10 Replies Latest reply on Jan 10, 2018 5:50 AM by DTurner

    Request Offerings: User Permissions

    DTurner Specialist

      So I have added another filtering property to the ServiceReqTemplateEntityAccess object called 'COE'. This was an OOTB object I have used to group job titles into logical groups: Standard User, Line Manager, Senior Manager and Directors.

       

      Initially I had an issue (duplicate key) when adding multiple access items such as:

      I believe this was because I had this setup as a 1:1 relationship, I have since changed this to 1:N, similar to how the Organisational Unit relationship is setup.

       

      I now appear to have an issue with the permissions themselves. For example, I have setup a request offering like so:

      When logging in as a 'Line Manager' user, I was able to edit the request anyway, regardless of how I setup access (the 2nd item uses another OU so shouldn't affect permissions). I tried to find the form itself for the 'My Items' object but this actually appears to use a 'Custom Form' so I am not even sure if I can check what action, hidden logic etc. the buttons use. Removing 'Submit' Request Permissions does appear to hide the offering completely from the portal.

       

      Does anyone have any experience with custom access properties and able to provide any insight?

       

      Many Thanks

        • 1. Re: Request Offerings: User Permissions
          AlasdairRobertson ITSMMVPGroup

          When logging in as the line manager user were you sending the request from the self service portal or the analyst interface?

          • 2. Re: Request Offerings: User Permissions
            dcogny Expert

            Hi,

             

            Not sure if it is this, but you actually have "Edit" permissions for "Any", and that includes "Line Manager", I would try to remove the "Any - Any" line and see what happens (Make sure to give the "Offering Permission" to someone else!!!).

             

            Hope this helps.

             

            Daniel.

            • 3. Re: Request Offerings: User Permissions
              DTurner Specialist

              AlasdairRobertson This was using the Self Service User role. I am also able to edit this using the Service Desk Analyst role.

               

              dcogny There is actually another access property to the left of Location: Org Unit. The 'Any - Any' item uses a different OU.

               

              Appreciate your input

              • 4. Re: Request Offerings: User Permissions
                dcogny Expert

                D'oh! Re-reading your message, you actually said it , sorry!

                 

                Said that, I have nothing else useful to say.. more sorry!

                • 5. Re: Request Offerings: User Permissions
                  DTurner Specialist

                  Possibly delving into more complex concepts here - I was looking at the ServiceReqTemplateEntityAccess relationships and started looking into 'Contract Memberships' a bit further.

                  I found this thread which is helpful in describing the concepts.

                  The Access object is connected to OrganizationalUnit via Frs_CompositeContract_EntityAssocServiceReqTemplateEntityAccess (0...N:0...1), it is also connected directly to the OrganizationalUnit BO but looking at the database, this doesn't appear to be used.

                  Now, I attempted to setup the COE on the Self Service Access in a similar fashion to OrgUnit however I think my understanding of this feature is off. In the initial screen shot, the Any/Any uses OrgUnit B, the other 3 use OrgUnit A. So 3 records use the same Org Unit, if I try to add another access item with one of the above COE Groups, I get the following message:

                  Presumably, it expects the COELink_RecId field to be unique, but why does this not display for duplicate EntityLink_RecId (OrgUnit) entries?

                  Would I have to setup another Entity type if I want this behaviour for COE?

                   

                  I mentioned I think my understanding of the access items is off - consider the below:

                  For this scenario, I want it to check for a matching access item based on the Employee details. So Finance Standard Users can Submit & Edit; IT Standard Users have Full Access; any other OrgUnits do not have access. I'm not convinced this is how it is setup. It seems to be that I would end up filtering on Org Unit OR COE Group, but not both.

                   

                  Apologies in advance, my ramblings might not make much sense to most!

                  Any advice would be much appreciated.

                   

                  Thanks

                  Declan

                  • 6. Re: Request Offerings: User Permissions
                    DTurner Specialist

                    The error message indicates an issue with the index on the Access Object. If I take a look at the indexes on ServiceReqTemplateEntityAccess, there is a COELink index which is forced i.e. I cannot delete this as it automatically creates a new one, presumably this is due to the relationship but there is not an index for Organizational Unit (Frs_CompositeContract_Entity).

                     

                    I imagine this is indexing the values on the Access table which is why I am receiving an error message; although COELink_RecId is a unique value, it will not be in the context of the access table due to the N:1 cardinality.

                     

                    Clearly I am missing something; why is an index forced for COE but not Entity?

                    • 7. Re: Request Offerings: User Permissions
                      AlasdairRobertson ITSMMVPGroup

                      When I set mine up for department I based mine on the Location configuration so the relationship uses the FusionLink table and zero to many

                       

                       

                      I have tested the permissions and appears to work correctly with this relationship configuration:

                       

                      When Edit is ticked my user can edit, when unticked the edit button is removed.

                      • 8. Re: Request Offerings: User Permissions
                        DTurner Specialist

                        Funny you mention that, AlasdairRobertson - I noticed yesterday that I never tried a similar setup to Location.
                        Thanks for your time on this, will give it a try and let you know how I get on

                        • 9. Re: Request Offerings: User Permissions
                          DTurner Specialist

                          Apologies there was a rather large delay on this :S

                           

                          It looks like the filter properties do not 'AND' if that makes sense. So for an offering like below:

                          My employee record:

                          Yet, I can edit the request:

                          If I change the COE group, it works fine - even if the OUs do not match.

                          So it seems to be filtering based on the COE property only, any ideas why this is the case? Would I need to create another field to filter on both OU and COE and set it depending on those values?

                           

                          Thanks

                          Declan

                          • 10. Re: Request Offerings: User Permissions
                            DTurner Specialist

                            Looks like it does combine access, just not in the way I thought it did:

                             

                            Setting up my Employee record as follows:

                            With the below access:

                             

                            Results in me being able to edit and cancel the request.

                             

                            Removing edit from the IT/Any/Any access removes edit as an option, as expected (ruling out that it is using the top director access). Switching the Edit and Cancel permissions (2nd & 3rd entries) results in me still being able to edit and cancel, so it would appear that this does combine the permissions.

                             

                            Thanks

                            Declan