Company Name Security
There is a setting in the administration System Controls tab under Company Information Settings entitled COMPANY_NAME. ExtraView recognizes this as the main company name. Given that this is the case, a new user added with a company name that is different from the value in the field associated with COMPANY_NAME will not be able to see PRIVATE issues submitted by users in your company. This is especially beneficial if you have customers using the system, and you only want them to have limited privileges to view their own issues.
If you have enabled users or customers to self-register their selves within ExtraView, they will able to sign on to ExtraView, and they will automatically be assigned to the user role entered as the LIMITED_USER_ROLE. The LIMITED_USER_ROLE is set in the Workflow Settings administration menu. This group normally has minimal user privileges. By being added to this role, the user will only be able to view PUBLIC records until a System Administrator re-assigns them to one or more User Roles.
Add a New User screen
Note: When you use the company name as security, and a user moves from one company to another, and you update their record with the new company name, then all the users at that new company will have visibility of the issues that were entered by that person at their original company. You can avoid this by giving the new user a new User ID at the new company, or being diligent to make sure that all their original issues are updated to no longer refer to that person.
Note: If you are signed on with the user ID of admin, the company name security is bypassed. The admin user will see all records.
Note: There is a behavior setting named ENABLE_PRIVACY_GRP_OVERRIDE. If the value is set to YES, then internal users can see all issues regardless of the value of the PRIVACY field. Internal users are defined by the user's personal Company Name being identical to the company name defined by the behavior setting named COMPANY_NAME. If the value is set to NO, users may only see issues when they are a member of the privacy group to which the issue is assigned.
The Company Name and the Privacy of Issues
There is a behavior setting on the administration menu, System Controls tab under Company Information Settings that controls the interaction between the privacy of issues and the different users within different companies that enter these issues. This is entitled ENABLE_COMPANY_NAME_ACCESS. When this setting is YES, different users who have the same company name will be able to view all issues entered by any member of that company. This overrides the Privacy setting of PRIVATE. When the value of ENABLE_COMPANY_NAME_ACCESS is NO, the Privacy setting overrides the behavior, and all issues will be held as being strictly PRIVATE as described in the section on Privacy.
The most typical use of this setting is to allow you to give your customers access to ExtraView, and to allow any member of an individual customer to see all the issues entered by his / her colleagues.
Note: A user will always be able to view an issue that they originated, irrespective of their company name.
There is a behavior setting named COMPANY_OVERRIDE_FIELDS that contains a comma separated list of field names with a display type of User. These fields must exist in the data dictionary. These fields contain the users that the company name security feature works with. By default, company name security works with only the ORIGINATOR field. This setting extends the feature to these other fields.
The use case for this is as follows:
The COMPANY_NAME is set to Host Company. They are the host of the ExtraView site. An issue is submitted by a user in Company A. The Company A user can see the issue as they are the Originator of the issue.
The issue is visible to all Host Company users, because the default company name security allows them to see all issues. A Host Company user is set as the Owner of the issue. They want to assign the issue to a user who is neither a Host Company user, nor are they a Company A user.
They want, for example, to assign the issue to a user who is a member of a company named Company B.
The goal is to extend company name security in such a way that the Company B user is able to view the issue, originally created by the Company A user, because they are assigned to the issue. The Company B user will not see any other Company A originated issues, nor will they be able to see any other Host Company issues, because they are not the ASSIGNED_TO person on other issues.
The Company Name and Privacy Groups
Company name security with ENABLE_COMPANY_NAME_ACCESS and privacy group security are independent features of ExtraView, yet they combine together. The following example summarizes the behavior and interaction of company name security and privacy groups.
Privacy Group Example
Privacy of issues
- The COMPANY_NAME behavior setting is My Company
- ENABLE_COMPANY_NAME_ACCESS is set to YES
- ENABLE_PRIVACY_GROUPS is enabled
- Privacy groups have been created, named Cust XX and Mgr
- Employee of My Company (Company Name on their user screen is set to My Company)
- Member of privacy group Cust XX
- Member of privacy group Mgr
- User B is an employee of My Company
- Member of privacy group Mgr
- User C is an employee of My Company
- Not a member of privacy group Mgr
- User D is an employee of Customer XX, and has been granted access to My Company's ExtraView installation
- Member of the Cust XX privacy group
- User E is an employee of Customer XX, and has been granted access to My Company's ExtraView installation
- They are not a member of any privacy group
Who sees which issues? This table shows issues created in different privacy groups and indicates which users will be able to see the issues. The ‘Y’ indicates that the user will be able to see the issue. Remember that security permission settings and a default setting can be used to control who can see and who can update the privacy field.
|My Company||Customer XX|
|Privacy Group User||User A||User B||User C||User D||User E|
To complete the explanation, note that if it is User D or User E that originates the issue, and the issue remains PRIVATE, then all users in the above scenario will be able to access the issue (but not the users from any other companies). This is because ENABLE_COMPANY_NAME_ACCESS is set to YES.