Note

   

This documentation supports the 20.20.01 version of BMC Helix Remedyforce.


Managing CMDB class permissions for permission sets

Administrators can control class-level access (Create, Read, Edit, Delete) at a granular level by using permission sets as the basis, without altering the Salesforce permission sets.

The permissions granted to a user on a CMDB class are a subset of:

  • Permissions the user has on the Base Element object through assigned profile or permission set.
  • Permissions granted to the class through the Class Permissions form on permission sets assigned to the user.

Note

The CMDB class level permissions do not apply to the Remedyforce Administrator.

In the earlier versions of BMC Helix Remedyforce, if you granted Read, Create, Edit access on the Base Element object through a profile or permission set, then the same access was granted on all the CMDB classes. You could not modify the access permissions for only certain classes. Thus, there was inheritance of access permissions from the Base Element object to all the CMDB classes.


Use case

Consider the following scenario:

  • User A belongs to the HR department and is assigned two permission sets, X and Y, with the following permissions:
    • Permission set X: Has Read and Edit permissions on the Base Element object.
    • Permission Set Y: Has Read and Create permissions on the Base Element object.
  • Now, you want to assign only Read and Create permissions on the Computer System class to User A, so that User A can read and create records of the class but cannot edit them.

You can restrict access to the Computer System class by modifying permission sets X and Y for the Computer System class on the Class Permissions page.

The following images explain the feature in more detail.

[Figures: Base Element object permissions; Class Permissions page; Run time permissions]


Navigating the Class Permissions page

The following table describes the Class Permissions page:

| Annotation | Field name | Description |
|---|---|---|
| 1 | Class Name | Lists the classes available in the selected permission set for which you can modify the access (Read, Create, Edit, Delete) permissions. |
| 2 | Permission sets | Displays the list of permission sets. |
| 3 | Apply CMDB class permissions | Applies the configured class permissions for the selected permission sets on both Remedyforce CMDB and Remedyforce Console. |
| 4 | Class Type | Filters the listed CMDB classes based on the type CI, Asset, or both. |
| 5 | Clone from | Clones class permissions from an already configured or OOTB permission set. To clone, click Clone from and select the permission set from the list. |
| | Load default | Loads the OOTB permissions for all the listed classes, based on the Base Element object permissions of the selected permission set. Note: The Load default option is displayed only when you select an OOTB permission set from the Permission sets list. |
| | Import | Imports the class permissions for only custom permission sets. Note: The Import option is available only when you upgrade from earlier versions to BMC Helix Remedyforce 20.20.01. Once an import is performed for a specific permission set, the option is no longer available for that permission set. |
| 6 | Hide Configuration Item Management | Hides the CI (Configuration Item) tab for the selected permission sets on the Remedyforce CMDB tab. |
| | Hide Asset Management | Hides the Asset tab for the selected permission sets on the Remedyforce CMDB tab. |

Note:

  • Hiding a tab does not modify permissions of the underlying CMDB classes. Class permissions must be handled explicitly; otherwise, instances of these classes remain visible on CMDB Relationships, Remedyforce Console, and other interfaces such as the Search filter.
  • You can also hide the CI or Asset tab by not granting the Read access for all the classes of the respective tabs.

Before you begin

Before you assign or modify the class permissions and apply the feature, consider the following:

  • Your profile or permission set must have the required permissions on the Base Element object before you configure and apply this feature. 
  • Before you enable this feature, ensure that you have configured appropriate class permissions for all permission sets in the Configure CMDB class level access section. Since this feature honors the class access across all users, we strongly recommend that you try this on the Sandbox first. 
  • When you upgrade from earlier versions to BMC Helix Remedyforce 20.20.01, and opt for the Class Permissions feature, the object and user-level assignment will be disregarded. 

To assign class permissions for permission sets

 Perform the following steps to assign or modify class permissions.

  1. Go to Remedyforce Administration > Configure CMDB 2.0 > Class Permissions.
  2. In the Configure CMDB class level access section, under Permission sets column, click a permission set that you want to configure.
  3. From the Class Name column, assign or modify the access permissions for the listed classes.
  4. After you assign or modify class permissions for all the permission sets in use, click Save.
  5. Click Apply CMDB class permissions.
    These class permissions are honored on Remedyforce CMDB and Remedyforce Console. For more information, see Areas where class permissions are applied.

Sample scenario

Suppose you are User A and are assigned three permission sets with the following permissions:

  • ServiceDesk Staff: Has Read and Edit permissions on the Base Element object.
  • Configuration Manager: Has Read and Create permissions on the Base Element object.
  • ServiceDesk Change Manager: Has Read permission on the Base Element object.

Thus, final permissions on the Base Element object are Read, Create, and Edit.

Further, for each of the permission sets, the access permissions on the Computer System class are as follows:

Access permissions on the class (Yes = granted, No = not granted):

| Permission set | Class | Read | Create | Edit | Delete |
|---|---|---|---|---|---|
| ServiceDesk Staff | Computer System | Yes | No | No | No |
| Configuration Manager | Computer System | Yes | Yes | No | No |
| ServiceDesk Change Manager | Computer System | Yes | Yes | Yes | No |

Based on the final Base Element object permissions and the combination of class permissions for the three permission sets, the final permissions are applied on the Computer System class.

Hence, when you are assigned the ServiceDesk Staff, Configuration Manager, and ServiceDesk Change Manager permission sets, you are granted the following access permissions on the Computer System class at run-time:  

Final access permissions on the class (Yes = granted, No = not granted):

| Permission sets | Class | Read | Create | Edit | Delete |
|---|---|---|---|---|---|
| ServiceDesk Staff + Configuration Manager + ServiceDesk Change Manager | Computer System | Yes | Yes | Yes | No |
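The combination rule behind this sample scenario, modelled as an added example for reviewing permission-set assignments (it is not BMC code). It assumes, as the scenario's result implies, that Base Element permissions and class permissions are each pooled across all assigned permission sets and then intersected; the names PermissionSet, effective_class_permissions, combination_only and fs are hypothetical.

```python
from dataclasses import dataclass, field

# Added illustration, not Remedyforce code. Assumed model (inferred from the
# sample scenario): pool Base Element rights and class rights across all
# assigned permission sets, then intersect the two pools.

@dataclass
class PermissionSet:                      # hypothetical name
    name: str
    base_element: frozenset               # rights on the Base Element object
    class_perms: dict = field(default_factory=dict)  # class -> rights (Class Permissions page)

def _pool(sets_of_rights):
    return frozenset().union(*sets_of_rights)

def effective_class_permissions(cmdb_class, permission_sets, profile_base=frozenset(),
                                feature_applied=True, is_rf_admin=False):
    """Run-time rights on one CMDB class under the assumed model."""
    base = _pool([profile_base] + [ps.base_element for ps in permission_sets])
    # Class permissions are skipped for the Remedyforce Administrator, when the
    # Apply toggle is off, and when no permission set is assigned.
    if is_rf_admin or not feature_applied or not permission_sets:
        return base
    granted = _pool(ps.class_perms.get(cmdb_class, frozenset()) for ps in permission_sets)
    return base & granted

def combination_only(cmdb_class, permission_sets):
    """Rights that no single permission set grants on both levels by itself."""
    alone = _pool(ps.base_element & ps.class_perms.get(cmdb_class, frozenset())
                  for ps in permission_sets)
    return effective_class_permissions(cmdb_class, permission_sets) - alone

def fs(*rights):
    return frozenset(rights)

# Constructed input: the three permission sets from the sample scenario.
SCENARIO = [
    PermissionSet("ServiceDesk Staff", fs("Read", "Edit"), {"Computer System": fs("Read")}),
    PermissionSet("Configuration Manager", fs("Read", "Create"),
                  {"Computer System": fs("Read", "Create")}),
    PermissionSet("ServiceDesk Change Manager", fs("Read"),
                  {"Computer System": fs("Read", "Create", "Edit")}),
]

if __name__ == "__main__":
    print(sorted(effective_class_permissions("Computer System", SCENARIO)))
    print(sorted(combination_only("Computer System", SCENARIO)))
```

In this scenario Edit is effective at run time although no single permission set holds it on both the Base Element object and the class, which is the case to look for when reviewing which permission sets a user holds together.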

General guidelines

  • The saved CMDB class permissions for a permission set are honored only when you enable the Apply CMDB class permissions toggle.
  • For an OOTB permission set, the class permissions are granted based on the Base Element object permissions of the permission set.
  • All the CMDB classes are listed for permission configuration except the Abstract classes.
  • If you are granted Modify all Data or Remedyforce Administrator permission on the User object, then you can access all the CMDB classes.
  • If none of the CI or Asset classes is granted the Read access, then the respective tab will not be visible in Remedyforce CMDB.
  • If you configure and save class permissions for an OOTB permission set, and later create a new class for that permission set, you must configure its class permissions.
  • When you are not assigned any permission set, and you enable the Class Permissions feature, your profile permissions applied on the Base Element object are honored on all the CMDB classes.
  • If you grant the Read access to a parent class, its child classes do not inherit the permission. Likewise, if you grant the Read access to a child class, its parent class appears dimmed on CMDB. Hence, ensure that you grant individual access for the required classes.

Areas where class permissions are applied

The configured class permissions are honored on Remedyforce CMDB and Remedyforce Console in the following manner.

| Tab | Applicable area | Details |
|---|---|---|
| Remedyforce CMDB | List view | The list view displays instances and sub-instances of CMDB classes on which users have the Read permission. Functionalities such as Search, Advanced Search, Column filters, and Mark as deleted honor the Read permissions on classes while displaying results. Note: In the Tree view, if only the child class has the Read permission, the parent class appears dimmed. |
| | Multiple Instance Editor | The Multiple Instance Editor lists the records of classes that have Edit permission on them. |
| | Relationships tab | The Relationships tab displays the instances and sub-instances of CMDB classes on which users have Read permission. |
| | CMDB Explorer | The CMDB Explorer lists instances and sub-instances of CMDB classes on which users have the Read permission. |
| | Analyze Impact | The Analyze Impact tab lists instances of CMDB classes on which users have the Read permission. |
| Remedyforce Console | Record form | The fields present on the record form of Remedyforce Console, such as CMDB lookup fields (OOTB and custom), CI sliders, and the Record Details tab, list instances of CMDB classes on which users have the Read permission. Note: The configured class permissions are honored on modules such as Incident, Service Request, Task, Change Request, Problem, and Release. |
| | Tool-tips | A tool-tip can display information about an instance of a class on which the user does not have Read access, but further access to the instance remains restricted. |
| | CMDB Explorer | The CMDB Explorer lists instances and sub-instances of CMDB classes on which users have the Read permission. |
| | Impact Analysis | The Impact Analysis tab lists instances of CMDB classes on which users have the Read permission. |


Related topic

Managing CMDB class permissions for object and user level


