7 Replies Latest reply on Nov 16, 2016 6:42 AM by AM06160

    Data Partitioning

    AM06160 Apprentice

      Hello,

       

      I just wondered if there would be an issue with me setting up data partitioning for a enquiries logged to a particular support group.  I have a support group coming on board who deal with very sensitive information and they want to log calls but do not want other groups to be able to see them.  I don't know whether default partitioning is enough for this as some of our groups need access to other support group calls so we really just want to hide this particular groups data from everyone else. 

       

      I have had a go at creating a new partitioning object but when I try to set the partitioning attribute from the Administration panel its not available (I am following the steps on page 27 of the LDSD Administrator Guide.  The object has a boolean data type so that we can add a field to the request form to say 'Yes' this is that particular type of enquiry logged to that support group.  Is there an issue with using this kind of value for partitioning data?

       

      AM

        • 1. Re: Data Partitioning
          ITSMMVPGroup

          I think partitioning attributes need to be lists of some type, like category, a reference list or the default support group.

           

          Partitioning was designed by LD originally for hiding HR type process from everyone outside of the HR group.  It does that well providing the team asking for this stick to their group and trust the administrator not to add the wrong people in.  One gotcha you should consider is whether you want end users to log these sensitive issues and see the updates.  That will be quite tough as partitioning typically stops them from seeing issues they have just logged because thy are in the wrong group or don't have the right value for the chosen partitioning attribute.

           

          What you could also look at is creating a new module - this allows you to have extra sets of privileges specifically for that module and grant access to those just like you would any other process, but because they are related to your new secure module, nn-one else  without privileges will be able to see them

          • 2. Re: Data Partitioning
            Julian Wigman ITSMMVPGroup

            You should be able to setup "Analyst" partitioning only, and leave "Customer" partitioning unset; thus end users can continue to see the tickets they have raised and the normal end-user B.A.U system logic stops one user from searching another users data by default unless you want them to see it via some sort of shared queries (with or without "prevent drilldown" etc) on some sort of team/site/department dashboards. You can layer-on other concepts like private note fields etc to lock down further then?

             

            For "Analyst " partitioning it will be "by support group" and if you put the "Enforce Partitioning" attribute on the "Support Group" window then you can check for just those that you want partitioning set for and leave unset for those who need the "Umbrella View".

             

            As Dave says you can use a separate module for "sensitive" Lifecycles and use standard privileging to restrict access and visibility too as an alternative though you'll have lots of design to setup; windows, queries, dashboards etc for that new module.  

             

            If you have both "Sensitive" and "Non-Sensitive" lifecycles in the same functional area (HR for example) then I've seen where the you have a process for each and can switch between them (via "Reinitialise" action) once triaged and then base your dashboard queries around the lifecycle used so that they ONLY become "(loosely) partitioned" via the process they are in at time and they can switch back and forth if needed (ie upgrade or downgrade sensitivity).  Also in v2016.2 or later you have the new "Triage" functionality that can do away with "Reinitialise" action at the point of creation as well (though still needed if you want to switch mid lifecycle).

             

            Some other options maybe to consider then I hope.

            • 3. Re: Data Partitioning
              AM06160 Apprentice

              Thanks both for the advice!

               

              I was reading through the LDSD Administrator handbook again and noticed this:

               

              "

              NOTE: You can also enable data partitioning for individual customers or support groups. To do this, add the

              Enforce Partitioning attribute as a check box to the relevant window using the Window Manager component.

              Then in the Administration component, select the check box for the required groups and save the changes.

              "

               

              If this works in practice it would be exactly what we are looking for.  We really only want to partition this one support groups data from everyone else.  I tried adding this checkbox to the support group window and enabling it for the required support group but I was still able to search for the call number using the search field on LANDesk web.  I was also still able to find this group using a shortcut group query 'Other group workload list'.  No success so far. 

               

              If this doesn't work we would like to add a partitioning attribute of some sort to the Support Group window or having it based on Category might be a suitable option although as I am aware the data partitioning attribute should be set up as a reference list so I am not too sure how selecting categories would work for this.

               

              Thanks, A.

              • 4. Re: Data Partitioning
                ITSMMVPGroup

                You'll need to set the attribute you want to use for partitioning and from memory it is described in that same section of the manual.  I'd certainly give partitioning a try and it does work, but sometimes the detailed implementation shows up features you were not expecting, like end users not begin able to see their own tickets easily.

                • 5. Re: Data Partitioning
                  AM06160 Apprentice

                  Thanks for your advice.  I had a play around with the readily available "Enforce Partitioning" - this feature does not work at all.  I could get default partitioning to work as expected by using the "Current Group" object so I have saw this in action but we need all other groups to be able to see each others calls as they did before.  I created a new attribute and set this as the partitioning attribute then added it to the Support group form to state the level of partitioning any group should see i.e. none or by department.  This didn't work.  On testing no groups can see their workload list.  Back to the drawing board...

                  • 6. Re: Data Partitioning
                    ITSMMVPGroup

                    I really would consider creating a new module or using the existing HR module as that gives you the ability to stop people seeing processes created in the other place unless you give them the rights to read those.  The HR module should already be there with windows and sample processes, so you could give it a try without too much extra effort

                    • 7. Re: Data Partitioning
                      AM06160 Apprentice

                      Hello,

                       

                      Thanks for all the advice.  We were dissuaded from data partitioning by many people and have almost complete testing on creating a field on our Windows that will only be visible to a particular role.  This will allow that Support Group (who we assign the new role) to input any of the sensitive data which will only be visible to them.

                       

                      Thanks, Angela