2 Replies Latest reply on Sep 14, 2010 10:04 AM by philh

    Role-based privileges not working as expected ?


      My understanding of the role-based privileges in LANDesk Service Desk is that they are additive, i.e. if a user holds any role that provides privilege to perform a particular action then they are able to perform that action.


      I have a user on our system that I want to give two roles; "Change Manager" and "Service Delivery Manager" (the actual role names are not really important) - the "Change Manager" role includes permission to approve changes, whilst the "Service Delivery Manager" role does not. If I just give the user the "Service Delivery Manager" then, correctly, they are not able to approve changes; however if I then add the "Change Manager" role they are still not able to approve changes


      My understanding of how the role-based privileges work would seem to indicate that adding the "Change Manager" role should provide my user with the permission to approve changes. Am I doing something wrong here, or is my understanding of how role-based privileges combine incorrect ?


      Phil H

        • 1. Re: Role-based privileges not working as expected ?

          Hi Phil,


          You're absolutely correct, privileges are cumulative - a User has all the privileges provided to him by all the roles and groups he is a member of.  There are two reasons I suspect this doesn't work for you:


          1) When changing a Users' privileges - either by adding them to groups or roles or by editing the privileges provided by a group or role they are a member of; a cache refresh is required before the changes take effect.  The easiest way to do this is with an IIS reset.


          2) We've recently discovered a problem where a User who is a member of custom roles and groups may not actually receive all of the privileges provided by those roles and groups.  This problem requires a quite specific set of circumstances to combine in order to manifest though.  This is Problem 4968.


          If an IIS Reset doesn't make the privileges work for your affected User then please raise an Incident with your support provider to look in to this further for you.




          • 2. Re: Role-based privileges not working as expected ?



            The IIS Reset didn't work, however it appears the problem was associated with the way in which LANDesk refreshes the privileges ? I went into the Change privileges for the "Change Manager" role, and removed the execute privileges for all actions using the "Apply to Column" option. I then reset IIS and returned to the Change privileges for the "Change Manager" role adding the execute privileges for all actions using the "Apply to Column" option, finally resetting IIS once more. After these actions were performed the privileges appear to be operating as expected.


            Phil H