Step 2 - Assign Roles

This article contains the following topics:
Relationship Between Users, Roles, and Login
Users, roles, and login have the following relationship:
  • A user typically belongs to one business unit, but can optionally belong to multiple business units. A user can have only one role in a business unit.
  • A user can optionally have different roles in different business units.
    Example:
    User A can have a catalog user role in the Finance business unit. The same user can have a catalog administrator role in the IT business unit.
  • If the user does not specify a business unit at login, CA Service Catalog logs the user in to the default business unit defined for the user. The user has the role that is assigned to the user in that business unit.
  • If an integrating product created the user, then the user is not assigned to a role or business unit. Instead, after the user logs in, the user receives the default role for all users. Examples of integrating products include CA Service Desk Manager, CA APM, and CA Business Service Insight.
Roles and Default Access Rights
Users can have one role in each business unit in which they are defined. Users can have different roles in different business units.
  • Service Delivery administrators can change some default access rights for the entire Catalog system as follows:
    Log in to the root (highest level) business unit, select Administration, Configuration, and change the Access Control configuration settings.
  • Service Delivery administrators and business unit administrators can change several default access rights for specific business units as follows:
    Log in to the business unit, select Catalog, Configuration, and change the Access Control configuration settings.
  • All users can also delegate the use of their catalogs to other users to create requests on their behalf.
  • The Catalog system creates only one user at installation time. This user, named spadmin, has the Service Delivery Administrator role.
Request-related functionality is available when CA Service Catalog is installed. Subscription and invoice-related functionality is available when Accounting Component is installed.
  • Catalog User
    Is the user role for requesting services without subscriptions. These users can manage their own requests, for example by approving, rejecting, fulfilling, and taking other actions on requests pending action.
    Most users in the organization use only this role.
    This role is predefined as the default role for new users. However, administrators can optionally change the default role for new users from the catalog user to another role.
    This role is most suitable when you are not using subscriptions or billing in your implementation.
  • End User
    Is the end user for all functions available through the catalog. This user has all the same access rights as the catalog user. The end user can subscribe to services and view invoices. This role can also view and add news messages, documents, and reports.
  • Request Manager
    Is the administrator role for managing requests, such as viewing and handling all requests in the business unit and applicable subbusiness units. Request managers handle both their own requests pending action and the requests pending action of other users. Request managers can search all requests in the Catalog system. But catalog users can search only their own requests.
  • Services Manager
    Creates, defines, and manages services (not requests) for a specific tenant or business unit. This user also has administrative access to configure reports, dashboards, documents, and message alerts.
    This role is most suitable when you want a user to create and maintain services. This user cannot request or subscribe to services.
    This user can also handle requests pending actions, for example, by approving and rejecting requests.
  • Administrator
    The Administrator uses Service Catalog to create requests for themselves and for other users.
    This user can subscribe to offerings but cannot create them.
    This user can also create user roles such as Administrator, Catalog User, and End User.
  • Catalog Administrator
    Creates, defines, and manages services for a specific tenant or business unit.
    This user also has the same access rights as the request manager role.
    This user can request services but cannot subscribe to them.
  • Super Business Unit Administrator
    Is the "root" user in a specific super tenant (super business unit). A super business unit is a business unit that contains one or more child business units. This administrator has almost complete access to the super business unit and all its sub business units. For example, anywhere in the super business unit, this administrator can create business units, create new users, and assign roles.
  • Service Delivery Administrator
    Is the "root" (highest level) user in the Service Provider (highest level) business unit. This user has complete system access to all business units. For example, this user can specify default settings that apply to all users by logging in to the root business unit and accessing the Administration, Configuration, User Default tab. This role is available only for the Service Provider business unit, the default business unit that is created during installation.
    Only this administrator has access to data mediation, system configuration, events, rules, and actions.
    By default, at installation time, the Catalog system creates a user ID named spadmin with this role.
  • Default Role Specification
    Service Delivery administrators can specify a default role for all users.
Tasks that Each Role Can Perform
The roles provide default access rights to various functions. Administrators use configuration settings to add default access rights to a role or remove default access rights from a role.
The following table lists the tasks that each role can perform. The letter X indicates that the role can perform the task. The dash (-) indicates that the user cannot perform the task.

| Tasks | Cat Usr | Req Mgr | Cat Adm | End Usr | Adm | Svc Mgr | SBU Adm | SD Adm |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Shopping | | | | | | | | |
| By default, all users have all shopping functions, except as noted in Roles and Default Access Rights. However, administrators can configure the access rights of each role to create proxy requests, edit requests, and so forth. All users can also delegate the use of their catalogs to create requests on their behalf. | X | X | X | X | X | - | X | X |
| Managing Requests | | | | | | | | |
| View, edit, delete, and cancel requests | X | X | X | X | X | X | X | X |
| Act on assigned requests pending action | X | X | X | X | X | X | X | X |
| Search for requests | X | X | X | X | X | X | X | X |
| View all items in a request | X | X | X | X | X | X | X | X |
| View request tracking and audit trail information | - | X | X | - | X | - | X | X |
| General | | | | | | | | |
| View dashboards | X | X | X | X | X | X | X | X |
| Add personal dashboards | X | X | X | X | X | X | X | X |
| Create shared dashboards | - | - | X | - | X | - | X | X |
| Print dashboard reports | - | - | - | - | X | X | X | X |
| View subscriptions and invoices | - | - | - | X | X | - | X | X |
| During checkout, change the Requested For user from the current setting to another account or user. That account or user requires a role in the business unit scope of the logged in user. | - | X | X | - | X | - | X | X |
| View and add News Messages | - | - | - | X | X | X | X | X |
| View Documents (if enabled) and View Reports | - | - | - | - | - | X | X | X |
| Managing the Catalog | | | | | | | | |
| View and alter catalog services and service option groups | - | - | X | - | - | X | X | X |
| View and alter CA Service Catalog configuration settings | - | - | X | - | - | - | X | X |
| Manage catalog entries or configuration | - | - | - | - | - | X | X | X |
| Manage subscriptions or invoices | - | - | - | - | X | - | X | X |
| Managing other elements | | | | | | | | |
| Manage accounts within your business unit scope | - | - | - | - | X | - | X | X |
| Manage users with roles in your business unit scope | - | - | - | - | X | - | X | X |
| Manage the dashboard library for the business unit | - | - | - | - | X | - | X | X |
| Manage scheduled tasks | - | - | - | - | X | - | X | X |
| Manage reports | - | - | - | - | X | X | X | X |
| Manage Change Events and Alerts | - | - | - | - | X | - | X | X |

Roles Key

| Code | Role |
| --- | --- |
| Adm | Administrator |
| Cat Adm | Catalog Administrator |
| Cat Usr | Catalog User (none) |
| End Usr | end user |
| Req Mgr | request manager |
| Svc Mgr | service manager |
| SBU Adm | Super Business Unit administrator |
| SD Adm | Service Delivery administrator |

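The default matrix above can be used to check role assignments against least privilege. The following is an added example, not part of the CA Service Catalog documentation or product: it transcribes the X/- cells of the task table, finds the role with the fewest default rights that still covers a set of required tasks, and flags assignments that grant more than that. The function names and the sample assignments are constructed for illustration, and the cells hold only while the default Access Control settings are unchanged.

```python
ROLES = ["Cat Usr", "Req Mgr", "Cat Adm", "End Usr", "Adm", "Svc Mgr", "SBU Adm", "SD Adm"]
# Cells transcribed from the page's task table (defaults); character i is the cell for ROLES[i].
MATRIX = {
    "Shopping": "XXXXX-XX",
    "View, edit, delete, and cancel requests": "XXXXXXXX",
    "Act on assigned requests pending action": "XXXXXXXX",
    "Search for requests": "XXXXXXXX",
    "View all items in a request": "XXXXXXXX",
    "View request tracking and audit trail information": "-XX-X-XX",
    "View dashboards": "XXXXXXXX",
    "Add personal dashboards": "XXXXXXXX",
    "Create shared dashboards": "--X-X-XX",
    "Print dashboard reports": "----XXXX",
    "View subscriptions and invoices": "---XX-XX",
    "Change the Requested For user during checkout": "-XX-X-XX",  # label shortened
    "View and add News Messages": "---XXXXX",
    "View Documents (if enabled) and View Reports": "-----XXX",
    "View and alter catalog services and service option groups": "--X--XXX",
    "View and alter CA Service Catalog configuration settings": "--X---XX",
    "Manage catalog entries or configuration": "-----XXX",
    "Manage subscriptions or invoices": "----X-XX",
    "Manage accounts within your business unit scope": "----X-XX",
    "Manage users with roles in your business unit scope": "----X-XX",
    "Manage the dashboard library for the business unit": "----X-XX",
    "Manage scheduled tasks": "----X-XX",
    "Manage reports": "----XXXX",
    "Manage Change Events and Alerts": "----X-XX",
}

def grants(role):
    """Tasks the role can perform by default."""
    i = ROLES.index(role)
    return {task for task, row in MATRIX.items() if row[i] == "X"}

def least_privileged_roles(required):
    """Roles covering every required task, fewest default rights first."""
    rows = [MATRIX[task] for task in required]  # KeyError on a task not in the table
    fits = [r for i, r in enumerate(ROLES) if all(row[i] == "X" for row in rows)]
    return sorted(fits, key=lambda r: len(grants(r)))

def over_privileged(assignments):
    """(user, unit, role, smaller role) where a smaller role covers the needs."""
    best = [(u, bu, role, least_privileged_roles(needs)[0]) for u, bu, role, needs in assignments]
    return [a for a in best if len(grants(a[3])) < len(grants(a[2]))]

SAMPLE = [  # constructed assignments: user, business unit, role, tasks the job needs
    ("user_a", "Finance", "Adm", {"Shopping", "Search for requests"}),
    ("user_b", "IT", "Svc Mgr", {"Manage reports"}),
]
```

Combining duties can leave no small role: a user who must both alter configuration settings and manage users is covered only by the two root-level administrator roles.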
Tasks that Each Role Can Perform for Other Users
The following table displays the roles that can perform authorized tasks for themselves and for other accounts and users.

| Can Perform Tasks for Themselves and | Cat Usr | Req Mgr | Cat Adm | End Usr | Adm | Svc Mgr | SBU Adm | SD Adm |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Other accounts and users with roles in their business unit | - | X | X | - | X | X | X | X |
| Other accounts and users with roles in their business unit and any of its child business units. | - | X | X | - | - | X | X | X |
| Other accounts and users with roles in all business units, including all child business units | - | - | - | - | - | X | - | X |

Default Role for All Users
The default role for all users applies to every user in the entire Catalog system. This default role applies to all users in all business units, including all child business units.
Only the Service Delivery administrators can set this default role. To set the role, the administrator logs in to the root business unit and selects Administration, Configuration, User Default Role.
The Catalog system automatically assigns this default role to every new user. However, administrators can optionally specify a different role for a user when they add or edit the user.