Project and Portfolio Management Practitioners Forum

Request Search and Project Search validations

kev marks
Super Contributor.

Request Search and Project Search validations

Hello,
We have multiple requests and multiple Project types. Each of these has security that is configured in a different way, with only some segment of users allowed to create / view the request or project.

When a regular user goes to the "Create Project" screen they see only the Project Type they are allowed to create in the "Project Type:" field. They don't see the list of other project types.
This seems to be expected behavior.

But when that same user goes to the Search projects page he sees all of the project types in the "Project Type:" field. Is this expected behavior? Why doesn't the user just see the Project Types that they have access to create/view?

Also, a similar situation occurs on the request side, where you can't create requests of a certain type but you can search on them, and if you don't have the correct access the results just come up empty.

Is this the way it is supposed to work, or is there some extra security I can implement to stop users from searching on request types and project types that they don't have access to see?

Thanks
Kevin


PPM 7.1 SP4
2 REPLIES
Darshan Bavisi
Outstanding Contributor.
Solution

Re: Request Search and Project Search validations

Hi Kevin,

This may happen at several places in the application, probably because the search SQL is not taking care of the security on the searched object and the logged-in user. But when such a user tries to open the searched object, he/she should not be able to view the searched object, with a message something like 'you don't have access to this '. Is this what is happening in your case also? Or is the logged-in user able to view (or even modify) the searched object which they are otherwise not supposed to have access to? If they can, then this may be a configuration issue that should be possible to fix. If they cannot view the searched object but only see the list of such objects, then I think this is possible in some cases. Let me know if all this is happening in your case. This is kind of a defect in the application, which may in some cases be too difficult to even fix.
kev marks
Super Contributor.

Re: Request Search and Project Search validations

Darshan,
When the user searches on a request type that they don't have access to create/view, the list is empty.
Other people who have create/view access will see results in the search page.

I guess I could make a case for this being an acceptable design, although I don't like it.
The one reason it could make sense to have it this way could be when your request/workflow has security on it that uses token based access. If you put in John Smith as the PM on a project request you would want John to be able to search on that request so he would need to see the request type, even though he may not be able to create that type of request.

Thanks
Kevin