How To: Understand the structure of privileges in the Service Desk database

Version 7

    Verified Product Versions

    • Service Desk 2016.x
    • Asset Manager 2016.x
    • Service Desk 2017.x

    Requires Access To:

    • Database server
    • Service Desk console


    How To:

    This article explains how privileges are organised in the Service Desk database, to help in some troubleshooting situations.


    First things first:

    When a privilege is modified from the administration component in the console, the change is written to the database immediately, without pressing the Save button. The new value is set for the relevant privilege of the role or group being modified.

    Privileges in Administration.png



    The privileges configuration is defined by the following tables in the database:

    • md_privileged_item, which holds the definition of all the privileged items in Service Desk.

    For instance, the Incident Task action "Add Note" has a related privileged item


    • tps_privilege, which contains the values of privileges. This is where we know which privilege is enabled or not (for a specific group or role).
      Each value is of course associated with its privilege definition (md_privileged_item)

    • tps_privilege_collection, which links a group or a role to a set of privilege values.
      This table gives Service Desk the capacity to associate either a group or a role to a configuration of privileges.


    • tps_group or tps_role, which are the tables that store the definition of groups and roles in Service Desk.


    The global structure is represented below:

    LDSD_Privileges_Relationships_V2 (No text).png


    Summary and example:

    In this example, we want to amend a privilege of the role SelfServiceUser.

    We set the "Execute" privilege to true for "Modules > Incident Management > Process Related Object > Task Incident --> Add Note".

    Privileges in Administration.png


    Role (tps_role):

    In the database: the tps_role (role) entry "SelfServiceUser" has a link to its associated tps_privilege_collection (collection) entry.



    Collection (tps_privilege_collection):

    The tps_privilege_collection table will simply store the list of existing collections for both roles and groups.



    Privilege Values (tps_privilege):

    In the tps_privilege table (the privilege value), there's a value change (16) for the entry that is bound to the above role collection and to the privileged item "IncidentManagement.Task.Function.AddNote".



    Privilege Definition (md_privileged_item):

    The above column "tps_item_guid" refers to the privilege definition in the md_privileged_item table:



    Additional information:

    From version 2016.1 of Service Desk, Test to Live doesn't transfer the privileges of existing groups and roles.

    If a privilege has never been configured, it's deactivated by default and there will be no associated entry in the "tps_privilege" table. Changing this privilege for the first time will create a new entry in this table.
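
    The role → collection → privilege value → privilege definition chain described above, as an added example on a constructed in-memory SQLite model (not code or schema from the product). Only the four table names and the tps_item_guid column come from this article; every other column name, GUID and the second privileged item are hypothetical and must be checked against the real database. The LEFT JOIN makes never-configured privileges visible, since they have no tps_privilege row.

```python
import sqlite3

# Constructed miniature model of the four tables named in the article.
# Only the table names and tps_item_guid come from the article; every other
# column name (and all GUIDs/rows) is hypothetical, for illustration only.
SCHEMA = """
CREATE TABLE md_privileged_item (md_guid TEXT PRIMARY KEY, md_name TEXT);
CREATE TABLE tps_privilege_collection (tps_guid TEXT PRIMARY KEY);
CREATE TABLE tps_role (tps_guid TEXT PRIMARY KEY, tps_name TEXT,
    tps_collection_guid TEXT REFERENCES tps_privilege_collection(tps_guid));
CREATE TABLE tps_privilege (tps_guid TEXT PRIMARY KEY,
    tps_collection_guid TEXT REFERENCES tps_privilege_collection(tps_guid),
    tps_item_guid TEXT REFERENCES md_privileged_item(md_guid),
    tps_value INTEGER);
INSERT INTO md_privileged_item VALUES
  ('item-1', 'IncidentManagement.Task.Function.AddNote'),
  ('item-2', 'IncidentManagement.Task.Function.Example');  -- made-up item
INSERT INTO tps_privilege_collection VALUES ('coll-ssu');
INSERT INTO tps_role VALUES ('role-ssu', 'SelfServiceUser', 'coll-ssu');
INSERT INTO tps_privilege VALUES ('priv-1', 'coll-ssu', 'item-1', 16);
"""

# Role -> collection -> privilege values, then LEFT JOIN from the definitions
# so items that were never configured still appear (with a NULL value).
QUERY = """
SELECT i.md_name, p.tps_value
FROM md_privileged_item AS i
CROSS JOIN tps_role AS r
LEFT JOIN tps_privilege AS p
       ON p.tps_item_guid = i.md_guid
      AND p.tps_collection_guid = r.tps_collection_guid
WHERE r.tps_name = ?
ORDER BY i.md_name
"""

def build_sample_db():
    """Create the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def role_privileges(conn, role_name):
    """Map each privileged item to its stored value, or None when no
    tps_privilege row exists (never configured, so deactivated by default)."""
    return {name: value for name, value in conn.execute(QUERY, (role_name,))}

if __name__ == "__main__":
    for item, value in role_privileges(build_sample_db(), "SelfServiceUser").items():
        print(item, "->", "not configured (default: off)" if value is None else value)
```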