9 Replies Latest reply on Oct 3, 2019 2:32 PM by Ranjit Jadhav

    Innovation Suite-How to set Record Grid to be visible only for people from the same team?

    Zi Sang

      Hello Everyone,

       

      1. In our innovation suite app, we have a Record Grid, and the first requirement is already done:

      Only the Creator of a Record can see his own Record, others can't. A filter on the Record Grid is used, and the expression is set as "Current User = Created By"

      It works already


      2. Now we have the second requirement:

       

      Only the people from the same team can see the records, which are created by its own team-members.

      (The Team Info is stored in the "Person" Record.)

       

      And how can we realize it?

       

      Laurent Matheo Ranjit Jadhav Dear Laurent, dear Ranjit, do you have any idea?

      Thank you very much!

       

      Best regards,

      Zi

        • 1. Re: Innovation Suite-How to set Record Grid to be visible only for people from the same team?
          Ranjit Jadhav

          Zi,

           

          You can use row level security by adding a security label on the record definition and setting the permission using a rule/process as below...

          You can create an application role that represents the team and associate that role with a Functional role. This functional role you can assign to a person.

          Now, when a record is created, using a Rule or Process you can use the "set security label" action to set the dynamic permission and pass the application role that represents the team. When the user opens the Record Grid, the server will return records which are accessible to the given "roles" to which the user belongs, and no additional UI filter will be needed. Your existing filter of Created By can be added on top of that to filter the result at UI level.

           

          regards

          Ranjit

          • 2. Re: Innovation Suite-How to set Record Grid to be visible only for people from the same team?
            Laurent Matheo

            We had this discussion some months ago and like I said at the time, I would go using Security Labels

            Re: Innovation Suite - How to let user only see the by themself created data records in Record Grid?

            1 of 1 people found this helpful
            • 3. Re: Innovation Suite-How to set Record Grid to be visible only for people from the same team?
              Zi Sang

              Dear Laurent,

               

              thank you, that is right, you told me to try security label, but I did not try security label at that time.

               

              The following things I can still not understand regarding Security Label:

               

              (1) For example, we have Team AAA, Team BBB, Team CCC, ...Team ZZZ. Should we set a Security Label for each team? The Team Name is set in Person, and may be updated. So once the Team name changes, do we need to change it in the Security Label as well?

               

              (2) In Process, "On Create" and then "Set Security Label" How should I check at first, the Creator is from Team XXX? And then give the Security Label also for Team XXX

               

              Thank you so much!

               

              Best regards,

              Zi

              • 4. Re: Innovation Suite-How to set Record Grid to be visible only for people from the same team?
                Zi Sang

                Dear Ranjit,

                 

                Thank you!!!

                 

                Regarding security label, I still have 2 questions, would you please take a look at my comment above?

                 

                Best regards,

                Zi

                • 5. Re: Innovation Suite-How to set Record Grid to be visible only for people from the same team?
                  Ranjit Jadhav

                  Zi,

                   

                  How are you representing "Team"? Is it Organization? Is it Application Role or Group that represents the team?
                  Set security label accepts group names, role names and Organization IDs. Based on what your "Team" is mapped to, you can create a process as follows:

                  1. Use "Get Records By Query" on the "com.bmc.arsys.rx.foundation:Person" record with the condition 'Login ID' = Current User. Here 'Login ID' is a field from Person, and "Current User" appears in the "General" drop down in the Expression editor and resolves to $USER$. Select the first matching record for "Get Records By Query".

                  2. This will give the Person record, and now you can get the name of the Team. You can assign this Team name to any local variable.

                  3. Now if your "Team" name is the same as the Application Role name, then you can use the team name directly in the Set Security Label action in the "Role Names" field.

                  4. If your "Team" name is the same as the Group Name, then you can use the team name directly in the Set Security Label action in the "Group Names" field.

                  5. If it is the Organization name, then you have to add another "Get Records By Query" to query the record "com.bmc.arsys.rx.foundation:Organization", get the Organization that matches the same name as the Team name, and use its ID in the Set Security Label action in the "Organization Ids" field.

                   

                  Basically relate your Team either to Role, Group or Organization, then get the related object using "Get Records By Query" and use its value in Set Security Label.

                   

                  There is another short approach which you can use. In the Set Security Label action you can use "General->Current Groups" for the "Group Names" field; this will actually use all groups from the current user's permissions. But this does not allow you to control access at the level of one specific group; it will give access to all groups to which the user belongs.

                   

                  Hope this helps.

                  regards
                  Ranjit

                  • 6. Re: Innovation Suite-How to set Record Grid to be visible only for people from the same team?
                    Zi Sang

                    Dear Ranjit,

                     

                    My use-case is: all the people from the same "Support Group" of Organization can see the Records which are created by a person from this Support Group.

                    I did the following according to your suggestion:

                     

                    1. In Record "Firewall Request", I created a Security Label called "Firewall Single Team Visibility"

                    2. In each Field of the Record "Firewall Request", I added permission to the Security Label "Firewall Single Team Visibility"

                    3. I created a Process "Set Creators Support Group as Security Label"

                    The following 4 activities are used:

                     

                    3.1 "Get Record-Firewall Request"

                    Input Variable is the Record ID of Record "Firewall Request", so I use this to get the Record "Firewall Request"


                    3.2 "Get Records By Query-Person", to get the Person Record, who has created the "Firewall Request" Record.

                    Query Expression is: "Login ID" of "Person"  = "Created By" of "Firewall Request"


                    3.3 "Get Records By Query-Support Groups" -> To find out all the Support Groups that this Person belongs to

                     

                    Have I done something wrong in the query expression?

                    Query Expression:

                    "Group ID" of "Support Group" = "Get Record By Query-Person" > Output > Associations > the FOURTH Secondary Organization > Group ID

                     


                    3.4 Sub-Process with "Set Security Label" -> To set all the Support Groups of this Person to Security Label

                     

                    Loop Type is Sequential, Loop Data Input is the Output of "Get Records By Query-Support Groups", and Input Data Item is a Local Variable with Record Type (Support Group) named "support group instance"

                     

                    In "Set Security Label-Request":

                     

                    The Field "Organization IDs" is set as "ID" of the local variable "support group instance"


                    4. Rule

                     

                    Trigger of the Process, is "After Create" of the Record "Firewall Request"

                     

                    Result:

                     

                    I created a Firewall Request, and as follows is the process detail:

                     

                    In "Get Records By Query-Person", I get myself successfully.

                    But in "Get Records By Query-Support Groups", the output is empty.


                    Ranjit Jadhav Laurent Matheo Ranjit, Laurent, can you please take a look at what I did wrong? Thank you!

                     

                    Best regards,

                    Zi

                    • 7. Re: Innovation Suite-How to set Record Grid to be visible only for people from the same team?
                      Zi Sang

                      Hi Everyone,

                       

                      As we don't know how to find the "Support Group" from the Output of a "Person", we did the following workaround:

                       

                      By creating the Record, user must also choose "Support Group" from a Name List.

                       

                      Then, in Process, we used "Set Security Label", in the field of "Organization", we filled out the ID of Support Group.

                       

                      Best regards,

                      Zi

                      • 8. Re: Innovation Suite-How to set Record Grid to be visible only for people from the same team?
                        Zi Sang

                        Ranjit,

                         

                        In the end, in my process, the security label does NOT work; all test users from different support groups can still see all the data records.

                         

                        Maybe we are wrong at one thing:

                         

                        • Maybe we should not:

                        "Set Security Label" -> Maybe not set "Organization IDs" as the ID of "Support Group"

                         

                        • Maybe we should:

                        Loop through every Person of a certain "Support Group", and set the "User Names" as the "LoginID" of each Person

                        -> In Detail:

                          By creating a Record "Request", user must choose Support Group, so that we get the ID of "Support Group", then by using Multiple Instance Loop, we give each Person in this Support Group a Security Label. In the future, if anyone from this support group want to see the data, as everyone has a security label, they can see the data.

                         

                        What is the problem now:

                        1. Even the most simple Set Security Label does not work at all, I don't know what is wrong. I made a test, just giving a security label to one test user, but still, all test users can see this record. Please also see:

                        Innovation Suite-the most simple example of Security Lable doesn't work, i really do not understand how it works

                         

                        2. I have a problem getting the following in the process for the multiple instance loop: "Get Record - Support Group" > Output > Associations > ??? HERE ARE MANY "Person", which one should I choose? I tested all 4 "Person" there, none of them works. Please also see:

                        Innovation Suite- With ID of "Support Group", how to get each "Person" in this Support Group

                         

                        Thank you very much!

                         

                        Best regards,

                        Zi  

                        • 9. Re: Innovation Suite-How to set Record Grid to be visible only for people from the same team?
                          Ranjit Jadhav

                          Zi,

                           

                          I replied to your queries about "Simple Security Label use case" and "which Person association to select" in thread Innovation Suite- With ID of "Support Group", how to get each "Person" in this Support Group and https://communities.bmc.com/thread/200168 respectively.

                           

                          Coming back to the process flow that you mentioned in this post, please try making the following changes:

                          1. As mentioned in the other thread, ensure that you set the "Display Id" field permissions to the "Security Label" group and remove other permissions, if any.

                          2. In your process, you don't need the additional query on support group performed by --> "Get Records By Query-Support Groups". The Person record already has a list of associated Support groups; we can use that directly in the multi instance loop. So remove the action "Get Records By Query-Support Groups".

                          3. Modify process as

                              3.1 Create a local variable for the Person Record and map the output of "Get Records By Query - Person" to it, so that we know which association to use.

                              3.2 Create a local variable for the Support Group Record. This will be the "Input Data Item" for the multi instance loop.

                              3.3 As there is only one action inside the Sub-Process, you actually don't need the Sub-Process. You can add the Multi-Instance loop directly on the Set Security Label action. It should work even with the Sub-Process, it just adds a little overhead. Usually we go for a sub-process when more than one action needs to be grouped.

                              3.4 Now use Person Record variable->Associations->Support Members as the "Loop Data Input". (If you want to use a different association, check the association definitions of Person and use the respective Record Role Name.) As mentioned in the other post, you need the local variable so that the Expression editor expands the Associations by Role Name.

                              3.5 Set the Support Group record local variable as the "Input Data Item".

                              3.6 Use the ID of the Support Group record local variable in the Organization ID of the Set Security Label action input map, with Append Existing Value as True.

                           

                           

                           

                          regards

                          Ranjit

                          1 of 1 people found this helpful
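
An added illustration, not part of the thread and not BMC Innovation Suite code: a small Python model of the flow described in replies 5 and 9 (look up the creator's support groups, write their IDs into the record's security label after create, and let the server filter reads by the reader's memberships). All names and sample data are hypothetical, and the replace-versus-append behaviour modelled for "Append Existing Value" is an assumption.

```python
# Conceptual model of row-level security labels; NOT BMC Innovation Suite code.
# PERSON_GROUPS, set_security_label, after_create, visible_records are hypothetical names.
from dataclasses import dataclass, field

# Constructed sample data: login ID -> support group IDs the person belongs to.
PERSON_GROUPS = {
    "alice": ["SG-NET", "SG-SEC"],
    "bob": ["SG-NET"],
    "carol": ["SG-DB"],
}

@dataclass
class Record:
    record_id: str
    created_by: str
    label_ids: set = field(default_factory=set)  # IDs stored under the security label

def set_security_label(record, org_id, append_existing):
    """One 'Set Security Label' call: append to the stored IDs or replace them (assumed)."""
    if append_existing:
        record.label_ids.add(org_id)
    else:
        record.label_ids = {org_id}

def after_create(record, append_existing=True):
    """After-create rule: loop over the creator's support groups and label the record."""
    for group_id in PERSON_GROUPS.get(record.created_by, []):
        set_security_label(record, group_id, append_existing)
    return record

def visible_records(records, login_id):
    """Server-side read check: only rows whose label shares an ID with the reader."""
    memberships = set(PERSON_GROUPS.get(login_id, []))
    return [r.record_id for r in records if r.label_ids & memberships]

def demo():
    appended = after_create(Record("FW-1", "alice"), append_existing=True)
    # Without append, each loop pass overwrites the label; only the last group survives.
    replaced = after_create(Record("FW-2", "alice"), append_existing=False)
    rows = [appended, replaced, after_create(Record("FW-3", "carol"))]
    return {user: visible_records(rows, user) for user in PERSON_GROUPS}

if __name__ == "__main__":
    for user, ids in demo().items():
        print(user, ids)
```

In this model bob, who shares only SG-NET with alice, loses sight of FW-2 because the non-appending loop left only SG-SEC on its label, and a reader with no matching membership gets no rows at all.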