Brian,

There is a security difference between read and change access to a field. There is not a security difference between visible and hidden access to a form. (Both gain you the same access to the form.) The only thing that "Hidden" form access does is not show the form in the User Tool's "Object List". (BTW: Also applied to "Entry Point" logic in the Application List field too, but those things are really functional equivalents of each other. Just different UI.) "Hidden" forms ARE "visible" at the API level based on the user's access to the form. It is just that the client knows to not show it in that one list.

Would it be a nice feature for Remedy to add the ability for a form to only be listed to users that have visible access to the form? Sure. But that SHOULD NOT change how Hidden access to existing forms is handled.

What you're asking for is a very big change in the model and it should be enforced at an API level, not at a client UI level. (IMHO) It should be a feature of the system (form level) model. Many ARS API functions would be affected. (To be able to search the form is still required as it is required for data access. But to not _show_ the form name in any getListSchema calls, to normal users, would have some advantage.) However, not listing the form really would not stop someone from changing data in the form once they know the name of it and have change access to the field(s) in question.

NOTE: This feature would not actually provide security. It would only add a layer of obscurity. Which would be very weak as the form name would be in the cached objects in the User Tool anyway. (Just look at what the client caches about a menu. The form name is right there. :)

Your best bet is (at this point) to create some window open active links that would auto close the form for the users that are not allowed (in your rule, have visible access to the form) to open the form. This would not block setEntry calls from the API, but it would make the User Tool and the Mid-Tier do what you want them to do. And you can do it right now.

--
Carey Matthew Black
Remedy Skilled Professional (RSP)
ARS = Action Request System(Remedy)

Solution = People + Process + Tools
Fast, Accurate, Cheap.... Pick two.
Never ascribe to malice, that which can be explained by incompetence.

On 4/19/06, Brian Bishop <[EMAIL PROTECTED]> wrote:
> Axton,
>
> I have to disagree with you. If I want a form to hold data which menus will be built from, I don't want anybody being able to change the data except those given access to the form, like APP-Administrator.
> But to allow menus to be built for all users I have to give access to them to the actual data. Hence using Public Hidden access on the form. How can you explain away the word "hidden" if a macro will quite happily make it visible!
>
> All it is hiding it from is the list of forms on the Object List.
>
> Brian Bishop
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Axton
> Sent: 19 April 2006 17:38
> To: [email protected]
> Subject: Re: Hidden permissions
>
> Hidden does not imply any type of security whatsoever. If you really need to protect/restrict something then revoke/apply the permissions appropriately. Same goes for fields as well.
>
> Axton Grams
>
> On 4/19/06, Brian Bishop <[EMAIL PROTECTED]> wrote:
> > Hi Sarah,
> >
> > This issue is also applicable to the User Tool. If you write a macro to open a form, as a basic user, and then amend the macro to open a form with just "Public Hidden" access it will open and give you access to the data. I raised this as a security issue with Remedy but was told it was "as designed" so had to raise an enhancement requesting the facility to be able to create forms that users can access data in but not be able to open.
> >
> > Mind you I thought that was what hidden forms were!!
> >
> > Brian Bishop
> >
> > From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Evans, Sarah (Outsourcing)
> > Sent: 19 April 2006 10:18
> > To: [email protected]
> > Subject: Hidden permissions
> >
> > Hi
> >
> > I've found on the product defects this:
> >
> > ID SW00222152: It is still in the status of New.
> >
> > The form can still be accessed through Mid-Tier directly if Hidden permissions are set on the form.
> >
> > Has the person who logged it heard anything back from Remedy? If so what did they say?
> >
> > Also anyone at Remedy is there a time estimate for this fix?
> >
> > Thanks
> >
> > Sarah

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at http://www.wwrug.org
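
Added example, not part of the original thread or of Remedy's code: a toy Python model of the behaviour discussed in this thread, where Hidden form access only affects what a client lists and field-level change permission is what actually blocks writes. The class, method and form names are hypothetical and do not correspond to the ARS API; the sample data is constructed.

```python
# Toy model of the behaviour described in the thread; NOT the ARS API.
# Class, method and form names are hypothetical; the data is constructed.

class Form:
    def __init__(self, name, form_access, field_access, entries):
        self.name = name
        self.form_access = form_access    # group -> "visible" | "hidden"
        self.field_access = field_access  # field -> {group: "read" | "change"}
        self.entries = entries            # entry id -> {field: value}

class Server:
    def __init__(self, forms):
        self.forms = {f.name: f for f in forms}

    def list_forms_for_ui(self, groups):
        # The only place "hidden" matters: the list a client displays.
        return sorted(n for n, f in self.forms.items()
                      if any(f.form_access.get(g) == "visible" for g in groups))

    def _open(self, name, groups):
        form = self.forms[name]
        # Visible and hidden grant the same access to the form itself.
        if not any(g in form.form_access for g in groups):
            raise PermissionError("no access to form")
        return form

    def get_entry(self, name, entry_id, groups):
        form = self._open(name, groups)
        return {k: v for k, v in form.entries[entry_id].items()
                if any(g in form.field_access.get(k, {}) for g in groups)}

    def set_entry(self, name, entry_id, values, groups):
        form = self._open(name, groups)
        for k in values:
            perms = form.field_access.get(k, {})
            # Field-level change permission is the real control.
            if not any(perms.get(g) == "change" for g in groups):
                raise PermissionError(f"no change access to field {k!r}")
        form.entries[entry_id].update(values)

def build_server(public_field_perm):
    # Constructed sample: a menu-data form with Public Hidden form access.
    form = Form("Sample:MenuData",
                {"Public": "hidden", "APP-Administrator": "visible"},
                {"Label": {"Public": public_field_perm,
                           "APP-Administrator": "change"}},
                {1: {"Label": "Hardware"}})
    return Server([form])
```

With `build_server("read")` a Public user can read the menu data by form name but cannot change it; with `build_server("change")` the same user can write to the form even though it never appears in their form list.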

