How about putting pre-conditions on each of the process actions which check for the current user being an end user and only come back true if the raise user on the process is the same as the current user? I think with later versions, calculated pre-conditions may have access to the variables needed to do this. If so, you could leave them as an end user with queries to show them their department's processes, but if they open someone else's incident, the action would be disabled.
For me, viewing "my employes IPC's" works - it is a self-service query, with the condition raise user/linemanager = current user. The manager can see IPCs as an end user.
I also have a process with preconditions on every action - it works, and only the owner of a ticket can do actions on incidents and requests. The line manager has rights to do assignments, so in case of absence of the owner, the manager can assign the ticket to another analyst. But this method is really hard to implement - adding preconditions to each action makes the process graph complicated, hard to read, hard to maintain... But it works.
I have a huge process, prints out as 9 pages. The thought of a precondition on everything is more than I could take.
Not sure how but I have tested and end users can only open their own incidents. I thought this took data partitioning but I can't see that it is enabled.
You probably have a query which restricts the items in the results set to just those where the current user is the raise user. If you open out the query for this manager so they can see other incidents, then you will hit the issue you raised. Partitioning might help to restrict the list of processes someone can see or access, but once they can see an incident the privileges they have will be applied, so they would be able to add a note, etc., to someone else's incident.
This is also being asked here. We are going to be holding off on it until other requests are completed. However, in a brief discussion of how we want to do this, without going into too much detail, we think we might use cost centers. We have assigned cost centers for our end users; it is one of the criteria we use for approvals and routing. We are going to look at limiting this end user's rights to see only IPCs created by his cost center(s). So, if his employee is part of cost center 12345, we will filter IPCs to cost center 12345.
This is just a thought and we haven't moved on it yet. I would be interested in what you implement or come up with.