Hierarchical groups: Using a parent group for permission inheritance
In a hierarchical group structure, all permissions assigned to a child group are passed on to its parent group. This structure allows you to easily organize larger groups in hierarchical order. If a group must have access to data belonging to different groups, assigning a parent group can simplify permission management.
The hierarchical group concept implemented in BMC Remedy ITSM is based on the BMC Remedy AR System hierarchical groups. For more information on hierarchical groups, see Using a parent group for permissions inheritance.
Using the hierarchical groups, you can extend the ticket access. For example, you can extend the ticket access to the entire IT Staff group and restrict the access to non-IT staff.
The following graphic depicts the hierarchical group structure within the support groups of Calbro Services:
In a hierarchical structure, the following members have access to ticket data:
- Child groups can access their own tickets.
- Parent groups can access their own tickets and tickets of their respective child groups.
- All permissions assigned to a child group are passed on to its parent group.
This topic explains the following:
Need for hierarchical groups
BMC Remedy ITSM uses the hierarchical group structure:
Across companies — In a multi-tenant BMC Remedy ITSM environment (which includes multiple companies), some users might require access to ticket data of multiple companies. Assigning users access to the required companies allows them to view ticket data for all those companies. For example, if your organization opened new branches or if there is any other change in your organization, you will have to modify the user's access for each company, which might result in performance issues or maintenance challenges.
Hierarchical groups allow you to structure the companies hierarchically and assign the users to the required groups to provide them relevant ticket data access.
Calbro Services has several offices located across the globe. Multiple companies may be associated with each location. Rather than assigning users to all the companies associated with the location, you can create a group for each location and assign the users to that location group. Using the hierarchical group feature, you can configure the location group as a parent to all the companies associated with a location. Even when the companies associated with a location keep changing, you do not have to update the users' access as the users are part of the parent group and can access the the tickets of all child groups.
Within a company — In BMC Remedy ITSM, ticket data access is managed at support group level. There might be a need to extend this ticket data access to the support groups across your company. You can extend the ticket data access by creating a parent group and then defining the required support groups as children.
Calbro Services has a parent support group Calbro IT Data Access Support. Members belonging to this group can access the tickets of all its child groups. To restrict certain ticket types (for example, security), you can keep the relevant group separate and not define it as a child group of Calbro IT Data Access Support.
To configure hierarchical groups, select Application Administration Console > Foundation > Advanced Options > Hierarchical Group Configuration and update the required information on the Hierarchical Group Configuration form. Using this form, you can add/remove a parent group for a company or a support group.
A user with Contact Administrator permission can configure hierarchical groups across companies or support groups.
Working with hierarchical groups
If a group must have access to data belonging to different groups, you can assign a parent group to simplify permission management.
Defining a parent group
To create parent-child hierarchy and maintain ticket data access efficiently between various support groups or companies, you must configure the required support group or company as a parent of support groups or companies.
In this example, let us configure the hierarchy between the support groups of a company. You need the Service Desk Support group of Calbro Services to inherit the permissions of Backoffice Support group of Calbro Services. To define Service Desk Support group as the parent group for Backoffice Support group:
- On the Application Administration Console > Foundation > Advanced Options > Hierarchical Group Configuration form, Select Parent Group For field, select the Support Group option as you wish to define a support group as a parent for another support group. This displays a list of all the support groups existing in the application.
- Select the Backoffice Support check box for which a parent group is to be configured.
- In the Select Parent Group Type field, select Support Group option as the parent to be defined is also a support group.
- In the Parent Group Name field, click to display a list of support groups.
- Select Service Desk Support group.
- Click Save. The Parent Group Name column displays the updated parent group for Backoffice Support group.
Unlinking a parent group
Due to organizational restructuring or other reasons specific to your organization, you might have to remove the parent-child relationship between support groups or companies. When you remove the parent group of a company or support group, the parent group is no longer associated with the child group and hence cannot access the data of the child group.
Use the following procedure to remove the parent-child relationship between companies or support groups:
- On the Hierarchical Group Configuration form, Select Parent Group For field, select the Company or Support Group option to display a list of companies or support groups.
- Select the required company or support group from the list.
- In the Parent Group Name field, select the Set as Blank check box to remove the parent group.
- Click Save to save the changes. The Parent Group Name column displays blank for the selected company or support group.
Correct or delete invalid parent groups
If duplicate and invalid entries with the same parent group, support group, or permission group ID exist in the
CTM:SYS-Access Permission Grps or
Group form, you may encounter an error when upgrading BMC Remedy IT Service Management to a higher version, and the upgrade may fail due to the invalid and duplicate entries. To prevent the upgrade failure, BMC recommends you to:
- Run the BMC Remedy Configuration Check utility before upgrade which verifies whether any duplicate and invalid entries exist in the
CTM:SYS-Access Permission Grpsor
- If duplicate and invalid entries exist in the
CTM:SYS-Access Permission Grpsor
Groupform, correct or delete them. For details see, BMC Remedy ITSM checks.