Define Business Object Rights (Access to Data)
Use the Business Objects tab in the Security Group Manager to define access to CSM data for a Security Group. Business Object security rights control access to:
- General data: Security Group can access (view, add, edit, delete) data in a Business Object. Business Object rights can be set at the Business Object or Field level.
- File Attachments: Security Group can access (view, add, edit, and delete) Business Object record Attachments.
Different record ownership rights (both User and Customer) can be set to extend/deny access to managers, departments, Teams/Workgroups, and Team/Workgroup managers.
To define Business Object security rights:
- Open the Security Group Manager.
- In the Group drop-down, select the Security Group for which you want to define rights (ex: Admin).
- Click the Business Objects tab.
- In the Business Object drop-down, select the
Business Object for which you want to set
rights. You can also select individual Fields within the Business Object.
Tip: To set default rights for all Business Objects/Fields in a Security Group, use the New Business Objects and New Field Rights options. These defaults are also used for any new Business Object/Field created in a Blueprint. Please note that the defaults only affect untouched Business Objects/Fields; if you have already set specific rights for a Business Object/Field, those rights override the defaults. To override the defaults at any time, manually set rights for a Business Object/Field. To restore a Business Object so that it uses default rights, use the Reset Rights options on the Options menu.
The available Business Object rights show as check boxes to the right of Business Object/Fields.
- Define general rights:
- Select the check boxes to allow the Security Group permission to
perform the operation. Clear the check box to deny permission. Rights include a
combination of the following:
- View: Data/record can be viewed.
- Add: Data/record can be added.
- Edit: Data/record can be modified.
- Delete: Data/record can be deleted.
- Limit records based on criteria: Data is limited based on a
defined criteria. Even though you can define complex Queries, it is recommended
that you limit the Queries to ones using only Fields from the Business Object
being limited, or Fields in 1-1 Related Objects.
Example: Members of the network Security Group might be limited to seeing Incidents with the category of Networking. If a criteria is applied, then only records that meet that criteria will be seen by the User. Not only will searches be limited, but Dashboard Widgets will show only included records, as will Reports, and all other features of the system.
- Can edit the final state: Data/record can be edited when it
is in its defined final state.
This option is only available if the Business Object has a final state, such as Closed. Typically, this Right is limited to managers and system administrators.
- Can change the final state to the recall state: Data/record
can be changed from its final defined state to a different lifecycle state.
This option is only available if the Business Object has a final state (such as Closed) and a recall state (such as Reopened). The main reason to force Users to change from a final state to a specific recall state is to ensure that changes are logged, and to trigger any special Automation Processes that need to be run when a record is recalled. Field rights are limited to View and Edit; Business Object rights vary depending on lifecycle support.Tip: It is a very common mistake to set view/edit rights for a Business Object but forget to set view/edit rights for Fields, so the User still cannot edit any Fields. The most straightforward way is to edit the New Field option for a Business Object, because that applies to any Fields to which rights have not been set.
- Select the check boxes to allow the Security Group permission to
perform the operation. Clear the check box to deny permission. Rights include a
combination of the following:
- Define Encrypted Fields rights:
- View: Encrypted Fields can be viewed (can run the decrypt command on encrypted Fields).
- Edit: Data can be entered into encrypted Fields in new records.
- Define File Attachment rights:
- Select the check boxes to allow the Security Group permission to
perform the operation. Clear the check box to deny permission. Rights include a
combination of the following:
- View: Attachments can be viewed.
- Add: Attachments can be added.
- Edit: Attachments can be modified.
- Delete: Attachments can be deleted.
- Select the check boxes to allow the Security Group permission to
perform the operation. Clear the check box to deny permission. Rights include a
combination of the following:
- (Optional) Different rights based on ownership: Select this check box
to set different rights based on ownership.
Record ownership is an important concept in CSM because it affects security and licensing, and it differs depending on whether the owner is a User or a Customer. Be sure to understand the complexities of ownership.
- Click
Save
.