the contents of the Assignee Group field or dynamic group fields determine who can see the request. If a group or role to which the user belongs is in the Assignee Group or dynamic group field for a request, that user is given whatever access privileges you defined for the Assignee Group or dynamic group, as shown in the following figure:

Figure: Controlling access to requests by using row-level security (Using the Request ID field with implicit groups).
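The quoting rule, the semicolon-separated syntax and the same-name rule described above, as an added Python sketch that is not BMC code: it builds and parses an Assignee Group field value and checks whether a user matches one of its entries. The function names and the membership arguments of `can_see` are assumptions made for illustration, and the check models only the field contents, not the Request ID field permission that must also be granted.

```python
import re
SAMPLE = "'Dan O''Connor';'Mary Manager';12000;-9000;Managers"  # example from the page

def quote_login(login):
    """Quote a login name for the Assignee Group or a dynamic group field."""
    return "'" + login.replace("'", "''") + "'"

def build_field(logins, others=()):
    """Join quoted logins and unquoted IDs or names with semicolons."""
    return ";".join([quote_login(n) for n in logins] + [str(o) for o in others])

def parse_field(value):
    """Return (kind, value) pairs: 'user', 'id' (group or role ID) or 'name'."""
    raw, buf, quoted, in_quote, i = [], [], False, False, 0
    while i < len(value):
        ch = value[i]
        if in_quote and ch == "'" and value[i + 1:i + 2] == "'":
            buf.append("'")          # doubled mark = literal quotation mark
            i += 1
        elif ch == "'":
            in_quote, quoted = not in_quote, True   # opening or closing mark
        elif ch == ";" and not in_quote:
            raw.append((quoted, "".join(buf)))      # separator outside quotes
            buf, quoted = [], False
        else:
            buf.append(ch)
        i += 1
    if in_quote:
        raise ValueError("unterminated quotation mark")
    raw.append((quoted, "".join(buf)))
    out = []
    for was_quoted, text in raw:
        if was_quoted:
            out.append(("user", text))
        elif re.fullmatch(r"\s*-?\d+\s*", text):
            out.append(("id", int(text)))
        elif text.strip():
            out.append(("name", text.strip()))
    return out

def can_see(value, login, ids, roles, groups, defined_roles):
    """Match one user's login and memberships against a field value (assumed model)."""
    for kind, v in parse_field(value):
        if (kind == "user" and v == login) or (kind == "id" and v in ids):
            return True
        # Same-name rule: a name that exists as a role means the role.
        if kind == "name" and v in (roles if v in defined_roles else groups):
            return True
    return False
```

Because a name that exists as a role is read as the role, a user who belongs only to a group called Managers does not match the `Managers` entry when a Managers role is also defined.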

 
