I'm looking into controlling record visibility. I'd like to use one business object (like Incident) and allow its records to be visible to some groups, but not others. I'm basically creating multitenancy. Has anyone done this? If so, how did you implement it?
What are your "groups" based on? Security groups, roles, teams?
I'd think it would be simplest to have separate teams.
Phil, do you want certain groups (teams) to not see Incident management at all?
Yes, some teams should not see Incident records at all. My question is more geared towards how to give access to the Incident business object, but not all the records of that object.
For example, if I’m on the Help Desk team, and create ticket #1; Dave is on the HR team, and he creates ticket #2. If I create another ticket, it’ll be #3, etc. I have no visibility into ticket #2, and Dave cannot see tickets 1 and 3.
This is easy to do in security. There are "gotchas" though.
Define a new field on your BO named something like AvailableToTeam. Auto Populate this field for each incident with the Team/Customer you want to see the Incident. I've done this in the past by adding the "Team" field to the incident Category because they wanted separate categorization too. This field does not have to be visible. You may have to update existing tickets with a valid value.
Create a security group for each team (or group of teams) you want to access things differently. Under the filters choose "Limit records based on criteria" and make the team only able to see incidents where "AvailableToTeam"=<Their Team>.
However, the gotcha here is you can see one, or the other, but not both. So for people who want to run reports or something you may need to define a separate security group for them.
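The filter described in the answer above, modelled as an added example that is not part of the thread or of the product itself. It assumes each user sits in exactly one security group whose criteria compares AvailableToTeam against that group's teams; every name other than AvailableToTeam is hypothetical and the incidents are constructed sample data.

```python
# Added illustration: per-team record visibility driven by an AvailableToTeam field.
# Group names, user names and the incident list are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    allowed_teams: frozenset  # criteria: AvailableToTeam must be one of these


# Assumption: one security group per user, so a reporting user needs a group of
# their own whose criteria covers several teams.
GROUPS = {
    "HelpDesk": SecurityGroup("HelpDesk", frozenset({"Help Desk"})),
    "HR": SecurityGroup("HR", frozenset({"HR"})),
    "Reporting": SecurityGroup("Reporting", frozenset({"Help Desk", "HR"})),
}
USERS = {"helpdesk_user": "HelpDesk", "hr_user": "HR", "reporting_user": "Reporting"}

INCIDENTS = [
    {"id": 1, "AvailableToTeam": "Help Desk"},
    {"id": 2, "AvailableToTeam": "HR"},
    {"id": 3, "AvailableToTeam": "Help Desk"},
    {"id": 4, "AvailableToTeam": None},  # existing ticket that was never populated
]


def visible_ids(user, incidents=INCIDENTS):
    """Return the incident ids a user may see; unknown users see nothing."""
    group = GROUPS.get(USERS.get(user))
    if group is None:
        return []  # deny by default
    return [i["id"] for i in incidents if i.get("AvailableToTeam") in group.allowed_teams]


def unassigned_ids(incidents=INCIDENTS):
    """Incidents no team-filtered group can see because the field holds no valid team."""
    known = set().union(*(g.allowed_teams for g in GROUPS.values()))
    return [i["id"] for i in incidents if i.get("AvailableToTeam") not in known]


def backfill(incidents, default_team):
    """Give unpopulated incidents a valid team, leaving populated ones unchanged."""
    return [dict(i, AvailableToTeam=i.get("AvailableToTeam") or default_team) for i in incidents]


if __name__ == "__main__":
    for user in USERS:
        print(user, visible_ids(user))
    print("unassigned:", unassigned_ids())
```

Running `unassigned_ids()` before switching the filter on shows which existing tickets would vanish from every team's view until they are given a valid value.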