But only if they have permissions to it correct? (even though it's hidden).
Lisa -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Boyd, Rebecca E. Sent: Tuesday, June 22, 2010 2:39 PM To: arslist@ARSLIST.ORG Subject: Re: 7.5 Mid Tier Object List Question If they know the form name, they still can get to it by creating an artask as described below or by using the following syntax: http://<server name>:8080/arsys/forms/<server name>/<Form Name> -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Chuck Sent: Tuesday, June 22, 2010 2:11 PM To: arslist@ARSLIST.ORG Subject: Re: 7.5 Mid Tier Object List Question Object list is a Normal Remedy Form, maybe you can go in and customize the form... On Jun 22, 12:55 pm, "Boyd, Rebecca E." <boy...@wfu.edu> wrote: > "Security by Obscurity" is exactly the term my people used. > > For example, one of my support staff users, not an admin, located > SYS:Status Transition Rules and was able to modify it. > > BMC said if I modified these forms in any way I risked breaking > something else. > > I find myself in a bit of a predicament. My people say "fix it" and > BMC says "don't change it." > > > > -----Original Message----- > From: Action Request System discussion list(ARSList) > > [mailto:arsl...@arslist.org] On Behalf Of LJ LongWing > Sent: Tuesday, June 22, 2010 1:10 PM > To: arsl...@arslist.org > Subject: Re: 7.5 Mid Tier Object List Question > > Rebecca, > This is a security model I have often referred to as 'Security through > Obscurity'....which is obviously not security at all....putting a tarp > over something sitting in an open field doesn't mean someone can't get > to it....just that they can't see it without first pulling the tarp > off....same thing with hiding fields on a form...they can always still > pull a report on the field and get its contents, the only way they > can't get its contents is if they don't have access to it via > permissions....your security people MAY have a right to be upset...if > the data in question shouldn't be made available to the users. > Now....don't confuse access to the form with access to the > row/field...you can have access to a form, but if you have row level > access setup to restrict access to all records except those they > should have access to, then there is no issue.... > > -----Original Message----- > From: Action Request System discussion list(ARSList) > [mailto:arsl...@arslist.org] On Behalf Of Boyd, Rebecca E. > Sent: Tuesday, June 22, 2010 9:47 AM > To: arsl...@arslist.org > Subject: Re: 7.5 Mid Tier Object List Question > > When some of my users discovered they could see - & in some cases > modify > - lots of forms using the API interface, they raised a concern. My > security people are not happy. This is what BMC sent me from internal > KB > 20021753: > > ================ > > The User form has Public hidden permission. > While using the User tool, a user without Administrator access cannot > open the User form. > When using the Web tool, the user can open the form. > > Is this a bug or do we need to build workflow to prevent users from > accessing User form on the web? > > ================ > > The web behavior is not a bug, is normal. > > Permission and Visibility are two different things (although we tend > to club them together): > > Permission: Whether a User can access an object or not / pull up data > from it or not. > Visibility: Whether a User can see the object in the Object List or not. > > For example if a Form has Public-Hidden permissions details attached > to it. > This means they can pull up data from it / open it but it won't be > visible in the Object List. > If you use the Mid-Tier object list, you will find that it too shows > the same behavior as the User Tool object list. > > Q. But is it possible to open up forms in User Tool like Mid-Tier > which have public hidden permissions? > > A. Well actually you can. Here are the steps > > 1) Open up the Object List in User Tool. > 2) Right click any form name and select "Create Shortcut" > "Search > Form" > 3) Save the task file somewhere. > 4) Open the ARTask file in notepad > 5) Change the Name = <Form Name> to the form name you want to open > example Name = User > 6) Save and Double Click to open the form. > > -----Original Message----- > From: Action Request System discussion list(ARSList) > [mailto:arsl...@arslist.org] On Behalf Of Kemes, Lisa > Sent: Tuesday, June 22, 2010 11:26 AM > To: arsl...@arslist.org > Subject: Re: 7.5 Mid Tier Object List Question > > Looks like the original post did not come through which I was > referring to. > > Amanda Pierce asked (back in Jan of 2010): > > I have imported the Mid Tier Object List form/workflow, when I log in > as a regular user with restricted permissions I can see ALL forms even > if I don't have permission to view them i.e AR System forms. > > Is there any way to restrict the visibility of these forms the same > way the client does based on Permission Visible/Hidden? > > Lisa > > -----Original Message----- > From: Action Request System discussion list(ARSList) > [mailto:arsl...@arslist.org] On Behalf Of Kemes, Lisa > Sent: Tuesday, June 22, 2010 11:24 AM > To: arsl...@arslist.org > Subject: Re: 7.5 Mid Tier Object List Question > > Has anyone been able to figure this out? Looks like the only forms > that show up on this list is the ones with Public Permissions. We > want it to act just like the Object List on the client (where the > customer can only see the forms that they have access to). > > Also, is there an easier way for the midtier customer to get to the > object list other than an entry link or adding a button on every > single form that takes them to the MidTier Object List Form? > > We enabled the "Enable Object List" setting on the Midtier > configuration, but it appears that enabling on the MidTier server is > sort of an error trap. > The MidTier will bring up the Object List if a bad URL is entered. > > I can't get this to work even if I try to use a "bad URL" (whatever > that > is!) > > I really hope this is one thing that gets taken care of in MT 8.0! > > Thanks! > > Lisa > > Midtier 7.5 p4 > ARS 7.1 p7 > Oracle 10g > > -- > View this message in > context:http://ars-action-request-system.1093659.n2.nabble.com/7-5-Mid > -Tier-Obje ct-List-Question-tp4469645p5209293.html > Sent from the ARS (Action Request System) mailing list archive at > Nabble.com. > > ______________________________________________________________________ > __ > _______ > UNSUBSCRIBE or access ARSlist Archives atwww.arslist.orgattend > wwrug10www.wwrug.comARSlist: "Where the Answers Are" > > ______________________________________________________________________ > __ > _______ > UNSUBSCRIBE or access ARSlist Archives atwww.arslist.org attend > wwrug10www.wwrug.comARSlist: "Where the Answers Are" > > ______________________________________________________________________ > __ > ____ > ___ > UNSUBSCRIBE or access ARSlist Archives atwww.arslist.org attend > wwrug10www.wwrug.comARSlist: "Where the Answers Are" > > ______________________________________________________________________ > __ > _______ > UNSUBSCRIBE or access ARSlist Archives atwww.arslist.org attend > wwrug10www.wwrug.comARSlist: "Where the Answers Are" > > ______________________________________________________________________ > _________ UNSUBSCRIBE or access ARSlist Archives atwww.arslist.org > attend wwrug10www.wwrug.comARSlist: "Where the Answers Are"- Hide > quoted text - > > - Show quoted text - _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: "Where the Answers Are" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: "Where the Answers Are" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: "Where the Answers Are"
