Inheriting permissions by using hierarchical groups
In a hierarchical group structure, row-level view access assigned to a child group are passed on to all its parent groups. This structure enables you to easily organize larger groups in a hierarchical order. You can simplify permission management by assigning a parent group to a group for which you want to give access to the data belonging to different groups.
Parent group users can view the tickets of its child groups at all levels. However, the parent group users can edit the tickets of the immediate child groups only.
The hierarchical group concept implemented in BMC Helix ITSM is based on the AR System hierarchical groups. By using the hierarchical groups, you can extend the ticket access. For example, you can extend the ticket access to the entire IT Staff and restrict the access for non-IT staff. For more information about hierarchical groups, see .
The following graphic depicts the hierarchical group structure within the support groups of Calbro Services:
In a hierarchical structure, the following members have access to ticket data:
- Child groups can access their own tickets.
- Parent groups have view access to their own tickets and tickets of all their child groups in the hierarchy.
- Edit access of a child group tickets are passed only on to its immediate parent group.
Why to use hierarchical groups
BMC Helix ITSM uses the hierarchical group structure across companies and within companies::
Across companies—In a multi-tenant BMC Helix ITSM environment that contains multiple companies, some users might require access to ticket data of multiple companies. For example, if your organization opened new branches or if there is any other change in your organization, you must modify the user's access for each company, which might result in performance issues or maintenance challenges. By giving access to all the companies in a multi-tenant environment, you do not need to modify the user's access every time there is a change.
Hierarchical groups enable you to structure the companies hierarchically and assign the users to the required groups to provide them relevant ticket data access.
Calbro Services has several offices located across the globe. Multiple companies might be associated with each location. Rather than assigning users to all the companies associated with the location, you can create a group for each location and assign the users to that location group. Using the hierarchical group feature, you can configure the location group as a parent to all the companies associated with a location. Even when the companies associated with a location keep changing, you do not have to update the users' access as the users are part of the parent group and can access the the tickets of all child groups.
Within a company—In BMC Helix ITSM, ticket data access is managed at the support group level. There might be a need to extend this ticket data access to the support groups across your company. You can extend the ticket data access by creating a parent group and then defining the required support groups as children.
Calbro Services has a parent support group Calbro IT Data Access Support. Members belonging to this group can access the tickets of all its child groups. To restrict certain ticket types (for example, security), you can keep the relevant group separate and not define it as a child group of Calbro IT Data Access Support.
Before you begin
A user with Contact Administrator permissions can configure hierarchical groups across companies or support groups.
To configure hierarchical groups
To configure hierarchical groups, select Application Administration Console > Foundation > Advanced Options > Hierarchical Group Configuration and update the required information on the Hierarchical Group Configuration form. By using this form, you can add or remove a parent group for a company or a support group.
- You can simplify permission management by assigning a parent group to a group for which you want to give access to the data belonging to different groups.
- To create a parent-child hierarchy and maintain ticket data access efficiently between various support groups or companies, you must configure the required support group or company as a parent of the support groups or companies.
In this example, let us configure the hierarchy between the support groups of a company. Let us consider that you need the Service Desk Support group of Calbro Services to inherit the permissions of Backoffice Support group of Calbro Services.
Follow the steps given below to define a Service Desk Support group as a parent group for Backoffice Support group:
- On the Application Administration Console > Foundation > Advanced Options > Hierarchical Group Configuration form, in the Select Parent Group For field, select the Support Group option to define a support group as a parent for another support group. A list of all the support groups in the application is displayed.
- Select the Backoffice Support check box.
- In the Select Parent Group Type field, select the Support Group option to define this as a parent group.
- In the Parent Group Name field, click
A list of support groups is displayed..
- Select the Service Desk support group.
- Click Save.
The Parent Group Name column displays the updated parent group for the Backoffice Support group.
To unlink a parent group
Due to organizational restructuring or other reasons specific to your organization, you might have to remove the parent-child relationship between support groups or companies. When you remove the parent group of a company or support group, the parent group is no longer associated with the child group and hence cannot access the data of the child group.
- On the Hierarchical Group Configuration form, select the Parent Group For field, and then select the Company or Support Group option.
A list of companies or support groups is displayed.
- Select the required company or support group from the list.
- In the Parent Group Name field, select the Set as Blank check box to remove the parent group.
- Click Save.
The Parent Group Name column is displayed blank for the selected company or support group.
To correct or delete invalid parent groups
If duplicate and invalid entries with the same parent group, support group, or permission group ID exist in the CTM:SYS-Access Permission Grps or Group form, you might encounter an error when upgrading BMC Helix ITSM to a higher version. The upgrade might also fail due to the invalid and duplicate entries.
- Run the Configuration Check utility before upgrade, which verifies whether any duplicate and invalid entries exist in the CTM:SYS-Access Permission Grps or Group form.
- If duplicate and invalid entries exist in the CTM:SYS-Access Permission Grps or Group form, correct or delete them.