Access control for ticket data
Data access control
Concept | Description | Reference topic |
---|---|---|
Users | A user is an individual to whom you give permission to access the AR System and BMC Helix ITSM applications. Users can be members of multiple groups or of no group at all. Users in BMC Helix ITSM range from an administrator who maintains the entire system to employees who submit requests or view data. You manage users in AR System by using the User form and in BMC Helix ITSM by using the CTM:People form. | User and group access overview in the AR System documentation |
Groups | You can assign users to groups according to their need to access information. For example, you might create a group called Help Desk whose members are permitted to view and change only certain fields on a Help Desk form. You might have another group called IT Data Access whose members are permitted to view and change all the fields on the Help Desk form. | User and group access overview in the AR System documentation |
Form level permissions | You can configure group access to forms so that a particular form is visible to users in specific groups. For any form, an administrator can determine which groups need to have access to requests. The administrator can grant access based on which requests are relevant to a group. | in the AR System documentation |
Field level permissions | Every field on a form has access control. You can set field level permissions when you define the field properties in Developer Studio. Each field can have a list of groups that can access the field and the data entered into it. | Access control overview in the AR System documentation |
User permissions | You can assign user permissions to control how people access and interact with BMC Helix ITSM. You must assign user permissions on the People form. Several aspects of user permissions together make up the permission model, which consists of permission groups and support groups. | |
Roles | For BMC Helix ITSM applications, access permissions are based on roles. Like groups, roles have permissions to access forms, fields, ticket data, and so on. However, unlike groups, roles are defined for an application and are then associated with groups on the server where the application is deployed. You can assign users to groups, and then associate the groups with roles. | |
Permission groups | Permission groups are used to grant access to users for applications, modules, and sub-components in BMC Helix ITSM. | |
Support groups | Support groups play an important role in the BMC Helix ITSM permission model by controlling access to data. A user can modify only those records that are assigned to the support groups that the user is a member of. For example, if a user is assigned the role of a service desk analyst and is a member of the Hardware support group, then the user can modify only incident requests that are assigned to the Hardware support group. The user can view other incident requests, but cannot modify them. | |
Row-level security | Each ticket or a record is referred to as a row in BMC Helix ITSM. The ticket data access is granted to individuals (for example, submitter, on behalf of, and assignee) and support groups that are associated with a ticket. The Row-level security feature restricts the ticket data access to only those users who require it. | |
Hierarchical groups | You can configure a hierarchical relationship between groups to allow the parent group to inherit the permissions of the child group. | |
For BMC Helix ITSM | | |
Functional roles | Functional roles provide extended access to an application, module, and sub-component functions. For example, the support staff that are assigned the Broadcast Submitter functional role can create and modify broadcast messages. | |
Multi-tenancy | In a multitenant environment, the ticket data is accessible to users based on the following options: | |
People form | Since the people information is stored on the CTM:People form, you must configure people records by opening the CTM:People form from the Application Administration Console. The information that you add or modify in the People form is automatically updated in the AR System User form, but the information updated in the User form is not updated in the People form. | |
Visibility groups (Knowledge Management) | BMC Helix ITSM: Knowledge Management uses visibility groups to restrict access to knowledge base content. You specify the audience for an article by assigning one or more visibility groups to it. You can create visibility groups for a specific company or for the Global company. A knowledge article is visible to users according to this configuration. | How knowledge articles are found in the Knowledge Management documentation |
For ITSM Insights and BMC Helix Portal | | |
Sync BMC Helix ITSM users with BMC Helix Portal | For the users to use their existing credentials to authenticate in to BMC Helix Portal, the BMC SaaS Operations team needs to perform some configurations to sync the BMC Helix ITSM users into BMC Helix Portal. For more information, contact BMC Customer Support. | |
Types of data in BMC Helix ITSM
- Configuration data refers to the objects that the user has access to. Configuration data access is set at the company level. This can be managed through two configurations, which are Profiles (User roles) and Permission sets (Groups).
- Transactional data refers to the permissions at the ticket or record level in BMC Helix ITSM. Each ticket is treated as a row. Access to this data is determined by various aspects of data access model such as permission groups, Row-level security, and hierarchical groups.
Salient features of BMC Helix ITSM data access model
The following table lists the details of the data access model:
Feature / capability | Details |
---|---|
Separating permissions for configuration and transactional (ticket) data access | Configuration data is managed at the company level. However, the ticket data access is managed based on individuals (for example, submitter, on behalf of, and assignee) and the support groups associated with a ticket. This restricts access to only those users who are directly connected to a ticket or to a support group associated with a ticket. The users who are not connected to a ticket cannot access it. For more information, see Access-control-with-implicit-groups-Row-level-security. |
Hierarchical group support | By using the hierarchical group support feature, a parent group can access its own ticket data and the ticket data of its child groups. It enables you to simplify the configuration and maintenance of controlling the data access. You can configure the hierarchy of groups across companies or within the support groups of a company. For more information, see hierarchical groups. |
Assignment menus are tied to the company fields in addition to permissions | Assignment menus display support groups relevant to the location and contact companies mentioned on a ticket. The ability to configure the support groups associated with a company enables secured manual assignment of support groups while creating or modifying a ticket. For more information, see Assign or reassign requests by using the Assignment component. |
To implement row-level access in BMC Helix ITSM applications
Every form defined in AR System contains a set of core fields. The Request ID core field has a unique field ID of 1. AR System uses the permissions defined in the Request ID (Field ID 1) field to determine who should have access to a ticket.
The following permissions are defined on most BMC Helix ITSM forms. Individuals or groups defined under these permissions can access a ticket. For more information, see Access-control-with-implicit-groups-Row-level-security and Inheriting-permissions-by-using-hierarchical-groups.
Users and their profiles that are used in the example:
- Business users—Britney, Harry, Peter, and Ann
- Service Desk agents—Francie, Allen, and Ronald
- Associated support groups—IT Operations, IT Data Access, IT Support, Backoffice Support, and Help Desk
Service Desk agent | Support group |
---|---|
Francie | Help Desk |
Allen | Help Desk, Backoffice Support |
Ronald | IT Data Access (parent of Help Desk and Backoffice Support) |
Julie | IT Operations (parent of IT Data Access) |
Under Row-level security, the following table shows, for each record, the individuals and support groups associated with it and therefore which users can access it:
Request ID | Customer | Contact | Assigned support group | Parent of support group | Owner group | Parent of Owner group | Who all can access this record |
---|---|---|---|---|---|---|---|
INC000000000175 | Britney | Ian | Help Desk | IT Data Access | IT Support | IT Operations | |
INC000000000185 | Harry | John | Backoffice Support | IT Data Access | IT Support | IT Operations | |
INC000000000187 | Peter | James | Help Desk | IT Data Access | IT Support | IT Operations | |
INC000000000204 | Britney | Ian | IT Data Access | IT Operations | IT Support | IT Operations | |
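The following Python model, added here as an illustration and not BMC's own implementation, resolves the "who can access" set for the four records above from the Row-level security rules this page states: the individuals on the ticket (customer and contact; the assignee is not listed in the table, so it is left out) plus the members of the assigned and owner support groups and of every parent group above them, since a parent group inherits its child groups' ticket access. The hierarchy and memberships are constructed from the two tables above.

```python
from collections import namedtuple

# Constructed group hierarchy (child -> parent) from the agent table above.
PARENT = {
    "Help Desk": "IT Data Access",
    "Backoffice Support": "IT Data Access",
    "IT Data Access": "IT Operations",
    "IT Support": "IT Operations",
}
# Constructed support-group membership from the agent table above.
MEMBERS = {
    "Help Desk": {"Francie", "Allen"},
    "Backoffice Support": {"Allen"},
    "IT Data Access": {"Ronald"},
    "IT Operations": {"Julie"},
}
Ticket = namedtuple("Ticket", "request_id customer contact assigned_group owner_group")

def ancestors(group):
    """The group plus every parent above it; stops if the hierarchy loops."""
    chain = []
    while group is not None and group not in chain:
        chain.append(group)
        group = PARENT.get(group)
    return chain

def implicit_groups(ticket):
    """Assigned and owner groups plus their ancestors (a parent inherits child access)."""
    groups = set()
    for g in (ticket.assigned_group, ticket.owner_group):
        groups.update(ancestors(g))
    return groups

def who_can_access(ticket):
    """Individuals on the ticket (customer, contact) plus members of every implicit group."""
    users = {ticket.customer, ticket.contact}
    for g in implicit_groups(ticket):
        users |= MEMBERS.get(g, set())
    return users

# The four records from the table above, constructed from its cells.
TICKETS = {t.request_id: t for t in [
    Ticket("INC000000000175", "Britney", "Ian", "Help Desk", "IT Support"),
    Ticket("INC000000000185", "Harry", "John", "Backoffice Support", "IT Support"),
    Ticket("INC000000000187", "Peter", "James", "Help Desk", "IT Support"),
    Ticket("INC000000000204", "Britney", "Ian", "IT Data Access", "IT Support"),
]}
```

Note that inheritance only flows upward: Francie (Help Desk) can reach INC000000000175 but not INC000000000204, whose assigned group is the parent IT Data Access.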