Use > Change Management > Security

Change Management security

Micro Focus Service Manager controls access to Change Management functions based on security roles, security areas, and rights.

Change Management security areas

User Role: System Administrator

The security areas in Change Management are Changes, Change Tasks, and Change Management Configuration. These areas contain the default security rights and settings for Change Requests in the Change Management module. The security right settings will be inherited by the new roles created in an area when no settings are specified in the security role.

The change areas are used to set permissions to operators to provide access to particular area of Change Management. For example, for the Change Coordinator security role, set change area as Change Management Configuration and rights as View and Admin. Then, an operator with this security role can view and configure only the Change Management Configuration items under Change Management.

The following table lists the areas and the relevant Change Management menu items the operators can access.

Security area

System Navigator menu items for this area

Change

This area contains the default security rights and settings for change requests in the Change Management module.

For example, Create New Change, Change Queue, Task Queue, and Search Changes.

Change Tasks

This area contains the default security rights and settings for change tasks in the Change Management module.

For example, Create New Tasks, and Search Tasks.

Change Management Configuration

This area contains the default security rights and settings for Change Management configuration.

For example, Alerts, Approvals, Change Categories, Change Models, Change Workflows, Messages, Subcategories, and Task Categories.

The default rights defined in areas are inherited when you create new security roles. The following table shows the out-of-box default rights defined in the Change, Change Task and Change Management Configuration areas.

Security area View New Update Delete/Close Expert Admin
Change TRUE FALSE Never Never FALSE FALSE
Change Tasks TRUE FALSE Never Never FALSE FALSE
Change Management Configuration FALSE FALSE Never Never FALSE FALSE

Change Management security roles and settings

User Role: System Administrator

The out-of-box security roles for Change Management include the following:

  • change advisory board (CAB)
  • change analyst change

  • change analyst tasks
  • change approver

  • change coordinator
  • change coordinator change
  • change coordinator tasks
  • change domain expert (CDE)
  • change implementer

  • change manager
  • change owner
  • change requestor

Tip If you have upgraded from a previous version of Change Management, which is not Process Designer based, see Change Management security profiles mappings for more information about the mappings between the legacy Change Management profiles and the current Process Designer security roles.

Rights and settings

To view the rights and settings that are defined for out-of-box Change Management security roles, follow these steps:

  1. Navigate to System Administration > SecurityRoles.
  2. In the Name field, select a Change Management security role.
  3. Click Search.
  4. Double-click a security area to open the Rights form.

    This form lists the rights and settings of the security role for the selected security area.

  5. View the Rights and Settings sections in the form.

    The following table describes possible rights for Change Management security areas.

    Security role rights Description
    New Can create new records in this area
    View Can view records in this area.
    Expert

    Has Expert rights in this area

    Admin

    Has Admin rights in this area

    Modify Template Can modify template records in this area
    Update Can update records in this area
    Delete/Close Can delete or close records in this area
    Allowed Categories Specifies the categories in this area that users with this role can select
    Allowed Statuses Specifies the status values in this area that users with this role can select

    The following is a list of settings available for Change Management security areas.

    • Allow Inefficient Query: When this option is true, users with this role can run incomplete (inefficient) queries in this area, but receive a warning message. The Skip Inefficient Query Warning option overrides this setting. If not selected, users with this role cannot run inefficient queries in this area.
    • Skip Inefficient Query Warning: Turns off inefficient query warnings for this area. This option overrides the Allow Inefficient Query option.
    • Can Approve: Users with this role can approve records in this area.
    • Can Delegate Approvals: Users with this role can delegate their own approvals in this area to another user.
    • Reopen: Users with this role can reopen records in this area.
    • Change Manage Format: The name of the form to display as the default change queue form. If left blank, sc.manage.chm is used.
    • Default Category: Unused
    • Default Task Category: Unused
    • Initial Change View: Unused. Service Manager automatically saves the Change view that users with the role opened last time.
    • Initial Task View: Unused. Service Manager automatically opens the Change Task view that users with this role opened last time.
    • Initial Format: The initial format that is used when users with this role search change records. If left blank, cm3r.search is used.
    • List Format: Also known as QBE Format. This is the QBE form to use when displaying records to users with this role. If left blank, cm3r.qbe is used.
    • Task Manage Format: The name of the form to display as the default task queue form. If left blank, sc.manage.cmt is used.
    • Append Query: This field stores an expression to append to all queries in this area run by users with this role. This expression restricts the records that the user with this security role can see, by appending (adding on) this query to everything the user does in this module. You must use the field name from the dbdict in the expression. For example, you can enter priority.code=”3” so that users with this security role can only see Priority 3 records.
  6. View the Security Folders section.

