Maximo List Archive

This is an archive of the Maximo Yahoo Community. The content of these pages may sometimes be obsolete, so please check post dates.
Thanks to the community owner Christopher Wanko for providing the content.



Stuck on this one, group restrictions.

From: maximal (2015-12-14 05:33)

Maximo 6.2.0.

Prior sysadmin had restriction on a group defined for site access, so he had group restrictions on:
person.locationsite = 'XX'
laborcraftrate.craft LIKE 'XX%'
labor.worksite = 'XX'

Problem is that users can belong to more than one site, so the next group had no such restrictions, and when assigned to group with site 'YY', users belonging to both groups would only see 'XX' rows for the above three table objects.

Unfortunately, I don't recall any group restriction solutions. I know I can use substitution vars in object queries for each app, and relationships offer some relief, but group restrictions don't appear to allow subselects, relationships, or substitution vars.

I also recall group permissions are additive, but it seems they are additive restrictive and not additive inclusive.

Any suggestions? I think I'm stuck with app-level default filters, which aren't the best.

-C



From: Incomm Solutions (2015-12-14 20:21)


Hey Chris: I haven't had any problems with substitution variables or nesting in group restrictions - I'd write the locationsite one as a qualified data restriction with this condition:
Exists (select 1 from siteauth where userid = :user and siteid = :siteid)
(I think it's siteauth - I'm not in front of it right now.)
I'm going by Maximo 7 behavior though.



From: maximal (2015-12-16 09:37)


I'll try it. The EXISTS might be the only way to reference a foreign table, at least in v6. I tried a subSELECT, no luck. Thanks for reading, I'll let you know!


-C





From: maximal (2015-12-16 09:41)

Nope, v6.2 won't allow substitution vars in the group object restrictions. I'm stuck.
Ironically, I developed this kind of solution for AT&T on version 3 back in the day. It never ends.

-C



From: (2015-12-17 11:45)

I don't remember 6.2, but have you looked into using a function within your expression?



From: maximal (2015-12-17 08:14)

>>I don't remember 6.2, but have you looked into using a function within your expression?
Wes! Long time no see.

I can use either an object attribute, or a custom class. I really don't want to write Java to get what a subselect would deliver. I've got a three-four month window before 7.6 comes in house, so I'm looking to make daily life better but not get full-blown custom dev installed. I'm sure in 7.6 I can actually accomplish this.

All right, looks like I'm stuck for now.

-C



From: Incomm Solutions (2015-12-17 09:43)


I have been able to use a database function in these before, even in 4.1.1, as I recall.
That was with an Oracle database, but no reason why it shouldn't work on others, I would think.



From: maximal (2015-12-17 10:54)

Wait, wait, Shannon and Wes, I was able to validate this: locationsite IN (SELECT 'WY' FROM dual)
So a db function would work. That sucks because now it's a change control, but at least I can filter if I need it. Thanks, you two!

-C



From: maximal (2015-12-17 11:21)

Well, a db function would work, but I still can't identify the logged-in user based on this group restriction. Dang.
-C



From: maximal (2015-12-18 06:24)

I came at this all wrong.
The real issue is restriction on person lookups in certain apps. So, a table domain with some SQL jitsu ought to solve this for any real cases that need it. I'm fairly sure I can query the current user and pull together a list of that user's authorized sites.

I *STILL* think the security group object restrictions should allow for more options, but I'm on 6.2 for another three or four months and then it's 7.6 for us.

-C



From: maximal (2015-12-18 07:17)

Check this out.
SELECT siteid FROM siteauth
WHERE groupname IN (SELECT groupname FROM groupuser WHERE userid = :theUser)
UNION
SELECT siteid FROM site
WHERE (SELECT SUM(authallsites) FROM maxgroup -- if gt 0 then no restriction
WHERE groupname IN
(SELECT groupname FROM groupuser WHERE userid = :theUser)) > 0
;

Rocket sauce.

-C
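
Added example, not part of the original thread: the query from the last post, run with Python's sqlite3 against constructed tables cut down to the columns it reads, then reused as a filter on person.locationsite. The group names, user ids and person rows are made-up sample data, and SQLite stands in for the production database.

```python
import sqlite3

# Query from the post above (layout only changed); :theUser is its bind variable.
AUTHORIZED_SITES = """
SELECT siteid FROM siteauth
 WHERE groupname IN (SELECT groupname FROM groupuser WHERE userid = :theUser)
UNION
SELECT siteid FROM site
 WHERE (SELECT SUM(authallsites) FROM maxgroup
         WHERE groupname IN
               (SELECT groupname FROM groupuser WHERE userid = :theUser)) > 0
"""

# Constructed sample data; only the columns the query reads are modelled.
SCHEMA = """
CREATE TABLE site      (siteid TEXT PRIMARY KEY);
CREATE TABLE maxgroup  (groupname TEXT PRIMARY KEY, authallsites INTEGER);
CREATE TABLE groupuser (groupname TEXT, userid TEXT);
CREATE TABLE siteauth  (groupname TEXT, siteid TEXT);
CREATE TABLE person    (personid TEXT, locationsite TEXT);
INSERT INTO site VALUES ('XX'), ('YY'), ('ZZ');
INSERT INTO maxgroup VALUES ('GRP_XX', 0), ('GRP_YY', 0), ('GRP_ALL', 1);
INSERT INTO siteauth VALUES ('GRP_XX', 'XX'), ('GRP_YY', 'YY');
INSERT INTO groupuser VALUES ('GRP_XX', 'ALICE'), ('GRP_YY', 'ALICE'),
                             ('GRP_XX', 'BOB'), ('GRP_ALL', 'CAROL');
INSERT INTO person VALUES ('P1', 'XX'), ('P2', 'YY'), ('P3', 'ZZ');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def authorized_sites(db, userid):
    # Union of the sites granted by every group the user belongs to.
    rows = db.execute(AUTHORIZED_SITES, {"theUser": userid})
    return sorted(r[0] for r in rows)

def visible_persons(db, userid):
    # The site list as a lookup filter; the SQL text is constant and the
    # user id stays a bound parameter.
    sql = ("SELECT personid FROM person WHERE locationsite IN ("
           + AUTHORIZED_SITES + ") ORDER BY personid")
    return [r[0] for r in db.execute(sql, {"theUser": userid})]

if __name__ == "__main__":
    db = open_db()
    for user in ("ALICE", "BOB", "CAROL", "DAVE"):
        print(user, authorized_sites(db, user), visible_persons(db, user))
```

A user with no group membership gets an empty site list here, because SUM over no rows is NULL and the comparison with 0 is not true.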