I had discussed this issue with Remedy several months back and it was reported as ARSystem bug SW00221647.
 
Shweta
 
 
 


Carey Matthew Black <[EMAIL PROTECTED]> wrote:
Parikshit,

Hidden access is still permission to access. The users can open the
form in the User Tool if they are tricky enough, or if you have
workflow that does it. (not as easy as changing a URL, but not much
harder either.)

If the users have access to the data then it is not a security problem
for them to see the form or the data that they _ALREADY_ have access
to. ( If they should not see the data then look at row level access,
or other filter based ways of getting at the data.)


If you want to block people from opening a form then you could create
Window Open active links that would give an ERROR message and/or close
the form for them. ( This might be their last Mid-tier window and
might "close the browser" too. Which would make them lose their
session with the mid-tier and cause a higher incidence of "your already
connected from another IP and you can not override that address yet"
on the re-login attempts too.)

NOTE: Active links will not "protect" data from an API client. But
they could block the form from being opened in the Mid-tier client if
that is the only place that this logic should be applied. ( or in both
the User Tool and Mid-Tier if you want as well.)

HTH

ARS101


--
Carey Matthew Black
Remedy Skilled Professional (RSP)
ARS = Action Request System(Remedy)

Love, then teach
Solution = People + Process + Tools
Fast, Accurate, Cheap.... Pick two.



On 11/10/06, parikshit saxena <[EMAIL PROTECTED]> wrote:
> Hi All
>
>
> We are trying to limit the access for a particular group of users on our
> application views on mid tier 6.3.
> The issue here is that the URL can be manipulated now by any user logging
> into the application and hence all sensitive data is exposed.
> We are trying to give Hidden permissions on the critical forms for this
> group, so that data can be accessed from those, but the forms are hidden on
> the web client.
> But this doesn't seem to work here.
> Though the forms are not coming in the object list on ARUser now, they
> are still visible on mid tier (despite a cache flush).
>
> Would be grateful if someone can provide some insights on this.
>
> Regards
> Parikshit
