Access control for ticket data
BMC Helix ITSM provides a rich set of features that protect your data from unauthorized access. Keeping the information secure can be a major task in the client or server environments. You want to rigorously control who can access the data, yet you do not want the security process to be so complex that it intrudes on your user community or is difficult for you to implement or maintain. BMC Helix ITSM enables you to meet these seemingly opposing security goals.
Data access control
| Concept | Description | Reference topic |
|---|---|---|
| Users | A user is an individual to whom you give permission to access the AR System and BMC Helix ITSM applications. Users can be members of multiple groups or no group at all. Users in BMC Helix ITSM range from an administrator who maintains the entire system, to employees who submit requests or view data. You can manage users inAR System by using the User form and in BMC Helix ITSM by using the CTM:People form. |
User and group access overview
|
| Groups | You can assign users to groups according to their need to access information. For example, you might create a group called Help Desk whose members are permitted to view and change only certain fields on a Help Desk form. You might have another group called IT Data Access whose members are permitted to view and change all the fields on the Help Desk form. |
User and group access overview
in the AR System documentation |
| Form level permissions | You can configure group access to forms so that a particular form is visible to users in specific groups. For any form, an administrator can determine which groups need to have access to requests. The administrator can grant access based on which requests are relevant to a group. | in the AR System documentation |
| Field level permissions | Every field on a form has access control. You can set field level permissions when you define the field properties in Developer Studio. Each field can have a list of groups that can access the field and the data entered into it. |
Access control overview
|
| User permissions | You can assign user permissions to control how people access and interact with BMC Helix ITSM. You must assign user permissions on the People form. There are different aspects to the user permissions, which together make up the permission model, which consists of Permission groups and Support groups. | Roles and permissions |
| Roles | For BMC Helix ITSM applications, access permissions are based on roles. Like groups, roles have permissions to access forms, fields, ticket data, and so on. However, unlike groups, roles are defined for an application and are then associated with groups on the server where the application is deployed. You can assign users to groups, and then associate the groups with roles. | Mapping roles to permission groups |
| Permission groups | Permission groups are used to grant access to users for applications, modules, and sub-components in BMC Helix ITSM.
| Permission groups and application access |
| Support groups | Support groups play an important role in the BMC Helix ITSM permission model by controlling access to data. A user can modify only those records that are assigned to the support groups that the user is a member of. For example, if a user is assigned the role of a service desk analyst and is a member of the Hardware support group, then the user can modify only incident requests that are assigned to the Hardware support group. The user can view other incident requests, but cannot modify them.
| |
| Row-level security | Each ticket or a record is referred to as a row in BMC Helix ITSM. The ticket data access is granted to individuals (for example, submitter, on behalf of, and assignee) and support groups that are associated with a ticket. The Row-level security feature restricts the ticket data access to only those users who require it. | Access control with implicit groups: Row-level security |
| Hierarchical groups | You can configure a hierarchical relationship between groups to allow the parent group to inherit the permissions of the child group. | Inheriting permissions by using hierarchical groups |
For BMC Helix ITSM | ||
Functional roles | Functional roles provide extended access to an application, module, and sub-component functions. For example, the support staff that are assigned the Broadcast Submitter functional role can create and modify broadcast messages. | Functional roles and extended application access |
| Multi-tenancy | In a multitenant environment, the ticket data is accessible to users based on the following options:
| Data access in a multitenant environment |
People form | Since the people information is stored on the CTM:People form, you must configure people records by opening the CTM:People form from the Application Administration Console. The information that you add or modify in the People form is automatically updated in the AR System User form, but the information updated in the User form is not updated in the People form. | Updating people information |
Visibility groups (Knowledge Management) | BMC Helix ITSM: Knowledge Management uses visibility groups to restrict access to knowledge base content. You can specify the audience for your article by assigning one or more visibility groups to the article. You can create visibility groups for a specific company or for the Global company. A knowledge article is visible to users according to this configuration. |
How knowledge articles are found
in theKnowledge Management documentation |
For ITSM Insights and BMC Helix Portal | ||
Sync BMC Helix ITSM users with BMC Helix Portal | For the users to use their existing credentials to authenticate in to BMC Helix Portal, the BMC SaaS Operations team needs to perform some configurations to sync the BMC Helix ITSM users into BMC Helix Portal. For more information, contact BMC Customer Support. | |
Types of data in BMC Helix ITSM
- Configuration data refers to the objects that the user has access to. Configuration data access is set at the company level. This can be managed through two configurations, which are Profiles (User roles) and Permission sets (Groups).
