Security - What Methodology are you using?
For me, we are in the midst of a redesign from using all out of the box roles (bad practice I know, cringe) with AD groups as the members (support groups).
Currently, I have planned out to create two roles, 1 for analysts and 1 for end users, with additional roles planned for ROs/SOs. We are a relatively small shop in my opinion, with about 40 analysts over 15 groups, and finally breaking into the end user realm (over 400 users). To facilitate the new roles, I plan to do some nesting with an Analyst and an End User AD group, with the support groups added to the Analyst or End User AD group.
Please provide any feedback on my plan if you have any, but most importantly feel free to share how you are handling Security.
Comments
This version "stacks" allowing future build out of a Service Catalog that doesn't require constant re-tweaking of said permissions and instead offers a "just publish" mindset and less of a "you have to really understand SCSM dependencies of how individuals receive access." Certainly not saying it's perfect or there isn't some other better way to organize one's service catalog (as it will certainly vary from shop to shop).
To build out further on the above examples:
- Everyone can request new hardware (IT request)
- Managers and above can hire an employee (HR request)
- Directors and above can request access to direct reports' drives, email, etc. (HR request. All IT function is automated via SCO/SMA)
- C Level gets access to things like "Need a favor?" (could easily span multiple departments)
And if you have built some automated HR processes around hiring and department transfers, that means people inherit these new roles automatically the next business day (i.e. someone in the org is promoted). I could go on and on about End User roles, but in the interest of saving you from scrolling...
Analyst Roles (SR, IR, MA, CR, PR, etc.)
IMHO these are the roles you get several tries at - But in all seriousness:
*With respect to Configuration Items it certainly depends how heavily you leverage them. Again, if IT is using them left and right, there probably isn't any harm in just giving full access via one of those analyst roles. Not saying it's right or you shouldn't create a dedicated role and then IT gets it as part of the combination of security roles...but also just trying to keep this in mind given how much SCSM admin you are/aren't interested in doing.
Hope this helps!
Thank you @Adam_Dzyacky! I was hopeful that I would receive more responses, but thankful for yours as I definitely had not thought enough with regard to the level of detail that you have broken out above. Although our use is solely Analyst Portal (and I sure hope one day for End User access) I see the benefit of adding the granularity with the roles.
The addition of the Support Group enum to CR/MA was a big win for us. I am also working on Config Item / Queue scoping, as to this point there was a lack of focus/want, but with new support, timing is looking to line up for a revamp!