5 Replies Latest reply on Jun 13, 2018 10:56 AM by Jason Miller

    SRM 9.1 - Entitlement - Poor Design

    T. D.

      I thought I would share something that I discovered. I am not sure, perhaps most of you are already aware of this.

       

      1.  Setup an SRD and only grant access to one entitlement group and add 10 users to that group (this is just an example).

      2.  Login as a basic user with no access, just a Read ARS license.

      3.  Launch the Request Entry Console.

      4.  Click on Settings > On Behalf Of.

      5.  Search / select a person who belongs to the entitlement group from step 1.

      6.  The basic user now sees the SR that is restricted to the entitlement group and can select that SR and submit a request despite the SR being restricted to only certain users.

       

      I like the On Behalf Of option, but just because the basic user selects the user that belongs to an Entitlement Group that basic user SHOULD NOT see the restricted SR.

       

      I feel this is a poor design.

       

      Thoughts?

        • 1. Re: SRM 9.1 - Entitlement - Poor Design
          Anne Brock

          Interesting. I have the opposite perspective. If someone logs in, and can do "on behalf of" for another person, I feel they should be able to see everything that person sees. Otherwise they might not be able to do what they were trying to do.

          1 of 1 people found this helpful
          • 2. Re: SRM 9.1 - Entitlement - Poor Design
            T. D.

            I see your point, but to me what is the point of setting up entitlement groups? We have one group that only a hand full of individuals should be able to see / access. With On Behalf Of being used it will defeat the purpose of entitlement group restrictions.

            • 3. Re: SRM 9.1 - Entitlement - Poor Design
              T. D.

              I thought about setting up the On Behalf of to restrict those individuals who belong to the entitlement group from anyone being able to act on their behalf. The problem is the On Behalf Of is based off of Support Groups and NOT entitlement groups.

              1 of 1 people found this helpful
              • 4. Re: SRM 9.1 - Entitlement - Poor Design
                Anne Brock

                well, I personally would severely limit who can do "on behalf of" if I used it at all. When I worked on help desks before, that's something I would have only wanted PC Coordinators or admins of departments to do. But of course, it depends on your environment.

                1 of 1 people found this helpful
                • 5. Re: SRM 9.1 - Entitlement - Poor Design
                  Jason Miller

                  I agree and I also saw the situation the same way you did.

                   

                  A use case I can think of is say an executive assistant needs to request something on behalf of their C-level boss; let's say a trip on the corp jet.  The assistant can't request a trip on the jet for them self however they better be able to request it for their boss. Of course requesting on behalf of their boss will notify the executive so it is not like they can book the jet for the executive and use it for them self (unless their boss is cool enough to go with that scheme )