Global Search Scope

Simon_Zeinhofer Customer Advanced IT Monkey ✭✭✭
edited July 2022 in CMDB Portal

Hello guys,

we have an issue with the Global search - In detail the results which are shown. Global search is only activated for analysts - End users have to use the old one.

In our company we have an IT which is based in our headquarters. Every department of this IT has its own security group (based on Advanced Operator), which also has access to all work items, config items and tasks. We just filter the Service/Request Offerings, which are shown with these groups.

We also have ONE Incident Resolver Security group, whose only member is the Cireson Analyst AD group which we defined in the portal.

In some subsidiaries we have Administrators who also need access to certain work items, Hardware Assets and so on - So they can fulfill their work. I created Security Groups (based on Incident Resolver) for every subsidiary and also catalogue groups for Hardware Assets, which are in their location, as well as queues for Incidents, where users from their locations are the affected user.

As every user in our company needs the permission to approve/reject a Review Activity (not all, only the ones assigned to him/her), we had to add the service request class to the scope of our custom End User class, which includes every user from our domain. I did this with the help of this script: https://docs.microsoft.com/en-us/system-center/scsm/sm-perf?view=sc-sm-2022 . So no queue is needed for Service Requests and users can approve/reject their RAs as soon as the SR is created. I did the same with the user class, software asset class and some other classes (like Standard, Location and so on) where every user needs the permission to see and select them in a request offering - That works really well and we reduce the time which is needed for the group/queue calculation.


Now the problem with global search is that analysts who are not members of any of the headquarter IT Security groups are not able to see any results when they are searching for Service Requests, Software Assets, Review Activities and Manual Activities, where we set the permission for the global end user group with this script - They see their scoped incidents, all Users (which we added to the scope of the global user security group with the script as well) and their scoped Hardware Assets though. I thought maybe this is because we have it only activated for analysts and so I have to add the SR class to the scope of the Cireson Analyst security group as well, but unfortunately that did not help (also after a cachebuilder restart/Scope rebuild). When we send them a link to the Service Request they can open it without any problems, so the permissions are set correctly. Same goes for Manual Activities and Review Activities - The base Analyst security group whose only member is the Cireson Analyst group has scope access to all RAs and MAs (not via queues but with the script from Microsoft) - Still the search returns no results here.


Did I miss something here? Or are scopes outside of groups/queues, like we did with the script, not supported in Cireson and Global Search? But why is it working when they search for AD users then? Or are the AD Users visible because the global users instance group is selected in the config item groups?

Answers

  • Simon_Zeinhofer Customer Advanced IT Monkey ✭✭✭
    edited July 2022

    It does not just affect the global search, also the normal work item search is affected...


    I ran the exec spCheck_UserWorkItemPermissions Stored Procedure and it gives back " - DOES NOT Have Permission to Access Work Item with ID:" when I try it with an analyst user who has this problem and a Service Request ID.

    But that's not right, all Users have access to all SRs - So does the Cachebuilder just bring in permissions from Queues and Groups, and ignore Class Instances which are added to the Scope?

    And it seems like this only affects the search, because when we provide a link he/she can open the work item immediately. Same goes for Review Activities, which can be approved/rejected immediately.
