Calbro Services' access implementation
Calbro Services has several different business units. Although each business unit is part of the overall company, the various business units need access to different applications and data. For example, all employees of Calbro Services can install Microsoft Word, but only certain members of Finance should install and work with the payroll application. HR has a similar restriction on the job posting and recruitment application used by that business unit. Members of IT should have access to all applications.
Calbro Services must set up product access and restrictions in the Product Catalog for Finance and HR. IT will have access to all possible products. The following figure illustrates the access in this scenario, in which some people have access to Finance products, some people have access to HR products, and others have unrestricted access to all products.
Access to applications in business units
This scenario includes the following groups:
- Finance — People in this group can access products used only by Finance.
- HR — People in this group can access products used only by HR.
- IT — People in this group can access all products, including those used by HR and Finance.
Allen Allbrook, the Calbro Services administrator, creates Operating Company entries for Finance, HR, and IT in the Product Catalog. This automatically creates BMC Remedy Action Request System (BMC Remedy AR System) regular groups for these Operating Companies.
Next, Allen assigns individual employees to these BMC Remedy AR System groups. For example, Allen adds Patrick Paycheck to the Finance group, Betty Benefits to the HR group, and himself to the IT group.
Allen can then configure the Product Catalog entries for application access according to the Operating Company. Allen allows the Global company (everyone at Calbro Services) access to Microsoft Word, the Finance company access to the payroll application, the HR company access to the job posting and recruitment application, and the IT company access to all applications.
Membership in a business unit is not the same as access to a business unit.
Product Catalog entries do not restrict employee access to applications, but Allen can run discovery reports about the applications installed on employee computers, and then uninstall applications that are not approved for use according to the Product Catalog.
Additionally, people in Finance need to see employee information stored in the BMC_Person form, while people in HR need access to change information on that form. To accomplish this, Allen establishes instance permissions to data on the BMC_Person form. He first makes sure that the Finance and HR groups have access to the CMDB Data View role. Next, Allen adds the Finance and HR groups to the
CMDBRowLevelSecurity attribute value for BMC_Person entries those employees should see. Allen then adds the HR group to the
CMDBWriteSecurity attribute value for entries that HR employees should have access to modify.
For more information about how permissions and multitenancy are related to products used by a company, see Product Catalog and multitenancy. For information about setting permissions, see Managing permissions in BMC Atrium Core.