Did you try dynamic groups?  You also have Parent groups.  Without seeing the 
setup you have, I’m assuming you have all your support staff assigned to the 
operating company and that operating company supports your thousands of 
customer companies.


  *   I’m assuming your support staff has unrestricted access and not your 
customers.  If everything goes to one operating company and your support staff 
are set to unrestricted, I would suggest only giving your support staff access 
to the operating company.  They would still have access to everything because 
they are the only ones getting assigned tickets in the system.
  *   Your customers shouldn’t be assigned any companies unless you want them 
to see data besides their own tickets.  If that’s the case I would only assign 
them to the company they belong to.
  *   I would then set up another operating company that you want to have the 
restricted access to the assets and assign the support staff to that company 
too.  This should give you what you’re looking for and keep everything simple and 
easy to manage.
Brian


From: ARSList <[email protected]> On Behalf Of Dave Barber
Sent: Monday, July 22, 2019 8:39 AM
To: ARSList <[email protected]>
Subject: Re: Atrium and field 112

Hi Brian,

I didn't sufficiently explain; we have thousands of customer companies and only 
one operating company (we are company A, and we manage assets for thousands of 
other companies).

If the CIs were to be locked down for one company (for security/contractual 
reasons), in order to restrict some users from having visibility of one 
customer company, you would have to explicitly give them access to thousands of 
companies in order to exclude access to that one specific customer company.  
This is where the multi tenancy model completely fails - it just doesn't work 
that well in such circumstances.

Hence me wanting to amend the "Unrestricted Access" value in 
CMDBRowLevelSecurity to be a new permissions group so that we can allow only 
certain users access to these CIs.

Regards

Dave

On Mon, 22 Jul 2019 at 13:13, Brian Pancia <[email protected]> wrote:
Without a better understanding of the company structure and the rhyme and 
reason behind it, it is difficult to give a recommendation.

Why would you set up 100s of companies, assign a bunch of users unrestricted, 
and then not want to have multi tenancy set up?  These all contradict each 
other.  The fact you have multiple companies means the system is set up for 
multi tenancy.  Giving everyone Unrestricted Access essentially negates the 
multi tenancy you set up.  This is a common setup I have seen but a very bad 
one.  If you want to give everyone unrestricted access, just have one company.  
Unrestricted Access is set at field 1 level and not at field 112.  I would 
recommend setting up your permission groups/companies properly and removing 
unrestricted access from everyone.  Why put unnecessary customizations in place 
because the system is not set up properly?  Unrestricted access should be 
reserved for special users like admins and system owners.

V/R,

Brian



From: ARSList <[email protected]> On Behalf Of Dave Barber
Sent: Monday, July 22, 2019 4:58 AM
To: ARSList <[email protected]>
Subject: Atrium and field 112

All,

This is on ARS 9.1.02.

We have a range of users making use of both Atrium and Change Management.  We 
have a range of CIs uploaded against a large number of companies, and users have 
always been given unrestricted access.

A recent requirement has involved us wanting to restrict visibility of some CIs 
to specific users.  Multi tenancy would not be viable (as there are hundreds of 
companies within our system), so I had thought that replacing the value for 
"Unrestricted Access" in field 112 in Base Element for the relevant CIs with 
another permissions group, and adding that permissions group to the required 
users would have the desired effect.  It does not work - profiles without the 
new permissions group can still see the "locked down" CIs.

Has anyone else implemented anything along these lines?

Regards

Dave Barber
DISCLAIMER: The information contained in this e-mail and its attachments 
contain confidential information belonging to the sender, which is legally 
privileged. The information is intended only for the use of the recipient(s) 
named above. If you are not the intended recipient, you are notified that any 
disclosure, copying, distribution or action in reliance upon the contents of 
the information transmitted is strictly prohibited. If you have received this 
information in error, please delete it immediately.
--
ARSList mailing list
[email protected]
https://mailman.rrr.se/cgi/listinfo/arslist