I need to implement this scenario:
- certain incidents must only be visible for users with a particular role
- tasks contained in such incidents should be accessible for users with any role
I.e., the contents of the incident itself must stay private; the incident owner can create tasks within this incident and assign them to anyone.
I tried to implement this using object permissions. There is an incident field called Realm that controls access; for the 'private' role I defined object permissions on Incident as 'Realm is equal to <something>', while all 'public' roles have object permissions 'Realm is not equal to <something>' to prevent them from viewing (or modifying) this incident. This works very well, as expected.
However, if a user with a 'public' role tries to save a task contained in a 'private' incident, an exception is raised: You do not have rights to update Incident (3CB585C3FCEB4FC9B818601FE983ECAF).
Running Rule Trace I can see a >Trigger 'Update My Item' object event 'On Update' Incident --> RunForChild: 'Update My Item'< which is defined to run on any update to incident.
My question is: why does an update to a task also perform an update to the related incident? Is there a way to prevent this?
I'm experiencing this on ISM 2017.2.1.
Thanks for your thoughts!