5 Replies Latest reply on Jul 10, 2014 4:10 PM by mmorales

    Read Only Access

    Expert

      I have a department director that wants to be able to see all of the incidents for his department.  We want to give him full access to view everything on the incident which is basically the incident, notes, and assignments.  We are still going to hold back analyst notes.  The user is an end user.  Our initial idea was to make him an analyst so he could see all of his people and then give him a role with read only access.  Of course that's not so good because he needs to be able to create and update his own self service incidents so not a good idea.  With being an analyst he has access to every user in the system, not just his people.  I can create a query that limits a dashboard to just his department but he could easily just start entering incident numbers into the search.  As an end user, he can't see data from his employees.

       

      So how do I lock him down from making changes to an incident yet being able to create/update his own AND be able to see incidents from his department without the ability to open a random incident from someone else?

       

      I had thought that I could copy my incident window and make everything readonly but that still doesn't stop him from opening random incidents if he is an analyst.  We don't use data partitioning but that seems like a potential problem solver although many posts and the manual seem to suggest using alternatives if possible.  Any ideas other than partitioning?  Would partitioning help?  Will it slow us down?

        • 1. Re: Read Only Access
          dmshimself ITSMMVPGroup

          How about putting pre-conditions on each of the process actions which check for the current user being an end user and only come back true if the raise user on the process is the same as the current user.  I think with later versions, calculated pre-conditions may have access to the variables needed to do this.  If so, you could leave them as an end user with queries to show them their department's processes, but if they open someone else's incident, the action would be disabled.

           

          Not tested!

          • 2. Re: Read Only Access
            Mariusz.Maniak Expert

            Hi,

             

            For me viewing "my employes IPC's" works - it is a self-service query, with the condition raise user/linemanager = current user. The manager can see IPCs as an end user.

            I also have a process with preconditions on every action - it works, and only the owner of the ticket can do actions on incidents and requests. The line manager has rights to do assignments, so in case of absence of the owner, the manager can assign the ticket to another analyst. But this method is really hard to implement - adding preconditions to each action makes the process graph complicated, hard to read, hard to maintain... But it works.

            • 3. Re: Read Only Access
              Expert

              I have a huge process, prints out as 9 pages.  The thought of a precondition on everything is more than I could take.

               

              Not sure how but I have tested and end users can only open their own incidents.  I thought this took data partitioning but I can't see that it is enabled.

              • 4. Re: Read Only Access
                dmshimself ITSMMVPGroup

                You probably have a query which restricts the items in the results set to just those where the current user is the raise user.  If you open out the query for this manager so they can see other incidents, then you will hit the issue you raised.  Partitioning might help to restrict the list of processes someone can see or access, but once they can see an incident the privileges they have will be applied, so they would be able to add a note etc. to someone else's incident.

                • 5. Re: Read Only Access
                  Expert

                  This is also being asked here.  We are going to be holding off on it until other requests are completed.  However, in a brief discussion of how we want to do this, without going into too much detail, we think we might use cost centers.  We have assigned cost centers for our end users; it is one of the criteria we use for approvals and routing.  We are going to look at limiting this end user's rights to see only IPCs created by his cost center(s). So, if his employee is part of cost center 12345, we will filter IPCs to cost center 12345.

                   

                  This is just a thought and we haven't moved on it yet.  I would be interested in what you implement or come up with.
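
The access model discussed in this thread, as an added Python sketch that is not from any poster and is not the product's configuration or API: one view check shared by the dashboard query and by direct lookup on incident number, and one update check equivalent to the "raise user = current user" precondition. All class, function and user names and the sample incidents are hypothetical; cost center 12345 is the value used in reply 5.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    cost_centers: frozenset = frozenset()  # cost centers this user manages

@dataclass
class Incident:
    number: int
    raise_user: str
    cost_center: str
    notes: list = field(default_factory=list)
    analyst_notes: list = field(default_factory=list)

def can_view(user, inc):
    # Own incidents, plus incidents raised in a cost center the user manages.
    return inc.raise_user == user.name or inc.cost_center in user.cost_centers

def can_update(user, inc):
    # The precondition from the thread: raise user must be the current user.
    return inc.raise_user == user.name

def dashboard(user, incidents):
    # A query filter only shapes the list; on its own it is not an access check.
    return [i.number for i in incidents.values() if can_view(user, i)]

def open_incident(user, incidents, number):
    # The same view check is enforced when an incident number is typed in directly.
    inc = incidents.get(number)
    if inc is None or not can_view(user, inc):
        raise PermissionError(f"incident {number} not available")
    # Analyst notes are held back: they are never copied into the end-user view.
    return {"number": inc.number, "raise_user": inc.raise_user,
            "notes": list(inc.notes), "read_only": not can_update(user, inc)}

def add_note(user, incidents, number, text):
    # One central update check instead of a precondition on every process action.
    inc = incidents.get(number)
    if inc is None or not can_update(user, inc):
        raise PermissionError(f"no update rights on incident {number}")
    inc.notes.append(text)

# Constructed sample data (hypothetical users and incidents).
DIRECTOR = User("director", frozenset({"12345"}))
INCIDENTS = {
    101: Incident(101, "director", "12345"),
    102: Incident(102, "employee_a", "12345", ["printer down"], ["internal triage"]),
    103: Incident(103, "other_dept_user", "99999"),
}
```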