Issues with user role security

  • Question

  • Hello,

    I've been following the directions found in this post: http://scug.be/scsm/2010/03/21/service-manager-role-based-security-scoping/ 

    I'm having some issues with user role scoping.  After getting the Queue, Views and Custom Incident Resolver role configured I logged onto a test account, on a separate machine, and installed the Service Manager console.  My expectation was to only see work items listed under the Incident Management heading.  What I have observed is that all of the Work Item subheading are still visible and all of the work items are accessible.  It is as if all of the queues and view and user role scoping has had no affect on this user.  

    I am attempting to configure this system to allow a subset of end users to have the ability to resolve one specific type of incident related to one 3rd party product we are rolling out.  I am hoping that this is possible.  

    Please let me know if there is any other necessary information needed to start sorting this mess out.

    Current configuration:

    OOB End User Role - Users contains Authenticated Users

    Custom Incident Resolvers - Users contains only my Test User. This group has access to only two queues: one contains all of the specific incidents, the other contains the specific incidents that are unassigned.

    Config Items, catalog Item Group, Tasks, Form Templates - I've allowed access to all of these

    Views - I've allowed access to: incidents with SL Warnings and Breaches, all Incidents, the view that contains the specific incidents, My Incidents

    Thanks in advance for any assistance.



    Tuesday, December 5, 2017 8:23 PM

All replies

  • Hi

    Working out security in Service Manager can be very difficult. Personally I have not had a good experience with Queues - they cause more trouble than they are worth. For more see my blog post: Service Manager Queues - Good or Bad?

    But queues do have their place and will keep data in the operational database separate.

    I would be careful with the OOB box user roles - these usually allow you to "see" too much. It is better to make a custom role. Have a look at two more of my blog posts:

    The first provides a good background on Roles and Profiles. The Appendix A documentation gives the best description of what each does.

    Download the Security script in the 2nd post from Technet Gallery. I wrote it to work out exactly what a user has access to and so you can figure out why they see stuff they should not.

    In your specific case I think you might be able to get away without using queues and just using custom views to focus the analysts on the jobs relating to the 3rd party app. They would still have access to other jobs, but would need to go searching to find them.

    You would create the view or views to show active 3rd party app jobs, inactive 3rd party jobs etc. Then create another custom incidents user role that does not give All Views, but instead only gives the new custom views.

    This way when the analyst opens the console they just see the Incidents relating to their 3rd party app.

    And just to finish, Custom views will require some edits to work as expected, so have a look at this blog post - SCSM Console Views.

    Regards

    Glen


    Web: www.xapity.com  |   Twitter: @xapityapps  |   Facebook: xapityapps

    Wednesday, December 6, 2017 10:00 AM
  • Glen,

    Thank you for all of the insight into this issue I'm working on.  I've read over all of the documentation you sent and I've started to implement this into my test system.  I've backed out the queues and created the views I need, but when I log onto the Service Manager console on the test user's machine it appears that the limitations to those views are not applying to my test user.  I launched the console as the test user on the server and all of the limitations were in place.

    I was under the impression that I would be able to install the console on other machines and manage permissions/security roles from the server.  Is this the case, or do I need to create a shortcut to the server instance of the console on the end users' machines?

    Please let me know when you can and thanks again for the info.

    Wednesday, December 6, 2017 7:53 PM
  • Hi

    Your impression is correct. And usually security role changes work straight away. This would seem to be a client console issue - not getting the security updates. 

    The console is connecting to a management server and then it connects to the SQL database and this is the source of all data and security. So the client console should give the same result as the server. If you have two servers you can choose which one the console connects - Open the console, Tools Menu, Connect and choose the server.

    Maybe clear the cache on the local machine - delete the folder %AppData%\Local\Microsoft\System Center Service Manager 2010 

    Regards

    Glen



    • Marked as answer by jarrett faulk Thursday, December 7, 2017 1:08 PM
    Wednesday, December 6, 2017 9:36 PM
  • Glen,

    Is there some trick to getting these permissions to update without having to delete the folder you mentioned?  I've been working out what exactly I need to have these different roles view and what tasks they need, and every time I have to delete this folder.

    Please let me know when you can.

    Thank you

    Friday, December 8, 2017 2:21 PM
  • Hi Jarrett,

    It sounds like the desktop computer is having issues. Normally, there is nothing you have to do, it is automatic. 

    Deleting the cache folder each time is not good. I would look in the client computer logs to see if there is anything that might give a clue. I would try reinstalling - which raises a point, is the client on the same Update Release as the server? And I would try on a different client computer.

    If it continues, post another question to the forums here. This is a different issue to the security roles and others might be able to provide more advice.

    Regards

    Glen



    • Marked as answer by jarrett faulk Monday, December 11, 2017 1:56 PM
    Friday, December 8, 2017 8:03 PM