USER GUIDE: CIRESON PORTAL USER TYPES

merlenette_jonesmerlenette_jones Member Advanced IT Monkey ✭✭✭
edited September 2016 in General Discussion
Cireson Portal User Types: The Cireson Portal contains several user types whose permissions are a combination of rights granted from System Center Service Manager (SCSM) and rights granted inside the Cireson Portal. For a detailed discussion on the security model please see the following article:

ADMINISTRATOR 

  • Definition: The Administrator user type has rights to:
Additionally, the Administrator has full access to all work items and configuration items. 

*An administrator will still only see those views which are either public or which are granted to a group which he/she is a member of. Of course, administrators have access to Navigation Settings and so can therefore grant themselves permission to whatever view they want*

  • SCSM Configuration: The Administrator user accounts must be included in the SCSM Administrator User Role
  • Portal Configuration: The Administrator user accouts should be included in the Analyst, Knowledge Base Managers, and Asset Managers group for access to those specific role rights in the Cireson Portal
ANALYST
  • Definition: The Analyst user type has rights to:
the +New “drawer” menu and is able to create work items from work item templates, and has rights to the following portal views:
  • Team Work
  • Active Work
  • Search
  • Knowledge
  • My Work

Additionally, Analysts have rights to the following Work Item Tasks:

  • Change Status (Complete/Resolve)
  • Link to/Convert to Parent
  • Copy to New
  • Assign to Analyst by Group
  • Assign to Me
  • Acknowledge
  • Send Email
  • SCSM Configuration: Analyst accounts must be imported into SCSM through an Active Directory (AD) Connector. They must also be a member of at least one of the following user roles within SCSM: Incident Resolvers, Service Request Analysts, Change Managers, Problem Analysts, Advanced Operators, or Authors User Roles. Analysts require access to the work item queues, configuration item groups, catalog item groups, and forms templates, that they require.  Finally, the incident and service request support groups enumerations the analysts are associated with should all be mapped within SCSM to the appropriate AD groups within the Portal Group Mappings Setting (Administration  Settings  Portal Group Mappings).
  • Portal Configuration: The Analyst group is chosen during the portal Installation process. The AD group can later be updated through the SettingsItems UI. Analyst access to create specific types of work items or take specific actions such as reviewing review activities or completing manual activities can be further scoped down to specific groups within the Admin Settings page of the portal.  If the group is changed the cache builder service should be restarted.
KB MANAGER
  • Definition: the KB Managers are able to create, edit, and delete KB articles as well as change the KB enumeration settings.
  • SCSM Configuration: The KB Managers group and members must be imported into SCSM through an AD connector. They must also be a member of at least one user role within SCSM.
Portal Configuration: The KB Managers group is named during the portal Installation process. The AD group can later be updated through the SettingsItems UI.  If the group is changed the cache builder service should be restarted.

ASSET MANAGER

  • Definition: The Asset Managers have permission to create/edit/view asset related data in the Cireson Portal.
  • SCSM Configuration: The Asset Managers group and members must be imported into SCSM through anAD connector. They must also be a member of the Advanced Operators user role within SCSM. Further, they need access to Cireson Asset Management within the console and should have had the Cireson permissions tool run against them to grant access to asset management.
  • Portal Configuration: The Asset Managers group is named during the portal Installation process. The AD group can later be updated through the SettingsItems UI. If the group is changed the cache builder service should be restarted.

END USER
Definition: Portal end user have scoped access to the service catalog and are able to use it to create incidents and service requests. They have access to the following portal views:
  • Home
  • My Request
  • Team Request (if configured)
  • Knowlege Base (end user content only)
  • My Work
End uers will also have access to the following Task:
  • Reactivate
  • Cancel

End Users can also be granted rights to approve or reject review activities, or to complete or cancel manual activities.

  • SCSM Configuration: End users must be imported into SCSM through an AD Connector. They must also be included (usually as a member of the Domain Users AD group) within a custom end user SCSM role. Cireson recommends removing all users from the default SCSM End Users role and creating a new End User role specifically for the Cireson Portal. The End User role must have appropriate access to the required queues and service catalog groups for the portal end users. 
  • Portal Configuration: Within Admin Settings, end user rights can be scoped down to specific groups within the Admin Settings page of the portal. After making this change the web site should be restarted.

Comments

  • Dakota_GreenDakota_Green Member Advanced IT Monkey ✭✭✭
    This is amazing stuff Merle. Great job!
  • Adrian_MataiszAdrian_Mataisz Customer Advanced IT Monkey ✭✭✭
    We disabled My Work for end users but I'm testing to give access to some groups to approve/Reject RAs. 

