Restricting access to templates by assignment groups

Dear folks,

I'm trying to come up with a way to limit access to change tempaltes based on the change groups a user belongs to.  I thougth that if I added a new field to the Template file (of array type) I could indicate there which assignment groups will be able to use these templates.

The reason I used an array is because templates may be used by more than one group; problem is, users may belong to different groups as well.  So I need to come up with a way to use the value of $lo.cm.assignments to query the Template table with something like "is any of the groups I belong to able to use template X, which is available to groups A,B and C"?

Appreciate your response.

 

Kind regards,

Ulises

  • One way would be to add a mandanten record (scaccess table) with a query for the security group the operator uses. The query would be like "new.field.name isin $lo.cm.assignments"

  • Verified Answer

    I believe you should check a wizard named "Template.select_1" and its "Usage" tab. There's a query, that filters the templates.

    In my case, we don't use roles so I use that field to hold the assignment groups enabled to use the template. (Edited template form accordingly.)

    tablename=$L.filename and (null(role) or role isin $lo.pm.assignments) and evaluate(parse($L.query,2))

    Modify the OOB query to include also your custom field holding Change management group info, by using isin operator like previous poster mentioned.

  • Kelalek2,

    This seems like a promising approach; I'll try it later today and let you know how it works.

    Regards,

    Ulises

  • If I'd do the same modification now, I'd

    • create a new "assignment" field (type: array) to table "Template"
    • modify form Template, add a new "assignment" label and a similar comfill element than the roles have and refer it to a new field (input: assignment)
    • edit the wizard's query I mentioned before so, that it checks assignment field, not a role field (or you can of course check both)

    IMO, this minimizes the risk if you'd some day start using roles.