Using Enhanced Object Permissions
Neurons for ITSM enables full access rights to the business objects associated with a role when you create it. You have to manually modify the permissions for each role. The enhanced object permissions feature allows you to apply permissions for a role based on the Top Level Tabs and metadata configuration.
1. Log in to Ivanti Neurons for ITSM with the Administrator user role.
2. Click Configure Application to go to the Configuration Console.
3. Click Build > Global Constants to open the Global Constants window.
4. Set the EnableEnhancedObjectPermission value to True. By default, the EnableEnhancedObjectPermission value is False.
5. Click Save.
1. From the Configuration Console, click Configure > Users and Permissions > Roles and Permissions to open the Roles and Permissions workspace.
2. Click Add new.... The system displays the Role Details page.
3. Click Top Level Tabs to add the permission type. For more information, see Setting-up Roles.
4. Click the Object Permissions tab.
By default, the application gives minimum permissions to the new role.
5. Click Apply Enhanced Permissions. The system displays a Confirmation dialogue box.
Confirmation Dialogue Box
By default, all permissions are granted to the admin role. As a result, the Apply Enhanced Permissions button will not be available for the admin role.
6. Click Ok. The system automatically selects the permissions based on the objects available in the Top Level Tabs workspace and metadata configuration.
When you add any object in the Top Level Tabs workspace, you must click Apply Enhanced Permissions to update the permissions.
If you remove objects from the Top Level Tabs workspace after applying enhanced object permissions, clicking Apply Enhanced Permissions updates the permissions but does not revoke the permissions for the objects you removed. To apply the new changes, first remove the enhanced object permissions (see Removing Enhanced Object Permissions), and then click Apply Enhanced Permissions.
Any manual changes made prior to applying enhanced object permissions will be retained even after the permissions are applied.
The enhanced object permissions feature does not support the following top level tabs: License Manager Wizard, ProcessWizard, IPCMWebStat, and AdminUiTreeMetadata. You must therefore manually update the permissions for any associated business objects.
7. Enter data in the remaining fields. For more information about creating a role, see Setting-up Roles.
8. Click Save.
You must click Apply Enhanced Permissions to update the additional permissions when making changes such as publishing dashboards, saved searches, or Quick Actions, enabling disabled business rules, or changing metadata such as adding fields.
Enhanced object permissions do not include Create (For Self) permissions such as Actions, Search and Dashboard in the System Permissions tab. These permissions are user-specific, and you must manually apply the required permissions to the role.
1. From the Configuration Console, click Configure > Users and Permissions > Roles and Permissions to open the Roles and Permissions workspace. The system displays a list of roles.
2. Open a role to apply the enhanced object permissions. The system displays the Role Details page.
3. Click the Object Permissions tab.
4. Click Apply Enhanced Permissions. The system displays a Confirmation dialogue box.
When you apply the enhanced object permissions, the system creates a backup of the existing permissions. This backup is used to restore the permissions if necessary.
5. Click Ok. The system automatically selects the permissions based on the objects available in the Top Level Tabs workspace and metadata configuration.
6. Click Save.
To give admin rights to an existing role that already has enhanced object permissions applied, you must first remove the enhanced permissions (see Removing Enhanced Object Permissions) and then grant admin rights to that role.
1. From the Configuration Console, click Configure > Users and Permissions > Roles and Permissions to open the Roles and Permissions workspace. The system displays a list of roles.
2. Open the role for which you want to edit the object permissions. The system displays the Role Details page.
3. Click the Object Permissions tab.
4. Click Remove Enhanced Permissions to revert the permissions to their initial state (see the note in Step 4 in the Assigning Enhanced Object Permissions to an Existing Role section). The system displays a Confirmation dialogue box.
Confirmation Dialogue Box
By default, all permissions are granted to the admin role. As a result, the Remove Enhanced Permission button will not be available for the admin role.
Be careful when removing enhanced object permissions after you have modified the permissions, because clicking Remove Enhanced Permission removes all manual modifications made in the Object Permissions, System Permissions and Permission to Grant Roles tabs, and reverts the permissions to their initial state (see the note in Step 4 in the Assigning Enhanced Object Permissions to an Existing Role section). It is therefore recommended that you manually modify these three tabs before applying the enhanced object permissions for the first time. You can also remove the enhanced object permissions, make the manual changes, and then apply the enhanced permissions.
5. Click Ok. The system removes all enhanced object permissions and displays the initially saved permissions. For new roles, the system automatically selects all access rights associated with the business objects.
6. Click Save.
If you disable the EnableEnhancedObjectPermission Global Constant after applying enhanced object permissions, you cannot remove or apply enhanced permissions to a role, because the Apply Enhanced Permissions and Remove Enhanced Permission buttons are not available while the Global Constant is disabled. You must then modify the permissions manually.
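The apply and remove behaviour described above can be modelled to spot permissions that outlive a removed top level tab. This is an added illustration, not Ivanti code or an Ivanti API: the class, the function names and the tab-to-object mapping are assumptions, and the backup is assumed to be taken on the first apply only.

```python
# Simplified model of the apply/remove semantics described on this page.
# Not Ivanti code; names and the tab-to-object mapping are assumptions.
UNSUPPORTED_TABS = {"License Manager Wizard", "ProcessWizard",
                    "IPCMWebStat", "AdminUiTreeMetadata"}

class Role:
    def __init__(self, manual_grants=()):
        self.grants = set(manual_grants)  # business objects the role can access
        self.backup = None                # snapshot taken when first applied

    def apply_enhanced(self, tabs, tab_objects):
        """Additive: grants objects for the current tabs, never revokes."""
        if self.backup is None:           # assumption: backup on first apply only
            self.backup = set(self.grants)
        self.grants |= derived_objects(tabs, tab_objects)

    def remove_enhanced(self):
        """Revert to the backup; manual changes made after apply are lost too."""
        if self.backup is not None:
            self.grants, self.backup = set(self.backup), None

def derived_objects(tabs, tab_objects):
    """Objects that enhanced permissions would grant for the given tabs."""
    objs = set()
    for tab in tabs:
        if tab not in UNSUPPORTED_TABS:   # these tabs need manual permissions
            objs |= tab_objects.get(tab, set())
    return objs

def stale_grants(role, tabs, tab_objects):
    """Grants that come neither from current tabs nor the pre-apply backup."""
    return role.grants - derived_objects(tabs, tab_objects) - (role.backup or set())

def demo():
    # Constructed sample data, not a real Neurons for ITSM export.
    tab_objects = {"Incident": {"Incident", "Employee"},
                   "Change": {"Change"}, "ProcessWizard": {"Workflow"}}
    role = Role(manual_grants={"Knowledge"})
    role.apply_enhanced(["Incident", "Change", "ProcessWizard"], tab_objects)
    tabs = ["Incident", "ProcessWizard"]          # "Change" tab removed later
    role.apply_enhanced(tabs, tab_objects)        # re-apply does not revoke
    drift = stale_grants(role, tabs, tab_objects)
    role.remove_enhanced()                        # revert to the backup first...
    role.apply_enhanced(tabs, tab_objects)        # ...then apply again
    return drift, role.grants, stale_grants(role, tabs, tab_objects)

if __name__ == "__main__":
    print(demo())
```

In this model a grant made manually after applying is also reported as stale, which is the set to review before clicking Remove Enhanced Permissions.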
Tips for Using Enhanced Object Permissions Feature
• When you configure a role without including the Employee business object as a top level tab, the View and/or Edit permissions are still granted to the Employee business object due to its dependency on other business objects. Because of this dependency, you can configure segregation rules for the Employee business object by clicking Edit in the Access column of the Object Permissions workspace.
The example below restricts the self service user from viewing all records. However, the user can update his/her own Employee data.
• You can configure the field permissions based on your business requirements.
• When configuring the Social Board top level tab, you must provide Edit permission to the additional fields, because the additional fields rely on the Employee business object to update your profile information in the Social Board workspace.
For example, see below:
• Analytic Metrics is independent of enhanced object permissions, and the metrics functionalities will continue to work even if the associated permissions are revoked.