Need to create read only role

  • Question

  • I created a read only security role for the Auditors. I have been able to remove the tasks from the right pane, and they can view the list of activities, incidents, change requests and service requests. But the auditors are not able to open any of these to view the whole ticket.
    Thursday, July 17, 2014 4:38 PM

All replies

  • I would think the role still needs the "edit" task in order to open (and view) a work item.

    http://codebeaver.blogspot.dk/

    Thursday, July 17, 2014 5:33 PM
  • While that lets them view the ticket, it also lets them edit. The Auditors cannot have the ability to edit or alter a ticket at all.
    Thursday, July 17, 2014 6:18 PM
  • "While that lets them view the ticket, it also lets them edit. The Auditors cannot have the ability to edit or alter a ticket at all."
    Well, it doesn't. You must have set it up wrong. If a user is (only) a member of a read-only operator role, then they will get an "insufficient permission" error if trying to commit changes to a given work/config item.

    http://codebeaver.blogspot.dk/

    Thursday, July 17, 2014 6:33 PM
  • If you create a role based off of the read-only operator role and give them access to all Queues, Configuration Items, Catalog Item Groups, Tasks, Views, and Form Templates, your users will see everything, including all tasks on the right-hand side. If they open a work item and attempt to make changes, they will get an insufficient privileges error when they attempt to apply and save.

    If you want to limit the tasks they can see, just give that role access to the Edit (Edit Generic Tasks for Work Items) task. This will allow them to double-click on a work item to open it, and show the edit task on the right-hand side. They will not be able to edit anything though.

    If your test user is able to edit, they are getting permissions from another role. Use the Get-UserPermissions script http://blogs.technet.com/b/servicemanager/archive/2011/12/01/userroles-powershell-report-using-smlets.aspx to identify what role they are getting the additional permissions from.


    • Edited by Misha Rudiy Thursday, July 17, 2014 8:21 PM
    • Proposed as answer by Misha Rudiy Thursday, April 16, 2015 8:13 PM
    Thursday, July 17, 2014 8:20 PM
  • As Misha points out, the default "Read Only Operators" role should provide full access to the console, but any changes should be rejected by the database.

    Perhaps more to the point, if you grant them access to the SSRS web Reports page, they would be able to get auditing information in a format that is more meaningful for them, and they can help you develop reports to fulfill their needs.

    Friday, July 18, 2014 2:09 PM
  • I have used the read-only operator role as a template for the auditors. But they still are able to make changes to a ticket.

    I am having the domain admin look at their accounts to see if they are getting some permissions from AD that override the permissions I granted them.

    Thanks for all the input.

    Tuesday, July 29, 2014 10:35 PM
  • The Get-UserPermissions I mentioned above should allow you to do just that.  If you run that "Get-UserPermissions.ps1 username" it will show you what roles the user is a member of.
    Tuesday, July 29, 2014 10:42 PM