2 Replies Latest reply on Apr 11, 2011 10:28 AM by Stu McNeill

    Groups, roles and priviliges

    Apprentice

      Hello,

      I've scanned the forum for information on the above subject but, apart from a small white paper, there is little information on the subject.

      I need to be able to explain to our LANDesk users how roles, groups and priviliges work in very simple terms, perhaps with a diagram.

      Does anyone have any further information on the subject that they would be willing to share.

      In particular, I just can't get my head round the need for roles when priviliges can be assigned to groups.

      Also, are the 'roles-based administration' concepts for 'Management Suite 9.0' pertinent to Service Desk or is that a different kettle of fish?

      Any help would be greatly appreciated,

      regards,

      Keiron.

        • 1. Re: Groups, roles and priviliges
          karenpeacock SupportEmployee

          Hi

           

          I'd like to write up something a bit more at some point but:

           

          Roles are more your job title rather than the department or team that you work in which might be your group.  So for example in the following scenario:

           

          Team 1 - Networks

          Team 2 - Databases

           

          In Team 1 there could be Bob (Support Analyst), Sue (Support Analyst), Louise (Team Leader) and in Team 2 there could be Frank (Support Analyst), Dave (Support Analyst), and Ben (Team Leader).   Maybe the ratio of manager to staff is a little high in this company

           

          Bob, Sue, Frank and Dave all need to be able to be assigned incidents that they work on, update and resolve.  They do this by running a query that shows them the work for their group so Bob and Sue are in a group called Networks and Frank and Dave are in a group called Databases.  They all need the same access to the system in terms of being able to add notes, progress incidents etc so a role called Support Analyst has been created and given to them.

           

          Ben and Louise also stand in to do Support Analyst duties when a member of their team is on holiday or off sick.  So they are given the Support Analyst role too.  However additionally as they are team leaders they need to be able to create new queries against the data in the system and also have the ability to re-open any closed incidents.  A new role called Team Leader is created and this just contains those additional privileges.  This is given the Ben and Louise so they can now do everything that the Support Analyst role gave them plus also the additions given to them via the Team Leader privilege.

           

          So in summary:

          Roles allow you to have people working in the same team but having different access to the system.  They also allow you to define access levels for a particular job role.

           

          In other words you may want to give a limited number of people within your organisation a specific privilege, such as giving a number of your management team or change advisory board the ability to authorise a change. Then you only need to give them the role that you have created called Change Authoriser which just specifically has that privilege and you don’t need to worry about ensuring that the role includes privileges the other things that these people need to be able to do in the system – as other roles they’ve been allocated already should include these.

           

          I hope that this makes sense?  There are also some explanations for the differences between roles and groups in the Service Desk Administrators Guide.  This is available in the Documentation section of the Service Desk community.

           

          Best wishes

          Karen

          • 2. Re: Groups, roles and priviliges
            Stu McNeill Employee

            Just to add to Karen's splendid description its worth knowing that while you can add privileges to groups if you want the best practice is to always use roles and only use groups for the organisational side of the system such as assigning incidents, etc.

             

            By splitting up the two it gives you better flexibility and control over privileges (and less places to hunt through to check what privileges a user has!).