3 Replies Latest reply on Jan 4, 2016 12:23 AM by vikkyg86

    Account limitation best practices

    jof300

      Hello everybody,

       

      I would like to know if there is (are) any best practice to implement account limitation / view?

       

      For example, my company is composed of 4 "sub-companies".

       

      I created a department account limitation and assigned it to each one, but I would like some departments to view nodes of other departments.

       

      Any advice, trick?

       

      Regards

        • Re: Account limitation best practices
          zackm

          That's a very 'it depends' kind of question...

           

          Your best bet would be to map out a schema on the whiteboard and envision who needs to see what. Once you get that down, I would try and identify something about the nodes that makes them stand out. You will want to make a custom property on this.

           

          For instance, I have seen before something like this:

           

          Departments: A, B, C, D

          Users: 1, 2, 3

           

          User 1 needs to see only A

          User 2 needs to see A and C

          User 3 needs to see A,B,C,D (everything)

           

          So, you create groups/accounts for each user set.

          Then you assign a custom property field to all nodes named 'Department'

          Then, you populate the nodes with what departments use them (i.e., shared switches will get more than one value)

           

          Now, you create account limitations on the groups to allow them only to see certain nodes like this:

           

          User 1 Limitation:

               Department = A

          User 2 Limitation:

               Department IN ('A','C')

          User 3 Limitation:

               Department IS NOT NULL

           

           

          As you can imagine, there are hundreds of possibilities here (and definitely more than one way to get the same results). You can limit on multiple fields as well, even down to the interface level. This should get you in the right direction though.

           

          As far as 'best-practice'; I would always stick with "least-privileged access"
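
          The scheme in the reply above can be checked on paper before it is configured. The following is an added example, not part of the original post and not the monitoring product's own code: it models the 'Department' property as a set of values per node, applies the three limitations, and reports which nodes each account ends up seeing, which nodes nobody sees because the property was never populated, and which shared nodes cross a department boundary. Node names are constructed, and how the product itself matches a multi-valued property is not modelled here.

```python
# Added example: least-privilege audit of a 'Department' limitation scheme.
# Constructed inventory: node name -> departments using it (empty set = untagged).
NODES = {
    "sw-core-01": {"A", "B", "C", "D"},  # shared switch, more than one value
    "sw-ac-01": {"A", "C"},
    "srv-a-01": {"A"},
    "srv-b-01": {"B"},
    "srv-c-01": {"C"},
    "srv-d-01": {"D"},
    "srv-new-01": set(),                 # Department never populated
}

# Limitations from the post. A set means "Department = / IN (...)";
# None stands for "Department IS NOT NULL".
LIMITATIONS = {"User 1": {"A"}, "User 2": {"A", "C"}, "User 3": None}


def visible(limit, depts):
    """True if a node tagged with `depts` passes the account limitation."""
    if limit is None:              # IS NOT NULL: any tagged node
        return bool(depts)
    return bool(limit & depts)     # at least one allowed department


def visibility_matrix(nodes, limitations):
    """Account -> sorted list of nodes it can see."""
    return {user: sorted(n for n, d in nodes.items() if visible(lim, d))
            for user, lim in limitations.items()}


def untagged(nodes):
    """Nodes hidden from every limited account, including 'IS NOT NULL'."""
    return sorted(n for n, d in nodes.items() if not d)


def cross_department_exposure(nodes, limitations):
    """Visible nodes that are also used by departments outside the limitation."""
    return {user: sorted(n for n, d in nodes.items()
                         if visible(lim, d) and d - lim)
            for user, lim in limitations.items() if lim is not None}


if __name__ == "__main__":
    for user, seen in visibility_matrix(NODES, LIMITATIONS).items():
        print(user, "sees", seen)
    print("untagged (invisible to all limited accounts):", untagged(NODES))
    print("shared nodes crossing departments:",
          cross_department_exposure(NODES, LIMITATIONS))
```

          Comparing the printed matrix with the whiteboard schema shows where a shared node gives an account more than it needs, and the untagged list shows nodes that will silently disappear from every limited view.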