Restrict Access by Group

nlk
Kilo Guru

Hi Community,

I have a requirement to restrict access to table records based on the user's group.

We have 6 groups as follows:

Group 1 - Based offsite - restrict access to only tickets where the user(s) is a member of Group 1 and are present in one or more of the following fields: "requester", "behalf of" or contained in the "assigned to" list.

Group 2 - Based in Australia - restrict access to only tickets where the user(s) is a member of Group 2 and are present in one or more of the following fields: "requester", "behalf of" or contained in the "assigned to" list. PLUS Group 1 tickets.

Group 3/4/5/6 - Based in London - Restrict access to only tickets where user(s) is a member of either Group 3/4/5/6 and are present in one or more of the following fields: "requester", "behalf of" or contained in the "assigned to" list. PLUS Group 1 tickets.

In summary:

Offsite can only access their tickets.

Australia can access their tickets, plus offsite tickets.

London can access their tickets, plus offsite tickets.

What would be the best approach, using the groups, or user locations? Business Rules or ACLs?

 

8 REPLIES

nlk
Kilo Guru

Thanks Adrian, but there isn't an assignment group field on this particular table to reference.

adriantoth
Tera Contributor

You may want to create entries in the sys_properties table, one for each group.

E.g.

special.fancy.incident.group1 = <sys_id of the group1>

special.fancy.incident.group2 = <sys_id of the group2>

...

special.fancy.incident.groupN = <sys_id of the groupN>

 

Modify the scripted ACL:

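var group1 = gs.getProperty('special.fancy.incident.group1');
var userId = gs.getUserID();

// Grant access only when the user is in group1 AND is named on the record.
// Add the remaining field checks where the "...." placeholder is.
if (gs.getUser().isMemberOf(group1) && (userId == current.requester || userId == current.u_behalf_of /* || .... */))
    answer = true;
else
    answer = false;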

You may want to modify the condition to your preference.

Although, I think this isn't such a nice solution in comparison to the assignment group as reference on the table in scope.

nlk
Kilo Guru

I have just realised this is not going to work as ALL users are a member of DP Offsite group.

I added the London and Australia users in order for them to see offsite queue.

I need to re-think how I can achieve this.

nlk
Kilo Guru

I am now looking for some assistance with solution suggestions for this requirement.

I now have 3 groups;

DP Offsite - members of the offsite team only

DP London - members of London team only

DP Australia - members of the Australia team only

 

1. I need Australia to have visibility to records where the requester (Reference sys_user), on behalf of (Reference, sys_user) and assigned users (list collector, sys_user) contain users who are a member of DP Australia and DP Offsite.

 

2. I need London to have visibility to records where the requester (Reference sys_user), on behalf of (Reference sys_user) and assigned users (list collector sys_user) contain users who are a member of DP London and DP Offsite.

 

3. I need offsite to have visibility to records where the requester (Reference), on behalf of (Reference) and assigned users (list collector) contain users who are a member of DP Offsite only.

 

Additional info - I also have company DP London, DP Australia and DP Offsite associated with the user records.

All suggestions welcome!
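The three visibility rules from the post above, modelled as an added example in plain JavaScript (not code from the thread or from ServiceNow). It keeps each user in one team group and puts the "plus offsite" rule in a mapping, so nobody has to be added to DP Offsite just to see its queue. The user ids, sample records, the field names `behalf_of` and `assigned_users`, and the `mode` switch between the two readings of "contain users who are a member of" are assumptions.

```javascript
// Added example: group names come from the thread; everything else is constructed.

// Which teams' tickets each viewer group may see.
const VISIBLE_TEAMS = {
  'DP Offsite':   ['DP Offsite'],
  'DP Australia': ['DP Australia', 'DP Offsite'],
  'DP London':    ['DP London', 'DP Offsite'],
};

// Constructed membership: each user belongs to exactly one team group.
const MEMBERSHIP = {
  off1: ['DP Offsite'], aus1: ['DP Australia'], lon1: ['DP London'],
};

// Every user named on a record: two reference fields plus a
// comma-separated list (the list collector).
function usersOnRecord(rec) {
  const list = rec.assigned_users ? rec.assigned_users.split(',') : [];
  return [rec.requester, rec.behalf_of, ...list]
    .map(s => (s || '').trim())
    .filter(Boolean);
}

// mode 'any': visible if at least one user on the record is in a permitted team.
// mode 'all': visible only if every user on the record is in a permitted team.
function canRead(viewerId, rec, mode = 'any') {
  const allowed = new Set(
    (MEMBERSHIP[viewerId] || []).flatMap(g => VISIBLE_TEAMS[g] || []));
  const users = usersOnRecord(rec);
  if (allowed.size === 0 || users.length === 0) return false; // default deny
  const permitted = u => (MEMBERSHIP[u] || []).some(g => allowed.has(g));
  return mode === 'all' ? users.every(permitted) : users.some(permitted);
}

// Constructed sample records.
const offsiteTicket = { requester: 'off1', behalf_of: '', assigned_users: '' };
const londonTicket  = { requester: 'lon1', behalf_of: 'lon1', assigned_users: '' };
const mixedTicket   = { requester: 'lon1', behalf_of: '', assigned_users: 'off1, lon1' };
```

With `'any'`, a ticket that names both London and Offsite users is readable by the Offsite team; with `'all'` it is not, so the choice between the two readings decides whether mixed tickets are exposed to the most restricted group.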