c911darkwolf

how does scSecurity group or Security Groups work?


So I've gotten down restricting queries with Mandanten. I've made a few for the Probsummary table restricting people to seeing only a certain type of ticket, like assigned to this group or if the problem.type is this or that.

 

I had a person who needs to see 6 safety assignment groups, but nothing else... with the 90 character limit of restricting queries I have a hard time making that happen.

 

So can someone explain how I can use security groups to set up something like the following?

 

User: Luis

Needs to only see the following assignment groups:
10 Safety

11 Safety

12 Safety

13 Safety

14 Safety

15 Safety

 

 

Is it the same as when I make a query, that I just put the name of the query in his operator security group?

 

Thanks!


Accepted Solutions
John Stagaman

Re: how does scSecurity group or Security Groups work?


Security Groups and Restricting Queries work together.

 

Only a single field in a table can be identified as the mandant field for the table. Once that is done, you can configure Mandant groups. The groups allow you to create either include or exclude lists (it is redundant to do both).

--if you set the mandant field for probsummary to assignment, you could list the 6 groups in the include array of a mandant group and assign that group to your operator.

 

Mandant Restricting queries allow greater flexibility. They can reference any field and can allow more precise control.

--You could use the syntax:

assignment isin {"group1", "group2","group3", "group4"}

--You could define a manually created global list and use that:

assignment isin $G.listOfGroups

--You could add attributes to the assignment table so that the global lists could be generated automatically (e.g. by company, region, etc.)

assignment isin $G.someOtherGlobalListBasedOnAQuery

 

But restricting queries are not limited to the mandant field (in fact, they don't even require that a mandant field be defined).

So you could create rules that allow only members of a particular assignment group to view records assigned to that group, or use mandant groups to limit access by company, but then use restricting queries to further reduce access by location or category.....

You can also just put "not" in front of your query to negate it, so that category="hr" and not category="hr"  are both valid restricting queries (though you wouldn't want to assign them both to the same operator).

 

  • If you create a mandant group and mandant restricting query with the same name, you only have to list that name in the security groups array and both will be applied.
  • You can list multiple mandant security values, so that your queries can be combined. Note that the queries will be linked with AND conditions, so every individual query must evaluate to true.
  • For single field filtering with a limited number of values (e.g. category), sometimes groups provide a good starting point.
  • For more complex filters against a larger source set of values, the ability to filter against global lists can make mandant queries extremely flexible and easier to maintain over time.

When implementing mandanten, it is very important to map everything out clearly before making changes. For even more fun and complexity, security folders (folder entitlement) also can work in tandem with mandanten.

 

The document attached is ancient (look, it's the ServiceCenter 3 interface!) but the concepts are the same.

 

----------------------------------------------------
Kudos - what, where, how, and why
Want Good Answers? Ask Good Questions...
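
A simplified Python model of the rules in the answer above (an added example, not from the original post and not Service Manager code): one mandant field per table, mandant groups as include or exclude lists, a shared name applying both the group and the query, and all queries linked with AND. The group and query names, the predicates standing in for query syntax, and the sample tickets are constructed assumptions.

```python
# Simplified model of the rules described in the answer above; not Service
# Manager code. All group names, query names and records are constructed.

MANDANT_FIELD = {"probsummary": "assignment"}   # one mandant field per table

# Mandant groups: an include list OR an exclude list of mandant-field values.
MANDANT_GROUPS = {
    "safety": {"include": ["10 Safety", "11 Safety", "12 Safety",
                           "13 Safety", "14 Safety", "15 Safety"]},
}

# Restricting queries may test any field; modelled here as predicates.
RESTRICTING_QUERIES = {
    "safety": lambda r: r["category"] != "hr",      # same name as the group
    "hr.only": lambda r: r["category"] == "hr",
}


def visible(table, record, security_groups):
    """True only if every listed name's group and query accept the record."""
    for name in security_groups:
        group = MANDANT_GROUPS.get(name)
        if group is not None:
            value = record[MANDANT_FIELD[table]]
            if "include" in group and value not in group["include"]:
                return False
            if "exclude" in group and value in group["exclude"]:
                return False
        query = RESTRICTING_QUERIES.get(name)
        if query is not None and not query(record):
            return False    # queries are ANDed: one failure hides the record
    return True


def visible_numbers(security_groups):
    """Ticket numbers from the sample set that the operator would see."""
    return [r["number"] for r in TICKETS
            if visible("probsummary", r, security_groups)]


TICKETS = [  # constructed sample records
    {"number": "IM1", "assignment": "10 Safety", "category": "incident"},
    {"number": "IM2", "assignment": "15 Safety", "category": "hr"},
    {"number": "IM3", "assignment": "Service Desk", "category": "incident"},
]

if __name__ == "__main__":
    print(visible_numbers(["safety"]))             # group + same-named query
    print(visible_numbers(["safety", "hr.only"]))  # contradictory queries
```

Listing two contradictory queries for one operator leaves nothing visible, which is why mapping the combinations out before assigning them matters.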
c911darkwolf

Re: how does scSecurity group or Security Groups work?

I swear I clicked the Kudos Button 2 dozen times, but it still shows 1.

Awesome response, thanks a ton! I've been managing 600+ people and 278 assignment groups only using Restricting Queries and it's been a nightmare. Now I've got my first couple of groups set up and they are working. My issue was in scmandant I did not have probsummary defined so my groups were not working!

Thanks!
John Stagaman

Re: how does scSecurity group or Security Groups work?


If your objective is to limit the groups to which a user can assign records, the assignment groups array in the IM profile is intended to serve that purpose.

 

But if it's to restrict access so that they can only see tickets assigned to those groups, then mandanten is the right approach.

 

Also, there's nothing that prevents you from changing the length of the scmandant query to allow more than 90 characters.

 

ONE MORE THING:

When defining mandanten for Interactions, you may need to make sure that a user who can't see a bunch of records when logged into the full client can still see some of those tickets in the ESS portal.

--If so, then you can use Restricting queries and use a query like:

not $G.ess and category<>"HR" | $G.ess

this would:

--Allow the user to see no HR records when logged into the full client.

--Allow the user to see all records in ESS subject to the normal ESS limitations (user must be contact or service recipient) including HR records.

Dennis Handly

Re: how does scSecurity group or Security Groups work?


>I swear I clicked the Kudos Button 2 dozen times, but it still shows 1.

 

You can only give one Kudos per post.

http://h30499.www3.hp.com/t5/help/faqpage/faq-category-id/kudos#kudos

 

Note: There is no "Kudos weight" in the EBC forum.

c911darkwolf

Re: how does scSecurity group or Security Groups work?

We fixed the problem and everything seems fine now!

@ Dennis Handly - yeah, I know you can only do 1. I was just excited about fixing a problem that has plagued me a while : )