NetResults ProblemTracker
Security Model

Overview

In addition to the security provided by the web server to limit access to web pages, ProblemTracker also incorporates a built-in security model that allows the administrator to control access to both function (Add, Delete, Edit, etc.) and data.

By using these features the administrator can create different classes of users (via user groups) with different available operations and access to data. For example, a user group could be defined that allows users access to query and view only those records created by other users in their group.

Note that this section is meant to serve as an introduction to basic ProblemTracker security concepts. Detailed information on how to perform specific tasks are covered in the various help subjects where the options are actually set.


User Groups and Logins

The ProblemTracker security model is based on the concept of individual users and user groups. Each individual user must log into the system, and each user is a member of one or more user groups. User groups are a convenient way to group similar users together, and define security for those users.

For example, rather than defining specific access privileges for all 50 users at a company, the administrator can split the users in to functional groups (Engineering, QA, Customers, etc.), define security for the functional groups, and then assign the users to those groups.

All users are a member of the system-defined user group "Users", and the Admin user is always a member of the system-defined user group "Admin".

Users and user groups are covered in detailed in these help topics:


Restricting Access To Functions

Each user group can be assign privileges, and each user that is a member of the group inherits that privilege. All of the basic ProblemTracker function like Add, Edit, etc. are defined to be a privilege that can be assigned to a user group.

For example, to allow enable a user Edit and View records, you would create a user group that has both Edit and View privileges, and then assign the user to that group.

One special case is the Admin group, which always has Admin function privilege. Other user groups can also be defined to have this privilege, however it cannot be removed from the Admin group. Privileges are covered in detailed in the following help topic:


Restricting Access To Data

ProblemTracker supports an optional record-level data security model. This means that each data record is defined to be visible to a set of user groups. The record can be seen by any user who is a member of a group in this set, it is invisible to all other users. This feature can be enabled or disabled via the setting under General Preferences.

By default, when a record is created, it is set visible to all groups that the user who is creating the record is a member of. You can assign a user group the ability to modify record security. All users with this privilege are given the ability to explicitly pick the user groups the record is visible to when it is created, and also the ability to later edit the visibility. There are two options that control this behavior (see General Preferences for details...):

If you have a set of users who should be able to access all records, irrespective of which user groups they belong to, you should give those users the Override Record-Level Security privilege. This can be useful for situations where internal users should be able to see all records, but external users should be limited to viewing only records they have added or records which have been explicitly made visible to them. You can configure the system to do this by giving Override Record-Level Security to internal user groups (and excluding it from the Users user group) and by removing Edit Record Visibility privilege from all external user groups (and the Users user group). When this is done in a system where Record-Level Security is enabled, Limit Record Visibility Selection to A Users's Own Groups is set to Yes, and By Default Include Group "Users" for Record Visibility On Add Operations is set to No, external users will only be able to see records they (or others in their group(s)) have added and internal users will be able to see all records. See User Administration - Privileges and General Preferences for details on how to modify these settings.