5
Currently the live location of engineers is shown on the Schedule Board map with the latitude/longitude data of an engineer being retrieved from resco_mobileaudit records.
The link between the Bookable Resource (User) shown on the map and the resco_mobileaudit record that is read to get their latitude/longitude is provided by the 'Owner' column of the resco_mobileaudit record which contains the User record for the Bookable Resource. When the schedule board map is being loaded, it executes msdyn_FpsAction '213' to retrieve resco_mobileaudit records and place the engineer pins on the map, this action is performed in the context of the SYSTEM user.
Because the Owner field is used to make the link, and the msdyn_FpsAction executes as an elevated user this means that security cannot be applied to these records correctly to control the visibility of engineer locations on the schedule board map.
For instance, in a scenario where an engineer is entering a radius or geofence around a secure customer site (e.g. a restricted government facility) we might want to hide their location from certain users but show it for others as they enter and exit that radius. Currently this is not possible because changing the ownership of the resco_mobileaudit records breaks the link between an engineer and their location data, and even if the link was made through a different attribute the msdyn_FpsAction executes as an elevated user that gets to see all records, rather than respecting the access of the user who opened the schedule board.
The link between the Bookable Resource (User) shown on the map and the resco_mobileaudit record that is read to get their latitude/longitude is provided by the 'Owner' column of the resco_mobileaudit record which contains the User record for the Bookable Resource. When the schedule board map is being loaded, it executes msdyn_FpsAction '213' to retrieve resco_mobileaudit records and place the engineer pins on the map, this action is performed in the context of the SYSTEM user.
Because the Owner field is used to make the link, and the msdyn_FpsAction executes as an elevated user this means that security cannot be applied to these records correctly to control the visibility of engineer locations on the schedule board map.
For instance, in a scenario where an engineer is entering a radius or geofence around a secure customer site (e.g. a restricted government facility) we might want to hide their location from certain users but show it for others as they enter and exit that radius. Currently this is not possible because changing the ownership of the resco_mobileaudit records breaks the link between an engineer and their location data, and even if the link was made through a different attribute the msdyn_FpsAction executes as an elevated user that gets to see all records, rather than respecting the access of the user who opened the schedule board.
STATUS DETAILS
Needs Votes