Cleaning Up User Roles..
Dorrell_McNeil
Customer IT Monkey ✭
We're looking into cleaning up some of our user roles in SCSM with new administrators coming into the fold and I'm wondering if the Incident Resolver role would conflict with the Advanced Operator role if the same AD security group were mapped to them both. I believe it would...but also not sure how certain analysts haven't run into issues before. Wouldn't the "most restrictive" permissions/group apply here and take precedence?
Best Answer
-
Options
Simon_Zeinhofer
Customer Ninja IT Monkey ✭✭✭✭
@Dorrell_McNeil I don't understand what you mean with mapping.
You mean that your AD Group, let's call it "scsm-analysts" would be a member of these 2 roles:
-SCSM Incident Resolvers
-SCSM Advanced Operators
If that's what you mean the users from these AD Groups should have the permissions of both security roles. So you could see it as a combination of both roles - I can just tell from my experience.
The question is, have you created you rown user roles based on the OOTB ones or have you just used the OOTB roles?
1
Answers
@Dorrell_McNeil I don't understand what you mean with mapping.
You mean that your AD Group, let's call it "scsm-analysts" would be a member of these 2 roles:
-SCSM Incident Resolvers
-SCSM Advanced Operators
If that's what you mean the users from these AD Groups should have the permissions of both security roles. So you could see it as a combination of both roles - I can just tell from my experience.
The question is, have you created you rown user roles based on the OOTB ones or have you just used the OOTB roles?
@Simon_Zeinhofer Yes, we've created our own based on the OOTB roles. Your example is correct. We've had 'scsm-analysts' members of both incident resolvers and Advanced operators. Seems redundant but also wasn't sure if the most restrictive role (Incident Resolvers) would overrule the Advanced Operators role. In our environment, we only need the AO role, so it shouldn't be a problem moving forward. Thanks for the input!
@Dorrell_McNeil Nice to hear :)
We created several User Roles, based on the OOTB ones, so we could e.g. limit the access to service offerings on certain departments - I guess only for our IT we have 10 different Advanced Operator roles.
As SCSM User role management is Pain in the Ass IMO it makes the whole thing a bit more complicated but we are pretty fast in finding security issues, because we know which security role is affected and what needs to be changed.