Administer > Application setup > Process Designer > Process Designer security model

Process Designer security model

The Process Designer security model provides a consistent method of assigning permissions to users across all facets of Service Manager data and accounts for out-of-box rights that can be configured for a specified role within an area. It also provides standardized methods to manage user rights.

Note The Process Designer security model is implemented for Knowledge Management, Change Management, Service Desk, Incident Management, Problem Management, Request Fulfillment, and Service Level Management modules. For all other areas and modules, the traditional security features for Service Manager still apply.

The Process Designer security model includes the following components:

  • Area: An area defines a specific functional area or module within Service Manager, such as Knowledge Management or Knowledge Management administration. Each area definition includes default rights that are copied to the role whenever a new role is created. In addition to the out-of-box areas, system administrators are able to define additional areas.

    In an out-of-box system, the following three security areas are shared by several modules: Tailoring, Common Configuration, and Security. These areas contain the default security rights and settings that apply to the Change Management, Service Desk, Incident Management and Problem Management modules:

    • The Tailoring area is used to set the permissions that control operator access to Workflows.
    • The Common Configuration area is used to set the permissions that control access to common configurations, including Alert Definitions, Approval Definitions, Assignment Groups, Service Desk/Problem Solution Matching, and Environment.
    • The Security area is used to set the permissions that control operator access to Security configurations.

    Note The rights to access Settings are controlled by the separate Configuration area in each module.

  • Rights: The system includes a set of rights such as view, new, update, and delete that control an operator's data access. When an administrator creates a role, the default rights from each area are used to set the rights for that role. Rights can be modified for a specific area and role by an administrator that has update rights for the area and role. Each combination of role and area creates a collection of rights.

    Security Rights also include the following configurations:

    • Allowed Statuses: This field displays the list of statuses that are available to operator when they access records. A System Administrator specifies the allowed statuses for a role within an area. When this list is populated, the role may only update the records that are in one of the listed statuses. If a record has a status that is not in the list, the role will not be able to modify it. However, when the role updates records, the statuses that are available for selection are not limited to the list. If no statuses are listed, the role may modify records in any status.

    • Allowed Categories: This field displays the list of categories that are available to the operator when they access category data. A System Administrator specifies the allowed categories for a role within an area. When this list is populated, only the listed categories are available for selection when the role creates a new record or updates a record in the Category field. If no categories are listed, all categories are available for the role within the area.

    • Admin: This option indicates if the current Role has Admin rights for the current Area.
    • Expert: This option indicates if the current Role has Expert rights for the current Area.
    • Modify Template: This option indicates if the current Role is able to modify Template records for the current Area.
    • ESS Only: If this option is selected, the current Role has the specified rights for the current Area only when logged in to the ESS web client (ess.do). When this option is not selected, the specified rights take effect for both the standard and ESS web clients (index.do and ess.do).
  • Settings: Settings are configurable security extensions such as an initial view, a format to display a list, or an approval check box. Settings are added for an area. The types of settings include number, string, Boolean, date/time, global list, manual list, record, and condition.

  • Security Folders: If Folder Entitlement is enabled in the system, a System Administrator must select the security folders that each security role can access. If a role is not granted rights to a specific folder, operators associated with that role will not be able to access records in that folder.

  • Roles: A role has a set of rights and settings assigned to it. Each operator is assigned a role or roles which, along with area, determine the access rights for the operator. Whenever the roles on an operator record are updated, the operator must log out and then log in for the changes to take effect.

    Note The out-of-box system includes a default role for the Security area that cannot be deleted.

  • Data Policy records: The data policy records include an Area field used to specify the area associated with the table. An area needs to be associated with a Data Policy record in order to access the information from the table.