User Roles question

  • Question

    • I have a user role that has the advanced operator role. Let's call it "UserRole1".
    • UserRole1 has rights to a certain view.  Let's call it "View1".
    • Under Users for that user role, I've added the appropriate AD security group that will provide access to the appropriate users. Let's call the AD Security Group "SG-View1".
    • In the "SG-View1" security group I've added a user, let's call them "User1".
    • SG-View1 is a member of another group, SyncGroup. 
    • We use an AD Connector to sync SyncGroup and all its members to SCSM.
    • SyncGroup, SG-View1 and User1 are all Configuration Items in SCSM.

    My questions are,

    • If I move User1 in and out of SG-View1 in Active Directory, without syncing that membership change via an AD Connector, should User1 see its permissions change in the SCSM console?
    • Is that permission handling done inside of SCSM via a relationship created by being a member or not a member of the AD group? 
    • Or is it strictly done outside of SCSM via AD group membership? 
    • Should my process be to add User1 to SG-View1 and then run the AD Connector sync, close the console and open it and User1 would see View1?  
    • Or should my process only have to be to add User1 to SG-View1, close the console and open it and User1 would see View1? 

    Wednesday, February 28, 2018 5:48 PM

Answers

  • Hi

    My experience has been the following:

    • If I move User1 in and out of SG-View1 in Active Directory, without syncing that membership change via an AD Connector, should User1 see its permissions change in the SCSM console?

    Yes, they should. It will require the user to log off Windows and back on for their group membership token to refresh.

    I have sometimes had to delete the Service Manager folder under AppData\Local for the settings to update; this gives a fresh download of the client files for Service Manager. But also, this is usually in a lab environment when I want the changes to happen within seconds of changing them. In a real-world situation there are quite often hours between the permission changing and the user restarting the console, and there is no issue.

    • Is that permission handling done inside of SCSM via a relationship created by being a member or not a member of the AD group? 

    Not sure what you are asking here. I think that security in Service Manager uses the AD group membership token that a user gets when they log on, and any security role that uses this token is applied. It is not done inside Service Manager with relationships.

    • Or is it strictly done outside of SCSM via AD group membership? 

    Yes, I think it is this one.

    • Should my process be to add User1 to SG-View1 and then run the AD Connector sync, close the console and open it and User1 would see View1?  
    • Or should my process only have to be to add User1 to SG-View1, close the console and open it and User1 would see View1? 

    The second option should work, so long as User1 logs off Windows and back on.

    Regards

    Glen


    Web: www.xapity.com  |   Twitter: @xapityapps  |   Facebook: xapityapps

    Wednesday, February 28, 2018 7:55 PM
  • In addition to Glen:
    SCSM does not sync the group membership of AD groups or AD users!

    So SCSM itself does not know if Config Item "User1" is a member of Config Item "SG-View1".

    SCSM is using the token that is built by the OS every time a user logs in at a Windows computer.


    Andreas Baumgarten

    Thursday, March 1, 2018 12:45 PM
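Both answers above come down to the same check: what SCSM evaluates is the group SIDs in the user's Windows logon token, not the Configuration Items the AD Connector imported, so after a membership change the token can lag behind AD until the user logs off and on. The following PowerShell script is an added example, not code from the thread or from Service Manager; it compares the SIDs in the current session's token with live AD membership of a role group and reports whether the token is stale. It assumes a domain-joined session with the RSAT ActiveDirectory module installed, and the group name `SG-View1` is a placeholder taken from the question.

```powershell
# Added example: diagnose a stale logon token for an SCSM role group.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
# $RoleGroup is a placeholder; use the AD group bound to the SCSM user role.
param(
    [string]$RoleGroup = 'SG-View1'
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Group SIDs in the token this session was built with at logon.
#    This is what Service Manager's role check actually sees.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = $identity.Groups | ForEach-Object { $_.Value }

# 2. What AD says right now, including nested membership (SG-View1 -> SyncGroup).
$group   = Get-ADGroup -Identity $RoleGroup -ErrorAction Stop
$userSam = $identity.Name.Split('\')[-1]
$inADNow = @(Get-ADGroupMember -Identity $group -Recursive |
             Where-Object { $_.SamAccountName -eq $userSam }).Count -gt 0

# 3. Compare: the role group's SID must be in the token for the view to appear.
$inToken = $tokenSids -contains $group.SID.Value

[pscustomobject]@{
    User         = $identity.Name
    Group        = $group.Name
    GroupSid     = $group.SID.Value
    InLogonToken = $inToken          # evaluated by SCSM
    InADNow      = $inADNow          # current AD membership
    TokenIsStale = ($inToken -ne $inADNow)
}
```

Run it in the user's own session (the one that launches the SCSM console). `TokenIsStale = True` with `InADNow = True` is the case the answers describe: AD has the membership, the token does not, and a log off and log on will rebuild the token; the AD Connector sync changes neither column, which is why it is not part of the process. `whoami /groups` gives the same token view without the module, but does not show the AD side of the comparison.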
