DA - Organizing cases & case security

Brian_Spooner
Level 5
Two part question here...both related to cases & security. We're running DA 8.0 SP2.

Part 1 - Organizing cases
We have three separate users in our organization who perform DA searches for different purposes. Let's say User A, B and C. Each user can see ALL cases, whether they are the owner or not. They can't go into the cases to see searches, etc...but they just see the list of all cases. Is this normal behavior? Wouldn't you want users to only see cases they have access to?
We'll end up with a lot of cases...so to keep things organized I recommended to our users that they name their cases with a naming convention like 'UserA-casename', 'UserB-casename', etc, so they can quickly identify which cases are theirs. One of our customers wanted to know if it was possible to make a 'User A' folder under cases so they could put all their cases there. I don't see any options to do something like this -- is it possible? Maybe coming in a future update?

Part 2 - Case security
We noticed that users can change the name of cases they aren't the owner of -- should they be able to? How can I limit them to only modify cases they are the owner of? Even more concerning is that users can change themselves to Owner on any case... Is that really supposed to be that way or is something wrong?

Users A, B and C have the same application role applied. Here's a screenshot of the role setup. I hope I'm just doing something wrong in the role setup and these aren't deficiencies in the way DA handles security.

DArole.jpg


Any help or guidance here is greatly appreciated.

Thanks,
-Brian
1 ACCEPTED SOLUTION

jajensen
Level 4
Partner
Brian,

The problem here is that you're giving your users Application-Level access to create and configure cases.  This is why they can see other users' cases and change their properties.

If you want to keep users out of other users' cases, then you have to remove them from that Application-level role and appoint some other admin as the Application-level person to initially create and configure the cases needed.  Once those cases are created, then the users who need the case can be made the owner, and that person can configure their case as they wish without having the ability to go in and mess with other cases that are out there.  At that point, they shouldn't even see the other cases that are out there, simply because they won't have any application-level roles applied to them.

As far as the folders go, you can only do such a thing with Research folders.  You can put a research folder into a case, but not the other way around.  I haven't heard anything about such a feature going in on future releases... that's something you might want to suggest to your Symantec rep if you really feel it should be put in.

Regards,
Jason

9 REPLIES 9

TonySterling
Moderator
Partner    VIP    Accredited Certified
Hi Brian,

For part 1 I also recommend a naming convention that isn't obvious. Normally an alphanumeric code similar to what is in case management software etc. No way to add folders that I can think of, but don't forget you can hide a case by closing it.

For part 2, do these users have any application role assignments?

I think SP3 will have some improvements in roles and permissions that will help you out. Watch out for that! :)

Liam_Finn1
Level 6
Employee Accredited Certified
I agree with JaJensen

You need to assign case level access and not application level access to limit who can see what. It will mean that one person will need to be given Application level access so they can create the cases and assign ownership

As for the folders. On the Forums there is an Ideas Section. The dev teams do meet monthly and review the suggestions listed up there. If you look you will see some show as "Implemented" and others show as "In Development" so if you put your Idea up there it will be reviewed and if they believe it is warranted they may push it to Dev to have it created

Brian_Spooner
Level 5
Hmm...I was afraid of this. So it sounds like the permission model is designed specifically for a central person to create all cases. We have a requirement for three separate users/groups to create & manage their own cases... I suppose if I wanted to completely isolate them I could create separate customer databases for each. I think some review duties cross the groups though...

This does bring up one other question though...if I leave it the way it is, so Users A, B and C have application level permissions to create & manage cases -- is this easily auditable? If I go change myself to the owner of a case right now where does this get logged and how do I view it?

TonySterling
Moderator
Partner    VIP    Accredited Certified
Brian,

I set something up for a customer a little while back where we set up permissions for them to use Research Folders (as Jason mentioned earlier). As he mentioned, folders can be promoted if necessary to a case.

Have you looked at this option?

Brian_Spooner
Level 5
Hm...I haven't looked into that yet. We're just really getting started with DA now and I haven't used the Research Folders yet. Thanks for the suggestion, I'll check it out.

TonySterling
Moderator
Partner    VIP    Accredited Certified
It will be worth a look.  You can give the permission to promote to a case with being able to modify permissions of other cases.  (even though they can see them)

jajensen
Level 4
Partner
Brian,

With regards to your question on auditing, that's the sort of thing you'd get from the DA SQL Reports.

I haven't delved too deeply into those reports, but they will at least tell you who the case owners are at the time, as well as who has what roles within a case.  As to the history, however, I'm fairly sure it doesn't report that way.

The only time I've seen history reported in DA is in the Review Markings, Tags, and comments.  *edit* - History shows in searches and export/production runs as well, of course.

As for crossing roles between customer DB's, it can be done, of course.  It's just more effort putting it together, as well as managing and using it all.  Great for job security!

GertjanA
Moderator
Partner    VIP    Accredited Certified
We have a few fixed departments who can ask for a case to be made. We set up 4 'customers' in DA, effectively separating the depts. Within the depts it is no problem cases are shared, but not outside of the department. (This was in 7.5, mind you.)

Each dept went to its own site (//daserver/customer1, //daserver/customer2, etc.)
We initially also had them on their specific DA server...

How we are going to do this in 8 is not yet decided, but this looks handy

Thanks
Regards. Gertjan