    This section specifies security folders that are accessible to this Role for records of this area. For more information, see Add folder permissions to a security role.

    The out-of-box security folders available in Service Manager are DEFAULT and advantage. You can also create security folders to meet your business needs. By default, all security folders are assigned to a new security role created. Once a role is created and rights are configured, you can modify the security rights for a role within an area.

Configuring Change Management security

User Role: System Administrator

Change Management Administration enables you to perform the following Change Management security configurations:

Set rights to changes and change tasks

The Change Administrator can set rights to changes and tasks using the role-based security. The Changes, Change Tasks, and Change Management Configuration areas contain default security rights and settings. The rights are copied to new roles created for these areas. However, the settings are inherited only if there are no settings specified on the roles.

Note Whenever the roles in an operator record are updated, the operator must log out and then log in for the changes to take effect.

Add security roles and settings

User Role: System Administrator

To create a security role and assign rights and settings to it, follow these steps:

  1. Click System Administration > Security > Roles.
  2. Click New.

    The security role form is displayed.

  3. Type a security role name.
  4. Type a security role description.
  5. Click Save.
  6. Select a security area.

    The security rights and settings form is displayed.

    1. Under Rights, select the rights to be assigned to the security role.

      For example, set Expert rights for the security role. The Expert security right enables the operator to view alert logs, opened tasks, affected services, and clocks of change requests. It also enables the operator to set reminders, send notifications, create hot news, and associate change requests to incidents, interactions, requests, and know errors.

  7. Under Settings, add required settings.
  8. Under Folders, add folder permissions to the security role.

    The out-of-box security folders available in Service Manager are DEFAULT and advantage. You can also create security folders to meet your business needs. By default, all security folders are assigned to a new security role created. Once a role is created and rights are configured, you can modify the security rights for a role within an area.

Modify an operator record to enable Change Management access

Applies to User roles: System Administrator

To modify an operator record to enable Change Management access, follow these steps:

  1. Click System Administration > Ongoing Maintenance > Operators.
  2. Use search or advanced search to find one or more records.
  3. Click the operator record that you want to view.
  4. Click the General tab.
  5. Add the desired Change Management security roles to the Security Roles table.
  6. Click Save.
  7. Click OK.

Enable approval delegation

Approval delegation is an optional feature that enables users with approval rights to temporarily delegate their approval authority to another qualified operator. For more information, see Approval delegation.

To enable an operator to delegate approval authority, a System Administrator must make changes to a specific security role of the operator.

The following example illustrates how to enable approval delegation for the Change Management application.

To edit the security role to which you want to grant approval delegation authority, follow these steps:

  1. Log in to Service Manager with a System Administrator account.
  2. Click System Administration > Security > Roles.

    Service Manager displays a list of security roles.

  3. Optionally, in the Name field, type the name of the security role to which you want to grant approvals, for example, change approver.
  4. Click Search. The security role or a list of security roles opens.

  5. Locate the security role you want to edit, and select a Change Management security area, Change or Change Tasks.
  6. Select Can Delegate Approvals under Settings.
  7. Click Save.

Note It is a best practice to enable the Delegate Approvals or Can Delegate Approvals option only for operators who can also view and approve objects in the application.

Now, the operator can delegate approvals for the selected security area. For information about how to delegate approvals to another operator, see Delegate approvals to another operator.

 

Related topics

Process Designer security model
Add folder permissions to a security role