Restrict Access to Subset of Incidents

  • Question

  • Hi,

    I have a request to restrict visibility to a subset of Security related Incidents. The subset we want to hide is Incidents whose category is one of 3 Vulnerability categories.

    I have created a queue for Incidents that meet that criteria. I have other queues for our SLAs that are based on Support Group and Priority. I have updated my existing queues to exclude the Vulnerability categories.

    For my roles, I have a Default Role based on the Incident Resolver role where I define the queues, and then individual roles for each support group that provide access to views, etc., and I select "Provide access to only the selected queues" and select none. All users are in the Default Role and are then in roles based on which support group they fall into.

    When I create an Incident that falls only into my Security queue, I am still able to see it with user accounts not in the Security Role, which has access to the queue. I have looked at the History tab in the Incident and see that the only Queue it has been added to is the Security Queue. I have gone through each role and ensured none of them except Security have the queue added, but I am still able to see the Incidents in various views and by searching.

    Any ideas?

    Friday, November 7, 2014 4:59 PM

All replies

  • Security roles are additive. If all users are in the default roles, which are not queue scoped, they will have that access PLUS whatever other access you define. In this case, they will have Incident Resolver to all work items PLUS Incident Resolver to all work items in the queues you select.

    You'll need to work backwards on this. Create a queue for all incidents that DON'T match your security filter (i.e. an "everything else" queue) and put this into a new role. Remove all users from all roles and only add them to the new Everything Else Incident Resolvers.

    Essentially, public access work items would be in a public access queue, and "secured" work items would only be visible to people in the default roles, or people who were specifically given access to that secured queue.

    Of course, you're still going to run into the problem that new work items don't exist in ANY queue until the Group Calc process runs and stamps them. The default time for this is 30 seconds, so if an analyst creates a work item, they won't be able to see their own creation until up to 30 seconds after the first save.

    Friday, November 7, 2014 7:21 PM
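To make the additive-roles reasoning in the reply above concrete, here is an added Python model (not SCSM code, and not from either poster) that computes what a user can see as the union of the queue scopes of every role they hold, and also shows the window before Group Calc has stamped a new item into any queue. The queue names, categories, incidents and user names are constructed for the illustration.

```python
from dataclasses import dataclass, field

ALL = "ALL"  # role scoped to all work items rather than to selected queues
VULN_CATEGORIES = {"Vuln-Critical", "Vuln-High", "Vuln-Medium"}  # constructed names

# Queue membership criteria, applied by the simulated Group Calc run.
QUEUES = {
    "Security": lambda inc: inc.category in VULN_CATEGORIES,
    "EverythingElse": lambda inc: inc.category not in VULN_CATEGORIES,
}

@dataclass
class Incident:
    id: str
    category: str
    queues: set = field(default_factory=set)  # empty until Group Calc stamps it

@dataclass
class Role:
    name: str
    scope: object  # ALL, or the set of queues selected under "only the selected queues"
    members: set

def group_calc(incidents):
    """Stamp every incident into each queue whose criteria it matches."""
    for inc in incidents:
        inc.queues = {name for name, match in QUEUES.items() if match(inc)}

def can_see(user, incident, roles):
    """Roles are additive: any one role the user holds is enough to grant access."""
    for role in roles:
        if user in role.members and (role.scope == ALL or role.scope & incident.queues):
            return True
    return False

# The questioner's layout: a catch-all role every user holds, plus a queue-scoped one.
LEAKY_ROLES = [Role("Default Resolver", ALL, {"alice", "bob"}),
               Role("Security", {"Security"}, {"bob"})]
# The reply's layout: users hold only the "everything else" role unless cleared for Security.
FIXED_ROLES = [Role("Everything Else Resolvers", {"EverythingElse"}, {"alice", "bob"}),
               Role("Security", {"Security"}, {"bob"})]

def visibility(user, roles, run_group_calc=True):
    """Constructed incidents: one vulnerability item (IR1) and one ordinary item (IR2)."""
    incidents = [Incident("IR1", "Vuln-High"), Incident("IR2", "Printer")]
    if run_group_calc:
        group_calc(incidents)  # skip to model the window before the first calc run
    return sorted(i.id for i in incidents if can_see(user, i, roles))

if __name__ == "__main__":
    print(visibility("alice", LEAKY_ROLES))                        # ['IR1', 'IR2']: leak
    print(visibility("alice", FIXED_ROLES))                        # ['IR2']
    print(visibility("alice", FIXED_ROLES, run_group_calc=False))  # []: pre-stamp gap
```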
  • We don't have any users or groups in any of the default roles except Administrators. We created our own "Default" role that is a custom role based on Incident Resolver. All roles are scoped down to no queues except for the "Default" queue which currently has all queues except the new Security queue.

    Friday, November 7, 2014 8:09 PM