    I have it  Visible but not Public and the right group added but users in the group don''t see the queue. 
  • merlenette_jonesmerlenette_jones Member Advanced IT Monkey ✭✭✭
    We disabled My Work for end users but I'm testing to give access to some groups to approve/Reject RAs. 

    I have it  Visible but not Public and the right group added but users in the group don''t see the queue. 
    Hello Adrian,

    You must also give your users access to the Parent work item as well not just the activity itself. 

    Merle
  • Adrian_MataiszAdrian_Mataisz Customer Advanced IT Monkey ✭✭✭
    They do have access in SCSM to all work items. The tab for the My work page doesn't show up. Requires IIS restart if you add a group under Navigation Settings?
  • merlenette_jonesmerlenette_jones Member Advanced IT Monkey ✭✭✭
    I would recycle the app pool, the website, and the cahcebuilder service
  • Adrian_MataiszAdrian_Mataisz Customer Advanced IT Monkey ✭✭✭
    @merlenette_jones Thank You.This did it for me. 

    How "Assign forms to active directory groups" can be used?  Can someone provide a real  life example?  Thanks
  • Joe_BurrowsJoe_Burrows Cireson Devops Super IT Monkey ✭✭✭✭✭
    @merlenette_jones Thank You.This did it for me. 

    How "Assign forms to active directory groups" can be used?  Can someone provide a real  life example?  Thanks
    One example would be you have multiple departments doing Service Request Fulfillment. 

    For example: HR department & Service Desk both action SRs assigned to their support groups. However HR need a different look and feel when they open the service request form showing different tab names and properties where the Service Desk need the out of box look with some extended properties for runbook automation input checking.

    I would create a custom form section called HR on my ServiceRequest.js with these different tab names etc and assign this form to an AD group that represents my HR analysts in the admin settings.

    I would also create a custom form called ServiceDesk on my my ServiceRequest.js form exposing the addtional properties and assign this to my ServiceDesk AD group.

    Hope that helps.
    Cheers
    Joe
  • Tom_HendricksTom_Hendricks Customer Super IT Monkey ✭✭✭✭✭
    @merlenette_jones Thank You.This did it for me. 

    How "Assign forms to active directory groups" can be used?  Can someone provide a real  life example?  Thanks
    To add an example to what @Joe_Burrows mentioned, you might want certain fields to be read only (set by template) on a CR form for most users, but you want your change managers to be able to override them.   In one form ("Default"), the field is disabled.  In the other, which is assigned to an AD group your change managers belong to, it is able to be changed.
  • Adrian_MataiszAdrian_Mataisz Customer Advanced IT Monkey ✭✭✭
    Thank You Joe and Tom. Got it know. 
  • Marek_LefekMarek_Lefek Customer Advanced IT Monkey ✭✭✭
    edited July 2017
    Hi I try to review and simplify user groups in portal. Now in SCSM I have all default groups that have reletad  group in Active Directory - 1:1. Could you check is this correct and adviced some modifications? 

    1. All IT employees are  devided in groups IT-dev, IT-ops, IT-adm that are into group "DW" - mean whole IT.
    "DW" group is added into Advanced Operators and as a Portal Analyst group - AnalystsADGroup setting. 
        I would like that IT could see Assets as ReadOnly. 

    2. AD goup  "All-domain-users" is  related into both SCSM "End Users" and "Service Request Analyst" group. And this is little problem. Because without being in Service Request Analyst group they can't choose configuration items like printers, sotware assets in SR'S. The printer list is empty. Itry mixed with Read-Only oeraor but it wont work.
         I would like that users could make SR, IR and choose Assets as ReadOnly.

    3. There is "Asset_Coordinator" Group that should edit asset attributes, but even can't see it. The have aslo admin priviliges.
    .
    I base on KB#1123 and this article but there ale left some others groups. Mayby i think not in proper way.

    4. I would like that some Services and Request in Service Catalog could be visible  only for analytics eg. "Serwer update".
    How it look in you, Which roles you use, do you have to make own roles?

  • gtsaglisgtsaglis Member IT Monkey ✭

    hello,

    is it possible to tell me where exactly i have to grand the permissions ?

    ·        Portal Configuration: Within Admin Settings, end user rights can be scoped down to specific groups within the Admin Settings page of the portal. After making this change the web site should be restarted.

    it is not clear where on the admin settings page.

  • Justin_WorkmanJustin_Workman Cireson Support Super IT Monkey ✭✭✭✭✭

    @gtsaglis - I think the original post was talking about Admin Settings/Activity Settings. If you provide a group for any of the settings on that page, only members of that group will able to perform the action.

Sign In or Register to comment.