This documentation supports the 21.3 version of BMC Helix ITSM.

To view an earlier version, select the version from the Product version menu.

Access control for ticket data



BMC Helix ITSM provides a rich set of features that protect your data from unauthorized access. Keeping information secure can be a major task in client or server environments. You want to rigorously control who can access data, yet you do not want the security process to be so complex that it intrudes on your user community or is difficult for you to implement or maintain. BMC Helix ITSM enables you to meet these seemingly opposing security goals.

 Data access control

ConceptDescriptionReference topic
Users

A user is an individual to whom you give permission to access AR System and BMC Helix ITSM applications. Users can be members of multiple groups or no group at all. Users in BMC Helix ITSM range from an administrator who maintains the entire system to employees who submit requests or view data.

You can manage users inAR System by using the User form and in BMC Helix ITSM by using the CTM:People form.

User and group access overview Open link in AR System documentation

Roles and permissions

Groups

You can assign users to groups according to their need to access information. For example, you might create a group called Help Desk whose members are permitted to view and change only certain fields on a Help Desk form. You might have another group called IT Data Access whose members are permitted to view and change all fields on the Help Desk form.

User and group access overview Open link

in AR System documentation

Form level permissionsYou can configure group access to forms so that a particular form is visible to users in specific groups. For any form, an administrator can determine which groups need to have access to requests. The administrator can grant access based on which requests are relevant to a group.

Access control overview Open link

in AR System documentation

Field level permissions

Every field on a form has access control. You can set field level permissions when you define the field properties in Developer Studio. Each field can have a list of groups that can access the field and the data entered into it.

Access control overview Open link in AR System documentation

User permissions

You can assign user permissions to control how people access and interact with the BMC Helix ITSM. You assign user permissions on the People form. There are different aspects to the user permissions, which together make up the permission model: Permission groups and Support groups.

Roles and permissions
Roles

In BMC Helix ITSM applications, access permissions are based on roles. Like groups, roles have permissions to access forms, fields, ticket data, and so on. However, unlike groups, roles are defined for an application and are then associated with groups on the server where the application is deployed.

You can assign users to groups, and then associate the groups with roles.

Mapping roles to permission groups
Permission groups

Permission groups are used to grant users access to applications, modules, and sub-components in BMC Helix ITSM.

Permission groups and application access
Support groups

Support groups control access to data. Support groups play an important role in the BMC Helix ITSM permission model by controlling access to data. A user can modify only those records that are assigned to the support groups that the user is a member of.

For example, if a user is assigned the role of Service Desk Analyst and is a member of the Hardware support group, then the user can modify only incident requests that are assigned to the Hardware support group. The user can view other incident requests but cannot modify them.

  • Creating support groups Open link
  • Configuring support groups Open link
  • Updating people information
Row-level security

Each ticket or a record is referred to as a row in BMC Helix ITSM. The ticket data access is granted to individuals (for example, submitter, on behalf of, and assignee) and support groups associated with a ticket. The Row-level security feature restricts ticket data access to only those users who require it. 

Access control with implicit groups: Row-level security
Hierarchical groups

You can configure a hierarchical relationship between groups to allow the parent group to inherit the permissions of the child group.

Inheriting permissions by using hierarchical groups
For BMC Helix ITSM

Functional roles

Functional roles provide extended access to an application, module, and sub-component functions.

For example, Support staff that are assigned the Broadcast Submitter functional role can create and modify broadcast messages.

Functional roles and extended application access
Multi-tenancy 

In a multitenant environment, the ticket data is accessible to users based on the following two options:

  • Unrestricted: Users with the BMC Helix ITSM Unrestricted Access role have access to all ticket data.

  • Row-level: In the Applications Permissions Model setting, you can choose to provide ticket data access at support group level or support group and company level.

Data access in a multitenant environment

People form


People information is stored on the CTM:People form. Always configure people records by opening the ITSM People form from the Application Administration Console. Information that you add or modify on the BMC Helix ITSM People form is automatically updated to the AR System User form, but information updated on the User form is not updated to the People form.

Updating people information

Visibility groups

(Knowledge Management)

BMC Helix ITSM: Knowledge Management uses visibility groups to restrict access to knowledge base content. You can specify the audience for your article by assigning one or more visibility groups to the article.

You can create visibility groups for a specific company or for the Global company. A knowledge article is visible to users according to this configuration.

