I'd prefer the following method:
- I set all permissions in Roles only.
- There are two windows for the services, one for the Analysts (attributes are writable if necessary), one for the EndUsers (all attributes read only).
- There is a view rule that will display the windows from above by user type.
- To publish the service items in the catalog, you can either use roles or groups or both.
Then you should be set and good to go.
So, I created a copy of the Service Window, renamed it to ServiceWindowRO, then I changed all the field values to a protection level of READ ONLY.
Would this work? I guess I am asking how I restrict certain users/roles so that they get this window instead of the SERVICEWINDOW that has more rights... or am I going at this totally wrong?
Where would I set the VIEW RULE at?
Per IVANTI Support, they said this, which states it cannot be done:
"There's no way to isolate the Service Catalog from the rest of Request Management, so if you were to remove the Write privileges from a role/group, that role/group would no longer be able to submit requests in the Service Catalog. The Service Catalog operates by publishing via role or group and doesn't have specific privileges that you could allow a read-only view for."
The supporters are quite right; there is no way to separate it using the permissions in your Roles. But you can show different windows to different Roles, Groups, User Types or even Users. So it might get you where you want, with the downside that you may have to use and maintain multiple view rules. They can be set in the Window Manager.
You can even copy your window again and set some attributes to read only and others to read/write and distribute them to different users. I think that will be the only option you have.
There should be a description in the help section. Just take a look at help.ivanti.com and select the Service Desk section.