Hello, We have multiple requests and multiple Project types. Each of these has security that is configured in a different way, with only some segment of users allowed to create / view the request or project.
When a regular user goes to the "Create Project" screen they see only the Project Type they are allowed to create in the "Project Type:" field. They don't see the list of other project types. This seems to be expected behavior.
But when that same user goes to the Search projects page he sees all of the project types in the "Project Type:" field. Is this expected behavior? Why doesn't the user just see the Project Types that they have access to create/view?
Also, a similar situation occurs on the request side, where you can't create requests of a certain type but you can search on them, and if you don't have the correct access the results just come up empty.
Is this the way it is supposed to work, or is there some extra security I can implement to stop users from searching on request types and project types that they don't have access to see?
This may happen at several places in the application because probably the search SQL is not taking care of the security on the searched object and the logged-in user. But when such a user tries to open the searched object, he/she should not be able to view the searched object, giving the message something like 'you don't have access to this
Darshan, when the user searches on a request type that they don't have access to create/view, the list is empty. Other people who have create/view access will see results in the search page.
I guess I could make a case for this being an acceptable design, although I don't like it. The one reason it could make sense to have it this way could be when your request/workflow has security on it that uses token-based access. If you put in John Smith as the PM on a project request you would want John to be able to search on that request, so he would need to see the request type, even though he may not be able to create that type of request.