Hi All,
In my last post, on securing object access through definition groups in prod boxes, I presented a major limitation.
In this post, I'll describe an approach to achieve the same in production instances by going one level up and securing the definition type from users.
Definition type access is controlled by the permission lists given to users through roles. Open any permission list, navigate to PeopleTools and see whether the Application Designer box is checked. If it is, a link named Definition Permissions is enabled. From here we can restrict users' access to a particular type of object.
Approach:
1) We will update the access to a particular type of object to read-only for all permission lists. After doing this, no user will have modify access to that type of object.
For example, to restrict access on all fields, run this query:
UPDATE PSAUTHITEM SET AUTHORIZEDACTIONS=2 WHERE MENUNAME='APPLICATION_DESIGNER' AND BARNAME='DBFIELD';
2) Now create a new permission list and give it full access to the same type of object.
3) Create a new role and add that permission list to this role.
4) Add this role to the user profiles of the admins.
This way, all users lose their modify access to all definition types and have read-only access, but the admins will have full access.
Unlike definition groups, we need not take any additional care of new objects created after this security is put in place.
Write to me with any queries or confusion!
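To check the result of steps 1 to 4, the read-only audit queries below can be run before and after the change. They are an added example, not part of the original post, and assume the standard PeopleTools security tables PSROLECLASS and PSROLEUSER alongside the PSAUTHITEM table used above.

```sql
-- Added audit example (not from the original post).
-- Assumes the standard PeopleTools security tables: PSAUTHITEM (permission
-- list authorizations), PSROLECLASS (role -> permission list) and
-- PSROLEUSER (user -> role). These are SELECTs only; nothing is modified.

-- 1) Before the UPDATE: record the current setting for each permission list
--    so the change can be reviewed or reversed later.
SELECT CLASSID, AUTHORIZEDACTIONS
  FROM PSAUTHITEM
 WHERE MENUNAME = 'APPLICATION_DESIGNER'
   AND BARNAME  = 'DBFIELD'
 ORDER BY CLASSID;

-- 2) After steps 1-4: permission lists that are NOT read-only
--    (AUTHORIZEDACTIONS <> 2). Only the new admin permission list
--    should be returned.
SELECT CLASSID, AUTHORIZEDACTIONS
  FROM PSAUTHITEM
 WHERE MENUNAME = 'APPLICATION_DESIGNER'
   AND BARNAME  = 'DBFIELD'
   AND AUTHORIZEDACTIONS <> 2
 ORDER BY CLASSID;

-- 3) Users who inherit more than read-only access through any role.
--    Every OPRID listed should be an intended admin.
SELECT DISTINCT RU.ROLEUSER AS OPRID,
       RU.ROLENAME,
       RC.CLASSID,
       AI.AUTHORIZEDACTIONS
  FROM PSAUTHITEM AI
  JOIN PSROLECLASS RC ON RC.CLASSID  = AI.CLASSID
  JOIN PSROLEUSER  RU ON RU.ROLENAME = RC.ROLENAME
 WHERE AI.MENUNAME = 'APPLICATION_DESIGNER'
   AND AI.BARNAME  = 'DBFIELD'
   AND AI.AUTHORIZEDACTIONS <> 2
 ORDER BY RU.ROLEUSER, RU.ROLENAME;
```

Rerunning query 3 periodically shows whether any later role assignment has widened modify access beyond the intended admins.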