Irina,
I would recommended cleaning everything up and moving to a multi-tenancy model. Unrestricted Access should be used sparingly and shouldn't be given to everyone. I normally treat that as an admin function or for auditing. Multi-tenancy is exactly what you are asking for and is out of box functionality, no customizations required. If you try to customize a solution now you will probably regret it in the future. What happens when facilities or security want to come on board and have the same data restriction requirements? Don't over think it and make a complicated solution. Too many developers destroy systems by coming up with solutions that out of box functionality can handle. Think of patches, upgrades, onboarding new customers. Brian ________________________________ From: Action Request System discussion list(ARSList) <[email protected]> on behalf of Murnane, Phil <[email protected]> Sent: Friday, April 21, 2017 8:14:09 AM To: [email protected] Subject: Re: How to "split" Unrestricted Access ** Hello Irina, Most HR applications I've seen store their records in separate tables from non-HR records, partly to make the security scheme simpler. If this is not an option for you, I can think of one solution but it's not a good one at all: add two filters to the Incident form that fire On Get. The first checks for membership in the "HR Incidents" group and stores the result of the check in a display-only field. The second sets the value of all fields to null if the membership check fails. This is very ugly because of 1) the extra load on the system to process all the On Get actions and 2) because a query would still know that a record exists, but would not know the content of the record. Also, the OOB workflows will need a lot of fix-up. FWIW, --Phil ________________________________ From: Action Request System discussion list(ARSList) <[email protected]> on behalf of Irina Solarcuka <[email protected]> Sent: Friday, April 21, 2017 5:18 AM To: [email protected] Subject: Re: How to "split" Unrestricted Access ** Hi, The issue is that all support groups members has unrestricted access and I can't remove that. It is a reason why I need "another unrestricted access" that allows to HR people to see only their incidents. At the same time I need to limit an existing Unrestricted Access so that people can see only non-HR incidents. BR, Irina 2017-04-21 11:33 GMT+03:00 Chris Jones <[email protected]<mailto:[email protected]>>: ** Hi Irina, Another option for you to consider is using parent groups to control access to multiple companies, etc. https://docs.bmc.com/docs/display/public/ars81/Using+a+parent+group+for+permissions+inheritance Maybe you could create an HR parent group and grant access to that so HR people are granted access to anything within this parent group? Regards, Chris Chris Jones, Director www.aramea.co<http://www.aramea.co/> From: Action Request System discussion list(ARSList) [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Irina Solarcuka Sent: 21 April 2017 05:34 To: [email protected]<mailto:[email protected]> Subject: How to "split" Unrestricted Access ** Hi, I would like to "split" Unrestricted Access in two parts - HR Unrestricted Access and Unrestricted Access for the other incidents. Is it possible? I've created an additional field in CTM:People form called HR Unrestricted Access, an additional Role and group with the same name. I can't use multi-tenancy since we have a mix of customers and support companies. Each support company can support each customer. I can't remove Unrestricted access from all the users that have that because of the same reason.. Any help is appreciated BR, Irina _ARSlist: "Where the Answers Are" and have been for 20 years_ ________________________________ [Avast logo] <https://www.avast.com/antivirus> This email has been checked for viruses by Avast antivirus software. www.avast.com<https://www.avast.com/antivirus> _ARSlist: "Where the Answers Are" and have been for 20 years_ _ARSlist: "Where the Answers Are" and have been for 20 years_ _ARSlist: "Where the Answers Are" and have been for 20 years_ DISCLAIMER: The information contained in this e-mail and its attachments contain confidential information belonging to the sender, which is legally privileged. The information is intended only for the use of the recipient(s) named above. If you are not the intended recipient, you are notified that any disclosure, copying, distribution or action in reliance upon the contents of the information transmitted is strictly prohibited. If you have received this information in error, please delete it immediately. _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
