
Security - What Methodology are you using?

Brad_McKenna (Customer, Advanced IT Monkey ✭✭✭)
Hello all, wanted to start a discussion on how others in the community are handling/have implemented Service Manager Security.

For me, we are in the midst of a redesign from using all out of the box roles (bad practice I know, cringe) with AD groups as the members (support groups).

Currently, I have planned out to create two roles, 1 for analysts and 1 for end users, with additional roles planned for ROs/SOs. We are a relatively small shop in my opinion, with about 40 analysts over 15 groups, and finally breaking into the end user realm (over 400 users). To facilitate the new roles, I plan to do some nesting with an analyst and an end user AD group, with groups added to the analyst or end user AD group.

Please provide any feedback on my plan if you have any, but most importantly feel free to share how you are handling Security.


  • Adam_Dzyacky (Product Owner, Contributor Monkey ✭✭✭✭✭)
    So just talking about the End User role...

    • End Users - Everyone
    • End Users - Managers
    • End Users - Directors
    • End Users - C Levels

    This version "stacks" allowing future build out of a Service Catalog that doesn't require constant re-tweaking of said permissions and instead offers a "just publish" mindset and less of a "you have to really understand SCSM dependencies of how individuals receive access." Certainly not saying it's perfect or there isn't some other better way to organize one's service catalog (as it will certainly vary from shop to shop).

    To build out further on the above examples:
    • Everyone can request new hardware (IT request)
    • Managers and above can hire an employee (HR request)
    • Directors and above can request access to direct report's drives, email, etc. (HR request. All IT function is automated via SCO/SMA)
    • C Level get access to things like "Need a favor?" (could easily span multiple departments)
    And if you've built some automated HR processes around hiring and department transfers, that means people inherit these new roles automatically the next business day (i.e. someone in the org is promoted). I could go on and on about End User roles, but in the interest of saving you from scrolling...

    Analyst Roles (SR, IR, MA, CR, PR, etc.)
    IMHO these are the roles you get several tries at :) - But in all seriousness:
    • All of the IT department has access to all IT Incidents, Problems, Change Requests, Service Requests, and Manual Activities. This is really easily achievable just by creating queues based on Support Group. However, make no mistake, you'll need to extend the PR/CR/MA classes to create a Support Group enum. Again, another easy task and one that for CR/MA Cireson supports in the console's My Active Work Items and respective Portal views. This same exact logic would apply to any new departments you introduce. However, these are a collection of roles applied to IT - Incident Resolvers, Service Requests Analysts, etc. The only thing common here is that these roles strictly deal with Work Items, Queues, and Configuration Items* but not anything in the service catalog - instead, analysts would get those by virtue of the aforementioned End User roles

    *With respect to Configuration Items it certainly depends how heavily you leverage them. Again, if IT is using them left and right, there probably isn't any harm in just giving full access via one of those analyst roles. Not saying it's right or you shouldn't create a dedicated role and then IT gets it as part of the combination of security roles...but also just trying to keep this in mind given how much SCSM admin you are/aren't interested in doing.

    hope this helps!
  • Brad_McKenna (Customer, Advanced IT Monkey ✭✭✭)

    Thank you @Adam_Dzyacky! I was hopeful that I would receive more responses, but thankful for yours as I definitely had not thought enough with regard to the level of detail that you have broken out above. Although our use is solely Analyst Portal (and I sure hope one day for End User access) I see the benefit of adding the granularity with the roles.

    The addition of the Support Group enum to CR/MA was a big win for us. I am also working on Config Item / Queue scoping as to this point there was a lack of focus/want, but with new support timing is looking to line up for a revamp!
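
An added example (not part of either post, and not SCSM or Cireson code): a small Python model of the AD group nesting planned in the opening post and the stacked End User tiers described in the reply. It resolves nested membership to show which request offerings each user ends up with and which users were added to a role group directly rather than through a nested group. The group layout (each higher tier nested inside the tier below it), the user names and the function names are assumptions made for illustration.

```python
# Constructed sample data: group -> direct members (users or other groups).
# Group layout and user names are illustrative, not from a real directory.
GROUPS = {
    "SCSM Analysts": ["Service Desk", "Network Team", "tmp.contractor"],
    "Service Desk": ["alice", "bob"],
    "Network Team": ["carol", "Service Desk"],
    "End Users - Everyone": ["End Users - Managers", "alice", "bob", "carol", "dave"],
    "End Users - Managers": ["End Users - Directors", "erin"],
    "End Users - Directors": ["End Users - C Levels", "frank"],
    "End Users - C Levels": ["grace"],
}

# Each request offering is published to exactly one tier group (assumption).
CATALOG = {
    "Request new hardware": "End Users - Everyone",
    "Hire an employee": "End Users - Managers",
    "Access to direct report's drives, email": "End Users - Directors",
    "Need a favor?": "End Users - C Levels",
}


def effective_members(group, groups=GROUPS):
    """Resolve nested membership down to users; the seen set survives cycles."""
    users, seen, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in groups.get(current, []):
            if member in groups:
                stack.append(member)   # nested group: keep walking
            else:
                users.add(member)      # leaf entry: a user account
    return users


def offerings_for(user, catalog=CATALOG, groups=GROUPS):
    """Offerings a user sees through direct or inherited tier membership."""
    return {name for name, tier in catalog.items()
            if user in effective_members(tier, groups)}


def direct_user_grants(role_group, groups=GROUPS):
    """Users added straight to a role group instead of via a nested group."""
    return sorted(m for m in groups.get(role_group, []) if m not in groups)
```

Running `direct_user_grants` against the analyst group after each change is a quick way to spot accounts that bypass the support-group nesting.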
