Full User able to reopen a request under another Domain / Division


Hi All,

Bit of a strange scenario I wanted to raise here.

We have now introduced Domain configuration on our portal to split our IT services from our HR services. Our Service Desk manager raised a request to the HR department for someone who is leaving, which was subsequently closed due to an incorrect form being used. However, as the manager has a full licence in the system she could go into the portal and reopen this request due to her elevated rights in Service Manager.

So in effect she was able to bypass the other team's decision and reopen the request just due to the privileges she has on her access. Is there anything I am missing which would prevent her (or anyone else with the correct roles in their access) from being able to reopen requests in the portal for another domain/division? Ideally I would expect her to be able to reopen any IT requests in the portal she may have raised, but should not be able to reopen a request under another domain/division.

This scenario is probably a rare scenario but I wanted to see if there was anything else I may have missed to prevent this from happening.

Many thanks as always

Hi @Adrian Simpkins

This will most likely come down to the rights of the user and the services that this user supports.

1. The Domains don't have any security controls for full Service Manager users, and at the moment are only used to separate these areas on the Employee Portal.

2. With Services, it is important that this user does not belong to any team that supports the HR service.  This is defined on the Service form.  As long as they are on a team that supports the HR service, they will have full access to the HR tickets.  Instead, they should be added as a subscriber to the service.

3. If the user has been granted roles such as Admin or Service Desk Admin these would need to be removed as they are designed for users that administer all aspects of Service Manager. 

4. This user should only be able to raise HR requests using the Employee Portal.  With the correct settings, as a full Service Manager user, they shouldn't have the option to raise a HR ticket as an agent.  If they can raise a HR ticket or view a HR ticket from within the Service Desk view, this would imply that they have too many rights.

5. The setting servicemanager.progressiveCapture.servicedetails.enableSupportVisibility can be a useful setting to enable.  This means that agents can only raise tickets against the services that they support.  So, if you are not part of a team that supports the HR services you wouldn't be able to raise a ticket against the HR service. You would have to go to the Employee Portal to raise the request as a regular employee.

6. The owner of the HR service may want to make the HR service Private.  This means that other Service Owners wouldn't be able to access the configuration of the HR service, unless they were a member of a team that supports the service.

7. Control access to BPM Workflows.  Both the HR Manager and IT Manager may want access to create and manage their BPM workflows, but they may want to control access and prevent the other from viewing or modifying their workflows.  This can be done in each workflow where the access can be granted to individuals.  Users not granted access would not be able to see the BPMs in the list of BPMs.

There may be a few other tweaks that can be done to control access.  Start with the above and let us know how you get on.
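
The checks from points 2 and 3 above can be run as a periodic audit over an export of users and services. The following is an added example, not part of the original post and not Hornbill's API: the `User` and `Service` records, the `division` field and the sample data are constructed, and it assumes (as the post describes) that supporting-team membership and the Admin / Service Desk Admin roles are what grant agent-level access to a service's tickets.

```python
from dataclasses import dataclass, field

# Roles the thread describes as administering all aspects of Service Manager.
GLOBAL_ROLES = {"Admin", "Service Desk Admin"}

@dataclass
class User:
    name: str
    division: str                       # user's own division (constructed field)
    roles: set = field(default_factory=set)
    teams: set = field(default_factory=set)

@dataclass
class Service:
    name: str
    division: str
    supporting_teams: set = field(default_factory=set)

def cross_division_access(users, services):
    """Return (user, service, reason) for every agent-level access path
    into a service owned by a division other than the user's own."""
    findings = []
    for u in users:
        for s in services:
            if s.division == u.division:
                continue                # same division: expected access
            global_roles = sorted(u.roles & GLOBAL_ROLES)
            shared_teams = sorted(u.teams & s.supporting_teams)
            if global_roles:
                findings.append((u.name, s.name, "role: " + ", ".join(global_roles)))
            if shared_teams:
                findings.append((u.name, s.name, "team: " + ", ".join(shared_teams)))
    return findings

# Constructed sample data, not taken from any real instance.
USERS = [
    User("sd_manager", "IT", {"Service Desk Admin"}, {"IT Service Desk"}),
    User("it_analyst", "IT", set(), {"IT Service Desk"}),
    User("hr_advisor", "HR", set(), {"HR Team", "IT Service Desk"}),
]
SERVICES = [
    Service("Desktop Support", "IT", {"IT Service Desk"}),
    Service("Leavers", "HR", {"HR Team"}),
]

if __name__ == "__main__":
    for name, svc, reason in cross_division_access(USERS, SERVICES):
        print(f"{name} -> {svc} ({reason})")
```

Subscribers do not appear in the model because, per point 2, subscribing a user to a service is the intended way to give them customer access without ticket-level rights.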


Hi James

Thank you for the pointers - some items there I was not aware of, so very useful!

We didn't have the setting you highlighted above on so I have enabled that now. The teams are already correct in that she is not a member of a team that supports any of the other divisions' services but is subscribed as a customer. She has Service Desk Admin which I have removed as this is something I undertake normally so I think this must have been the privilege that allowed her to reopen the closed request in the portal.

I will get her to look again on Monday to make sure the option has been removed.

And many thanks for the overall pointers, a couple of these address other potential issues I was unsure how to address now we have expanded to more than one corporate division.

Many thanks
