Role based access to work items - Not working as intended

Suleyman_Ozden

I am having a little issue here, since I thought I could manage access to work items trough SCSM using Queues.  

I have 2 departments, one is IT and one is facilities. There is a queue for each using support Groups to differentiate the access to Work items. User roles are used to give access to queues.

This however seem to have no effect. In admin settings in Cireson I can see a "ANALYST AD GROUP". The AD Group used has both the IT and the Facilities Analyst AD Groups as a member. My guess is that this in fact is the reason why my Facilities analyst can view IT Work items, even though I thought I had limited this in SCSM.

I knwo I can limit that one Group can view using views, but that does not mean the Work items cannot be accessed trough a search.

Can anyone confirm the above and do you see a way to get around this problem? We had the impression we could easily use the Portal for shared services. 

 

Brian_Wiest

Disclaimer I have yet to tackle this as I am hold on one queue setup until SCSM 2016

I do not believe that end users need access to all queues. They should still be able to see anything that they are the affected user of. 

Konstantin_Slavin-Bo

Suleyman_Ozden said:

I opened the console as the facilies analyst and it seems I can see all Work items. 

And you didn't open it as a SCSM admin, right? Then something seems to be off.

Suleyman_Ozden said:

t make sense that my custom end user role that has access to all queues is causing this.

Sounds like I have to remove the Queues for IT and the facilites from he end user Group to see if it changes anything.

Yeah, that would be a good place to start. I'm not sure, but I don't believe end users need access to all queues, as their access should be granted by the implied relationships. 

Brian_Wiest

Don't see any notes on your security roles setup. 
You need a role for each group that only has access to specific queues. 

Suleyman_Ozden

Hi Brian

Thats what I meant with "User roles are used to give access to queues.". There is a specific role for each department giving access to only their queues. The queues are using support group as criteria for each department.

Brian_Wiest

Do you have the Cireson Tier Mappings solution installed?

Suleyman_Ozden

Yes I do and actually the AD groups are already mapped accordingly to their support groups. But that does not seem to restrict a group member from accessing a work item outside their own AD group.

Brian_Wiest

Do you have another Security Role for "End Users" so they can submit work? That group my have all queues checked off. I had to setup a group for End Users to have permissions to CI's so they can submit support requests with related CI's. It may be possible you have another role granting full queues rights. 

Suleyman_Ozden

I have checked my custom end user group and it does have access to all queues. So that explains it?

But I am not sure how to get around that, since they do need access to queues across the two departments.

What to remove and what to add.

Konstantin_Slavin-Bo

Do you have DontUseScopedAccess set to true?

But even so, if the user is not member of the user role, which grants access to the specified queue, they shouldn't be able to actually open and view the work item, even if they maybe can see it in a e.g. 'Active Work'. I'm sorry to ask, but are you sure your queues are set up correctly?

If an analysts searches for a WI from the other queue in the console, do they get any results / can they open and view it?

Brian_Wiest

Disclaimer I have yet to tackle this as I am hold on one queue setup until SCSM 2016

I do not believe that end users need access to all queues. They should still be able to see anything that they are the affected user of. 

Suleyman_Ozden

Dontusescopedaccess is false.

I opened the console as the facilies analyst and it seems I can see all Work items. It make sense that my custom end user role that has access to all queues is causing this.

Sounds like I have to remove the Queues for IT and the facilites from he end user Group to see if it changes anything.

Konstantin_Slavin-Bo

Suleyman_Ozden said:

I opened the console as the facilies analyst and it seems I can see all Work items. 

And you didn't open it as a SCSM admin, right? Then something seems to be off.

Suleyman_Ozden said:

t make sense that my custom end user role that has access to all queues is causing this.

Sounds like I have to remove the Queues for IT and the facilites from he end user Group to see if it changes anything.

Yeah, that would be a good place to start. I'm not sure, but I don't believe end users need access to all queues, as their access should be granted by the implied relationships. 

Konstantin_Slavin-Bo

Hey Suleyman - Do you have any news on the issue?

Suleyman_Ozden

No this is something I will have to do outside business hours. I will get back on this.