Restricting access to work items

  • Question

  • I have a requirement to restrict analysts' access to incidents and service requests that are assigned to a support group that they are a part of.  I have created multiple queues that restrict work items by support group and assigned those queues to appropriate user roles and that seems to work well.  Analysts can open the console and are only able to see appropriate work items.

    My problem comes when trying to also configure end user access to the portal.  I have created my own end user role and added all staff to that role.  This works fine as users can browse the portal, raise requests and incidents, and view their open requests.  

    The problem is that analysts may also wish to use the portal to raise work items for support groups that are not their own, so I add them to the end user role as well, but when combined with their analyst access that grants access to all work items in the system.  I can restrict views in the console to limit them to appropriate work items, but they can still use the search to access work items that I don't want them to see.

    I think the solution is that I need to create a more restrictive queue for the end user role, as that is currently unscoped.  Ideally this queue's criteria would be that the current user must be the affected user for the work item in order to access it, but I don't think this is possible?  I see there is the incident (typical) class that has an affected user property, but that seems to require a fixed value in the criteria, rather than take a 'current user' variable.

    Is it possible to achieve what I have been asked to do?  Any and all advice would be very welcome.

    Tuesday, April 14, 2015 2:32 PM


  • Queues don't support the [me] or [mygroup] token. So this way it's not possible to restrict a queue based on the current user as far as I know.

    Andreas Baumgarten | H&D International Group

    Tuesday, April 14, 2015 4:15 PM