Service Manager provides the application security platform under which the Service Manager console and its users run. Service Manager does not expose an API that would allow Provance to add or edit security roles. However, during installation Provance does add permissions to the Advanced Operator and Author roles so that they can access Provance non-configuration items; these roles would normally have no access to such entities without being granted that permission explicitly. Any additional user role definition or maintenance rests with your system administrator. Provance recommends that your system administrator use the Advanced Operator and Author roles as the basis for setting up non-administrator asset and contract managers.

The information in this article is provided for information purposes only. Please consult the Service Manager Administration Guide as the definitive source for information on user role definition.

Roles with read access to Service Manager and Provance objects:
• Activity Implementers
• Change Initiators
• End Users
• Read-Only Operators
• Problem Analysts
• Incident Resolvers
• Change Managers
• Report Users
• Release Managers
• Service Request Analysts
Roles with read and write access to Service Manager and Provance objects:
• Advanced Operators
The Author role is the only role, aside from Administrator, that can create custom views.
What to Consider
There are a number of challenges associated with security roles and the implementation of a specific role, such as a Hardware Asset Manager, a Software Asset Manager, or an Agreement Manager. First, when creating a role, consider these broad object categories in the system:
• Base Role: the model role from which the profile is created
• Role Name: Display Name of the role
• Management Packs: a filter that determines what is presented in the next steps of the role wizard
• Classes: consider the internal system classes, custom classes like Provance, and your own self developed classes
• CI-Groups: not supported by Provance
• Catalog-Groups: request offerings for the SSP
• Tasks: the tasks on the right-hand side that do something with objects in SCSM and Provance, such as Move, Install, and Swap
• Views: any views in SCSM, including default and custom
• Templates: form templates, although Provance does not have any
One of the basic building blocks for objects in the Service Manager CMDB is the Configuration Item (CI). Security Role definitions are then based upon functionality against the CIs, as in the case of an Edit task. This means that those who can edit CIs can edit all CIs. Because Provance Hardware Assets and Software Titles are both CIs, it is not possible to effectively block changes to one or the other.
The way to artificially limit access to data is to limit the views (search is not limited), and in some cases create custom views. The challenge here is that users need access to the forms and views that make sense to their role, but they still need the Edit function to allow forms to open (see below on Form Behavior).
In order to view the details of a form (class), a user must have Edit Configuration Item permission. A user may be granted the ability to Edit Configuration Items and belong to the Read Only group of accounts. However, in this situation the form opens, permits fields to be edited, but generates an error message stating the user has insufficient write privileges. Therefore, it looks and operates like you can modify the data, but the save fails.
Data Management Pack, SCSM CSV and PowerShell imports are not bound by the general read and write rules because they do not go through views, forms or tasks. This means that those rules can be circumvented during an import.
The Edit User Role function is only available as a wizard. Since there is no API through which to edit user roles, you cannot load role definitions as data; hence, Provance cannot provide a sample or model user role. It also means users cannot save a definition on one system and then import it into another; changes must be synchronized manually across systems. Additionally, there are hundreds of tasks, views and forms that must be identified and set correctly, all of which require maintenance over time.
Blocking Configuration Item Groups in particular can create issues. Blocking Catalog Item Groups may affect Service Manager and Service Request functionality.
Views and Folders
Removing all the Views from a folder does not remove the folder. Additionally, Author-based users can create custom views and therefore bypass any segmentation or artificial restriction you create.
Resolution: Segmenting Data Through Views
Because Provance cannot limit the type of Provance object to which access can be granted, you should preconfigure views to do so and give the relevant roles access to these views.
| Who                        | Read or Write | To what?               |
|----------------------------|---------------|------------------------|
| Network and Platform users | Read/Write    | Hardware Catalog Items |
Given the examples in the preceding table, the following views would be useful:
• All Network objects installed
• All Hardware assets on stock
• All mobile phones
Please note that read and write access to objects means that someone with the role can read and write any object of that type. Custom views are therefore only a "filter" that helps users manage their assets more easily; they do not restrict access.
The next steps are as follows:
1. Categorize assets and other Provance objects for different needs into views (think of the criteria to use).
2. For users with read access, simply use one of the read access roles (e.g., EndUsers) as a basis for the new role. Remember that users need an Edit Configuration Item permission to view the form (see Form Behavior above).
3. For people with write access, use Advanced Operator or Author role. Remember that Authors can create custom views and circumvent your views.
4. Give the role access to the views required.
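After completing these steps, an administrator will want to verify what a role actually grants. The following PowerShell audit script is an added example, not Provance's or Microsoft's code: it lists a role's base profile, members and granted views, and flags Author-based roles, whose members can create custom views and bypass the segmentation. It assumes the Service Manager PowerShell module with Get-SCSMUserRole and Get-SCSMView, that a role's Scope.Views collection holds entries whose First member is the view id, and that Profile.Name carries the base profile; check these names against your Service Manager version.

```powershell
# Added example (not Provance's or Microsoft's code): audit one SCSM user role.
# Assumed module name; on a default install the .psd1 lives under the
# Service Manager "Powershell" folder.
Import-Module 'System.Center.Service.Manager' -ErrorAction Stop

$roleName = 'Hardware Asset Managers'   # constructed example role name

$role = Get-SCSMUserRole -DisplayName $roleName -ErrorAction Stop
$profileName = [string]$role.Profile.Name   # assumed property path

Write-Host "Role:    $($role.DisplayName)"
Write-Host "Profile: $profileName"
Write-Host "Members: $($role.Users -join ', ')"

# Resolve each granted view id to its display name so the grant can be
# compared with the views planned in step 4.
$allViews = Get-SCSMView
foreach ($entry in $role.Scope.Views) {      # assumed: entries expose .First (view id)
    $view = $allViews | Where-Object { $_.Id -eq $entry.First }
    if ($view) {
        Write-Host "  View: $($view.DisplayName)"
    } else {
        Write-Host "  View: $($entry.First) (id not found; deleted view?)"
    }
}

# Author-based roles can create their own views and see objects outside the
# granted set, so the view-based segmentation does not hold for them.
if ($profileName -match 'Author') {
    Write-Warning "Role '$roleName' is Author-based: members can create custom views."
}

# Views are only a filter: a write-capable role can edit every Configuration
# Item of the class, not only the items shown by its granted views.
if ($profileName -match 'Author|AdvancedOperator') {
    Write-Host "Note: this role can edit any Configuration Item, not only those in its views."
}
```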
Microsoft System Center Service Manager 2012
Microsoft System Center Service Manager 2012 SP1
Microsoft System Center Service Manager 2012 R2
Provance IT Asset Management Pack 2.0 and later
For additional information on this topic please contact the Provance Support Team.
International: +1 819 568 8787 Extension 3
Toll-Free (North America): +1 877 776 8262