Re: Yet another tenancy question...SOLVED
Okay - so this actually works if you do this: Put all people in COmpany A. This includes all of your support staff. Create a company B and C. In the Support Company Access Configuration, set company B and C as a Support company for Company A. Create support groups under company B and C. In the people records for a support group for company B, LEAVE their company on the General tab as company A. But update their access restriction on the permissions tab to only allow access to company B. Repeat for people under company C. Now the people in B and C will be able to create incidents for people in Company A, but Company B and C will NOT be able to see each other's incidents at all. Supervisors/Managers, etc can of course have their access restriction set to include any/all of the companies so they can see everything. This also requires you set some things to Global (Service+) if you want to share those across the board. There are some interesting workflow things you may or may not want to deal with. I'm still working those out. For example, when you create or update a people record it automatically changes the access restriction company to the company on the General tab. We may disable this. William Rentfrow wrentf...@stratacominc.com Office: 715-204-3061 or 701-232-5697x25 Cell: 715-498-5056 From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Carl Wilson Sent: Friday, February 27, 2015 10:11 AM To: arslist@ARSLIST.ORG Subject: Re: Yet another tenancy question... ** Hi, This is working as expected. As you mentioned, Multi-tenancy is based on either of those fields on an Incident so as long as you have membership to one of the Group ID's you will see the Incident. So if Support Group 1 has access to the Customer common Company, then they would see all requests, same for Support Group 2, etc as tenancy is done at the Company level. To separate out this there is the concept of Supporting Companies introduced I think around version 7.6 where you can have a Support Company work a request (Assignment) without the need to give them full Company access and they only see those requests - however I believe this uses the Vendor fields to control access so can be somewhat tricky to setup. You could not have the common Company for the People though as the above still applies. Kind Regards, Carl Wilson http://www.missingpiecessoftware.com/ From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of William Rentfrow Sent: 27 February 2015 15:42 To: arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG Subject: Yet another tenancy question... ** Hi all- ARS 8.1.02, ITSM 8.1, etc - totally Remedy workflow question - architecture doesn't matter. We are doing a test configuration on our dev server trying to configure multi-tenancy as follows: 1.) All People records belong to a company MyCompany 2.) Support users are in a company for their business unit, e.g. Group 1, Group 2, etc. To be very clear, these are defined as separate companies - they are NOT under MyCompany. 3.) We do not have unrestricted access turned on for anyone. - so if an incident is assigned to Group 1 we do not want Group 2 to be able to see it at all. The entire point of doing the above setup is to have one copy of each people record shared among everyone - otherwise the only real option is to load a separate copy of the people record for every defined company - and we're talking about millions of records in that instance. All of those would have to get updated weekly in order to keep things up to date, so that's kind of a non-starter. Or we could customize multi-tenancy, which seems like path fraught with peril... The tenancy documentation I read says that tenancy and row level security is based off of three things in 8.1: Customer Company for field 112, Support Company on field 60900, and Vendor Assignee groups. I was under the impression that permissions were additive - so, if there was a value in any of those three fields your People profile had to match all of them for you to be able to see the incident. I checked the permissions on Entry ID (Field 1) in HPD:Help Desk and they match this as advertised (Unrestricted access membership is also one of the permission groups for field one but no one is defined as unrestricted in my test setup). The problem is I don't think it's working right. The value that gets set for field 112 is the value of the customer's company, NOT the assigned group's company. Having the incident assigned to a group under a separate company has no real effect on anything. I checked the data and the field 60900 is filled in with the correct value of the Group entry that matches the assigned support company. Consequently, anyone can see all of the incidents, regardless of what company they are in. How do we go about getting
Re: Yet another tenancy question...
