SM7.00 I.E.

When implementing Service Manager, you must define a user's profile for each Service Manager application based on the user's functions and responsibilities in your organization. A user's role determines what type of user profiles are assigned. By assigning a user role in an operator record, you can determine the user's access and privileges within different Service Manager applications. User roles range from a basic user with limited access, to a system administrator with full access.

Levels of Security

Security in Service Manager can be set on multiple layers. The three main levels consist of:

System Access: The System Information Definition record, also called the System Information record, identifies system wide settings and defaults in the operator record. The operator record identifies the logon name and password required to access Service Manager.

Application Access: The operator record identifies the initial menu and capability words for the user to access specific applications and utilities in Service Manager.

Functional Access: The profile identifies the functionality available to the user within an application.

Security in Service Manager can be compared to a gated community of a neighborhood:
The 1st level: Gated Community (Service Manager)
The 2nd level: Getting into the house (system access)
The 3rd level: What room can I see? (module access)
The 4th level: Getting the beer out of the fridge (functional access)

When implementing Service Manager, one record defines the overall characteristics and settings of the system. The System Information Definition record sets default values that are used by all users. Some options may be redefined in an individual's operator record. Within the System Information Definition record, defaults include setting password requirements and composition, default time zone, active integrations, and others.

The System Information record enables system administrators to:
Set the menu title.
Set user lockout and account expiration conditions.
Set password reset, format, and lifetime restrictions.
Enable password history.
Set the time zone and date and month format the system uses.
Set the default language and currency the system uses.
Set the maximum size for a file attachment, and the maximum memory all file attachments can use.
Enable/disable case sensitivity.
Set the maximum time allowed for queries.

The System Information record settings are those that apply across all applications on the server. Some settings can be overridden by profile settings, but the system wide defaults are defined in the SID.

The Login Info tab defines general login information, user lockouts, and account expirations of Service Manager. You can use this tab to set the synchronization between the contacts records and the operator records and the default operator template for LDAP users.

Note: To switch the case mode, go to the Options menu, and select Set Case Insensitive (or Set Case Sensitive, if you are already running in Case Insensitive mode).

The Password Standards tab enables the password reset function. Options include resetting passwords by user name, prompting for a value, or using a specific value. This temporary password allows the user into the system only to be prompted to change the temporary password to a user-defined password. The ability to store a history of passwords (and optionally prevent re-use) is also contained within the tab.

The Password Composition tab enables you to set the minimum and maximum password lengths and defines which characters are permitted in a password, as well as allowing you to require certain types of characters in a password (strong password standards). Selecting Always Require a Password enforces passwords for every user in the system, while leaving it unselected allows users to have blank passwords.

The Password Lifetime tab defines the expiration period of passwords, whether it be a time period or a certain number of logins. You can choose to notify users by e-mail whenever their passwords are changed.

The General tab defines multiple functions of Service Manager. You can use this tab to run the multi-company mode, view the case mode (Case Sensitive or Case Insensitive), initiate adaptive learning for the Service Manager Knowledge Base, and more. Note: To switch the case mode, go to the Options menu, and select Set Case Insensitive (or Set Case Sensitive, if you are already running in Case Insensitive mode).

The User Quick Add Utility enables system administrators to add users from one central place.

A Power User can access Service Manager either through a Windows or Web client. A Power User is usually someone who needs to perform administrative duties, such as a System Administrator or Helpdesk person. A Power User consumes a license upon logging into the system unless accessing the system through the Employee Self Service (ESS) portal.

For example, a Self Service Power User has two ways to access the Service Desk. The access method depends on the task to complete:
They have a Service Desk profile that enables them to log on to Service Desk (or other Service Manager applications) using the Windows client connection dialog or any valid Web client URL to view, add, update, or delete records. For example, Bob Helpdesk has a Service Desk profile that enables him to take service requests and provide services to a user community.
They have a self service profile that enables them to initiate service requests through a self service URL. For example, Bob can use this feature to request services for himself.

A Self Service User has a regular Service Desk profile that enables them to log on to Service Desk only through a self service Web client URL. A self service user never consumes a Service Desk license when logged on because access is limited to only the user's requests for service.

The User Quick Add Utility enables administrators to add an operator record and specify the access rights to applications within Service Manager. This utility creates a new operator record by guiding you through a series of prompts that request information. Within this utility, you can also create a new contact record for the operator. In addition, all application tabs provide access to profiles, groups, and environment configuration forms.

The operator record identifies the logon name, password, and specific settings for each person using Service Manager. The operator record determines what menu appears when a specific user connects to the Service Manager system. Menu selections can be restricted through the use of capability words on the menu setup screen, or custom menus can be created for specific users.

Administration and creation of operator records can be done within the User Quick Add Utility. Service Manager includes several predefined operator records that you can use as templates to create your own operators.

The General tab enables you to specify the logon name, language, profiles, and other general information. In addition, you can change the role and profiles of an operator for individual Service Manager applications. Each operator must be associated with a contact record. This association is tracked through the Contact ID field on the operator record.

Login Name: The name used to log in to Service Manager. This will be referenced in the Connections from a client.
Contact ID: The contact record associated with the operator.
Date Information: Sets the time zone of the user, and the date format used for the user.
Application Profiles: Sets the user role and/or any application profiles.

The Options menu allows system administrators to reset passwords and reinstate locked-out users.

The Security tab enables you to view information regarding a user's session and set parameters including password, locking, and LDAP.

The Startup tab defines the initial RAD application and the capability words to access Service Manager applications and utilities.

RAD Name: The name of the RAD application to be run when the user initially logs on. Typically, this is menu.manager, in order to display an initial menu to the user.
Activate Command Line on Startup: If checked, the Embedded Command Line will be available to the user (Best Practice: Limit command line access to System Administrators only). If unchecked, the command line will not be available.
Parameter Names/Parameter Values: The name(s) and the corresponding value(s) of parameter(s) to be passed to the RAD application referenced in the RAD Name field.
Execute Capabilities: The list of capability words associated with the user.

Capability words provide a security mechanism to control access to Service Manager applications by enabling or disabling parts of the interface. You can add capability words to a user role or individual operator to control access to Service Manager. In some cases, capability words are redundant to the privileges and views that are provided by application profiles. In cases where capability words and application profiles overlap, Service Manager uses the most restrictive set of permissions. Service Manager stores capability words in the capability table. You can access the capability table from User Quick Add Utility or from an operator record (using Find).

To have access to SD functionality, users must have at least one of the above capability words in their operator record.

To have access to IM functionality, users must have at least one of the above capability words in their operator record.

To add a new capability word:
1. Type the word in the Capability field.
2. Enter a significant description.
3. Click Add to complete the record.

Service Manager 6.1 and later releases organize capability words into a permission hierarchy. To limit access, choose a subordinate capability word; to grant a broad range of permissions, choose a parent capability word, such as SQLAdmin or SysAdmin. If you assign a parent capability word to a user or user profile, Service Manager automatically assigns the subordinate capability words. In the above example, the incident management capability word has IncidentAdmin as its parent capability word. IncidentAdmin, in turn, has SysAdmin as its parent capability word. So, if a user has SysAdmin capability, they automatically have IncidentAdmin and incident management capabilities, as well as others.

Best Practice: Do not modify or delete the existing capability words. To provide additional security on menus, forms, and profiles, words can be added and referenced by using functions and conditional expressions.
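The permission hierarchy above, together with the Startup tab best practice of limiting the command line to System Administrators, can be checked offline against an export of operator records. The following is an added example, not code from Service Manager or from this course material; the operator record shape (name, capabilities, commandLine) and the sample operators are constructed for illustration, and only the parent chain named in the text is modelled.

```javascript
// Added example. Child -> parent capability words; only the chain named in
// the text is modelled, a production capability table holds many more.
const PARENT_OF = new Map([
  ["incident management", "IncidentAdmin"],
  ["IncidentAdmin", "SysAdmin"],
]);

// Return every capability word an operator effectively holds: the assigned
// words plus all subordinate words implied by any parent word.
function effectiveCapabilities(assigned, parentOf = PARENT_OF) {
  const childrenOf = new Map();
  for (const [child, parent] of parentOf) {
    if (!childrenOf.has(parent)) childrenOf.set(parent, []);
    childrenOf.get(parent).push(child);
  }
  const held = new Set();
  const pending = [...assigned];
  while (pending.length > 0) {
    const word = pending.pop();
    if (held.has(word)) continue; // already expanded; also stops on cyclic data
    held.add(word);
    pending.push(...(childrenOf.get(word) || []));
  }
  return held;
}

// Hypothetical operator shape: { name, capabilities: [...], commandLine: bool }.
function auditOperators(operators) {
  const findings = [];
  for (const op of operators) {
    const held = effectiveCapabilities(op.capabilities);
    const implied = [...held].filter((w) => !op.capabilities.includes(w)).sort();
    if (op.commandLine && !held.has("SysAdmin")) {
      findings.push(`${op.name}: command line enabled without SysAdmin`);
    }
    if (implied.length > 0) {
      findings.push(`${op.name}: parent word also grants ${implied.join(", ")}`);
    }
  }
  return findings;
}

// Constructed sample operators.
const SAMPLE_OPERATORS = [
  { name: "op.admin", capabilities: ["SysAdmin"], commandLine: true },
  { name: "op.desk", capabilities: ["incident management"], commandLine: true },
  { name: "op.lead", capabilities: ["IncidentAdmin"], commandLine: false },
];

console.log(auditOperators(SAMPLE_OPERATORS).join("\n"));
```

The second finding type is informational: it lists what a parent word silently adds, so a reviewer can decide whether a subordinate word would have been enough.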

Profile records grant specific rights and privileges within a specific application (such as Service Desk or Incident Management) to Service Manager operators. Multiple operators can use a single profile record, which defines job-specific privileges. Enhancing job-specific privileges is done using roles. You can set up a user role, which contains a set of application-specific profiles and capability words, to be referenced within a specific operator record. Best Practice: Roles are the preferred method of granting rights and privileges within the Service Manager system.

Application profiles are security settings that determine which features (such as Find, Fill, Update, or Add) a user can access from a particular Service Manager application. Each of the Service Manager applications has a set of application profiles that determine which features a user can see. An application profile defines the access settings that a particular business function or role has to the application. Typically, system administrators assign application profiles as part of user roles, but the administrator can also assign an individual application profile that overrides the default settings of a user role. The above table shows applications and the tables that store the profiles specific to each application. Once established, a profile can be associated with one or more users by setting the operator record(s) to use the proper profile.

Example: A user may need to update records in Configuration Management but not in Change Management. Therefore, in Configuration Management, the user would be assigned a profile that defines the update privilege to be true, but the user would also be assigned a profile in Change Management that defines the update privilege to be false.

Each application's profile has a different set of settings and configurations. Most settings involve granting or denying permission to certain actions and utilities within the application. However, some settings determine which forms appear at different times within the application. The above example defines a Service Desk Profile called HELPDESK TECH. Users with this profile in their operator record (under Service Profile) will be able to Browse, Open, Update, Close, and Print records within Service Desk (interactions). They will be able to use Find, Fill, and Advanced Search, but will not be able to create personal Inboxes, use the Count function, or invoke alternate Views of Service Desk forms. They will not be added to any Service Catalog Approval groups.

User Profile
A user profile is a selection of rights and restrictions that aid in a user's functionality within Service Manager applications. Profiles can be used in a group, where everyone has the same rights and privileges, or can be specific to one user.

Default Profile
Each application is delivered with a profile record named DEFAULT. The environment record allows access to the application without a specific user profile reference. When this occurs, the DEFAULT profile is used.

When a user attempts to access one of the Service Manager applications, the system performs the following steps to determine which profile should be used:
The system retrieves the user profile name from the operator record, then accesses the profile record for the application.
1. If the system cannot find a user profile, the system uses the DEFAULT profile.
2. If you deny the ability to access an application without a profile, a user profile must be defined to access the application (i.e., the DEFAULT profile will not be used unless specifically invoked in the operator record).

A user role is a template that combines a collection of application profiles and capability words into a single record. Service Manager has out-of-box user roles with appropriate capability words and application profiles that define a variety of business functions. By defining user roles, a system administrator can grant an operator all the capability words and application profiles to do their job. Roles also contain information about whether or not users accessing the role also have access to the Embedded Command Line. Roles also can determine which application runs when the user initially logs in, and thus can determine the structure of the user's System Navigator.

To access user roles, use one of the following methods:
1) From the System Navigator, expand Menu Navigation.
2) Select Utilities > Administration > Security > User Quick Add Utility.
3) Double-click User Role.

OR
1) From the User Quick Add Utility menu:
2) Select Utilities > Administration > Security > User Quick Add Utility > User and Contact Utilities > Search for User Roles.

OR
1) At the Database Manager prompt, type userrole in the File field.
2) Click Search.

Important: When a user role is updated, it does not automatically update operator records using the role. You must access the operator records and Fill again from the User Role field.
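Because a role update does not propagate to operator records, an operator can keep capability words or command line access that the role no longer grants. The following added example (not code from Service Manager or from this course material) compares operator records with the current role record and lists the ones that need a new Fill; the record shapes, the role name and the sample operators are constructed for illustration.

```javascript
// Added example. Record shapes, role names and sample data are constructed.
// USER_ROLES holds the current role records, i.e. what a fresh Fill would copy.
const USER_ROLES = {
  "service desk agent": {
    capabilities: ["incident management"],
    profiles: { "Service Desk": "HELPDESK TECH" },
    commandLine: false,
  },
};

// Compare one operator record with the current version of its user role.
function roleDrift(operator, roles = USER_ROLES) {
  const role = roles[operator.userRole];
  if (!role) {
    return { operator: operator.name, stale: true, reason: "user role not found" };
  }
  const roleCaps = new Set(role.capabilities);
  const opCaps = new Set(operator.capabilities);
  // Words the operator still holds although the role does not grant them.
  const extra = [...opCaps].filter((w) => !roleCaps.has(w)).sort();
  // Words the role grants now that the operator record lacks.
  const missing = [...roleCaps].filter((w) => !opCaps.has(w)).sort();
  const apps = new Set([...Object.keys(role.profiles), ...Object.keys(operator.profiles)]);
  const profileDiffs = [...apps]
    .filter((app) => role.profiles[app] !== operator.profiles[app])
    .sort();
  const commandLineDiff = operator.commandLine !== role.commandLine;
  const stale =
    extra.length > 0 || missing.length > 0 || profileDiffs.length > 0 || commandLineDiff;
  return { operator: operator.name, stale, extra, missing, profileDiffs, commandLineDiff };
}

// Operators to review, those with the most leftover words first.
function staleOperators(operators, roles = USER_ROLES) {
  return operators
    .map((op) => roleDrift(op, roles))
    .filter((result) => result.stale)
    .sort((a, b) => (b.extra || []).length - (a.extra || []).length);
}

// Constructed sample: op.old was filled before the role was tightened.
const ROLE_SAMPLE_OPERATORS = [
  { name: "op.current", userRole: "service desk agent",
    capabilities: ["incident management"],
    profiles: { "Service Desk": "HELPDESK TECH" }, commandLine: false },
  { name: "op.old", userRole: "service desk agent",
    capabilities: ["IncidentAdmin"],
    profiles: { "Service Desk": "HELPDESK TECH" }, commandLine: true },
];

console.log(staleOperators(ROLE_SAMPLE_OPERATORS));
```

A profile difference is a review item rather than an error, since an administrator can deliberately assign an individual application profile that overrides the role.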

A system administrator can specify what functions an IM user (or a group of users) can access, as well as other IM security features and function settings. Incident Management (IM) has an extensive environment that controls its functionality.

Each application has an Environment record, which defines options that affect the functionality of an application for all users. Some of the typical options stored in this record include:
The relationship model
Access rights
A default category

To access the SD Environment record:
From the Service Desk menu: Security Files > Environment tab.
From the System Navigator: Menu Navigation > Utilities > Administration > Security > User Quick Add Utility > Service Desk Environment.

Some Environment options are:
Allow Access Without Operator Record? When unchecked, users without a specific SD profile in their operator record will be unable to access SD. When checked, users without a profile will be allowed access to SD using the DEFAULT SD profile's settings.
Delay Assigning Interaction ID? When selected, this check box signals the system to assign an interaction ID only after a save action is attempted.
Return to Blank Interaction? When selected, this check box prompts the system to return to a blank interaction form after the creation of an interaction.

The three Post back Link fields show the link record that controls what is posted back to the interaction record after a related Incident, Change, or Request ticket is closed. The Environment record also determines which SD Record Relationship Model is followed to manage closure of interactions in relation to other applications.
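The profile lookup described under Default Profile and the Allow Access Without Operator Record? option combine into one decision. The following added example (not code from Service Manager or from this course material) models that decision and lists operators who reach an application only through the DEFAULT fallback; the data shapes, the allowAccessWithoutProfile field name, the rights shown and the sample operators are constructed for illustration.

```javascript
// Added example. Data shapes are hypothetical, not Service Manager's schema.
// Profile tables per application; HELPDESK TECH follows the description above.
const PROFILES = {
  "Service Desk": {
    "HELPDESK TECH": { update: true, close: true, count: false },
    DEFAULT: { update: false, close: false, count: false },
  },
  "Change Management": {
    DEFAULT: { update: false, close: false, count: false },
  },
};

// Environment records: the "Allow Access Without Operator Record?" check box.
const ENVIRONMENT = {
  "Service Desk": { allowAccessWithoutProfile: false },
  "Change Management": { allowAccessWithoutProfile: true },
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Decide which profile applies when `operator` opens `app`.
function resolveProfile(operator, app, profiles = PROFILES, env = ENVIRONMENT) {
  const table = profiles[app] || {};
  const named = (operator.profiles || {})[app];
  if (named && has(table, named)) {
    // Also covers DEFAULT when it is named explicitly in the operator record.
    return { access: true, profile: named, fallback: false, rights: table[named] };
  }
  const allowed = Boolean(env[app] && env[app].allowAccessWithoutProfile);
  if (allowed && has(table, "DEFAULT")) {
    return { access: true, profile: "DEFAULT", fallback: true, rights: table.DEFAULT };
  }
  return { access: false, profile: null, fallback: false, rights: null };
}

// List operator/application pairs that get in only through the fallback.
function fallbackAccess(operators, profiles = PROFILES, env = ENVIRONMENT) {
  const hits = [];
  for (const op of operators) {
    for (const app of Object.keys(profiles)) {
      if (resolveProfile(op, app, profiles, env).fallback) {
        hits.push(`${op.name} -> ${app}`);
      }
    }
  }
  return hits;
}

// Constructed sample operators.
const OPERATORS = [
  { name: "op.desk", profiles: { "Service Desk": "HELPDESK TECH" } },
  { name: "op.new", profiles: {} },
];

console.log(fallbackAccess(OPERATORS));
```

Every pair in the output is access that nobody granted by name, which makes the rights in each application's DEFAULT profile worth reviewing wherever the option is checked.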

The IM Environment Record determines the overall settings for the IM module.

To access the Incident Management Environment record:
From the Incident Management menu: Security Files > Environment tab.
From the System Navigator: Menu Navigation > System Administration > Ongoing Administration > Environment Records > Incident Management Environment.

Some of the most frequently used settings of the IM Environment are:
Use Paging? - Adds a new record to the problem table each time a ticket is updated.
Use Journalled Updates? - Makes any information entered in the Actions tab a permanent part of the record that cannot be deleted.
Most to Least Recent - Lists updates to the record chronologically beginning with the most recent.
Least to Most Recent - Lists updates to the record chronologically beginning with the least recent.
Use Resolved Status? - Activates the two-step closure process in IM.

The closure model for Incident Management is determined by the Use Resolved Status? setting in the IM Environment record. When Use Resolved Status? is checked, the Two-Step Closure Model is in use, and when it is unchecked, the Single-Step Closure Model is in effect. The ability to Resolve or Close within the Two-Step model is regulated by the IM Profile record of the user in question.

An organization has employees whose roles and responsibilities vary in Service Desk (SD). A system administrator can specify what functions an SD user or a group of users can access, security features, and global function settings.

Risk: Many folders may create administrative burdens.

--You must log out and back on to Service Manager after updating the Enable Folder Entitlement setting.

Walk through the different access defined under the Helpdesk Tech & Reviewer Service Desk Profiles:
--The Helpdesk Tech profile has full rights to view, add, update, and delete in each Folder.
--The Reviewer profile grants limited rights, allowing no access to the ACME folder, only View access to the HP & GENRICOM folders, and update access to the DEFAULT folder only for tickets assigned to the user.
