Manage Roles

Roles are the primary records that control CA SDM security and user interface navigation. Each role defines a focused view of the system by exposing only the functionality necessary for users to perform the tasks typically assigned to the role they perform within their business organization.
A user's default role determines the system view that is presented upon login. Users with multiple role assignments can switch from one role to another to see different views of the system without having to log out and log back in again.
Predefined Roles
You can use the predefined roles in their default configuration, modify them to meet your business requirements, or create new roles.
The following table describes the predefined roles installed with CA SDM. These roles are designed to align with ITIL v3 best practices, and thereby reduce the amount of site-specific modifications required to bring your IT organization into ITIL compliance.
CA SDM only supports ITIL, and the CA SDM documentation is ITIL-oriented. For more information, see ITIL Configuration.
| Role Type | Role Name | Description |
|---|---|---|
| End Users | Configuration Viewer | Performs basic CI viewing and research tasks from inside your organization. |
| End Users | Customer | Performs basic self-service tasks from outside your organization. |
| End Users | Employee | Performs basic self-service tasks from inside your organization. |
| Analysts | Configuration Analyst | Performs tasks within the configuration item life cycle process and second-line CMDB support within your organization. |
| Analysts | Customer Service Representative | Supports users external to your organization, most often customers. |
| Analysts | Knowledge Analyst | Performs tasks within the knowledge management life cycle process. |
| Analysts | Level 1 Analyst | Provides first-line support within your organization. |
| Analysts | Level 2 Analyst | Provides second-line support within your organization, which requires more advanced subject matter expertise. |
| Analysts | Support Automation Analyst | Provides first-line support within your live assistance environment. |
| Analysts | Vendor Analyst | Supports a limited segment of your IT environment from outside your organization, such as vendor-specific hardware. |
| Managers | Change Manager | Manages the change order process, but typically not the analysts who work on change order tickets. |
| Managers | Customer Service Manager | Manages Customer Service Representatives and the external support process. |
| Managers | Incident Manager | Manages the incident process, but typically not the analysts who work on incident tickets. |
| Managers | Knowledge Manager | Supervises Knowledge Analysts, knowledge document reassignments and escalations, and day-to-day knowledge administration. |
| Managers | Problem Manager | Manages the problem process, but typically not the analysts who work on problem tickets. |
| Managers | Service Desk Manager | Handles escalations and supervises Level 1 Analysts. Also may manage overall service desk operations. |
| Administrators | Administrator | Performs administrative tasks throughout your CA SDM and Knowledge Management implementation. This role typically installs, configures, and integrates the products. |
| Administrators | Configuration Administrator | Performs administrative tasks related to your CA CMDB implementation. This role typically administers CMDB and configuration item infrastructure and data structures. |
| Administrators | Knowledge Management Administrator | Configures and monitors knowledge management settings. |
| Administrators | Service Desk Administrator | Performs administrative tasks on data and processes, such as creating and updating categories, contacts, service types, root causes, and so on. |
| Administrators | Support Automation Administrator | Performs administrative tasks related to your Support Automation environment, such as configuring queues and analyst tool permissions. |
| Administrators | System Administrator | Performs administrative tasks related to your CA SDM implementation, configuration and adaptation, such as setting options, configuring integrations and modifying web forms. |
| Administrators | Tenant Administrator | Performs multi-tenancy administrative tasks specific to a particular tenant or supporting organization. |
Create a Role
Roles are the primary records that control security and user interface navigation. Each role defines a focused view of the system by exposing only the functionality necessary for users to perform the tasks typically assigned to the role they perform within their business organization.
Predefined roles are provided that are designed to align with ITIL v3 Best Practices and thereby reduce the amount of site-specific customization required to bring your IT organization into ITIL compliance. You can use the predefined roles in their default configuration, modify them to meet your business requirements, or create new roles.
Administrators can create roles to meet site-specific business requirements.
If multi-tenancy is installed, select the appropriate tenant from the drop-down list. The public (shared) option creates the object for all tenants.
Follow these steps:
  1. Select Security and Role Management, Role Management, Role List on the Administration tab.
  2. Click Create New.
  3. Complete the following fields:
    • Code
      Specifies the code that identifies the role to the system.
      After you save the record, this field value cannot be changed.
    • Record Status
      Indicates whether the role is Active or Inactive.
    • Default?
      Indicates whether this role is the default role.
    • Customization Form Group
      Specifies a predefined or custom form group.
    • Preferred Document
      Specifies the document used by this role for entering tickets into the system.
    Click Save.
    The role definition is saved and the Role Detail page appears.
  4. Update the information in the role tabs.
Role Tabs
If multi-tenancy is installed, select the appropriate tenant from the drop-down list. The public (shared) option creates the object for all tenants.
The following tabs are available on the Role Detail and Update Role pages:
  • Authorization
    Allows you to define the authorization level assigned to the role. Complete the following fields as appropriate:
    • Grant Level
      Specifies the access permission that users assigned to this role can grant to others. The grant level is used to determine which access types a user can grant to another user. You can assign an access type to the contact record of another user only if the access level of the access type you are attempting to assign is ranked the same as or lower than the grant level for your own access type. These levels are ranked as follows:
      • Admin (highest)
      • Analyst
      • Cust/Emp
      • None (lowest)
    • View Internal Logs?
      Allows users assigned to this role to view internal log files.
    • Data Partition Name
      The name of the data partition assigned to this role. Data partitions are subsets of the database with restricted access to data records, based on their content. You restrict that access by defining a set of constraints for each data partition.
      Enter the data partition name directly into the field, or click the search icon to search for a data partition name.
    • Override Contact Data Partition?
      Select this option if you want the data partition defined for the access type to override the data partition defined on the contact record. This option can help prevent conflicts from arising between data partitions specified on the contact records and data partitions specified on the role record.
    • Multi-Tenancy Settings
      The following options apply to systems where multi-tenancy is enabled:
      Update Public (Service Provider only)
      Select this option if you want users that are assigned to this role to update data for all tenants and non-tenanted data.
      Tenant Access
      Select the tenant or tenant group that you want users assigned to this role to be able to read. If you select Single Tenant, you can enter the name of the tenant that you want this role to read. You can assign the following associations to roles:
      • Same As Tenant Access (Tenant Write Access Only)
        Sets Tenant Write Access to be the same as the Tenant Access setting. Default for Tenant Write Access and only valid for Tenant Write Access.
      • All Tenants
        Removes tenant restrictions. CA SDM allows a user in a role with this access to view any object in the database (read access) or create and update (write access) any tenanted object in the database. When users with All Tenant access create an object, CA SDM requires that they select the tenant of the new object.
      • Single Tenant
        Sets a role's tenant access to a named tenant. When this option is selected, a second field appears on the web UI that allows selection of a specific tenant. CA SDM restricts a user in a role with this access to view (read access) or create and update (write access) only those objects associated with the named tenant. This selection is valid for either Tenant Access or Tenant Write Access.
      • Tenant Group
        Sets a role's tenant access to a user-defined or system-maintained tenant group. When the Tenant Group option is selected, a second field appears on the web UI that allows selection of a specific tenant group. CA SDM restricts a user with the role to view (read access) or create and update (write access) only those objects associated with one of the tenants in the group. When a user with tenant group access creates an object, CA SDM requires that they select the tenant for the new object. This selection is valid for either Tenant Access or Tenant Write Access.
      • Contact's Tenant
        Sets a role's tenant access to the tenant of the contact using it. CA SDM restricts a user in a role with this access to view (read access) or create and update (write access) only those objects associated with their own tenant. This selection is valid for either Tenant Access or Tenant Write Access.
      • Contact's Tenant Group (Analyst Only)
        Sets an analyst's role access to the tenant group that the analyst works with, as specified on the analyst's contact record. If the user with the role is not an analyst, this selection has the same effect as Contact's Tenant. It is valid for either Tenant Access or Tenant Write Access.
      • Contact's Subtenant Group
        Sets a role's tenant access to the Subtenant group of the contact using it. CA SDM restricts a user in a role with this access to view (read access) or create and update (write access) only those objects associated with their own Subtenant group. This selection is valid for either Tenant Access or Tenant Write Access.
      • Contact's Supertenant Group
        Sets a role's tenant access to the Supertenant group of the contact using it. CA SDM restricts a user in a role with this access to view (read access) or create and update (write access) only those objects associated with their own Supertenant group. This selection is valid for either Tenant Access or Tenant Write Access.
      • Contact's Related Tenant Group
        Sets a role's tenant access to the Related Tenants Group of the contact using it. CA SDM restricts a user in a role with this access to view (read access) or create and update (write access) only those objects associated with their own Related Tenants Group. This selection is valid for either Tenant Access or Tenant Write Access.
      All users can view public data, regardless of their current role's access rights. The Update Public check box controls whether a service provider user in the role has the authorization to create or update public data. Tenant users (users belonging to a tenant other than the service provider) cannot update public data, regardless of their role.
    • Tenant Write Access
      Select the tenant or tenant group that you want users assigned to this role to be able to create and update. If you select Single Tenant, an additional field displays where you can enter the name of the tenant you want this role to access.
      Either the Tenant Access or Tenant Write Access fields can be set to Contact's Tenant Group to reference the Analyst's Tenant Group on the Contact Detail page. If a user that is not an Analyst, or an Analyst with no Analyst's Tenant Group defined, uses a role with this access, their access is Contact's Tenant.
    • Support Automation Access
      Defines the appropriate Support Automation access for this role.
  • Function Access
    Allows you to define the role's access to each functional area.
  • Web Interface
    Allows you to configure the web interface for the role by defining the web pages and online help content the users can access. Complete the following fields as appropriate:
    • Web User Interface Type
      The kind of web interface that is used to present the product features. Most of the predefined roles use the Analyst interface. The Customer and Employee roles are assigned a restricted interface type because they are not allowed access to analyst, management, and administrative functionality.
    • Web Initial Form
      The initial web form that appears for this role.
      This must be set to menu_frames_role.htmpl in order for role-based functionality to be active. Changing the name of this form to anything else negates the role-based functionality.
    • Help View
      The name of the help set that appears for this role. Enter the name of the help set directly or click the search icon to select the help set from a list.
      The list of available help sets is based on the web user interface type selected in the role. Only active help sets belonging to that interface type are available for selection. If you do not select the web user interface type before selecting the help view, no help sets are available for selection.
  • Knowledge Management
    Allows you to specify the Knowledge Management privileges for the role. Fill in the following fields as appropriate:
    • Open Issue/Request
      Allows the role to open an issue and request.
    • Open Issue/Request based on Document
      Allows the role to open an issue and request based on a Knowledge Document.
    • Bypass Approval Process
      Allows the role to bypass the knowledge approval process.
    • Change Approval Process Template
      Allows the role to change the approval process template.
    • Add, Edit, Copy and Paste Categories
      Allows the role to manage Knowledge Categories.
    • Delete Multiple Categories and Documents
      Allows the role to delete parents and child categories and documents.
    • Delete Category
      Allows the role to delete a Knowledge Category.
    • Create Document
      Allows the role to create a Knowledge Document.
    • Create Document with Attachments
      Allows the role to create a document with attachments.
      If this option is disabled, the Attach File and Attach File from Library buttons do not appear for that role.
    • Delete Knowledge
      Allows the role to delete knowledge documents, forums and files.
    • View Forum
      Allows the role to view forums.
    • Create Forum
      Allows the role to create a forum.
    • Reply Forum
      Allows the role to reply to a forum.
    • Edit Forum
      Allows the role to edit a forum.
    • View File
      Allows the role to view files.
    • Edit File
      Allows the role to edit files.
    • View External Repository
      Allows the role to view the external repository.
    • View Related Tickets
      Allows the role to view related support tickets.
    • Add Bookmark
      Allows the role to add a bookmark to My Bookmarks.
    • Use Preferences
      Allows the role to use preferences.
    • Allow Export
      Allows the role to export knowledge packages.
    • Allow Import
      Allows the role to import knowledge packages.
  • KT Document Visibility
    Allows you to specify which document statuses the role is allowed to view (for example, draft, retired, and published).
  • Tabs
    Allows you to define the tabs that appear when a user assigned to this role is logged in.
    Include only tabs that contain forms that are in the form group assigned to the role you are creating or editing. For example, assigning the Customer tab or Employee tab to the Administrator role causes an error when users attempt to access that tab. Including more tabs than your browser window can display causes some tabs to be inaccessible to the user.
    The role's form group is specified in the Customization Form Group field on the Role Detail page, and is also displayed in the Form Group column on the Role List page.
  • Report Web Forms
    Allows you to define the report web forms that are available to this role.
  • Go Resources
    Allows you to specify which record types appear in the Go drop-down list for the role. Users can search for items by a number, name, or ID. In the upper right-hand corner of the main window, there is a drop-down list containing the searchable record types. These searchable record types are referred to as "go" resources.
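The grant level ranking and the tenant settings on the Authorization tab combine into an access decision that is worth modelling when you review a role before assigning it. The following Python sketch is an added example, not CA SDM code: the `Contact` and `Role` records, their field names, and the `PUBLIC` marker are hypothetical, and the Subtenant, Supertenant, and Related Tenant Group options are not modelled.

```python
from dataclasses import dataclass

# Grant levels as ranked on the Authorization tab, lowest to highest.
GRANT_RANK = {"None": 0, "Cust/Emp": 1, "Analyst": 2, "Admin": 3}
PUBLIC = None  # constructed marker for a public (shared) object


def can_grant(own_grant_level, access_level):
    """An access type is assignable if ranked the same as or lower than the grant level."""
    return GRANT_RANK[access_level] <= GRANT_RANK[own_grant_level]


@dataclass
class Contact:  # hypothetical record, not the CA SDM schema
    tenant: str
    is_analyst: bool = False
    analyst_tenant_group: frozenset = frozenset()  # empty means not defined
    is_service_provider: bool = False


@dataclass
class Role:  # hypothetical record, not the CA SDM schema
    tenant_access: str
    tenant_write_access: str = "Same As Tenant Access"
    read_tenants: frozenset = frozenset()   # Single Tenant / Tenant Group selection
    write_tenants: frozenset = frozenset()
    update_public: bool = False


def _scope(setting, named, contact):
    """Resolve a tenant setting to a set of tenants; None means unrestricted."""
    if setting == "All Tenants":
        return None
    if setting in ("Single Tenant", "Tenant Group"):
        return set(named)
    if (setting == "Contact's Tenant Group" and contact.is_analyst
            and contact.analyst_tenant_group):
        return set(contact.analyst_tenant_group)
    if setting in ("Contact's Tenant", "Contact's Tenant Group"):
        return {contact.tenant}  # non-analyst or no group: falls back to own tenant
    raise ValueError(f"setting not modelled: {setting}")


def can_read(role, contact, obj_tenant):
    if obj_tenant is PUBLIC:
        return True  # all users can view public data
    scope = _scope(role.tenant_access, role.read_tenants, contact)
    return scope is None or obj_tenant in scope


def can_write(role, contact, obj_tenant):
    if obj_tenant is PUBLIC:  # only service provider users, and only with Update Public
        return role.update_public and contact.is_service_provider
    if role.tenant_write_access == "Same As Tenant Access":
        setting, named = role.tenant_access, role.read_tenants
    else:
        setting, named = role.tenant_write_access, role.write_tenants
    scope = _scope(setting, named, contact)
    return scope is None or obj_tenant in scope
```

Running the same role against an analyst contact and a non-analyst contact makes the Contact's Tenant Group fallback visible, which is the case most easily missed when a role is shared across user types.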
How to Implement a Custom Role
For many sites, the predefined roles are sufficient. There may be situations, however, when you want to create a custom role and tailor it to meet site-specific business needs within your organization.
The following process outlines the tasks required in implementing a new role. The example shown here describes how you might implement a role for a small group of analysts tasked with reviewing and authorizing change order tickets.
Follow these steps:
  1. Create a new role record using the following field values:
    • Role Name
      Change Analyst
    • Code
      chg_anal
    • Customization Form Group
      Analyst
    • Preferred Document
      Incident
  2. Select Service Desk Analyst in the Data Partition field on the Authorization tab.
  3. Select Modify in the Change Orders field on the Function Access tab.
  4. Enter the following values on the Web Interface tab:
    • Web User Interface Type
      Analyst
    • Help View
      Change Analyst
  5. Select the following tabs:
    • Reports tab - Change Analyst
    • Service Desk tab - Change Analyst
    • Change Calendar tab
  6. Select the following reports on the Report Web Forms tab:
    • Active Change Orders Aging by Priority for Status
    • Active Change Orders at Weeks End
    • Change Orders by Failed Service Type for Change Categories
  7. Add the Change Order resource on the Go Resources tab.
  8. Create a custom help set named Change Analyst that includes all content appropriate for the new role.
    For more information, see Create and Publish a Help Set.
  9. Create the following custom tabs using features appropriate for the new role:
    • Reports tab - Change Analyst
    • Service Desk tab - Change Analyst
  10. Create a custom menu tree that includes all nodes appropriate for the new role.
    For more information, see How to Implement a Custom Menu Tree.
Switch Roles
Roles define the system functionality each user can access. Depending on your assigned role, a specific set of menus, tabs, and toolbar controls is presented when you log in to the Web Interface client. For example, administrative roles have access to the Administration tab, while analyst and manager roles typically do not.
Some users are allowed to access multiple roles, enabling them to switch from one view of the system to another. If you are assigned multiple roles, you can switch between them at any time without having to log out and back in again.
Follow these steps:
  1. Select the desired role from the Role drop down list in the upper right corner of the main page of the Web Interface.
  2. Click Set Role.
    The Web Interface and available functionality change to match the new role setting.