Delegating permissions for service catalog creation and editing

The following use case scenario demonstrates how a tenant administrator or catalog administrator can delegate the creation and editing of service catalogs to other people.

The service catalog comprises three levels:

  • The category level (first level), which contains the top level tiles that a user sees when viewing the home page of the Service Portal.
  • The service (service-definition entity) level (second level), which aggregates all offerings (third level) related to the specific service.
  • The offering level (third level), which contains the individual service and support offerings.

Service definitions are so named because the best practice is to aggregate service and support offerings by their affinity to a specific service. For example, a category named Email and collaboration might contain services such as Lotus email or Exchange email, which in turn might include offerings such as “Create a new Public distribution list”, “Change public distribution list owner”, and “Increase mailbox quota”.

Separating catalog offerings into services enables service owners to maintain their respective catalog areas, that is, to have the tools and permissions to create and update offerings related to the services they own. A service owner is the organizational persona in charge of maintaining a service, providing support for that service, and fulfilling service requests against it. It stands to reason that this person should be able to define and edit the service and support offerings related to the service. The service owner should be able to:

  • Define the offerings and how they appear to end users in the Service Portal.
  • Describe the purpose of the offerings and how to use them. The names and descriptions of the offerings are also used for search matching, so the service owner should be able to include keywords in the descriptions that match what end users search for when looking for this offering.
  • Specify the audience for the offerings, that is, which end users would be able to see and request the offering in the Service Portal (for example, whether or not the offering is specific to a certain location).
  • Define a task plan for fulfilling the offering. For example, a local IT help desk manager responsible for distribution and maintenance of personal computers and related equipment would be able to define the process for issuing a laptop for a new employee. The tasks may include checking the stock, ordering a new laptop if none is found in stock, installing the company’s OS image on the laptop, and so on.
  • Define a form for the offering.

All of these activities require the person creating and editing the offering to be very familiar with how the service operates.

Create a Catalog Editor role

Before groups or individuals can edit catalogs or parts of catalogs, they must be granted permissions to edit catalog entities. To distinguish these users from the more inclusive Catalog Administrator role, it is recommended that you create a new Catalog Editor role, as follows:

  1. From the main menu, select Administration > Master Data > People > Roles.

  2. Click Add at the top of the left pane.

  3. Type Catalog Editor in the New role dialog box.

  4. Click OK. Service Management confirms that the new role is saved.

  5. Set the following permissions:

    Record type permissions (columns: Create, View, Update, Delete, Admin, Comments)

      Actual Service
      Asset Model
      Category
      Entitlement Rule
      Fulfillment Plan
      Record Category
      Location
      Offering
      Service Definition

    Resources permissions (columns: Create, View, Update, Delete, Admin, Comments)

      User Options

  6. Click the People tab.

  7. Select the person to whom you want to assign the new role.

  8. Click Edit and scroll to the System use definitions section.

  9. In the Role field, add the new Catalog Editor role that you just created.

  10. Repeat these steps for any person or group to whom you want to assign catalog editing permissions.

Define service ownership

Define an owner and support groups for the relevant service as follows:

  1. From the main menu, select Plan > Service Catalog > Catalog.

  2. Locate the relevant category in the left column and then the service for which you want to assign an owner in the middle column.
  3. Click the service definition title to view its details and edit it.
  4. In the Overview section, click next to the Owner field and select the name of the person who owns the service.

    In addition, in the Details section of the form, you can specify the 1st, 2nd, and 3rd level support groups for the service.

  5. From the main menu, select Administration > Configuration > Studio.
  6. Select Offering in the drop-down list at the top of the page.
  7. Click the Processes and Rules tab and select Offering at the top of the tree. Select the After change process event.
  8. Add the following business rule:

    Validate ${current_user.IsPermitted (null, 'Catalog Administrator') || (entity.Service != null && entity.Service.OwnedByPerson != null && current_user == entity.Service.OwnedByPerson)} and display You are not permitted to edit this offering in case of a failure

    This business rule enables only the Catalog Administrator and the owner of the service to edit the offerings in a specified service.

    Alternatively, you can assign permission to an entire group to edit the service offerings of a specific service. For example, the following rule enables the members of the 3rd level support group to edit the offerings of a specified service:

    Validate ${ current_user.IsPermitted (null, 'Catalog Administrator') || (entity.Service != null && entity.Service.OwnedByPerson != null && current_user == entity.Service.OwnedByPerson) || (entity.Service != null && entity.Service.SupportLevel3Group != null && is_in_group(current_user.Id, entity.Service.SupportLevel3Group.Id)) } and display You are not permitted to edit this offering in case of a failure
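An edit to an offering has to pass two checks: the role's Update permission on the Offering record type, and the business rule above. The following Python model of the group variant of the rule is an added example, not product code or part of the original documentation. All class, function, user and group names are hypothetical, and it assumes that both the Catalog Administrator and Catalog Editor roles grant Update on Offering.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Person:
    id: str
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class Service:
    owned_by_person: Optional[Person] = None
    support_level3_group: Optional[str] = None

@dataclass(frozen=True)
class Offering:
    service: Optional[Service] = None

def has_update_permission(user: Person) -> bool:
    # Layer 1 (assumption): both roles carry Update on the Offering record type.
    return bool(user.roles & {"Catalog Administrator", "Catalog Editor"})

def rule_allows(user: Person, offering: Offering) -> bool:
    # Layer 2: the group variant of the rule, clause by clause, null checks included.
    if "Catalog Administrator" in user.roles:
        return True
    svc = offering.service
    if svc is None:
        return False
    if svc.owned_by_person is not None and user.id == svc.owned_by_person.id:
        return True
    return svc.support_level3_group is not None and svc.support_level3_group in user.groups

def can_edit(user: Person, offering: Offering) -> bool:
    return has_update_permission(user) and rule_allows(user, offering)

# Constructed sample data, not taken from any real tenant.
EDITOR = frozenset({"Catalog Editor"})
USERS = {
    "admin": Person("u1", frozenset({"Catalog Administrator"})),
    "owner": Person("u2", EDITOR),
    "l3_member": Person("u3", EDITOR, frozenset({"exchange-l3"})),
    "other_editor": Person("u4", EDITOR),
    "owner_without_role": Person("u5"),
}
OFFERINGS = {
    "mailbox_quota": Offering(Service(USERS["owner"], "exchange-l3")),
    "owned_by_u5": Offering(Service(USERS["owner_without_role"])),
    "no_service": Offering(None),
}

def decision_matrix() -> dict:
    return {(u, o): can_edit(user, off)
            for u, user in USERS.items() for o, off in OFFERINGS.items()}
```

The matrix shows that a Catalog Editor with no ownership or group relation to the service is denied, and that a service owner who was never assigned the Catalog Editor role is denied as well.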

Define category ownership

You may be required to delegate the editing of offerings for an entire service catalog category. For example, each category might aggregate the services and offerings of a service provider such as HR, IT or Facilities. To do this, define the Owner field and the Owning Group field on the Category level.

Enable the delegation of catalog editing to a category owner or category owning group as follows:

  1. Define an owner and support groups for the relevant category:

    1. From the main menu, select Plan > Service Catalog > Catalog.

    2. Find the category that you want to update and click the category title.
    3. In the category form, find the Owner and Owning group fields and set them to the relevant person or group.

      Note: If you do not see the Owner and Owning group fields, add them to the Full Category form. For more information, see How to edit a form.

  2. From the main menu, select Administration > Configuration > Studio.

  3. Select the Offering record type in the drop-down list at the top of the page.

  4. Click the Processes and Rules tab and select Offering at the top of the tree. Select the After change process event.
  5. Add one of the following rules (these are similar to the rules for defining service ownership, with added permissions for category owners):

    Validate ${current_user.IsPermitted (null, 'Catalog Administrator') || current_user == entity.Service.OwnedByPerson || current_user.Id == entity.OfferingToCategory.OwnedByPerson.Id} and display You are not permitted to edit this offering in case of a failure

    This business rule enables the Category owner, Catalog Administrator, or Service Definition owner to edit any offering under the category.

    Alternatively, you can assign permission to an entire group to edit the offerings of a specific category. The following rule enables the members of the Category Owners group to edit offerings in the category:

    Validate ${ current_user.IsPermitted (null, 'Catalog Administrator') || current_user == entity.Service.OwnedByPerson || is_in_group(current_user.Id, entity.OfferingToCategory.OwnedByGroup.Id)} and display You are not permitted to edit this offering in case of a failure