- Transactional data refers to the permissions at the ticket or record level in BMC Helix ITSM. Each ticket is treated as a row. Access to this data is determined by various aspects of data access model such as permission groups, Row-level security, and hierarchical groups.
Salient features of BMC Helix ITSM data access model
The following table lists the details of the data access model:
Feature / capability | Details |
|---|---|
| Separating permissions for configuration and transactional (ticket) data access | Configuration data is managed at the company level. However, the ticket data access is managed based on individuals (for example, submitter, on behalf of, and assignee) and the support groups associated with a ticket. This restricts access to only those users who are directly connected to a ticket or to a support group associated with a ticket. The users who are not connected to a ticket cannot access it. For more information, see Access control with implicit groups: Row-level security. |
| Hierarchical group support | By using the hierarchical group support feature, a parent group can access its own ticket data and the ticket data of its child groups. It enables you to simplify the configuration and maintenance of controlling the data access. You can configure the hierarchy of groups across companies or within the support groups of a company. For more information, see hierarchical groups. |
| Assignment menus are tied to the company fields in addition to permissions | Assignment menus display support groups relevant to the location and contact companies mentioned on a ticket. The ability to configure the support groups associated with a company enables secured manual assignment of support groups while creating or modifying a ticket. For more information, see
Setting up assignment routing to support groups
|
To implement row-level access in BMC Helix ITSM applications
Every form defined in AR System contains a set of core fields. The Request ID core field has a unique field ID of 1. AR System uses the permissions defined in the Request ID (Field ID 1) field to determine who should have access to a ticket.
The following permissions are defined on most BMC Helix ITSM forms. Individuals or groups defined under these permissions can access a ticket. For more information, see Access control with implicit groups: Row-level security and Inheriting permissions by using hierarchical groups.
An example of Row-level security
Calbro Services has a number of support groups for various services and functions. In order to provide access to ticket types that are relevant to each of these groups, as an administrator, you can use the Row-level security feature of BMC Helix ITSM as explained in this example.
Users and their profiles that are used in the example:
- Business users—Britney, Harry, Peter, and Ann
- Service Desk agents—Francie, Allen, and Ronald
- Associated support groups—IT Operations, IT Data Access, IT Support, Backoffice Support, and Help Desk
| Service Desk agent | Support group |
|---|---|
| Francie | Help Desk |
| Allen | Help Desk Backoffice support |
| Ronald | IT Data Access (parent of Help Desk and Backoffice Support) |
| Julie | IT Operations (parent of IT Data Access) |
Depending on the Row-level security, the following users can access the records that they are associated with:
| Request ID | Customer | Contact | Assigned support group | Parent of support group | Owner group | Parent of Owner group | Who all can access this record |
|---|---|---|---|---|---|---|---|
INC000000000175 | Britney | Ian | Help Desk | IT Data Access | IT Support | IT Operations |
|
| INC000000000185 | Harry | John | Backoffice Support | IT Data Access | IT Support | IT Operations |
|
| INC000000000187 | Peter | James | Help Desk | IT Data Access | IT Support | IT Operations |
|
| INC000000000204 | Britney | Ian | IT Data Access | IT Operations | IT Support | IT Operations |
|
Comments
Log in or register to comment.