AD Groups and User Roles

Hello,

I just inherited the entire SCSM and Portal setup from my predecessor who has left the company. I've set up 2 runbooks so far and am missing a lot of info. So I apologize wholeheartedly if I ask a stupid question:

Currently the setup we use is: per Request Offering, there are:

  • User Role with named accounts in there for access
  • Management Pack per RO
  • SO per RO
  • Catalog Group per RO

It's all pretty confusing honestly, to the point of breaking down. I've tried to make it a little less of a one-woman show, and to be able to do that I've tried using Active Directory Security Groups to add to the User Roles so people can be added to the User Roles via the AD Groups. However, I'm getting very mixed results. In an RO where I have an empty User Role, I can still see the RO; others cannot. If I add 2 AD groups (the actual one and the admin one), only the people in the admin group and named accounts directly added to the user role can see the RO.

How can I troubleshoot this? Am I missing something?

I have to add that I have almost NO documentation, so what little I know is through trial and error. While I've used SCOM and SCCM, this is new to me and does my head in.

Answers

  • Peter_Muttenthaler Partner Advanced IT Monkey ✭✭✭
    edited February 2022

    Hi @MoonWitch:

    Maybe that video is helpful; it's for SCSM 2012, but things aren't very different right now :).

    System Center 2012 Service Manager: Service Requests - YouTube

    Permissions are missing; Google for SCSM "User Roles" = permission groups in SCSM, and "Catalog groups", which contain your ROs and SOs.

    For Cireson Portal you have to permit the SO via the catalog group in the user role. The user role contains the AD users/groups you want to permit for forms and other things.

    Cireson also has various learning content (Homepage - Cireson Learning) if you're a customer ;)

  • Justin_Workman Cireson Support Super IT Monkey ✭✭✭✭✭
    edited February 2022

    I have this tool which helps identify what users are in what roles:

    Releases · justinkwork/GetUserRoles · GitHub


    This is the structure of Service Catalog access:

    Users are in a User Role which has access to a:

    ---Catalog Group which Contains:

    ------Service Offering which Contains:

    ---------Request Offering


    Bear in mind that if any of the above membership (AD group, Role Membership, Catalog Group, Service Offering) changes, you will likely need to stop and start the cachebuilder service on the portal servers.


    I hope this helps!
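
Added example, not part of the reply above and not Cireson's or SCSM's code: a small Python model of the access chain described in that reply, which names the first missing link for a user and shows how a stale copy of AD group membership can hide a Request Offering. All group, role and offering names are constructed, and the idea that the portal answers from a copy taken at the last cache build is an assumption.

```python
import copy

# Constructed sample data; every name below is hypothetical.
LIVE = {
    "ad_groups": {"GG-HR-Requests": {"alice"}, "GG-Portal-Admins": {"bob"}},
    "roles": {"CustomRole": {"members": {"GG-HR-Requests", "GG-Portal-Admins", "carol"},
                             "catalog_groups": {"CG-HR"}}},
    "catalog_groups": {"CG-HR": {"SO-HR"}},
    "offerings": {"SO-HR": {"RO-NewHire"}},
}
# Assumption: the portal answers from a copy taken at the last cache build,
# here taken before alice was added to GG-HR-Requests.
CACHED = copy.deepcopy(LIVE)
CACHED["ad_groups"]["GG-HR-Requests"] = set()

def effective_principals(user, ad_groups):
    """The user plus every AD group reached through direct or nested membership."""
    found, grew = {user}, True
    while grew:
        grew = False
        for group, members in ad_groups.items():
            if group not in found and members & found:
                found.add(group)
                grew = True
    return found

def diagnose(user, ro, snap):
    """Walk RO -> SO -> catalog group -> user role -> member; name the first missing link."""
    sos = {so for so, ros in snap["offerings"].items() if ro in ros}
    if not sos:
        return "no service offering contains the request offering"
    cgs = {cg for cg, members in snap["catalog_groups"].items() if members & sos}
    if not cgs:
        return "no catalog group contains the service offering"
    roles = {r for r, d in snap["roles"].items() if d["catalog_groups"] & cgs}
    if not roles:
        return "no user role has access to the catalog group"
    principals = effective_principals(user, snap["ad_groups"])
    hits = sorted(r for r in roles if snap["roles"][r]["members"] & principals)
    if not hits:
        return "user is not a member of a granting role, directly or via an AD group"
    return "visible via " + ", ".join(hits)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, "| live:", diagnose(user, "RO-NewHire", LIVE),
              "| cached:", diagnose(user, "RO-NewHire", CACHED))
```

When the live and cached answers differ for the same user, the chain itself is intact and only the copy is out of date.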

  • MoonWitch Member IT Monkey ✭

    I am trying to figure out why this happens.

    I have a custom User Role: 'CustomRole'. I add users directly to this user role. This works as expected; users IN 'CustomRole' can see the Request Offerings and Service Offering.

    I remove said users from the CustomRole, but add the AD Group (tried Global and Universal). Then I add the users to the AD group. This works - sometimes.

  • Taras_Kirillov Member IT Monkey ✭

    I have the same problem. The users added directly to the user role can see that as expected. Then I add the users to the AD group and then add this group to the user role - this does not work.
