I have a department director that wants to be able to see all of the incidents for his department. We want to give him full access to view everything on the incident, which is basically the incident, notes, and assignments. We are still going to hold back analyst notes. The user is an end user. Our initial idea was to make him an analyst so he could see all of his people and then give him a role with read-only access. Of course that's not so good because he needs to be able to create and update his own self-service incidents, so that's not a good idea. With being an analyst he has access to every user in the system, not just his people. I can create a query that limits a dashboard to just his department, but he could easily just start entering incident numbers into the search. As an end user, he can't see data from his employees.
So how do I lock him down from making changes to an incident, yet still be able to create/update his own AND be able to see incidents from his department, without the ability to open a random incident from someone else?
I had thought that I could copy my incident window and make everything read-only, but that still doesn't stop him from opening random incidents if he is an analyst. We don't use data partitioning, but that seems like a potential problem solver, although many posts and the manual seem to suggest using alternatives if possible. Any ideas other than partitioning? Would partitioning help? Will it slow us down?