Well, I did find this right after I submitted that: https://docs.bmc.com/docs/display/public/brid81/Update+to+the+multi-tenancy+model which says this: The update to the multi-tenancy model addresses issues related to row-level security on the Company ID field (Field ID 112) and Vendor Assignee field (Field ID 60900), which were inaccurately set on the following forms: * Main application transactional forms; for example, Help Desk, Problem, and Change * Multi-tenant aware child forms of the main application transactional forms; for example, Assignment Log and Impacted Areas * Join forms related to the forms mentioned in the preceding two bullets; for example, HPD:HelpDeskAssignmentLogJoin and CHG:CostAssociationJoin William Rentfrow wrentf...@stratacominc.com Office: 715-204-3061 or 701-232-5697x25 Cell: 715-498-5056 From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Carl Wilson Sent: Friday, February 27, 2015 10:11 AM To: arslist@ARSLIST.ORG Subject: Re: Yet another tenancy question... ** Hi, This is working as expected. As you mentioned, Multi-tenancy is based on either of those fields on an Incident so as long as you have membership to one of the Group ID's you will see the Incident. So if Support Group 1 has access to the Customer common Company, then they would see all requests, same for Support Group 2, etc as tenancy is done at the Company level. To separate out this there is the concept of Supporting Companies introduced I think around version 7.6 where you can have a Support Company work a request (Assignment) without the need to give them full Company access and they only see those requests - however I believe this uses the Vendor fields to control access so can be somewhat tricky to setup. You could not have the common Company for the People though as the above still applies. Kind Regards, Carl Wilson http://www.missingpiecessoftware.com/ From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of William Rentfrow Sent: 27 February 2015 15:42 To: arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG Subject: Yet another tenancy question... ** Hi all- ARS 8.1.02, ITSM 8.1, etc - totally Remedy workflow question - architecture doesn't matter. We are doing a test configuration on our dev server trying to configure multi-tenancy as follows: 1.) All People records belong to a company MyCompany 2.) Support users are in a company for their business unit, e.g. Group 1, Group 2, etc. To be very clear, these are defined as separate companies - they are NOT under MyCompany. 3.) We do not have unrestricted access turned on for anyone. - so if an incident is assigned to Group 1 we do not want Group 2 to be able to see it at all. The entire point of doing the above setup is to have one copy of each people record shared among everyone - otherwise the only real option is to load a separate copy of the people record for every defined company - and we're talking about millions of records in that instance. All of those would have to get updated weekly in order to keep things up to date, so that's kind of a non-starter. Or we could customize multi-tenancy, which seems like path fraught with peril... The tenancy documentation I read says that tenancy and row level security is based off of three things in 8.1: Customer Company for field 112, Support Company on field 60900, and Vendor Assignee groups. I was under the impression that permissions were additive - so, if there was a value in any of those three fields your People profile had to match all of them for you to be able to see the incident. I checked the permissions on Entry ID (Field 1) in HPD:Help Desk and they match this as advertised (Unrestricted access membership is also one of the permission groups for field one but no one is defined as unrestricted in my test setup). The problem is I don't think it's working right. The value that gets set for field 112 is the value of the customer's company, NOT the assigned group's company. Having the incident assigned to a group under a separate company has no real effect on anything. I checked the data and the field 60900 is filled in with the correct value of the Group entry that matches the assigned support company. Consequently, anyone can see all of the incidents, regardless of what company they are in. How do we go about getting this to work? Is it supposed to work how we want it, or is that a customization? All of the docs I read make me think it should work this way. I'm not even 100% sure anything is broken. I opened an issue with support too and I'm waiting to hear what they think. William Rentfrow wrentf...@stratacominc.commailto:wrentf...@stratacominc.com Office: 715-204-3061 or 701-232-5697x25 Cell: 715-498-5056 _ARSlist: Where the Answers Are and have been for 20 years_
Yet another tenancy question...
