2 Replies Latest reply on Apr 25, 2017 9:07 AM by nick2

    Does anyone have an example of minimum object permissions?

    nick2 Apprentice

      I have been stripping and adding back role permissions trying to baseline a minimum requirement. But there are many objects that the functionality is not clear let alone allow deletion of records.. But I can't have my Self Service users adding CI's and creating other controlled Module records like Change, Problem and Release.

        • 1. Re: Does anyone have an example of minimum object permissions?
          AlasdairRobertson ITSMMVPGroup

          Rather than looking at every possible option in the permissions list, do your self service users have access to those workspaces?  e.g. if you self service user cannot even see any CI's as they do not have access to the workspace do you need to restrict their permissions to create them?  This is the premise that the ootb permissions are set on in my experience, otherwise there are 804 ish object ootb to start with an then 4 options Add, view ,edit, delete and that is before you review any specific field visibility options or other security rules...a lot of possible options there.

           

          When I create my Self Service roles I only make changes to the CI object permissions if I grant the user the ability to view CI's and then I usually only allow a user to see any CI's which are assigned to the them.

           

          Do you have a specific scenario in mind?

          1 of 1 people found this helpful
          • 2. Re: Does anyone have an example of minimum object permissions?
            nick2 Apprentice

            Thanks for the reply Alasdair. My situation is somewhat unique as we have many high level roles in our enterprise. I was exaggerating with the Self Service comment but we have actually had folks delete CI's Add Lines Of Business, add and update status values. The proverbial cornucopia of surprises. Never underestimate the end user. I have made some progress. Painful but productive. I think I have scrubbed this pretty well. As we continue to implement I am updating to get a single role established, then I will clone that for others.