You can create a saved search for incidents that only show their teams tickets. Make that default for that role. This will allow them to see only their teams incidents when accessing that business object. You should be able to do that within all BO's so they only have access to their incidents, tasks, Service requests etc. You want to ensure that they cannot create or edit the search feature under system permissions. This should accomplish what you are looking to do.
Thanks Nino, but that's not quite what I'm after. I've set it so they can only access records owned by their team in the object permissions for the role, and I've blocked their access to tasks related to specific services, such as security, employee management, and server administration, but there may be cases when they are assigned a task on a ticket owned by another team. If that happens, they'll need to see/edit the parent record. I'm thinking that I should be able to do this with an expression in the object permissions, but I haven't figure one out yet.
Would something like this work for you? I'm assuming you have just one team like this and they would want to still see historical calls that they had had a task for but you could adjust according.
1. Create a new field on Incident 'ExternallyVisible'
2. Add a Before-Save rule on Incident to set ExternallyVisible to true if the Ownerteam on Incident is your external team OR childfold > 0 of tasks assigned to your external team. Add an Incident QA to evaluate this field the same way
4. Add a trigger/workflow on Task to fire the Incident QA via a run-for-child when Task Team changes
5. Change your object permissions for the external role to view if ExternallyVisible=True on Incident
6. Repeat for other Parent objects.
That could work, but we will have three roles where I'll need to apply this filtering. Seems like the simplest method would be an expression that says they can view and edit an object if it contains a child object (task assignment) owned by their team. Unfortunately, expressions don't work the same in all cases (workflow, form, search...) so I'm not sure how to build this for object permissions. Anyone from HEAT out there listening in that might know?
1 of 1 people found this helpful
FWIW, the approach I'm taking is to set the access to these objects by limiting the services they can see. For example, if I don't want a role to see incidents or requests related to the "Employee Administration" service, I add a case to those objects that says they can view and update where the [object's] Service is not equal to "Employee Administration".
If there are several services to exclude, you can add them all in one case using the And feature. If I instead want to specify which services they CAN see, I have to add a case for each service.
If you don't want to limit requests for an entire service, you can specify 'where ServiceReq's Subject is equal to [name of request offering]'.
This doesn't directly address my question of how to exclude a record, but allow a view if they have a task in it, but in our environment I don't think that would normally happen anyway.