How knowledge articles are found Open link

in Knowledge Management documentation

For BMC Helix ITSM Insights and BMC Helix Portal
Sync BMC Helix ITSM users with BMC Helix Portal

For the users to use their existing credentials to authenticate into BMC Helix Portal, the BMC SaaS Operations team needs to perform some configurations to sync the BMC Helix ITSM users into BMC Helix Portal. For more information, contact BMC Support.

User identities in BMC Helix Portal Open link

Types of data in ITSM

  • Configuration data refers to the objects that the user has access to. Configuration data access is set at company level. This can be managed through two configurations, which are Profiles (User roles) and Permission sets (Groups).
  • Transactional data refers to the permissions at ticket or record level in BMC Helix ITSM. Each ticket is treated as a row. Access to this data is determined by various aspects of data access model such as permission groups, Row-level security, and hierarchical groups.


Salient features of ITSM data access model

The following table lists the details of the data access model:

Feature / capability

Details

Separating permissions for configuration and transactional (ticket) data access 

Configuration data is managed at the company level. However, the ticket data access is managed based on individuals (for example, submitter, on behalf of, and assignee) and support groups associated with a ticket. This restricts access to only those users who are directly connected to a ticket or to a support group associated with a ticket. The users who are not connected to a ticket cannot access it.

For more information, see Access control with implicit groups: Row-level security.

Hierarchical group support

By using the hierarchical group support feature, a parent group can access its own ticket data and the ticket data of its child groups. It enables you to simplify the configuration and maintenance of controlling the data access.

You can configure the hierarchy of groups across companies or within the support groups of a company. For more details, see hierarchical groups

Assignment menus are tied to the company fields in addition to permission

Assignment menus display support groups relevant to the location and contact companies mentioned on a ticket.

The ability to configure the support groups associated with a company enables secured manual assignment of support groups while creating or modifying a ticket.

For more details, see Setting up assignment routing to support groups.

Implementation of Row-level access in ITSM applications

Every form defined in AR System contains a set of core fields. The Request ID core field has a unique field ID of 1. AR System uses the permissions defined in the Request ID (Field ID 1) field to determine who should have access to a ticket. The following permissions are defined on most BMC Helix ITSM forms. Individuals or groups defined under these permissions can access a ticket. For more details, see Access control with implicit groups: Row-level security and Inheriting permissions by using hierarchical groups.



An example of Row-level security

Calbro Services has a number of support groups for various services and functions. In order to provide access to ticket types that are relevant to each of these groups, as an administrator you can use the Row-level security feature of BMC Helix ITSM as explained in this example.

Users and their profiles that are used in the example:

  • Business users - Britney, Harry, Peter, Ann
  • Service Desk agents- Francie, Allen, Ronald
  • Associated support groups - IT Operations, IT Data Access, IT Support, Backoffice Support, Help Desk
Service Desk agentSupport group
FrancieHelp Desk
Allen

Help Desk

Backoffice support

RonaldIT Data Access (parent of Help Desk and Backoffice Support)
JulieIT Operations (parent of IT Data Access)


Hierarchical groups

Depending on the Row-level security, the following users can access the records that they are associated with:

Request IDCustomerContactAssigned support groupParent of support groupOwner groupParent of Owner groupWho all can access this record

INC000000000175

BritneyIanHelp DeskIT Data AccessIT SupportIT Operations

•Britney •Ian •Francie •Allen •Ronald •Julie

INC000000000185HarryJohnBackoffice SupportIT Data AccessIT SupportIT Operations

•Harry •John •Allen •Ronald • Julie

INC000000000187PeterJamesHelp DeskIT Data AccessIT SupportIT Operations

•Peter •James •Francie •Allen •Ronald •Julie

INC000000000204BritneyIanIT Data AccessIT OperationsIT SupportIT Operations

•Britney •Ian •Ronald •Julie

Was this page helpful? Yes No Submitting... Thank you

Comments

  1. Martin Rosenbauer

    The link on this page, to "Setting up assignment routing to support groups .", seems to be broken. It is probably supposed to call URL https://docs.bmc.com/docs/itsm213/setting-up-assignment-routing-to-support-groups-1074789787.html

    Jul 26, 2022 02:42
    1. Aditya Kirloskar

      Hello Martin,

      Thanks for pointing this out. The issue is fixed.

      Regards,

      Aditya

      Aug 04, 2022 01:19