Note

 

This documentation supports the 20.20.02 version of BMC Helix Remedyforce.

To view an earlier version, select the version from the Product version menu.

Segregating users and configuration data

When your service desk provides services to different accounts, you can use role hierarchy and sharing rules to segregate configuration data and other data that are used by these accounts. Configuration and data segregation restricts users of accounts and profiles of a branch in the role hierarchy to view data that is shared with their branch only. After segregating data, users in a branch cannot view the data of the users in other branches.


Overview of data segregation

Salesforce provides role hierarchy and sharing rules to segregate data. To segregate data, identify the departments in your organization and how you have mapped your IT Service Desk staff to support those departments. Based on how you are aligning your IT staff to support these departments, create a role hierarchy in your Salesforce organization. For example, your organization has the following departments:

  • Finance
  • Marketing
  • Human Resources

However, your IT Service Desk is aligned as:

  • Finance: IT staff group A supports the users belonging to the Finance department.
  • Marketing: IT staff group B supports the users belonging to the Marketing department.
  • Human Resources: IT staff group C supports the users belonging to the Human Resources department.

In this case, you can create three roles for users in Salesforce for IT staff groups A, B, and C. If group B supports two departments, Marketing and Human Resources, and group C does not exist, you need to create roles for groups A and B only.
While creating the role hierarchy, you must first create the role that is highest in the role hierarchy of the organization. The user in this role creates the data that is shared by all users who are assigned to any role in the role hierarchy.

Note

If a user is not assigned to any role in the role hierarchy, the user cannot view the segregated data. These users can view only data that is not segregated. For example, if the Broadcast object is segregated, these users cannot view the broadcasts of the organization. All users assigned to roles in the role hierarchy can view the broadcasts of the organization.

The users assigned to these roles can view the data shared with the branch only. A branch can be used to segregate data for users in multiple accounts. A branch corresponds to departments in your organization. For example, your IT Service Desk is aligned to the following branches:

  • Finance
  • Marketing
  • Human Resources

You want to segregate data of these branches to prevent users of the Marketing branch from using the urgency, impact, priority, status, or tasks of the Finance or Human Resources branches. First, create the role that is highest in the role hierarchy, such as ServiceDesk Head.
Prepare a list of branches in your organization and the users who belong to these branches. Also, identify the roles that are required under each branch. Based on this information, create roles in the role hierarchy. The roles that you add must be child roles to the highest role in the role hierarchy.
Since 20.13.01, Remedyforce enables you to create client users by using the Salesforce Platform license. Until this release, you were creating client users by using the Customer Portal Manager Custom license. Based on the Remedyforce version that you are using, the following types of users exist for each role in the branch if you created clients using the Customer Portal Manager Custom license:

  • Portal users - Assigning portal users to the role hierarchy is controlled by the owner of the account of the portal user.
  • Non portal users are not staff members. They are added directly in the role hierarchy.

The user who is assigned the manager role must be the owner of all accounts of the role. To assign users to the correct branch in a role hierarchy, select the correct role and profile while creating the users.
For example, create the following child roles:

  • Finance - Assign users of the Finance accounts to this role and to the roles below this role for all users in the Finance branch.
  • Marketing - Assign users of the Marketing accounts to this role and to the roles below this role for all users in the Marketing branch.
  • Human Resources - Assign users of the Human Resources accounts to this role and to the roles below this role for all users in the Human Resources branch.

If you have created clients in your Salesforce organization by using the Customer Portal Manager Custom license, then the user who is assigned the manager role of the Finance Manager branch must be the owner of all Finance accounts belonging to the Finance Manager role. Similarly, the user assigned as the role administrator of the Marketing Manager role must be the owner of all Marketing accounts belonging to the Marketing Manager role, and so on for each branch. When the manager of the Finance branch creates data of the segregated objects, this data is shared with all the users assigned to roles in the Finance branch.
For example, the user in the ServiceDesk Head role creates the Opened, Assigned, and Closed status records. The manager of the Finance branch creates the Credit and Debit status records. The manager of the Marketing branch creates the Maximum Price and Discount status records. The manager of the Human Resources branch creates the Employee Welfare and Policy status records. The following table describes which status records are available for each branch:

| Role | Available status records |
|---|---|
| ServiceDesk Head | Opened, Assigned, Closed, Credit, Debit, Maximum Price, Discount, Employee Welfare, Policy |
| Finance Manager | Opened, Assigned, Closed, Credit, Debit |
| Marketing Manager | Opened, Assigned, Closed, Maximum Price, Discount |
| Human Resources Manager | Opened, Assigned, Closed, Employee Welfare, Policy |

After creating the role hierarchy, you must create the sharing rules that segregate and share the data with all users in a branch. When the manager of a branch creates data, this data is shared with all users in the branch. The segregated data is shared with:


  • All users of the accounts where the manager owns the accounts
  • All users in portal roles below the user with manager role

For Self Service clients, you can segregate the Self Service themes. You can also configure the default settings of Self Service. Users with manager role can only assign a theme to the accounts in their branch.
BMC Remedyforce supports data segregation for the following objects:

  • Accounts
  • Base Element, Base Relationship, and Business Service
    These objects are used to segregate configuration items and services
  • Broadcast
  • Category
  • Category Type
  • Contact
  • Custom Action
  • Impact
  • Incident
  • Knowledge Article
  • Priority
  • Request Definition
  • Standard Description
  • Standard Resolution
  • Status
  • Task
  • Template
  • Urgency

Self Service supports data segregation for the following objects:

  • Broadcast
  • Base Element, Base Relationship, and Business Service
    These objects are used to segregate configuration items and services.
  • Category
  • Impact
  • Knowledge Article
    This object is also used to segregate Top Knowledge Articles.
  • Priority 
  • Request Definition
  • Urgency
  • Template
    This object is also used to segregate Top Requests.

Important

The settings available on the Remedyforce Administration tab behave the same for all the users in your organization.

Segregating CMDB data

If you want to segregate the BMC Remedyforce Configuration Management Database (CMDB), you must configure data segregation for the Base Element, Base Relationship, and Business Service objects. When you change the sharing model of these objects to Private and create the required sharing rules, users of a branch in the role hierarchy can view only those services and configuration items (CIs) that are shared with their branch. After you segregate the CMDB, the CMDB Explorer displays only those CIs that are shared with your branch. If a parent CI is not shared with your branch, the parent CI is not displayed in the CMDB Explorer.

Best practices for segregating data

BMC recommends that you follow these best practices when you implement data segregation:

  • You must not create links between the data used in different branches of the role hierarchy.
    For example, the Marketing branch uses the Campaign category and the Human Resources branch uses the Recruitment category. The system administrator should not create a parent-child relationship between the Campaign and Recruitment categories. If a relationship is created between these categories, the users of the Marketing and Human Resources branches might not be able to view these categories in the Category tree.
  • You must not mix configuration data used by different branches.
    For example, do not change the Request Detail template used in a branch's service request definition to the Request Detail template of another branch. For example, the role manager of the Marketing branch creates a Campaigns Request Detail template. The manager of the Finance branch creates a Purchase Request Detail template. The manager of the Marketing branch creates a service request definition that uses the Campaigns Request Detail template. Now, the system administrator must not update the service request definition of the Marketing branch to use the Purchase Request Detail template of the Finance branch.
  • If you have created clients by using the Customer Portal Manager Custom license, then the branch managers must be the owners of all the accounts that their branch supports. If you have created clients by using the Salesforce Platform license, for each client account, create a separate branch directly under the branch manager. In this case, the branch for the staff members must be a separate branch.

Implementing configuration and data segregation

The following table provides an overview of steps that help you in implementing data segregation:

| Step | Related information |
|---|---|
| Create the required users, accounts, and profiles | If all the required users, accounts, and profiles exist in your Salesforce organization, skip this step. However, if the required users, accounts, and profiles do not exist, create them first. For more information, see Adding or editing users, Creating accounts, and Managing profiles. The ServiceDesk Change Manager profile contains all the access permissions that the branch manager requires. Therefore, you can clone this profile to create a profile that you can use to create the branch manager users. Ensure that you select the Read, Create, Edit, and Delete check boxes in the Custom Object Permissions section for the following custom objects: Custom Actions, Fulfillment Inputs, Fulfillment Mappings, Process Controls, Process Templates, and Request Definitions. |
| Create roles in role hierarchy | Create a list of roles that are required as per your business requirements. While you create roles, assign the required users to the roles. For more information, see Creating roles and Salesforce Help. |
| Set up sharing rules | You have identified roles in your organization. Similarly, identify what information you want to segregate. For example, you want to have separate categories for each department. In this case, set up a sharing rule that segregates categories for the various departments. For all the objects whose data you are segregating, ensure that you set the organization-wide defaults to Private. For more information, see Segregating users and configuration data v20.20.01.002. |
| Enable users in different branches to create duplicate records by deactivating the validation rules that prevent the creation of duplicate records | Different branches in your organization might need the same values of the object that you segregate. For example, you segregate the Urgency object, and all the branches need the urgency values High, Medium, and Low. By default, duplicate records are not allowed because the object is the same. However, with the steps mentioned in Enabling creation of duplicate records, you can enable users in different branches to create duplicate records. |
| (Optional) Assign themes to accounts | To enable users of different accounts to have a different look and feel of the application, you can assign themes to accounts. For more information, see Assigning a theme to accounts. |
| Segregate users of different branches | By default, users of all the branches are shown in the user lookups (such as the lookup that the staff members use to assign a record to another staff member). On the Remedyforce Console (Incidents/Service Requests, Tasks, Problems, Change Requests, and Releases), Incident Console, Task Console, Incidents, Tasks, Problems, Change Requests, Releases, and Broadcasts tabs, all the users are shown in the lookups. If a staff member selects a wrong user, an error is shown. For more information, see Segregating users and configuration data v20.20.01.002. |

To create roles

In Salesforce, roles are shown in a hierarchical way. You can create roles based on your business and Service Desk requirements and assign users to these roles.

  1. Click the Remedyforce Administration tab.
  2. On the Home page, click the Manage Users tile, and from the menu select Roles.
  3. From the Select User Role View list, select Show in tree view.
    This view allows you to view the parent-child relationships between roles.
  4. Click Add Role.
    For more information about viewing and editing roles, see Salesforce Help.
  5. In the Label field, type the label of the role.
  6. In the Role Name field, type the name of the role.
  7. Click the This role reports to lookup.
  8. In the Lookup window, select the required role.
  9. Click Save.
    In the user scenario, first create the role that is highest in the role hierarchy. Next, create the Finance, Marketing, and Human Resources roles as child roles of the ServiceDesk Head role.

To assign users to a role

  1. Click Assign next to the role.
  2. In the Available Users list, select the type of users that you want to assign.
    If you select a role in the Available Users list, all users belonging to the role appear in the column below the list.
  3. Select the users to assign to the role in the column below the list.

    Note

    Portal user assignment to the role hierarchy is controlled by the owner of the account of the portal user.

  4. To move the selected users from the Available Users list to the Selected Users list, click the right arrow.
  5. Click Save.
    In the user scenario, assign all users of the Finance accounts to appropriate roles in the Finance branch of the role hierarchy. Next, assign all users of the Marketing accounts to appropriate roles in the Marketing branch of the role hierarchy. Next, assign all users of the Human Resources accounts to appropriate roles in the Human Resources branch of the role hierarchy.

    Note

    When you assign a user as the role manager, you must ensure that this user owns all accounts of the role.

Configuring sharing rules

Correct data segregation can be achieved with carefully planned role hierarchy and sharing rules. Based on your Service Desk requirements, determine the sharing rules that you require.

Create the sharing rules as follows:

  • Create a sharing rule for the role that is highest in the role hierarchy.
  • For each role manager in the role hierarchy, create a sharing rule to share data with users belonging to their branch.

To configure sharing rules

  1. Navigate to the required path: 
    • For Salesforce Classic, go to Setup > Administer > Security Controls > Sharing Settings.
    • For Salesforce Lightning, go to Setup > Settings > Security > Sharing Settings.
  2. In the Organization-Wide Defaults section, click Edit.
  3. For the objects whose data you want to segregate, select Private from the Default Access list.
    If you want to segregate the BMC Remedyforce Configuration Management Database (CMDB), you must configure data segregation for the Base Element, Base Relationship, and Business Service objects.
  4. Select the Grant Access Using Hierarchies check box.
  5. Click Save.
  6. To share all data with users in the role hierarchy, create sharing rules for all the roles in the role hierarchy including the highest role in the role hierarchy and except the lowest role. Perform the following actions for each object whose data you want to segregate and for each role in the role hierarchy:
    1. From the Manage sharing settings for list, select the required object.
      In the example, you want to ensure that only users in the Finance role can view the broadcasts that are created for the Finance account. From the Manage sharing settings for list, select Broadcast and then select the Grant Access Using Hierarchies check box for the Broadcast object.
    2. In the <Object name> Sharing Rules section, click New.
    3. In the Label field, type the label of your sharing rule.
    4. In the Rule Name field, type the name of your sharing rule.
    5. In the Step 2: Select your rule type section, ensure that the Based on record owner option is selected.
    6. In the Step 3: Select which records to share section, select Roles from the first list.
    7. In the Step 3: Select which records to share section, select the required role from the second list.
      When you select this role, the <Object name> records of the users in the selected role are shared. For example, if you are creating a sharing rule for the Urgency object, all urgency records of the users in the highest role are shared.
    8. In the Step 4: Select the users to share these records with section, select Roles, Internal and Portal Subordinates.
    9. In the Step 4: Select the users to share these records with section, select the role of the organization's highest role from the second list.
      When you select this role, the <Object name> records are shared with all the users in this role, all users in roles below this role, and all users in portal roles below this role. For example, if you are creating a sharing rule for the Urgency object, all urgency records are shared with all the users in this role and all users in roles below this role, including partner portal and Customer Portal roles.
    10. In the Step 5: Select the level of access for the users section, select the type of access you want to provide for the users in the role.
      You can decide to provide Read or Read/Write access.
    11. Click Save.
    12. In the confirmation dialog box, click OK.
      In the example, create the sharing rule for the ServiceDesk Head role to share all data with all the roles in the role hierarchy.
      For more information, see Salesforce Help.
      In the example, create the sharing rule for the role manager of the Finance branch to share all data with all the roles in the Finance branch of the role hierarchy. Next, create the sharing rule for the role manager of the Marketing branch to share all data with all the roles in the Marketing branch of the role hierarchy. Next, create the sharing rule for the role manager of the Human Resources branch to share all data with all the roles in the Human Resources branch of the role hierarchy.

To enable creation of duplicate records

This section provides you steps to enable users in different branches to create duplicate records by deactivating the validation rules that prevent the creation of duplicate records.

  1. Navigate to the required path: 
    • For Salesforce Classic, go to Setup > Build > Create > Objects.
    • For Salesforce Lightning, go to Setup > Platform Tools > Objects and Fields > Object Manager.
  2. Click the required <custom object name>.
  3. In the Validation Rules section, click Edit in the Action column of the required validation rule.
    If you want to use a category, template, impact, or urgency record with the same name in different branches after segregation, you must deactivate the following validation rules for these objects:

    | Object | Validation rule |
    |---|---|
    | Category | Unique_Category_Id |
    | Template | templateNameUniqueValidation |
    | Impact | UniqueImpactIdCheck |
    | Urgency | UniqueUrgencyCheck |
  4. Clear the Active check box.
  5. Click Save.
    You cannot create duplicate records of the Request Definition, Custom Action, CIs and Services of the Base Elements object. BMC Remedyforce requires unique records of the Request Definition object for correctly processing the data.

To assign a theme to accounts

To distinguish the look and feel of the application for different accounts, you can assign a theme to an account.

  1. Click the Remedyforce Administration tab.
  2. On the Home page, click the Configure Self Service tile, and from the menu select Branding.
  3. Click the Assign Theme to Accounts link.
  4. In the Select Accounts for the Theme window, select the required accounts.
  5. Click the right arrow to move the selected accounts from the Available Accounts list to the Selected Accounts list.
  6. (Optional) To remove the accounts that should not be assigned to the selected theme, select the accounts in the Selected Accounts list and click the left arrow to move the selected accounts from the Selected Accounts list to the Available Accounts list.
  7. Click Apply to save the accounts assignment to the selected theme.
    The selected theme is available to Self Service clients after they log on.
  8. In the confirmation dialog box, click OK.
  9. Click Save.
    The selected theme becomes the default theme and is available to Self Service clients after they log on. The Self Service log on page appears in the default theme for all Self Service clients. The default theme is displayed to:
    • All portal users of the accounts that do not have a theme assigned to the account.
    • All nonportal users who use Self Service.

Segregating users according to the role hierarchy

Best practice

If you have implemented data segregation in your organization, we recommend that you also segregate users in your organization. 
Users are segregated at the levels immediately below the root role. For example, say that you have the following roles and subroles in your ServiceDesk under the ServiceDesk Head root role:

| Role | Sub-roles |
|---|---|
| Finance | Director of Finance, Finance Analyst, and Finance HelpDesk Director |
| Marketing | Marketing Analyst and Marketing Director |
| Human Resources | Human Resource Analyst and Human Resource Director |

The following figure shows the role hierarchy. 



Users are segregated in the roles that are immediately under the ServiceDesk Head role. Along with the preceding figure, the following important points might help you understand how users are segregated:

  • The Client ID, Owner, Change Initiator, Release Coordinator, Staff, and any custom lookup fields on the User object show segregated users on the Remedyforce Console tab, based on the sharing rules that are configured.
  • If a Finance user applies a template to a record, the Owner and Staff field values are not populated from the template if the owner and staff users are part of the Marketing hierarchy or Human Resources hierarchy. However, the template values are populated for the Client ID, Change Initiator, Release Coordinator, or any custom lookup fields even if the users are from other hierarchies.
  • Staff members in the Finance role hierarchy can create incidents for clients belonging to the Finance role hierarchy only.
  • Staff members in the Finance role hierarchy can assign incidents or other records to users belonging to the Finance role hierarchy only.
  • Staff members in the Finance role hierarchy cannot create incidents for clients in the Marketing or Human Resources role hierarchy.
  • Staff members in the Finance role hierarchy cannot assign incidents or other records to users belonging to the Marketing or Human Resources role hierarchy.
  • When staff members in the Finance branch select a client, the following types of users are available:
    • Portal users of all accounts owned by users in the Finance branch of the role hierarchy.
    • All nonportal users in the roles of the Finance branch of the role hierarchy. The role is assigned to nonportal users when you create them.
    • All system administrator users. The profiles of these users have View All Data and Modify All Data permissions. For more information about permissions, see Salesforce Help.

      Note

      If you want to apply the sharing rules, ensure that you disable the View All Users permission for the multisite provider system administrator.

  • When staff members in the Finance branch select a staff member, the following types of users are available:
    • All staff member users in the roles of the Finance branch of the role hierarchy. A role is assigned to staff member users when you create them.
    • All system administrator users. The profiles of these users have View All Data and Modify All Data permissions. For more information about permissions, see Salesforce Help.
  • Based on this hierarchy, consider the following example for different sharing rules:

| Criteria | Shared With | Result |
|---|---|---|
| Member of Role and Internal Subordinates: Finance | Role and Internal Subordinates: Finance | Users in the Finance hierarchy can see Finance hierarchy users |
| Member of Role and Internal Subordinates: Finance | Role and Internal Subordinates: Marketing | Marketing users can see Finance users |

All of the points in the preceding section are also true for Human Resources and Marketing roles.
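The following added example (not part of the BMC documentation or of Remedyforce) models the setup described under Configuring sharing rules and in the sharing-rule table above: Private organization-wide defaults, Grant Access Using Hierarchies, and one owner-based rule per manager role. It reproduces the status-record table and flags a rule that crosses branches, the record-sharing analogue of the table's second row; the user names, the analyst roles and their placement, and the simplified rule shape are assumptions.

```python
from dataclasses import dataclass

ROOT = "ServiceDesk Head"

# child role -> parent role. Manager roles come from the page's status table;
# the analyst roles and their placement are assumptions for this example.
PARENT = {
    "Finance Manager": ROOT,
    "Marketing Manager": ROOT,
    "Human Resources Manager": ROOT,
    "Finance Analyst": "Finance Manager",
    "Marketing Analyst": "Marketing Manager",
}

# Constructed users -> role (None means not assigned to any role).
USERS = {
    "head": ROOT,
    "fin_mgr": "Finance Manager",
    "mkt_mgr": "Marketing Manager",
    "hr_mgr": "Human Resources Manager",
    "fin_analyst": "Finance Analyst",
    "mkt_analyst": "Marketing Analyst",
    "no_role": None,
}

# Status records from the page's example -> owning user.
STATUS_OWNER = {
    "Opened": "head", "Assigned": "head", "Closed": "head",
    "Credit": "fin_mgr", "Debit": "fin_mgr",
    "Maximum Price": "mkt_mgr", "Discount": "mkt_mgr",
    "Employee Welfare": "hr_mgr", "Policy": "hr_mgr",
}

@dataclass(frozen=True)
class SharingRule:
    owner_role: str  # "Based on record owner": records owned by members of this role
    shared_to: str   # shared with this role and all roles below it

# One rule for the highest role and one per branch manager, as the page prescribes.
MANAGERS = ("Finance Manager", "Marketing Manager", "Human Resources Manager")
RULES = [SharingRule(ROOT, ROOT)] + [SharingRule(r, r) for r in MANAGERS]

def ancestors(role):
    """Roles above `role`, nearest first (empty for the root or for None)."""
    chain = []
    while role in PARENT:
        role = PARENT[role]
        chain.append(role)
    return chain

def branch_of(role):
    """Role immediately below the root that `role` sits under; None for the root."""
    chain = [role] + ancestors(role)
    return chain[-2] if len(chain) > 1 else None

def can_view(viewer, owner, rules):
    """Access to a record of a Private object with Grant Access Using Hierarchies."""
    v_role, o_role = USERS[viewer], USERS[owner]
    if viewer == owner:
        return True
    if v_role is None:  # users outside the role hierarchy see no segregated data
        return False
    if v_role in ancestors(o_role):  # roles above the owner inherit access
        return True
    return any(
        rule.owner_role == o_role
        and (v_role == rule.shared_to or rule.shared_to in ancestors(v_role))
        for rule in rules
    )

def visible_statuses(viewer, rules=RULES):
    """Names of the status records that `viewer` can see under `rules`."""
    return {s for s, owner in STATUS_OWNER.items() if can_view(viewer, owner, rules)}

def cross_branch_rules(rules):
    """Rules that expose one branch's records outside that branch."""
    return [
        rule for rule in rules
        if branch_of(rule.owner_role) is not None
        and branch_of(rule.shared_to) != branch_of(rule.owner_role)
    ]

if __name__ == "__main__":
    for user in USERS:
        print(f"{user:12} {sorted(visible_statuses(user))}")
    leaky = RULES + [SharingRule("Finance Manager", "Marketing Manager")]
    print("cross-branch rules:", cross_branch_rules(leaky))
    print("mkt_analyst, leaky rules:", sorted(visible_statuses("mkt_analyst", leaky)))
```

Running a check like `cross_branch_rules` over an inventory of the organization's sharing rules after each change catches rules that undo the segregation before users notice records from another branch.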

To segregate users by using Salesforce Platform sharing rules

  1. For the Users object, change the sharing setting to Private.
    For information about changing the sharing setting, see Segregating users and configuration data v20.20.01.002.

    Note

    Ensure that the Users object is available in the sharing settings. For more information, see Salesforce Help.

  2. Based on your requirements, create roles for your organization.
    For information about creating roles, see Creating roles.
  3. Create the required sharing rules.
    For information about creating sharing rules, see Segregating users and configuration data v20.20.01.002.

    The records in all fields on the User object (for example, Client ID, Owner, Staff, Release Coordinator, Initiator ID, and any custom fields) are segregated based on the sharing rules that you configure.

    Best practice

    The Populate Role Hierarchy Data check box is available only if you were using the Remedyforce user segregation before upgrading to BMC Remedyforce 20.14.02. If you have upgraded to BMC Remedyforce 20.14.02, we recommend that you use the Salesforce Platform user segregation feature.

To segregate users according to the role hierarchy by using Remedyforce user segregation

  1. Click the Remedyforce Administration tab.
  2. On the Home page, click the Manage Users tile, and from the menu, select User Settings.
  3. In the Configuration Segregation section, click Populate Role Hierarchy Data.
    When you click this button, a batch process starts that populates the updated role hierarchy data in BMC Remedyforce. The batch process might take a few minutes to complete depending on your role hierarchy.

    Warning

    If you click the Populate Role Hierarchy Data button after selecting the Segregate Users check box, any changes made to the role hierarchy while the batch process is running are not reflected when you are creating or assigning records. If you select the Segregate Users check box and do not click the Populate Role Hierarchy Data button, the user data might not be correctly segregated. If you have updated the role hierarchy but you have not clicked the Populate Role Hierarchy Data button to populate the role hierarchy data, the user data might not be correctly segregated.

  4. Select the Segregate Users check box.

    Important

    After the batch process is completed, you receive an email about the success or failure of populating the role hierarchy data. Select this check box only after you receive the email about the success of the batch job.

  5. Click Save.

Segregating Salesforce knowledge articles

To use Salesforce knowledge articles, you must have the Salesforce Knowledge license and your users must have the Salesforce Knowledge feature license. If you want to segregate Salesforce knowledge articles, you must create the required article types. Next, you must ensure that users assigned to a branch of the role hierarchy use only the assigned article types when they create Salesforce knowledge articles. In the example, you create the Sales Call and Customer Issues as article types. You must ensure that only users in the Marketing branch of the role hierarchy use these article types to create Salesforce knowledge articles. Users of the Finance and Human Resources branches of the role hierarchy must not use these article types to create Salesforce knowledge articles.

When you want to segregate Salesforce knowledge articles, you must remove the Read and Create permissions of the article types that are not shared with other branches in the role hierarchy. You must remove these permissions from the profiles of all users in restricted branches. In the example, remove the Read and Create permissions from the profiles of the users in the Finance and Human Resources branches to prevent users of these branches from viewing the Salesforce knowledge articles of the Marketing branch.

For more information about creating Salesforce article types, see Salesforce Help. For more information about creating Salesforce knowledge articles, see Salesforce Help.

Note

If you have enabled the enhanced profile user interface in your Salesforce organization, the steps to segregate Salesforce knowledge articles are different. For information about using the Enhanced Profile User Interface, see Salesforce Help.

To segregate Salesforce knowledge articles

  1. Create the required article types.
    For more information about creating Salesforce article types, see Salesforce Help.
  2. If you are in the Salesforce setup area, navigate to the required path:
    • For Salesforce Classic, go to Setup > Administer > Manage Users > Profiles.
    • For Salesforce Lightning, go to Setup > Administration > Users > Profiles.
  3. If you are in the Remedyforce application, perform the following steps:
    1. Click the Remedyforce Administration tab.
    2. On the Home page, click the Manage Users tile, and from the menu select Profiles.
  4. In the Profile Name column, click the <profile name> of the users in a branch.
  5. Click Edit.
  6. In the Article Type Permissions section, clear the Read and Create check boxes of the article types that are not shared with other branches in the role hierarchy.
  7. Click Save.
  8. Repeat step 4 through step 7 for all profiles of the users in the restricted branches.