BMC allows users to create reports using forms that they shouldn't have access to.
The following test shows that a user who shouldn't see important data from the tool can perform this procedure without any restriction.
- Create a login with a read license and no application permission or support group.
- Log in with this user and, from the report console, create a new report using HPD:Help Desk as source.
Imagine a company employee has a printer issue and needs to open a ticket with the service desk team. He may create the ticket through the Requester Console, but he shouldn't be able to create reports from other modules or see cost data and information on other operational areas that also use Remedy.
According to BMC, access to transactional data is not restricted by the application permissions of the user. It's only restricted based on company membership (8.x) or on company and support group membership (as in 9.1.xx). There are no data access restrictions (field 112/60900/etc.) based on an application *permission* (Incident User, Incident Master, Incident Viewer).
My idea is to have a permission to restrict creation and execution of reports.