Hi all- ARS 8.1.02, ITSM 8.1, etc - totally Remedy workflow question - architecture doesn't matter. We are doing a test configuration on our dev server trying to configure multi-tenancy as follows: 1.) All People records belong to a company MyCompany 2.) Support users are in a company for their business unit, e.g. Group 1, Group 2, etc. To be very clear, these are defined as separate companies - they are NOT under MyCompany. 3.) We do not have unrestricted access turned on for anyone. - so if an incident is assigned to Group 1 we do not want Group 2 to be able to see it at all. The entire point of doing the above setup is to have one copy of each people record shared among everyone - otherwise the only real option is to load a separate copy of the people record for every defined company - and we're talking about millions of records in that instance. All of those would have to get updated weekly in order to keep things up to date, so that's kind of a non-starter. Or we could customize multi-tenancy, which seems like path fraught with peril... The tenancy documentation I read says that tenancy and row level security is based off of three things in 8.1: Customer Company for field 112, Support Company on field 60900, and Vendor Assignee groups. I was under the impression that permissions were additive - so, if there was a value in any of those three fields your People profile had to match all of them for you to be able to see the incident. I checked the permissions on Entry ID (Field 1) in HPD:Help Desk and they match this as advertised (Unrestricted access membership is also one of the permission groups for field one but no one is defined as unrestricted in my test setup). The problem is I don't think it's working right. The value that gets set for field 112 is the value of the customer's company, NOT the assigned group's company. Having the incident assigned to a group under a separate company has no real effect on anything. I checked the data and the field 60900 is filled in with the correct value of the Group entry that matches the assigned support company. Consequently, anyone can see all of the incidents, regardless of what company they are in. How do we go about getting this to work? Is it supposed to work how we want it, or is that a customization? All of the docs I read make me think it should work this way. I'm not even 100% sure anything is broken. I opened an issue with support too and I'm waiting to hear what they think. William Rentfrow wrentf...@stratacominc.com Office: 715-204-3061 or 701-232-5697x25 Cell: 715-498-5056 ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
Re: Yet another tenancy question...
Hi, This is working as expected. As you mentioned, Multi-tenancy is based on either of those fields on an Incident so as long as you have membership to one of the Group ID's you will see the Incident. So if Support Group 1 has access to the Customer common Company, then they would see all requests, same for Support Group 2, etc as tenancy is done at the Company level. To separate out this there is the concept of Supporting Companies introduced I think around version 7.6 where you can have a Support Company work a request (Assignment) without the need to give them full Company access and they only see those requests - however I believe this uses the Vendor fields to control access so can be somewhat tricky to setup. You could not have the common Company for the People though as the above still applies. _ Kind Regards, Carl Wilson http://www.missingpiecessoftware.com/ From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of William Rentfrow Sent: 27 February 2015 15:42 To: arslist@ARSLIST.ORG Subject: Yet another tenancy question... ** Hi all- ARS 8.1.02, ITSM 8.1, etc - totally Remedy workflow question - architecture doesn't matter. We are doing a test configuration on our dev server trying to configure multi-tenancy as follows: 1.) All People records belong to a company MyCompany 2.) Support users are in a company for their business unit, e.g. Group 1, Group 2, etc. To be very clear, these are defined as separate companies - they are NOT under MyCompany. 3.) We do not have unrestricted access turned on for anyone. - so if an incident is assigned to Group 1 we do not want Group 2 to be able to see it at all. The entire point of doing the above setup is to have one copy of each people record shared among everyone - otherwise the only real option is to load a separate copy of the people record for every defined company - and we're talking about millions of records in that instance. All of those would have to get updated weekly in order to keep things up to date, so that's kind of a non-starter. Or we could customize multi-tenancy, which seems like path fraught with peril... The tenancy documentation I read says that tenancy and row level security is based off of three things in 8.1: Customer Company for field 112, Support Company on field 60900, and Vendor Assignee groups. I was under the impression that permissions were additive - so, if there was a value in any of those three fields your People profile had to match all of them for you to be able to see the incident. I checked the permissions on Entry ID (Field 1) in HPD:Help Desk and they match this as advertised (Unrestricted access membership is also one of the permission groups for field one but no one is defined as unrestricted in my test setup). The problem is I don't think it's working right. The value that gets set for field 112 is the value of the customer's company, NOT the assigned group's company. Having the incident assigned to a group under a separate company has no real effect on anything. I checked the data and the field 60900 is filled in with the correct value of the Group entry that matches the assigned support company. Consequently, anyone can see all of the incidents, regardless of what company they are in. How do we go about getting this to work? Is it supposed to work how we want it, or is that a customization? All of the docs I read make me think it should work this way. I'm not even 100% sure anything is broken. I opened an issue with support too and I'm waiting to hear what they think. William Rentfrow wrentf...@stratacominc.com Office: 715-204-3061 or 701-232-5697x25 Cell: 715-498-5056 _ARSlist: Where the Answers Are and have been for 20 years_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years