Maureen,
Guillaume's suggestion is a good one. However there still may be
things that these users could do that you do not want them to do. (You may
not have considered all of the functions of the Admin tool and a
"read-only" ARS server.)
For example,
1) You may have passwords in some of your workflow. (Like command line
processes that take parameters from filters.) These users would be able to
access this information. [Depends on the workflow that you have.]
2) The users could likely do an Object export of all ARS objects. The admin
account on the second "read-only" server would also give them "read only"
admin access to all of the data in all of the forms too. So they could
export all of the ARS data too. (They could take your application and data
then build their own ARS server.)
3) The OS user that this server is run as should be different than the
"normal" ARS server. (Run processes triggered by workflow from the
"Read-Only" server could call the "real processes" as the real OS user and
actually do work/alter data.) [This could be done with several "Admin only"
API calls via the "Read-Only" ARS server.]
I would suggest a more limited approach. Something like
MasterDocumenter, ARSDocs, or a new tool that I am working on that does
similar functions. (Shush.. don't tell anyone. :) However as Guillaume
points out these other solutions do require you to keep them "up to date"
because of the cache/processing involved. They also give you the security
of only exposing the specific items that you want to expose, and no risk of
OS/data intrusion. (As they are all "external" to ARS.)
HTH.
--
Carey Matthew Black
Remedy Skilled Professional (RSP)
ARS = Action Request System(Remedy)
Solution = People + Process + Tools
Fast, Accurate, Cheap.... Pick two.
Never ascribe to malice, that which can be explained by incompetence.
From: "Guillaume.Rheault" (TARGET.COM)
Sent by: "Action Request System discussion list(ARSList)"
Date: 08/19/2003 05:13 PM
Subject: Re: "Read-only" administrator access?
Please respond to arslist
Hello Maureen,
You cannot do that. Even sub administrators can modify the workflow of
the forms they are sub administrators...
However, if you are willing to put in a little effort, you can do this:
1 - Ask the DBA to create an account that only has the "select"
privilege on all tables that are owned by aradmin
2 - Install another copy of the Remedy server.
3 - This new copy of Remedy server, instead of using the default aradmin
database account, will use the account created in step 1. To perform
this configuration change, add the Db-user parameter in ar.conf
(ar.cfg), and restart the Remedy server
4 - Instruct your admin to log in to the new Remedy server
You cannot prevent an admin from modifying code at the Remedy level, but you
certainly can at the DB level. The beauty of this is that both Remedy
servers connect to the same DB, so you don't need to sync jack. BTW, I
would strongly suggest you submit an enhancement request to Remedy.
Guillaume Rheault
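A check a DBA could run after step 1 of the procedure above, added here as an example and not part of the original thread. It assumes an Oracle database and a hypothetical account name AR_READONLY (neither is stated in the thread), and lists anything that account holds beyond SELECT on the tables owned by aradmin.

```sql
-- Added example; assumes Oracle and a hypothetical read-only account
-- named AR_READONLY. Run as a DBA. Any row returned is something to review.

-- 1. Object privileges that are not plain SELECT on ARADMIN objects,
--    or that the account could pass on to others.
SELECT owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'AR_READONLY'
AND   (privilege <> 'SELECT' OR owner <> 'ARADMIN' OR grantable = 'YES');

-- 2. System privileges beyond the ability to log in.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'AR_READONLY'
AND    privilege <> 'CREATE SESSION';

-- 3. Roles, which could carry write privileges indirectly.
SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = 'AR_READONLY';

-- 4. Grants to PUBLIC on ARADMIN objects apply to this account as well.
SELECT table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner = 'ARADMIN'
AND    privilege <> 'SELECT';

-- 5. ARADMIN tables the account cannot read (SELECT grant missing).
SELECT t.table_name
FROM   dba_tables t
WHERE  t.owner = 'ARADMIN'
AND    NOT EXISTS (SELECT 1
                   FROM   dba_tab_privs p
                   WHERE  p.grantee    = 'AR_READONLY'
                   AND    p.owner      = t.owner
                   AND    p.table_name = t.table_name
                   AND    p.privilege  = 'SELECT');
```

This only confirms the database-level restriction; the points about exported data and the OS user raised in the reply at the top of the thread are outside what these queries can show.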
-----Original Message-----
From: Maureen Miller [mailto:maureen66@HOTMAIL.COM]
Sent: Tuesday, August 19, 2003 02:37 PM
To: ARSLIST@ARSLIST.ORG
Subject: "Read-only" administrator access?
Greetings Listers!
Is it possible to give someone access to the admin tool, to be able to
inspect all active-links, filters, etc., without being able to modify
them? (I tried creating an "Administrator" "read-only" account as a
test, and... failed miserably) ;)
Thanks in advance,
Maureen
UNSUBSCRIBE or access ARSList Archives at http://www.ARSLIST.org
(Support: mailto:support@arslist.org ) ARSList is hosted by QMX SUPPORT
SERVICES at www.QMXS.com