Thank you both for the responses. It is good to know that I am not completely crazy. Robert, you may be on to something with the Mid-Tier user, especially if there isn't any SQL that limit the results to a real user's group list. I didn't get a chance today to work on it but post my results once I do. I have a coworker with a custom 6.3 p21 system and he mentioned that he has a flashboard that appears to be respecting the row level access but we are going to verify.
Here is some more detail regarding the scenario: We will have multiple contractors who are responsible for different sites using our system. They should not be able to see each other's areas of responsibility (they should not be able to use the data in the system to their bidding advantage against competitors, volume of tickets, time to resolve, etc). To support this there are two dynamic groups "AC_WriteAccess" <60001> and "AC_ReadAccess" <60002> and corresponding fields on the HPD:HelpDesk and SHR:ConsolidatedList forms. These groups have permissions to field '1' on both HPD:HelpDesk and SHR:ConsolidatedList (as well as Assignee, Submitter and some supervisory groups who see all tickets (yes I checked that my test user does not meet any of that criteria)). We are only actively using AC_WriteAccess but AC_ReadAccess is there (a similar setup as CMDB/AM. I have a filter on the Help Desk that sets 'AC_WriteAccess' = $Assigned To Group+$ when the value of 'Assigned To Group+' <240000006> changes. I added to AC_WriteAccess to the 2 filters that push to SHR:ConsolidatedList (one on Submit and one on Modify). This all works well in the 'Support Requests' <260000000> table on the "Remedy Support" form without any modifications. My expectation would be that the flashboards on the Remedy Support form would also only reflect the requests that the user has permissions to without any modifications. I realize that I could update the FB's to query the user's group list but my current mission is to see if I am seeing the as designed behavior or is this a bug. This may be a good gotcha to know about when designing flashboards. Thanks again, Jason From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Robert Molenda Sent: Monday, September 10, 2007 2:41 PM To: [email protected] Subject: Re: Row level access with flashboards ** Interesting question!! I'm on 7.0.1 Patch 1, and did some testing with the HPD:Incident Management Console (and the management view within), and taking API+SQL Traces, the queries executed as defined by FB Variables, without any "extra" sql attached, (Field 1, 3, 112, 60000. restrictions).. It also executes as the user context 'Mid-tier', which is the internal account, so it might be thought of as an "Administrator" level account. I was hoping to find an "Impersonate User" entry in the API Log, but alas, none was found. (hum, that IS logged right??) I DID see where Mid-Tier was getting the user's group list, etc but nothing was in the SQL Query. I will (as Joe is going to do as well), perform some additional testing, because that is an interesting conundrum of data-access. Thanks-n-advance; HDT Platform Incident / Problem Manager & Architect Robert Molenda IT OS PA Tel: +1 408 503 2701 Fax: +1 408 503 2912 Mobile: +1 408 472 8097 [EMAIL PROTECTED] Quality begins with your actions. _____ From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Joe D'Souza Sent: Monday, September 10, 2007 12:07 PM To: [email protected] Subject: Re: Row level access with flashboards Hello Jason, I don't really have an answer to what you are facing but in case you do hear something about what you have observed, please do let us know. Its a nice to know sort of thing.. I may have time over this week to simulate what you are seeing so if you can give me a test case scenario of what you are seeing I'll check to see if I can replicate that on my free time. I am however on a slightly different patch level - ARS 7.0.1 P3.. Soon I intend to upgrade to 7.1 as its a dev/test system, so could check on both these versions. Cheers Joe -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] Behalf Of Jason Miller Sent: Friday, September 07, 2007 6:50 PM To: [email protected] Subject: Row level access with flashboards ** Hi all, I noticed a strange behavior with flashboards and row level access. I am working with the OOTB Remedy Support console in ITSM 6. I have added row level access on the various forms (Help Desk, Change, Task) and those permissions are pushed to the SHR:ConsolidatedList record. The problem is if I login as a user who can only see a limited set of records I still see all of the groups and their record counts in the By Group flashboard ('Flashboard2'). This user should not have any knowledge of who the other groups are in the system and their ticket volumes. I know the row level permissions are working on the SHR:ConsolidatedList form (also where the FB data is coming from) because the user only see the correct records in the table field. Do flashboards recognize row level access? Is this a bug? As designed? Thanks, Jason ARS 7.00.01 p2 ITMS 6 CMDB 1.1 p3 MS SQL App/DB/MT on Win 2003 IIS 6 __20060125_______________________This posting was submitted with HTML in it___ __20060125_______________________This posting was submitted with HTML in it___ _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org ARSlist:"Where the Answers Are"
