Access control for ticket data
BMC Helix ITSM provides a rich set of features that protect your data from unauthorized access. Keeping information secure can be a major task in client or server environments. You want to rigorously control who can access data, yet you do not want the security process to be so complex that it intrudes on your user community or is difficult for you to implement or maintain. BMC Helix ITSM enables you to meet these seemingly opposing security goals.
Data access control
| Topic | Description | Reference |
|---|---|---|
| | A user is an individual to whom you give permission to access AR System and BMC Helix ITSM applications. Users can be members of multiple groups or of no group at all. Users in BMC Helix ITSM range from an administrator who maintains the entire system to employees who submit requests or view data. You can manage users in AR System by using the User form and in BMC Helix ITSM by using the CTM:People form. | AR System documentation |
| | You can assign users to groups according to their need to access information. For example, you might create a group called Help Desk whose members are permitted to view and change only certain fields on a Help Desk form. You might have another group called IT Data Access whose members are permitted to view and change all fields on the Help Desk form. | AR System documentation |
| Form level permissions | You can configure group access to forms so that a particular form is visible to users in specific groups. For any form, an administrator can determine which groups need to have access to requests. The administrator can grant access based on which requests are relevant to a group. | AR System documentation |
| Field level permissions | Every field on a form has access control. You set field level permissions when you define the field properties in Developer Studio. Each field can have a list of groups that can access the field and the data entered into it. | AR System documentation |
| | You can assign user permissions to control how people access and interact with BMC Helix ITSM. You assign user permissions on the People form. Two aspects of user permissions together make up the permission model: permission groups and support groups. | Roles and permissions |
| | In BMC Helix ITSM applications, access permissions are based on roles. Like groups, roles have permissions to access forms, fields, ticket data, and so on. However, unlike groups, roles are defined for an application and are then associated with groups on the server where the application is deployed. You can assign users to groups, and then associate the groups with roles. | Mapping roles to permission groups |
| | Permission groups are used to grant users access to applications, modules, and sub-components in BMC Helix ITSM. | Permission groups and application access |
| | Support groups play an important role in the BMC Helix ITSM permission model by controlling access to data. A user can modify only those records that are assigned to the support groups that the user is a member of. For example, if a user is assigned the role of Service Desk Analyst and is a member of the Hardware support group, the user can modify only incident requests that are assigned to the Hardware support group. The user can view other incident requests but cannot modify them. | |
| | Each ticket or record is referred to as a row in BMC Helix ITSM. Ticket data access is granted to the individuals (for example, submitter, on behalf of, and assignee) and the support groups associated with a ticket. The Row-level security feature restricts ticket data access to only those users who require it. | Access control with implicit groups: Row-level security |
| | You can configure a hierarchical relationship between groups so that the parent group inherits the permissions of the child group. | Inheriting permissions by using hierarchical groups |
| For BMC Helix ITSM | | |
| | Functional roles provide extended access to application, module, and sub-component functions. For example, support staff who are assigned the Broadcast Submitter functional role can create and modify broadcast messages. | Functional roles and extended application access |
| | In a multitenant environment, the ticket data is accessible to users based on the following two options: | Data access in a multitenant environment |
| | People information is stored on the CTM:People form. Always configure people records by opening the ITSM People form from the Application Administration Console. Information that you add or modify on the BMC Helix ITSM People form is automatically updated to the AR System User form, but information updated on the User form is not updated to the People form. | Updating people information |
| | BMC Helix ITSM: Knowledge Management uses visibility groups to restrict access to knowledge base content. You specify the audience for an article by assigning one or more visibility groups to it. You can create visibility groups for a specific company or for the Global company; a knowledge article is visible to users according to this configuration. | Knowledge Management documentation |
| For BMC Helix ITSM Insights and BMC Helix Portal | | |
| Sync BMC Helix ITSM users with BMC Helix Portal | For users to authenticate to BMC Helix Portal with their existing credentials, the BMC SaaS Operations team must perform some configuration to sync the BMC Helix ITSM users into BMC Helix Portal. For more information, contact BMC Support. | |
Types of data in ITSM
- Configuration data refers to the objects that the user has access to. Configuration data access is set at company level. This can be managed through two configurations, which are Profiles (User roles) and Permission sets (Groups).
- Transactional data refers to the permissions at ticket or record level in BMC Helix ITSM. Each ticket is treated as a row. Access to this data is determined by various aspects of data access model such as permission groups, Row-level security, and hierarchical groups.
Salient features of ITSM data access model
The following table lists the details of the data access model:
| Feature / capability | Description |
|---|---|
| Separating permissions for configuration and transactional (ticket) data access | Configuration data is managed at the company level. However, ticket data access is managed based on the individuals (for example, submitter, on behalf of, and assignee) and the support groups associated with a ticket. This restricts access to only those users who are directly connected to a ticket or to a support group associated with it; users who are not connected to a ticket cannot access it. For more information, see Access control with implicit groups: Row-level security. |
| Hierarchical group support | By using the hierarchical group support feature, a parent group can access its own ticket data and the ticket data of its child groups. This simplifies the configuration and maintenance of data access control. You can configure the hierarchy of groups across companies or within the support groups of a company. For more details, see hierarchical groups. |
| Assignment menus are tied to the company fields in addition to permission | Assignment menus display the support groups relevant to the location and contact companies specified on a ticket. The ability to configure the support groups associated with a company enables secure manual assignment of support groups while creating or modifying a ticket. For more details, see Setting up assignment routing to support groups. |
Implementation of Row-level access in ITSM applications
Every form defined in AR System contains a set of core fields. The Request ID core field has the unique field ID 1. AR System uses the permissions defined on the Request ID field (field ID 1) to determine who can access a ticket. The following permissions are defined on most BMC Helix ITSM forms; individuals or groups defined under these permissions can access a ticket. For more details, see Access control with implicit groups: Row-level security and Inheriting permissions by using hierarchical groups.
An example of Row-level security
Calbro Services has a number of support groups for various services and functions. To give each of these groups access to the ticket types relevant to it, you as an administrator can use the Row-level security feature of BMC Helix ITSM, as this example explains.
Users and their profiles used in the example:
- Business users - Britney, Harry, Peter, Ann
- Service Desk agents - Francie, Allen, Ronald
- Associated support groups - IT Operations, IT Data Access, IT Support, Backoffice Support, Help Desk
| Service Desk agent | Support group |
|---|---|
| Ronald | IT Data Access (parent of Help Desk and Backoffice Support) |
| Julie | IT Operations (parent of IT Data Access) |
Based on Row-level security, the following users can access the records they are associated with:
| Request ID | Customer | Contact | Assigned support group | Parent of support group | Owner group | Parent of owner group | Who can access this record |
|---|---|---|---|---|---|---|---|
| | Britney | Ian | Help Desk | IT Data Access | IT Support | IT Operations | Britney, Ian, Francie, Allen, Ronald, Julie |
| INC000000000185 | Harry | John | Backoffice Support | IT Data Access | IT Support | IT Operations | Harry, John, Allen, Ronald, Julie |
| INC000000000187 | Peter | James | Help Desk | IT Data Access | IT Support | IT Operations | Peter, James, Francie, Allen, Ronald, Julie |
| INC000000000204 | Britney | Ian | IT Data Access | IT Operations | IT Support | IT Operations | Britney, Ian, Ronald, Julie |
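The following script is an added illustration of the Row-level security evaluation described in the "Implementation" section and in the Calbro Services example; it is not BMC's code and not part of this documentation. It models the rule that the individuals on a ticket (customer and contact) plus the members of the assigned group, the owner group, and every parent group above them can access the record. The group hierarchy and the memberships of Ronald and Julie come from the page's tables; the memberships of Francie (Help Desk) and Allen (Help Desk and Backoffice Support) are assumptions inferred from the "Who can access" column, the blank Request ID of the first ticket is replaced by an obvious placeholder, and the names `PARENT_GROUP`, `GROUP_MEMBERS`, `Ticket`, `who_can_access` and `can_modify` are this example's own.

```python
"""Illustrative model of BMC Helix ITSM Row-level security (added example,
not BMC's code). Group memberships for Francie and Allen are assumptions
inferred from the page's access table; the first Request ID is a placeholder.
"""
from dataclasses import dataclass

# Support group hierarchy from the page's example: child -> parent.
PARENT_GROUP = {
    "Help Desk": "IT Data Access",
    "Backoffice Support": "IT Data Access",
    "IT Data Access": "IT Operations",
    "IT Support": "IT Operations",
}

# Group -> members. Ronald and Julie are from the page's agent table;
# Francie and Allen are ASSUMED memberships consistent with the access column.
GROUP_MEMBERS = {
    "Help Desk": {"Francie", "Allen"},
    "Backoffice Support": {"Allen"},
    "IT Data Access": {"Ronald"},
    "IT Operations": {"Julie"},
    "IT Support": set(),
}


@dataclass(frozen=True)
class Ticket:
    request_id: str
    customer: str
    contact: str
    assigned_group: str
    owner_group: str


def group_and_ancestors(group):
    """Yield the group and every parent above it: a parent group inherits
    access to its child groups' tickets, transitively."""
    seen = set()
    while group is not None and group not in seen:
        seen.add(group)
        yield group
        group = PARENT_GROUP.get(group)


def who_can_access(ticket):
    """Users who pass the Request ID (field ID 1) permission check: the
    individuals on the ticket plus members of the assigned and owner groups
    and of every group above them in the hierarchy."""
    allowed = {ticket.customer, ticket.contact}
    for start in (ticket.assigned_group, ticket.owner_group):
        for group in group_and_ancestors(start):
            allowed |= GROUP_MEMBERS.get(group, set())
    return allowed


def can_access(user, ticket):
    """True if the user may view the record under Row-level security."""
    return user in who_can_access(ticket)


def can_modify(user, ticket):
    """The page states that a user can modify only records assigned to a
    support group the user is a member of. Whether parent groups may also
    modify is not stated, so this example (assumption) limits modify rights
    to direct members of the assigned group."""
    return user in GROUP_MEMBERS.get(ticket.assigned_group, set())


# Tickets from the page's example; the first Request ID is blank on the page.
TICKETS = [
    Ticket("INC-PLACEHOLDER-1", "Britney", "Ian", "Help Desk", "IT Support"),
    Ticket("INC000000000185", "Harry", "John", "Backoffice Support", "IT Support"),
    Ticket("INC000000000187", "Peter", "James", "Help Desk", "IT Support"),
    Ticket("INC000000000204", "Britney", "Ian", "IT Data Access", "IT Support"),
]

if __name__ == "__main__":
    for t in TICKETS:
        print(t.request_id, sorted(who_can_access(t)))
```

Running the script reproduces the "Who can access this record" column of the example table; note that Julie reaches Help Desk tickets only through two hierarchy levels (IT Operations over IT Data Access over Help Desk), which is why the ancestor walk is transitive rather than one step.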