Enable Organization-Based Security

The organization-based security feature lets you restrict users' access to the organization that they belong to. When you enable organization-based security, users can only view the data from their own organizations. For example, an analyst who belongs to Organization1 can only view a ticket that User1 of Organization1 raises. Organization-based security supersedes the other access control permissions of Serviceaide Intelligent Service Management.

Note the following points when you enable organization-based security:

  • It does not apply to administrators. Administrators can view all the tickets across all organizations.
  • It is implicitly applied to self-service users. Self-service users can view only the tickets within their organization and down their organizational hierarchy.

Organization-based security depends on the relationships between various entities of the application. The following diagram illustrates the relationship between the organizations and the other application components.

Relationship Dependencies

The effectiveness of an Organization-based security implementation depends on the relationships between various application entities. Consider the following relationships:

  • Organization-Contact-Support Group: You can relate a contact to an organization or a support group that is related to an organization.
  • Organization-Configuration Item: You can relate a configuration item to only one organization. The organization of the CI owner has no impact on the organization-configuration item relation.
  • Organization-Ticket: When the end user logs a ticket, the organization of the Requester and the Requested For user becomes the organization of the ticket. If neither the Requester nor the Requested For user has an organization, the ticket is logged with no organization.
  • Organization-Asset:

Impact of Enabling Organization-based Security

The implementation of Organization-based security impacts the following items:

Tickets, CIs, and Assets

  • Ticket Views and Searches: An analyst can view and search tickets and ticket-related CIs that are related to the organization of the analyst.
  • Ticket Creation: An analyst can log tickets only on behalf of users who share the organization of the analyst.
  • Ticket Assignment: The application assigns tickets with no organization to the default support group. The application assigns task tickets to the default assignment group of the parent ticket. You can assign tickets only to contacts or support groups whose related organization matches the one on the ticket.
  • Change Approvals: My Outstanding Approvals lists only those change approval tickets that are related to the same organization as the approver. As an administrator, be careful while configuring approval groups for tickets. The approvals and comments on tickets are visible to Change Approvers and Reviewers irrespective of the related organization.
  • SLA Escalations: An SLA target violation action fails when the target support group or contact is not related to the organization of the ticket. The application assigns such tickets to the default support group.
  • Ticket Activities: The Ticket Activity tab displays all actions and communications on the ticket, irrespective of the related organization. The View Related option in the Activity tab displays only the tickets of the organization that is related to the logged-in user.
  • Affected Services on Tickets: The related Affected Services on the ticket are visible irrespective of the organization. The user permissions govern access to the view and change actions on the affected service. When the Requester or the Requested For user does not belong to a related organization, the analyst cannot view their contact records.
  • Asset Center: An Asset Manager or an Analyst can view only those assets that are related to the organization that they are a part of, either through a direct relationship or through a support group relationship.
  • Bulk Actions for Assets: An Asset Manager or an Analyst can use the following bulk actions to modify or update assets within their organization.
    • Update Organization: While applying this bulk action, an Asset Manager or an Analyst can view only the organizations related to their organization.
    • Update Owner: While applying this bulk action, an Asset Manager or an Analyst can view only the owners that are a part of their organization.
    • Create CI: When a CI is created from an Asset, the Organization field is populated automatically, based on the Asset Manager's organization.
  • Create/Edit Asset: All assets must be linked to an organization. During asset creation, the Organization/Location, Vendor, and Owner fields are displayed based on the Asset Manager's organization.

Email Communication

  • Automatic Notifications from Tickets: Outbound emails are sent to the recipients identified by the communication template, irrespective of the related organizations.
  • Manual Notifications from Tickets: The application sends manual notifications irrespective of the organization.
  • Approval Notifications: If the organization of the approver does not match the organization of the ticket, no approval notification is sent to the recipient.
  • Incoming Email Actions: The application creates new tickets from incoming emails. A mismatch between the organization of the ticket and that of the assigned contact or support group causes the auto-route to fail. In such a case, the ticket is assigned to the default support group.
    Note: While you configure the communication templates, ensure that the recipients specified in the template can view the ticket.

Searches

  • Defined Searches: The defined searches that are available out-of-the-box do not support organization-based security. To restrict search results according to organization-based security, modify the query: add a conditional EXISTS clause that, for non-administrators when the ENABLE_ORGANIZATION_BASED_ACCESS_CONTROL parameter is on, keeps only rows whose organization appears in the logged-in user's derived organization relations.

Example:

Old Query
SELECT <columns> FROM <table> [INNER JOIN <table having org Id>] WHERE <existing where clause>
${@eval.("${usercache.usergroup.is_user_an_administrator}".equals ("false") &&
"${syssliceconfig.enable_organization_based_access_control}".equalsIgnoreCase ("true"))?(AND EXISTS
(SELECT 1 FROM vorg_contact_group_derived_relations WHERE slice=<outer table alias>.slice AND org_id
=<outer table alias>.<outer table org id> AND user_id=${usercache.userprofile.user_id})):))eval}

Changed Query
SELECT row_id AS ''ID'', lvl1_name AS ''Company Name'', lvl2_name AS ''Site Name'', lvl3_name AS
''Building'', floor AS ''Floor'', suite AS ''Suite'', office_cube AS ''Office/Cube'', closet AS
''Closet'' FROM vorg_attrb_location v WITH(NOLOCK) WHERE slice=${usercache.userslice.active_slice}
${@eval.("${usercache.usergroup.is_user_an_administrator}".equals ("false")
&& "${syssliceconfig.enable_organization_based_access_control}".equalsIgnoreCase ("true"))?(AND
EXISTS (SELECT 1 FROM vorg_contact_group_derived_relations WHERE slice=v.slice AND org_id =
v.lvl1_id AND user_id=${usercache.userprofile.user_id})):))eval}

  • Personal Searches: The personal searches that the logged-in user configures for tickets and configuration items honor organization-based security.
  • Search Communication History: Analysts who have access to this option can view the records for tickets of their related organizations.

Reports, Dashboards, and Charts

Reports, Dashboards, and Charts display results for tickets, assets, and configuration items that belong to the organization of the logged-in user.

Knowledge Articles

Organization-based security does not control access to knowledge articles. After you enable organization-based security, the Related Items tab displays the assets, CIs, and organizations of the logged-in user.

Web Services

Web services users are related to an organization, site, and location. When you enable organization-based security, a web services user can view only the records of the related organization. The same applies to the ticket and CI records that web service calls return.

Record Configuration by Users Who Are Not Administrators

You can assign administrative permissions to analysts and support groups for the following actions:

  • Manage Contact
  • Manage Organization
  • Create Configuration Item

Organization-based security has the following implications for configuration by users who are not administrators:

Manage Organization

The Manage Organization list displays all organizations. The Location Information tab lists all Sites and Locations, irrespective of the organization of the analyst. The Contacts tab lists only those contacts that have the same organization as the logged-in user. When the user takes the Add Contacts action, the Name Search lookup displays contacts only from the related organization. The Groups lookup displays all support groups, irrespective of the organization of the logged-in user.

Manage Support Groups

The Manage Support Group list displays all support groups, irrespective of the organization of the logged-in user. The Location tab displays only those organizations that the logged-in user is related to. When a user takes the Add Location action, the Group Location lookup displays only the locations related to the logged-in user. The Members list displays all contacts related to the support group. When you add contacts to the support group, the Name Search lookup displays contacts only from the related organization.

The support group remains unaffected when the related organization is deleted.

Manage Contacts

The Contact list displays only those contacts that belong to the related organizations of the logged-in user. If a contact is related to multiple organizations, the application displays only the organizations related to the logged-in user. When you add a location to relate a contact to an organization, the lookup displays only the organizations related to the logged-in user. The Open Items and Related CI tabs display the tickets and CIs that belong to the organization of the user.

Discovery Configurations

Specify an organization while defining the discovery configuration. When discovery runs, all the assets that are discovered as a part of that configuration are related to the Organization provided on the discovery configuration.

Configuration Item

When you relate an organization to a CI in the Organization lookup, the lookup displays the organization of the user. The Name Search lookup displays only those contacts and support groups that are related to the organization.

The View Organization Tickets check box on the support group record is only functional for the self-service group. The application displays the Support Groups tab on the organization records. The application also displays the Location tab on the Support Group form irrespective of the organization-based security status.

Enable Organization-based Security

Follow these steps:

  1. Navigate to MANAGE > ADMINISTRATION > Tools > Configuration Parameters.
  2. Select the parameter ENABLE_ORGANIZATION_BASED_ACCESS_CONTROL of category System.
  3. Set the Parameter Value to Yes and click Apply Changes.
    Organization-based access control is enabled.

Organization Based Security Scenarios

Scenario: Implicit OBS for Self Service Users

In this scenario, users can view the tickets they requested and the other tickets within their organization or down its hierarchy. The following example describes how the default implicit control is implemented for Self-Service Users:

  • ABC Inc is the root level organization.
  • Bruce Adams is the Self-Service User who is directly related to the root level organization.
  • Head Quarters is the child organization under ABC Inc.
  • Cat Taylor and Colter Ames are the Self-Service Users related to the child organization.

Configurations:

  • Parameter Category = Self-Service Parameter Category
  • Parameter Name = SSU_VIEW_MY_REQUESTS_ONLY
  • Parameter Value = No

On the default support group Self-Service, select the View Organization Tickets option.

The table shows how the users related to each organization would view the tickets:

User          View Tickets of ABC Inc.   View Tickets of Head Quarters
Bruce Adams   Yes                        Yes
Cat Taylor    No                         Yes
Colter Ames   No                         Yes

Scenario: Specific OBS for Self-Service Users

In this scenario, we restrict what the user can view. The following example describes how to set up specific OBS for self-service users:

  • We have two organizations Royal Mail and Parcel Force.
  • Self-Service Users Lynn Parker and Mary Newburg are related to the Royal Mail organization.
  • Self-Service Users Jeff Hardy and Joe Smith are related to the Parcel Force organization.
  • Requirement:
    • Lynn Parker and Mary Newburg from Royal Mail would view the tickets that they have requested. Lynn Parker would not view the tickets reported by Mary Newburg.
    • Jeff Hardy and Joe Smith from Parcel Force would view the tickets that they have requested and the other tickets requested within the Parcel Force organization.

Configurations:

  • Lynn Parker and Mary Newburg are related to a support group Royal Mail SSU Group and the default group Self-Service.
  • Jeff Hardy and Joe Smith are related to a support group Parcel Force SSU Group and the default group Self-Service.
  • Parameter Category = Self-Service Parameter Category
  • Parameter Name = SSU_VIEW_MY_REQUESTS_ONLY
  • Parameter Value = No
  • On the default support group Self-Service, clear the selection for View Organization Tickets.
  • On the support group Royal Mail SSU Group, clear the selection for View Organization Tickets.
  • On the support group Parcel Force SSU Group, select the View Organization Tickets option.

The table shows how the users related to each organization would view the tickets:

User           View self-requested tickets   View other tickets in the same organization
Jeff Hardy     Yes                           Yes
Joe Smith      Yes                           Yes
Lynn Parker    Yes                           Yes
Mary Newburg   Yes                           No

Users can view the tickets in their organization from My Tickets.

Follow these steps:

  1. Navigate to Service Center and click My Tickets.
  2. Click Filter and select Show my organization's tickets.

Note: If this filter option is not available, users cannot view other tickets in their organization.

Scenario: OBS for Analysts – Direct Organization Relationships

This scenario describes the impact of OBS on Analysts who have a direct relationship with an organization.

  • Paul Martin is a member of the support group Parcel Force Support.
  • Paul Martin is also a member of the Parcel Force Organization.
  • Support group Parcel Force Support is directly related to Parcel Force Organization.

Configurations:

  • Parameter Category = System
  • Parameter Name = ENABLE_ORGANIZATION_BASED_ACCESS_CONTROL
  • Parameter Value = Yes

Result:

  • From Ticket Center, Paul Martin can view the tickets where the assigned_to_group on ticket is Parcel Force Support Group.
  • Paul Martin can run a Global Search for tickets that are related to the Parcel Force Organization, which means either the Requester on the ticket OR the Requested For on the ticket has the organization set to Parcel Force Organization.

Scenario: OBS for Analysts – Indirect Organization Relationships

This scenario describes the impact of OBS on Analysts who have an indirect relationship with organizations.

  • Sue Sponsor is directly related to organization Royal Mail.
  • Sue Sponsor is a member of Database Support Group.
  • The Database Support Group is in turn related to the Oscar Inc Organization, so Sue Sponsor is indirectly related to the Oscar Inc Organization.
  • Database Support Group is NOT related to Royal Mail Organization.

Sue Sponsor can do the following tasks:

  • From Ticket Center, view the tickets that are assigned to the Database Support Group.
  • View the tickets of the organizations to which the user is either directly or indirectly related.
  • Search for any tickets related to Royal Mail Organization and Oscar Inc. The global search will look for tickets where either Requester or Requested For has the organization set to Royal Mail Organization or Oscar Inc.

Summary:

  • From Ticket Center, Analysts can view tickets assigned to any of the Support Groups of which they are a member.
  • Analysts who are part of multiple organizations can see tickets for all the associated organizations.
  • Analysts cannot view the tickets assigned to Support Groups that they are not associated with.
  • Analysts related directly or indirectly to the Requester or Requested For Organization on the ticket, can do the following tasks:
    • Search for unlisted ticket by a keyword or ticket number.
    • Open and edit the ticket.
  • If the Requester Organization is different from the Requested For Organization on the ticket, and the Analyst is a member of either of those Organizations, then the ticket is accessible to the Analyst.
  • If an Analyst has access to a ticket but one of the contacts (either the Requester or the Requested For) does not belong to a related Organization, the contact details continue to be displayed on the ticket, but the user cannot view the contact record. The message "The Contact you are requesting does not exist or you are not permitted to access it" is displayed.
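The following Python/SQLite model is an added illustration of the analyst visibility rules in the two scenarios above and of the EXISTS filter used in the Defined Searches example; it is not Serviceaide code. The table names, the derived-relations view and the sample tickets are constructed here to mirror Paul Martin's and Sue Sponsor's relationships, and the `${...}` template placeholders are replaced by bound parameters.

```python
import sqlite3

# Constructed sample schema (not the product's): direct contact-organization
# links, support group membership, support group-organization links, tickets.
# vorg_contact_group_derived_relations is modelled as a view that unions the
# direct links with the links a user inherits through support groups.
SCHEMA = """
CREATE TABLE contact_org(user_id TEXT, org_id TEXT);
CREATE TABLE group_member(user_id TEXT, group_id TEXT);
CREATE TABLE group_org(group_id TEXT, org_id TEXT);
CREATE TABLE ticket(id INTEGER, requester_org TEXT, requested_for_org TEXT,
                    assigned_group TEXT);
CREATE VIEW vorg_contact_group_derived_relations AS
  SELECT user_id, org_id FROM contact_org
  UNION
  SELECT m.user_id, g.org_id FROM group_member m JOIN group_org g USING (group_id);
"""
# Constructed data following the scenarios: Paul Martin is directly and (via
# Parcel Force Support) indirectly related to Parcel Force; Sue Sponsor is
# directly related to Royal Mail and indirectly, via Database Support, to Oscar Inc.
DATA = """
INSERT INTO contact_org VALUES ('Paul Martin','Parcel Force'),('Sue Sponsor','Royal Mail');
INSERT INTO group_member VALUES ('Paul Martin','Parcel Force Support'),
                                ('Sue Sponsor','Database Support');
INSERT INTO group_org VALUES ('Parcel Force Support','Parcel Force'),
                             ('Database Support','Oscar Inc');
INSERT INTO ticket VALUES
  (1,'Parcel Force','Parcel Force','Parcel Force Support'),
  (2,'Royal Mail','Royal Mail','Parcel Force Support'),
  (3,'Oscar Inc','Acme','Database Support'),
  (4,'Acme','Acme','Database Support'),
  (5,'Acme','Acme','Network Support');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + DATA)
    return db

# Ticket Center: tickets assigned to any support group the analyst is a member of.
TICKET_CENTER = """SELECT t.id FROM ticket t WHERE EXISTS
  (SELECT 1 FROM group_member m WHERE m.group_id = t.assigned_group AND m.user_id = ?)"""

# Global Search: the Requester OR Requested For organization is one the analyst is
# directly or indirectly related to. Same shape as the defined-search EXISTS clause.
GLOBAL_SEARCH = """SELECT t.id FROM ticket t WHERE EXISTS
  (SELECT 1 FROM vorg_contact_group_derived_relations r
   WHERE r.user_id = ? AND r.org_id IN (t.requester_org, t.requested_for_org))"""

def visible(db, user, query, is_admin=False):
    # Administrators bypass OBS: the restricting clause is not applied at all.
    sql, args = ("SELECT id FROM ticket", ()) if is_admin else (query, (user,))
    return sorted(row[0] for row in db.execute(sql, args))
```

Ticket 2 shows the Ticket Center rule (Paul sees it because it is assigned to his group, although its organization is Royal Mail), ticket 3 shows a Requester/Requested For organization mismatch where membership in either organization suffices, and ticket 5 is invisible to both analysts because neither belongs to Network Support.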

© 2019 Serviceaide 1-650-206-8988 http://www.serviceaide.com info@serviceaide.com