How to give create/edit privileges only for Knowledge Articles, Announcements

  • Question

  • Based on instructions at http://blogs.technet.com/b/servicemanager/archive/2010/12/01/faq-how-can-i-enable-non-admins-to-create-edit-delete-announcements.aspx , we were able to make a copy of the Announcements and Knowledge Articles views to a location outside of the Administration superbar. However, we are not able to create a custom role that allows access to those views without access to other privileges.

    For example, if we create a role based on Read Only Operators and allow the task "Create Knowledge Article", it turns out that the user assigned to this custom role cannot create a Knowledge Article. Likewise for a custom role based on Change Managers. On the other hand, if we make a custom role based on Advanced Operators or Authors, and allow only the task "Create Knowledge Article", far more privilege is actually given (creating and editing Authority Documents, creating and editing Business Services, etc.)

    Our goal is to allow all the tasks that Change Manager, Problem Analyst, and Incident Analyst can do, and in addition, create/edit/delete Announcement, create/edit/delete Knowledge Articles, and create/edit Users, but no other additional privileges.

    Any tips or hints as to how to proceed would be appreciated.


    Adam Bryer
    Monday, June 6, 2011 1:05 PM

All replies

  • You can use queues and/or tasks to limit the role.
    http://opsmgr.ru
    Monday, June 6, 2011 1:30 PM
  • We will give this a try. Thank you.
    Adam Bryer
    Monday, June 6, 2011 2:09 PM
  • Only advanced operators, authors, and administrators have permission to create/edit configuration items. Announcements and knowledge articles are both configuration items. So - the only way to do this is to create an advanced operator user role and scope it down. To do this:

    1) Don't grant any queues to the user role (this will ensure that these users don't have permission to edit any work items).

    2) Create a group that has as its definition - Include all objects of the class knowledge article. Do the same for announcements.

    3) Grant the knowledge article and announcement groups to the user role and don't grant any other groups.

    4) Don't display any views to this user role except for the knowledge article and announcement views.

    5) Don't grant any tasks to this user role except for create/edit knowledge article/announcement.

    Now - these users won't be able to do anything but knowledge articles and announcements in the console. Technically speaking though they do have permissions to create any kind of configuration item or work item, but that would only be possible through the self-service portal (which is already effectively limited to creating incidents and change requests which is presumably OK) or by writing code against the SDK or using PowerShell cmdlets like SMLets. They cannot edit anything besides knowledge articles and announcements though because no objects besides announcements and knowledge articles were granted to them by the groups in steps 2-3.

    Let me know if that works for you.


    Travis Wright Senior Program Manager Microsoft
    Friday, June 10, 2011 11:00 PM
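
The reply above separates what the scoped role can do in the console from what the underlying Advanced Operator profile still permits through the SDK or PowerShell. The sketch below models that gap; it is an added example, not part of the thread and not Service Manager's own authorization logic, and the role dictionaries, class list and function names are constructed for illustration.

```python
# Simplified model of the scoping rules stated in the reply (assumption:
# this is NOT how Service Manager evaluates access internally).
CI_WRITER_PROFILES = {"Advanced Operator", "Author", "Administrator"}
WORK_ITEMS = {"Incident", "Change Request"}          # constructed sample classes

def allowed(role, obj_class, action, channel):
    """action: 'create' | 'edit'; channel: 'console' | 'sdk' (SDK/PowerShell)."""
    if role["profile"] not in CI_WRITER_PROFILES:
        if obj_class in WORK_ITEMS:
            raise ValueError("work-item rights of other profiles are not modelled")
        return False                     # profile cannot create/edit CIs at all
    if action == "edit":
        # Edits are limited to objects granted through queues (work items)
        # or groups (configuration items); creation is not.
        scope = role["queues"] if obj_class in WORK_ITEMS else role["groups"]
        if obj_class not in scope:
            return False
    if channel == "console":
        # Views and tasks only restrict what the console exposes.
        return (action, obj_class) in role["tasks"] and obj_class in role["views"]
    return True

def residual_exposure(role, classes):
    """Operations the role can perform via the SDK but not via the console."""
    return [(c, a) for c in classes for a in ("create", "edit")
            if allowed(role, c, a, "sdk") and not allowed(role, c, a, "console")]

KA, ANN = "Knowledge Article", "Announcement"
SCOPED = {                                # role built per steps 1-5 (constructed)
    "profile": "Advanced Operator",
    "queues": set(),                      # step 1
    "groups": {KA, ANN},                  # steps 2-3
    "views": {KA, ANN},                   # step 4
    "tasks": {(a, c) for a in ("create", "edit") for c in (KA, ANN)},  # step 5
}
READ_ONLY = dict(SCOPED, profile="Read-Only Operator")
CLASSES = [KA, ANN, "Business Service", "Incident"]

if __name__ == "__main__":
    for cls, act in residual_exposure(SCOPED, CLASSES):
        print(f"console-hidden but still permitted via SDK: {act} {cls}")
```

The output lists only create operations, which matches the reply: creation stays open outside the console, while edits stay confined to the granted groups.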
  • Travis,

    I tried your procedure in our test environment, once for Announcements, and once for Knowledge Articles.

    I obtained positive results for Announcements. There is one issue: a new announcement takes 3+ minutes to appear in the console for the user. (Do you think this is connected to the role definition?)

     

    I obtained similar, positive results with the Knowledge Articles, with 2 issues:

    (1) The Create Knowledge Article task does not appear in the Knowledge Articles view in the Configuration Items superbar. (I followed your blog http://blogs.technet.com/b/servicemanager/archive/2010/12/01/faq-how-can-i-enable-non-admins-to-create-edit-delete-announcements.aspx?wa=wsignin1.0 to create a view for KA's in the Configuration Items superbar.) "Create" appears in the original Knowledge Articles view in the Library superbar (where you are able to create a new KA, but it's a bit inconvenient to have to switch views to do so).

    (2) The user has to wait close to 3+ minutes for the new KA to appear in the console.

     

    Thank you for your help.

    Adam


    Adam Bryer
    Monday, June 13, 2011 5:10 AM
  • Dynamic Group and Queue membership is "calculated" on a set interval. You can lower this interval but that might decrease the performance of Service Manager. (I had issues with decreased performance tied to this in SCSM RC, and we had to increase the interval).

    Regards
    //Anders


    Anders Asp | Lumagate | www.lumagate.com | Sweden | My blog: www.scsm.se
    Monday, June 13, 2011 5:55 AM
  • As Anders said, group calc runs on an interval. That is why you see the delay. Until group calc runs and includes the new object in the group it won't be visible to users that are in a scoped user role with access to that group.

    To resolve the tasks issue make sure you grant the users the 'Create {0}' console task that has a description of 'Generic Create Task' and is found in the 'Service Manager Library Management Pack'.


    Travis Wright Senior Program Manager Microsoft
    • Marked as answer by Adam Bryer Monday, June 13, 2011 5:21 PM
    Monday, June 13, 2011 3:06 PM
  • Travis, this works.

    Both your replies, on 6/10 and 6/13, are Answers to my question.  


    Adam Bryer
    Monday, June 13, 2011 5:23 PM
  • We would now like to add the End Users role and Change Managers role. But we notice now that the user has the ability to create all types of CI's. (The user cannot edit or delete any CI except Knowledge Articles and Announcements, which is desired.) We would like to restrict the creation of CI's to Knowledge Articles and Announcements, too.

    Based on the description of Change Managers and End Users, it does not seem to allow creating CI's. We would like all types of CI's to be read-only. Must we forego the out-of-box Change Manager role and create a bunch of roles for each type of CI, with corresponding groups?


    Adam Bryer
    Wednesday, June 15, 2011 4:29 PM
  • In addition to getting guidance on the new questions from 6/15 above, we would like to confirm that the definitions of the out-of-box roles are not affected by Cumulative Updates. In other words, if there is a difference in CU level from one environment to another, will the roles provide different privileges depending on the CU level of the environment?


    Adam Bryer
    Monday, June 20, 2011 1:07 PM
  • Most out of the box user roles aren't what the customers want. So we must modify.

    Use "advanced operator" role as your new "EndUser" role and scope it down....grant only KA and Announcement static groups (criteria area will be blank). Don't grant tasks or queues. For Views, grant only 'published' knowledge articles and 'active' announcements.

    Now, Change Managers...same goes....not what we wanted either....so we must modify. CM's can only create/modify CR's, MA's and RA's that are in their QUEUE scope. But, CM's only have read-only access to IR's and PR's in their queue scope and to CI's in their group scope.

    Hope this helps.

    Matt


    Matt B. Service Desk Tech.
    Saturday, August 6, 2011 8:51 PM
  • hit submit too soon...lol

    You can work around this problem by, again, using the "advanced operator" role....grant only CR, MA and RA static groups. The groups for each CI's will be dynamic...meaning defined by whatever criteria you select. All you do now is add the queues, tasks and templates and you're done.


    Matt B. Service Desk Tech.
    Saturday, August 6, 2011 8:53 PM
  • Re: "Dynamic Group and Queue membership is "calculated" on a set interval."

    What is this interval?  It would be nice to know so I can make sure and wait the interval before I test changes.

    Thanks!


    ~DannyRamirez

    Thursday, June 21, 2012 7:46 PM
  • Adam/Travis, I'm implementing this and was mostly successful, except for the ability to edit existing KB articles. I wanted to give rights to the user to edit them, but I don't want them to be able to edit other config items.
    Travis, you mention "5) Don't grant any tasks to the this user role except for create/edit knowledge article/announcement.", but there doesn't seem to be a specific Task for "Edit Knowledge article". There is the general Edit for Config items, but that allows them to edit any config item. Any workarounds there? By the way, running SCSM 2012 SP1.

    Thank you,

    Jose Fehse


    MCITP, MCSE, MCTS

    Tuesday, August 20, 2013 2:23 PM
  • How were you able to get the Knowledge Articles out like the Announcements in Travis's blog? Is there an MP or MPB for that as well? Thanks!
    Thursday, February 23, 2017 5:53 PM
  • Hi

    Steve Beaumont wrote a PowerShell script to export Knowledge articles from SCSM 2010. I have not tested it, but it might still work with SCSM 2012. And it is a very good starting point.

    http://www.systemcenter.ninja/2013/05/migrate-knowledge-base-articles-from.html

    Regards

    Glen


    Web: www.xapity.com  |   Twitter: @xapityapps  |   Facebook: xapityapps

    Thursday, February 23, 2017 8:08 PM
  • I was actually looking for a way to create a view to display KA in the Configuration Items wunderbar option like this link (https://blogs.technet.microsoft.com/servicemanager/2010/12/01/faq-how-can-i-enable-non-admins-to-createeditdelete-announcements/) does for Announcements so I can give non-admin users with console access within IT the ability to create/edit/delete Knowledge Articles.
    Thursday, February 23, 2017 8:22 PM
  • Hi

    You can create a view that uses the knowledge article class to display knowledge articles with the out of the box view editor. Depending where you want to create it you may need to create a folder first. 

    I would save it in a new custom management pack as you will probably need to edit the xml for the ID column to sort correctly (or use the Advanced View Editor from the Technet Gallery).

    Then you have to use this post to configure the permissions for the analysts to edit, create etc knowledge articles.

    Regards

    Glen 


    Web: www.xapity.com  |   Twitter: @xapityapps  |   Facebook: xapityapps

    Thursday, February 23, 2017 8:36 PM
  • I will give that a try. Thanks!
    Thursday, February 23, 2017 9:20 PM
  • That worked great, thanks! I have the KA section in the Configuration Items now and the non-admin users can view them but they are not able to create new or edit existing KA.  I created a Group like step 2 above. In my group, I have the following settings:

    Included Members: IT Team users

    Dynamic Members: Knowledge Article (From System Knowledge Library MP) with no Criteria specified

    Subgroups: nothing

    Excluded Members: nothing

     

    For User Role, I created an Advanced Operation User Role with following settings:

    Queues: Provide only to selected: (none selected)

    Configuration Item Groups: KA Access Group

    Catalog Item Groups: Provide only to selected: (none selected)

    Tasks: Provide only to selected: Create Knowledge Article, Edit, Refresh

    Views: Provide only to selected: All Knowledge Articles, Archived Knowledge Articles, Draft Knowledge Articles, Published Knowledge Articles

    Form Templates: All forms can be accessed

    Users: (none)

     

    But it still isn't working. Do you see if I am missing something?

    Thursday, February 23, 2017 10:34 PM
  • Hi

    It seems fine except for the Users (none). You need to add the IT staff to the role for them to be able to use it.

    Regards

    Glen


    Web: www.xapity.com  |   Twitter: @xapityapps  |   Facebook: xapityapps

    Friday, February 24, 2017 7:59 AM
  • Adding the IT Team does make it work but it also gives them the Library option in the Wunderbar section. They don't have access to do much within the Library section other than KA, but that defeats the steps of moving the KA out to the Configuration Items section. Maybe it is just a system limitation to do it the way I am trying to do it. Thanks for all your help!
    Friday, February 24, 2017 2:14 PM
  • Hi

    Yes, unfortunately Advanced Operators as the base for the User Role gives a lot of extra permissions. 

    Refer to Appendix A - List of User Role Profiles in System Center 2012 - Service Manager for more information about the roles.

    Glen


    Web: www.xapity.com  |   Twitter: @xapityapps  |   Facebook: xapityapps

    Friday, February 24, 2017 9:34 PM