Lacking permissions to add roles

[EvanD]

Hello,

I am trying to add some roles to my account using my technician account, but I keep getting the error "No rights on application com.hornbill.<role>" (see image for example).

I refereed to the wiki article (https://wiki.hornbill.com/index.php/What_Service_Manager_Roles_exist%3F) for the necessary roles for a "Service Desk Administrator", and I already have all of them (see image). Do I need the Super User Role to add roles to user accounts?

Thanks,

Evan

[EvanD]

Oh, I found the answer is yes. Source https://wiki.hornbill.com/index.php/Roles

"Hornbill is designed to only allow the association of roles if the User who is performing the assignment of a particular role already possess the same system/application rights among the roles that they themselves possess. The "Admin" user account (which possesses the Super User Role) is exempt from this rule and has the ability to assign any role to any other user, therefore it is advised that you use this account (or another Super User Account) to allocate roles to the rest of the Users."

I would like to submit a feature request that the "Admin Role" (or a new role) also be granted access to add roles that the user performing the assignment does not already possess. 

Thank you,

Evan

[James Ainsworth]

Hi @EvanD

Thanks for your post.

I would have some concern over our security model with this type of change.  It would suggest that people with this new role would not only be able to assign roles that they don't have to others, but also assign these roles to themselves.  This ability to elevate ones own rights within Hornbill I think is where others might be concerned.

I hope I've understood your post correctly.  Hopefully others will contribute to this and we can see if there is concern or not.

Regards,

James

[Hornbill Staff DR]

Hi Evan,
thanks for your post.

 I'm pleased to see that you have found our roles wiki page useful.

With the broader Hornbill community in mind, I think this is a great opportunity to re-visit what "Hornbill" is (as a product).  If I may use your initial post as a starting point, the error shown is indicating that the user doesn't have rights to the application called "Hornbill Document Manager". As I'm sure you're now aware, your image of the assigned Security roles shows that this user primarily has a range of Hornbill Service Manager related roles and currently there are no Document manager roles associated to this user account.

When we talk about "Hornbill" we are not talking about a single stand-alone application. "Hornbill" is a powerful powerful platform capable of running an array of business collaboration applications that help teams create content, share ideas and feedback, and optimize operations to deliver better customer experiences. Hornbill Service Manager is one such application you can install on the Hornbill Platform.

This means that you could have a Hornbill instance purely serving your organisations Collaboration and Document Management needs and as such each application, once installed, presents its own set of security roles that must then be associated to those users who need access to that application to carry out their day-to-day duties.

More information can be found here: https://wiki.hornbill.com/index.php/Getting_Started

Dan

[EvanD]

Hello James and Dan, 

Thank you both for your responses. I am addressing this from the broader perspective of an administrator of my companies Hornbill instance. I work for a multinational corporation with large offices in APAC, EMEA, and the Americas - requiring 24/hr full administrative coverage; and as such, we need at least three full administrators managing our whole Hornbill instance. Currently, the only methods to provide this is are by assigning the Super User Role to the administrators (we've been instructed against doing this, and it would grant additional unwanted privileges as our technician role), or sharing the credentials of the Admin account leading to other security concerns. Creating a new role just for this function would greatly increase security for us, and organizations would initially have to use the Admin account to manually grant the role anyways. The idea is that the new role would minimize the constant need for administrators, who should have full control access, to log in as the Admin account when investigating Roles and Features. 

Thank you,

Evan