
Role based access to work items - Not working as intended

Suleyman_Ozden Customer Advanced IT Monkey ✭✭✭

I am having a little issue here, since I thought I could manage access to work items through SCSM using Queues.

I have 2 departments, one is IT and one is facilities. There is a queue for each using support Groups to differentiate the access to Work items. User roles are used to give access to queues.


This however seems to have no effect. In admin settings in Cireson I can see an "ANALYST AD GROUP". The AD Group used has both the IT and the Facilities Analyst AD Groups as a member. My guess is that this in fact is the reason why my Facilities analyst can view IT Work items, even though I thought I had limited this in SCSM.


I know I can limit what one Group can view using views, but that does not mean the Work items cannot be accessed through a search.


Can anyone confirm the above and do you see a way to get around this problem? We had the impression we could easily use the Portal for shared services. 





 

Answers

  • Brian_Wiest Customer Super IT Monkey ✭✭✭✭✭
    Don't see any notes on your security roles setup. 
    You need a role for each group that only has access to specific queues. 
  • Suleyman_Ozden Customer Advanced IT Monkey ✭✭✭

    Hi Brian

    That's what I meant with "User roles are used to give access to queues.". There is a specific role for each department giving access to only their queues. The queues are using support group as criteria for each department.



  • Brian_Wiest Customer Super IT Monkey ✭✭✭✭✭
    Do you have the Cireson Tier Mappings solution installed?
  • Suleyman_Ozden Customer Advanced IT Monkey ✭✭✭
    Yes I do and actually the AD groups are already mapped accordingly to their support groups. But that does not seem to restrict a group member from accessing a work item outside their own AD group.
  • Brian_Wiest Customer Super IT Monkey ✭✭✭✭✭
    Do you have another Security Role for "End Users" so they can submit work? That group may have all queues checked off. I had to set up a group for End Users to have permissions to CIs so they can submit support requests with related CIs. It may be possible you have another role granting full queues rights. 
  • Suleyman_Ozden Customer Advanced IT Monkey ✭✭✭

    I have checked my custom end user group and it does have access to all queues. So that explains it?

    But I am not sure how to get around that, since they do need access to queues across the two departments.


    What to remove and what to add.

  • Konstantin_Slavin-Bo Customer Ninja IT Monkey ✭✭✭✭
    Do you have DontUseScopedAccess set to true?

    But even so, if the user is not a member of the user role which grants access to the specified queue, they shouldn't be able to actually open and view the work item, even if they maybe can see it in e.g. 'Active Work'. I'm sorry to ask, but are you sure your queues are set up correctly?

    If an analyst searches for a WI from the other queue in the console, do they get any results / can they open and view it?
  • Suleyman_Ozden Customer Advanced IT Monkey ✭✭✭

    Dontusescopedaccess is false.

    I opened the console as the facilities analyst and it seems I can see all Work items. It makes sense that my custom end user role that has access to all queues is causing this.


    Sounds like I have to remove the Queues for IT and the facilities from the end user Group to see if it changes anything.
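
The diagnosis reached in the post above, as an added example that is not part of the original thread or of any Cireson/SCSM tooling: a small audit over an exported role-to-queue mapping that shows which role grants each analyst access outside their department. It assumes user roles are additive (a user gets the union of the queues of every role they belong to); all role, queue and user names are constructed.

```python
# Constructed sample data: role, queue and user names are hypothetical.
ROLES = {
    "IT Analysts": {"queues": {"IT Queue"}, "members": {"it_analyst"}},
    "Facilities Analysts": {"queues": {"Facilities Queue"}, "members": {"fac_analyst"}},
    # The custom end-user role from the thread: every queue is ticked,
    # and the analysts are members of it too.
    "Custom End Users": {
        "queues": {"IT Queue", "Facilities Queue"},
        "members": {"it_analyst", "fac_analyst", "end_user"},
    },
}

# Queues each analyst is supposed to be limited to (the intended design).
INTENDED = {
    "it_analyst": {"IT Queue"},
    "fac_analyst": {"Facilities Queue"},
}

def effective_queues(user, roles):
    """Map each queue the user can reach to the set of roles granting it.

    Assumption: roles are additive, so access is the union over all roles.
    """
    granted = {}
    for name, role in roles.items():
        if user in role["members"]:
            for queue in role["queues"]:
                granted.setdefault(queue, set()).add(name)
    return granted

def excess_access(roles, intended):
    """Return {user: {queue: [granting roles]}} for queues beyond the intended scope."""
    findings = {}
    for user, allowed in intended.items():
        extra = {q: sorted(via) for q, via in effective_queues(user, roles).items()
                 if q not in allowed}
        if extra:
            findings[user] = extra
    return findings

def without_role_queues(roles, role_name):
    """Copy of the role set with one role's queue scope emptied, to preview a fix."""
    return {n: {"queues": set() if n == role_name else set(r["queues"]),
                "members": set(r["members"])} for n, r in roles.items()}

if __name__ == "__main__":
    for user, extra in excess_access(ROLES, INTENDED).items():
        for queue, via in extra.items():
            print(f"{user}: unexpected access to {queue} via {', '.join(via)}")
```
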


  • Konstantin_Slavin-Bo Customer Ninja IT Monkey ✭✭✭✭
    Hey Suleyman - Do you have any news on the issue?
  • Suleyman_Ozden Customer Advanced IT Monkey ✭✭✭
    No this is something I will have to do outside business hours. I will get back on this.