Role Management
- Michael Luecke (Unlicensed)
- Michael Luecke
- Servicely AI Smart, Simple, Better Service Desk (Unlicensed)
- Chris Jones
Summary
Within Servicely the way to restrict certain information is largely done through referencing a user's set of roles or lack there of. Roles provide the ability to allow, restrict and logically separate visibility and access of records to users. This is tied heavily with the security of records within the system and should be used as an additive approach. In other words, if you want to provide access to a record, you would provide them with a role as opposed to checking if they don't have the role. You can determine what roles a user has via server and client scripting, however certain functionality within the platform already accommodate a user's role composition, such as; permissions, menu items, application properties, Table record restrictions, workflow transitions and more.
Provided Roles
| Name | Application | Description |
|---|---|---|
| cmdb_administrator | cmdb | This is the highest privileged role for the CMDB application and associated tables and provides the ability to edit properties and delete records. |
| cmdb_manager | cmdb | This role provides an expanded set of privileges for the CMDB application and associated tables. |
| cmdb_viewer | cmdb | This is the base role for the CMDB table. This only provides the ability to read the CMDB and a base level amount of information. |
| hr_administrator | hr | This is the highest privileged role for the HR application and associated tables and provides the ability to edit properties and delete records. |
| hr_manager | hr | This role provides an expanded set of privileges for the HR application and associated tables. |
| hr_agent | hr | This is the base role provided to any agents in the system for the HR application. Any specific functionality to any specific HR tables should be created separately. |
| itsm_administrator | itsm | This is the highest privileged role for the ITSM application and associated tables and provides the ability to edit properties and delete records. |
| itsm_manager | itsm | This role provides an expanded set of privileges for the ITSM application and associated tables. |
| itsm_agent | itsm | This is the base role provided to any agents in the system for the ITSM application. Any specific functionality to any specific ITSM tables should be created separately. |
| sofi_administrator | sofi | This is the role given to users who can update the various elements of Sofi. It does not however give access to the script library or ui events, unless they have the other associated roles. |
| platform_selfservice | platform | This is the base role provided to any internal self service user in the system. This role was introduced to allow commonly used table by self service to be tied to one role, as opposed to many. |
| platform_agent | platform | This is the base role provided to any agents in the system. This role was introduced to allow commonly used table by agents to be tied to one role, as opposed to many. |
| platform_data_administrator | platform | This is the highest privileged role in terms of managing the base data within the system. |
| configuration_administrator | platform | This is the highest privileged role for configuration, minus the ability to script. |
| application_administrator | platform | The role required in conjunction with the application specific role to provide them administrative like privileges to platform tables for their tables (for example, classification) |
| knowledge_administrator | knowledge | This is the highest privileged role for the Knowledge application and provides the ability to edit properties. |
| knowledge_manager | knowledge | This role provides an expanded set of privileges for the Knowledge application. These users can skip workflow states and create/modify knowledge bases. |
| knowledge_editor | knowledge | This is the base role for the Knowledge application. This essentially provides users the ability to create and update knowledge articles. |
| administrator | platform | Role for administrators. Only users who have this role in the base system will have access to scripting capabilities. |
Recommended Practice
When developing a new application, it is recommended that you introduce a few different levels of permissions. In doing so, it means that it's not a case of providing all or nothing access, but instead a more segmented approach to ensure that work can be done by more than just administrators. The common recommended 3 level approach is as follows (note that is just recommended and your role structure can be as basic or as complex as you need).:
- Agent level: Provides basic process usage of the application. Such as a service desk user who needs to complete incidents, cases or otherwise. They have no capabilities to delete records and may not have advanced functionality that may only occur through an escalation or otherwise.
- Manager level: Provides more advance functionality that needs to used sparingly or requires a certain level of responsibility associated to it. This may include the ability to make an incident a major incident or shortcut approval processes.
- Administrator level: Provides administrative capability for that record that allows users who can delete the records or configure functionality connected to it. This may include the ability to create classifications or change if a certain record requires approval or not.
In situations where as you are creating an application for users outside of your organisation, such as vendors, who should not have common self service visibility (such as being able to see other users in the system), it is recommended you do not alter the platform_selfservice role to accommodate this, but instead make a different role for this purpose. This way you can easily control and only add visibility to records that they should be able to read. The platform_selfservice role is meant to be the role provided to the majority of users to allow them to raise or read their own tickets (and the information they require to enter as such), but in records that may be for users outside of your organisation, you would often need to restrict the visibility of records even more.
Application Admin
Application administration is an optional extra that can be enabled for a table to provide a more segmented approach to administer certain functionality for an application, within needing to get a system administrator involved.
Role inheritance
When you are editing a role, it is possible to have a role contain other roles. What this will do is that every time a user or group is provided the role that contains that role (and any roles that those contain), they will inherit any roles that are included there. It is common practice that when you create an administrator role for an application, that the role that was created will contain any other role that was created for that application.
Servicely Documentation