Data access model enhancements in BMC Remedy ITSM
The data access model of BMC Remedy ITSM is modified to enhance data security. The table below lists the details of enhancements or changes made to the data access model:
|Enhancement||Reason for enhancement or change||Details|
|Separating permissions for configuration and transactional (ticket) data access||In versions earlier than 9.1, configuration and ticket data access was managed using the company fields on the application form allowing access to all members within a company. However, the data access needs for configuration and ticket data are different. All users in a company need access to the configuration but not to the ticket data.|
Configuration data is still managed at the company level but ticket data access has changed. In the older versions of BMC Remedy ITSM, ticket data access was controlled at the company level. Starting with 9.1, ticket data access is managed based on individuals (for example, submitter, on behalf of, and assignee) and support groups associated with a ticket. This restricts access to only those users who are directly connected to a ticket or to a support group associated with a ticket. With this enhancement, users who are not connected to a ticket cannot access it.
For more details on this enhancement, see Row-level security.
Note: These changes are applicable for BMC Remedy ITSM applications and BMC Service Request Management. There is no change to BMC Service Level Management.
To know the visibility of your pre 9.1 ticket data, see Post-upgrade activities.
|Hierarchical group support|
BMC Remedy ITSM needed a parent child group hierarchy:
The hierarchical group support feature introduced in version 9.1 is based on the existing hierarchical group feature in BMC Remedy AR System and allows you to create collector groups that are parents of other groups. The parent group can access its own ticket data and the ticket data of its child groups. It allows you to simplify the configuration and maintenance overhead of the system.
You can configure hierarchy across companies or within the support groups of a company. For more details, see hierarchical groups
|Assignment menus are tied to the company fields in addition to permission|
In earlier versions of BMC Remedy ITSM, manual assignment of support groups was controlled by the user’s company access permissions. Due to this, the assignment menus included all the support groups of companies that a user has access to. This could allow incorrect assignments of tickets and expose the ticket data to companies that did not need to view it.
The following enhancements are introduced in version 9.1:
Note: While upgrading from an older version of BMC Remedy ITSM to 9.1, the data of the following forms is migrated to the new Configure Assignment Groups for a Service Company form.
After upgrading from an older version to BMC Remedy ITSM 9.1, all the enhancements mentioned above are available.
You must consider performing the following activities relevant to BMC Remedy ITSM data access model after upgrading from an older version to BMC Remedy ITSM version 9.1:
- Parent group of all existing support groups:
- To provide backward compatibility, during the upgrade, the parent group of each of the existing support groups is set to the company it is part of. Setting a company as a parent to support groups allows the ticket data to be accessible to the entire company just as it was prior to the upgrade.
- To change the visibility of your ticket data after the upgrade, change the parent of support groups. For example, create a support group Calbro IT Data Access Support and configure it as a parent of all the support groups. Any new tickets created after the upgrade are accessible to the assigned support groups, parent groups of the assigned support groups, and the companies associated with the ticket.
- Transactional (ticket) data:
- The tickets created before the upgrade follow the old data access model as the row level access fields are not changed during the upgrade. This means, the ticket level access of pre 9.1.00 data remains at company level.
- Tickets created after the upgrade follow the new data access model which means the ticket level access is managed at support group level.
After upgrading to 9.1, if you make changes to the data access fields of your pre 9.1 ticket data, the values of Assignee Group (field 112) are recomputed based on the new data access model. The values of Vendor Assignee Group (field 60900) remain as is and continue to have the company permission group ID. As a result, the ticket data continues to be visible to the companies mentioned in field 60900.
- Field 112:
- The functionality of this field remains the same in 9.1. This means the groups or individuals mentioned in this field have access to a ticket.
- In pre 9.1, this field included support groups and companies. However from 9.1, this field includes:
- Support groups
- Support groups and individuals for whom BMC configures the access. In the older versions of BMC Remedy ITSM, some of these groups and individuals were put in 112 and 60900 but in 9.1 all these groups and individuals are included in 112.
- Field 60900: The functionality of this field remains the same. A group or individual defined in this field, continues to have access to a ticket. However, the inputs to this field are changing in 9.1. This field is left blank by BMC. Customers can define this field to meet their additional security needs.
Hierarchical groups and reconciling overlays: When you are upgrading from an older version of BMC Remedy ITSM to version 9.1, most of the BMC Remedy ITSM, BMC Service Level Management, and BMC Service Request Management forms are upgraded to include the hierarchical group fields, workflow, and data. If there are overlays on any of these objects and the overlays are of the type Overwrite, you must reconcile the objects to ensure that the hierarchical group changes take effect.
You must carefully check the Other Definitions properties of a form. The Dynamic Permissions Inheritance field is part of the Other Definitions panel of a form but in the BMC Remedy Developer Studio, the Dynamic Permissions Inheritance field is grouped with the Permissions properties. Whether the Dynamic Permissions Inheritance field is overlaid or not, it is controlled by the Overlay Type specified in the Other Definitions panel. If the Overlay Type is set to Overwrite, the Dynamic Permissions Inheritance information that was updated in the base definition during the upgrade is replaced by the pre-existing overlay information.
For troubleshooting on the enhanced data access model, see Frequently asked questions on BMC Remedy ITSM Data Access Model.
The following topics provide additional information about multi-tenancy and the supporting fields: