Understanding security roles

Updated in 8.7

Security roles enable you to control the following aspects:

Security roles can have a restricted access scope.

Management and administration permissions

A set of special management and administration permissions is granted to the Alloy Navigator administrators through role membership. The full list of the management and administration permissions follows:

  • Administrative Access - these permissions control the level of administrative access to the Settings App:

    • Basic Administrative Access - allows role members to log in to the Settings App and grants access to other administrative tools such as the Import tool, the Automation Server Manager, and others.

    • General, Security Management, Business Logic Management, etc. - control the level of access to the Settings App. Each permission corresponds to an individual section. The Settings App hides unavailable sections from the user.

  • Advanced Administrative Functions - these permissions control access to advanced administrative functions in Alloy Navigator:

    • Batch Update - allows role members to perform identical changes in multiple records at once. For details, see Batch-updating fields in multiple records.

      IMPORTANT: You must additionally grant the Modify permission on the objects that will be updated. Otherwise, users will be unable to perform the actual Batch Update.

    • Recurrent Ticket Management - grants access to the Recurrent Tickets feature. With this permission, users can set up auto-creation of Service Desk Tickets based on a schedule.

    • Sharing Local Views - allows role members to create shared copies of their local views.

    • Local View Management - allows role members to create, modify, and delete local data views.

    • Export Views - allows role members to export data from views. For details, see Exporting grid data.

    • Local Dashboard Customization - allows role members to locally customize dashboards. Note that dashboard customization is available only in the Desktop App. For details, see Customizing dashboards.

    • Local Snippets Management - allows role members to create, modify, and delete their personal snippets. For details, see Using snippets.

    • Shared Snippets Use - allows role members to use shared snippets. Note that shared snippets are configured in the Settings App by an administrator. For details, see Managing shared snippets.

User access permissions

You can assign security roles to grant technicians certain access permissions on Alloy Navigator objects. User access permissions are grouped by modules and then by object classes.

  • Delete - allows role members to delete objects.

    NOTE: In order to enable a technician to delete Approval Stages and Approval Requests, you must also grant the Modify permission on the approved objects.

  • Modify - allows role members to modify objects.

    IMPORTANT: We recommend that all modifications of objects in Alloy Navigator 8 always be implemented through Actions. The Modify permission should be granted only to administrators who have a good understanding of how direct modifications may affect the system.

    NOTE: In order to enable a technician to modify Approval Stages and Approval Requests, you must also grant the Modify permission on the approved objects.

    NOTE: Granting the Modify permission on Products will also enable a technician to create, modify, and delete Vendor Products.

  • View - allows role members to browse and view objects. The View permission also controls the ability to view commands for accessing the modules that house those objects and the reports. For example, technicians without the View permission on Incidents will see neither the link for accessing Incidents in the Sidebar nor the Incidents command in the Go menu in their Desktop App and Web App, and will not be able to configure My Calendar to view Incidents.

    NOTE: In order to enable a technician to view Approval Stages and Approval Requests, you must also grant the View permission on the approved objects.

    NOTE: Technicians without the View permission on Brands and Company Addresses will still see the commands for accessing those objects in the Tools > Reference Tables menu because Brands and Company Addresses are not actually "objects" but reference tables. However, Alloy Navigator will not display Brands and Company Addresses grids to those technicians.

    NOTE: Granting the View permission on Products will also enable a technician to view Vendor Products.

  • Manage Activities - allows role members to modify and delete activity records for a particular object class.

    NOTE: This permission allows role members to modify and delete only activities whose category is not set to read-only.

  • Management - a special permission for Stock Rooms (objects whose lifecycle is not controlled with workflow). The Management access permission implicitly includes View, Add, Modify, and Delete permissions for viewing and managing Stock Rooms.

Some special user access permissions are grouped under Miscellaneous:

  • Report - the Create, Delete, Modify, and View permissions on Reports allow role members to create, delete, and modify reports and report folders, view the list of reports, and generate (run) reports.

    NOTE: In order to enable technicians to generate reports, you must additionally grant the View permission on objects contained in those reports (on Incidents, Computers, Consumables, etc.). Otherwise, these reports will be unavailable for users. For details on reports, see Reports.

  • Announcement - the Management permission for Announcements includes View, Add, Modify, and Delete permissions for viewing and managing Announcements.

  • Customer Satisfaction Rating - these permissions control access to rating information for Incidents and Service Requests, collected from Self Service Portal customers. Two different permissions (View All Ratings and View Own Ratings) allow role members to view collected star ratings and comments for all Tickets or only for their own Tickets, that is, Tickets where the role member is the Assignee.

  • Reference Tables - this is a special group for the Management permission for objects whose lifecycle is not controlled with workflow, i.e. Brands and Company Addresses. The Management access permission implicitly includes View, Add, Modify, and Delete permissions for viewing and managing Brands and Company Addresses.

Availability of workflow Actions

Security roles allow you to control the availability of workflow Actions to technicians. Any Action is available only to technicians who possess one of the roles assigned to that Action. This way, different Actions can be made available to different technical teams or groups, depending on their tasks and responsibilities.

Shared view access

You can share a data view with all members of the security roles to which the view is assigned.

Access scope

If you want a role to grant its members access to only a limited scope of Alloy Navigator objects, you can restrict a role's access scope by organizations or by data segments. This means that for each role you can specify a list of organizations or data segments for which the role will apply.

Security roles with a restricted access scope apply only to objects (such as Computers, Purchase Orders, Tickets) that belong to certain organizations and/or data segments, based on the values of the Organization and Data Segment fields of those objects.
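
The following added example (not Alloy Navigator code, schema, or API) models three rules from this page for reviewing a role design: Management implies View, Add, Modify, and Delete; Batch Update is effective only together with Modify on the target objects; and a restricted access scope limits a role to matching objects. The role and object dictionaries, their field layout, and the names used are constructed for illustration, and the treatment of combined Organization and Data Segment restrictions is an assumption.

```python
# Constructed model of the rules on this page; not Alloy Navigator's schema or API.
IMPLIED = {"Management": {"View", "Add", "Modify", "Delete"}}

def in_scope(role, obj):
    # Assumption: a missing scope entry means unrestricted; every restriction set must match.
    scope = role.get("scope", {})
    return all(obj.get(field) in allowed for field, allowed in scope.items())

def granted(role, obj_class):
    # Permissions on an object class, with Management expanded to what it implies.
    perms = set(role["access"].get(obj_class, ()))
    for perm in list(perms):
        perms |= IMPLIED.get(perm, set())
    return perms

def can(roles, permission, obj):
    # A technician holds the permission if any in-scope role grants it.
    return any(in_scope(r, obj) and permission in granted(r, obj["class"]) for r in roles)

def can_batch_update(roles, obj):
    # Batch Update alone is not enough: Modify on the target object is also required.
    # Assumption: the Batch Update permission itself is not scope-checked here.
    return any("Batch Update" in r["admin"] for r in roles) and can(roles, "Modify", obj)

def audit(role):
    # Review findings for a single role definition.
    findings = []
    if "Batch Update" in role["admin"] and not any(
            "Modify" in granted(role, c) for c in role["access"]):
        findings.append("Batch Update without Modify on any object class")
    for obj_class, perms in sorted(role["access"].items()):
        if "Modify" in perms:  # explicit grant, not one implied by Management
            findings.append(f"Direct Modify on {obj_class}: review, prefer Actions")
    return findings

# Constructed sample roles and objects
SERVICE_DESK = {"name": "Service Desk EU", "admin": {"Batch Update"},
                "access": {"Incidents": {"View"}},
                "scope": {"Organization": {"EU Office"}}}
STOCK = {"name": "Stock Keepers EU", "admin": set(),
         "access": {"Stock Rooms": {"Management"}, "Computers": {"View", "Modify"}},
         "scope": {"Organization": {"EU Office"}}}
PC_EU = {"class": "Computers", "Organization": "EU Office", "Data Segment": "Assets"}
PC_US = {"class": "Computers", "Organization": "US Office", "Data Segment": "Assets"}
ROOM_EU = {"class": "Stock Rooms", "Organization": "EU Office"}

if __name__ == "__main__":
    for role in (SERVICE_DESK, STOCK):
        print(role["name"], audit(role))
    print(can_batch_update([SERVICE_DESK, STOCK], PC_EU))
```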