4 Replies Latest reply on Apr 28, 2017 2:31 PM by Garrett Sitter

    Disabling Row Level Security in 9.1

    Garrett Sitter

      We are running into problems with row level security in 9.1 (or at least what I believe is related to row level security).

       

      For example, if I perform a wildcard search in change management, it only returns tickets assigned to my support group, when I should be able to see all changes.

       

      Another example is that problem users can only see PBI/PKE tickets assigned to their group specifically, even when the user has selected Filter By->All (NOT Assigned To My Groups) on the Problem Console.

       

      This is not desired behavior, as outside of a few edge cases we want all users with permissions for the console in question to be able to see all tickets regardless of support group.  We have already made the following configuration change per BMC Support:

       

      Disable-New-RLS-Implementation : T

       

      Despite this, we are still seeing the behavior described above.  Does anyone know what can be done to completely bypass this functionality?  Is there anything else besides RLS that would restrict results based on support group?  We basically do not want to restrict access based on support group at any point.

        • 1. Re: Disabling Row Level Security in 9.1
          Raghavendra Mudagallu

          Try giving Unrestricted Access in People profile.

          • 2. Re: Disabling Row Level Security in 9.1
            Sidhdesh Punaskar

            Search for hierarchical group configuration in 9.1 for company and support group, then it will work.

             

            Sidhdesh

            • 3. Re: Disabling Row Level Security in 9.1
              Carey Walker

              Hi Garrett

               

              The suggestion of trying Unrestricted Access may help. Did you try that? The issue with this setting is that it is absolutely global (i.e. it will apply to all ITSM modules like CMDB etc as well).

               

              The Disable-New-RLS-Implementation is tackling something other than your specific problem I think (trouble is I can't recall exactly what that setting changes - sorry, I read something about it recently but the details escape me now).

               

              9.1 did introduce a deeper set of functionality around hierarchical group concepts, on top of 9.0, but again it seems your requirement is just simple multi-tenancy stuff.

              1 of 1 people found this helpful
              • 4. Re: Disabling Row Level Security in 9.1
                Garrett Sitter

                Correct, we have a very simple multi-tenancy requirement (2 companies), and we did not experience this problem in 8.1.  Since 9.1 and the hierarchical group updates, this has been a problem.

                 

                I'd prefer not to use Unrestricted Access, as we have a small subset of tickets (HR work orders) that we do not want every employee accessing.  We have two logical companies in our support organization:

                 

                -SECU

                -Human Resources

                 

                I have all of our support groups under the first company, except for one.  Essentially, I want anyone who is in the company "SECU" to be able to see all tickets that are also assigned to any support group under the company "SECU", while leaving the HR Company tickets inaccessible.  This is currently working as we'd like it to for work orders and incidents, but not problem and change tickets.  I'd like for RLS to operate off of company, not support group, but I'm not quite sure how to configure this.