Understanding security roles

Updated in 8.3

Security roles enable you to control the following aspects:

Management and administration permissions

A set of special management and administration permissions is granted to the Alloy Navigator Express administrators through role membership. The full list of the management and administration permissions follows:

  • Administrative Access - these permissions grant access to the Settings App and other administrative tools such as the Import tool, the Automation Server Manager, and others.

  • Advanced Administrative Functions - these permissions control access to advanced administrative functions in Alloy Navigator Express:

    • Batch Update - allows role members to perform identical changes in multiple records at once. For details, see Batch-updating fields in multiple records.

      IMPORTANT: You must additionally grant the Modify permission on the objects that will be updated. Otherwise, users will be unable to perform the actual Batch Update.

    • Shared View Management - allows role members to create, modify, and delete shared data views.

    • Export Views - allows role members to export data from views. For details, see Exporting grid data.

    • Local Snippets Management - allows role members to create, modify, and delete their personal snippets. For details, see Using snippets.

    • Shared Snippets Use - allows role members to use shared snippets. Note that shared snippets are configured in the Settings App by an administrator. For details, see Managing shared snippets.

  • Network Inventory - these permissions control access to the Network Inventory component of Alloy Navigator Express:

    • Administration - grants full control to all Network Inventory functions and tools.

    • Audit Management - allows role members to manage their own discovery, audit, and recalculation tasks using Network Inventory.

    • View - grants access to Network Inventory and allows role members to browse and view audited computers and network devices.

User access permissions

You can assign security roles to grant technicians certain access permissions on Alloy Navigator Express objects. User access permissions are grouped by modules and then by object classes.

  • Create - allows role members to create objects.

  • Delete - allows role members to delete objects.

    NOTE: In order to enable a technician to delete Approval Requests, you must also grant the Modify permission on the approved objects.

  • Modify - allows role members to modify objects.

    IMPORTANT: We recommend that all modifications of objects in Alloy Navigator Express 8 are always implemented through Actions. The Modify permission should be granted only to administrators who have a good understanding of how direct modifications may affect the system.

    NOTE: In order to enable a technician to modify Approval Requests, you must also grant the Modify permission on the approved objects.

    NOTE: Granting the Modify permission on Products will also enable a technician to create, modify, and delete Vendor Products.

  • View - allows role members to browse and view objects. The View permission also controls the ability to view commands for accessing the module that houses those objects and the reports. For example, technicians without the View permission on Tickets will see neither the link for accessing Tickets in the Sidebar nor the Tickets command in the Go menu in their Desktop App and Web App, and will not be able to configure My Calendar to view Tickets.

    NOTE: Technicians without the View permission on Manufacturers and Network will still see the commands for accessing those objects in the Tools > Reference Tables menu because Manufacturers and Networks are not actually "objects" but reference tables. However, Alloy Navigator Express will not display Manufacturers and Network grids to those technicians.

    NOTE: Granting the View permission on Products will also enable a technician to view Vendor Products.

  • Service Desk > Ticket > Manage Activities - a special permission for Tickets. This permission allows role members to modify and delete Ticket activities.

  • Service Desk > Change Request > Manage Activities - a special permission for Change Requests. This permission allows role members to modify and delete Change Request activities.

  • Service Desk > Announcement > Announcement Management - a special permission for Announcements. The Announcement Management permission implicitly includes the Create, Delete, Modify, and View permissions for viewing and managing Announcements.

  • IT Assets > Consumable > Manage Rules - a special permission for Threshold Notification Rules (their lifecycle is not controlled through workflow). The Manage Rules access permission grants access to the Consumable Management module and implicitly includes the Create, Delete, Modify, and View permissions for viewing and managing Threshold Notification Rules.

Some special user access permissions are grouped under Miscellaneous:

  • Report - the Create, Delete, Modify, and View permissions on Reports allow role members to create, delete, and modify reports and report folders, view the list of reports, and generate (run) reports.

    NOTE: In order to enable technicians to generate reports, you must additionally grant the View permission on objects contained in those reports (on Tickets, Computers, Consumables, etc.). Otherwise, these reports will be unavailable for users. For details on reports, see Reports.

  • Customer Satisfaction Rating - controls access to rating information for Tickets, collected from Self Service Portal customers. Two different permissions (View All Ratings and View Own Ratings) allow role members to view collected star ratings and comments for all Tickets or only for their own Tickets, meaning where the role member is the Assignee.

  • Reference Tables - this is a special group for the Management permission for objects whose lifecycle is not controlled with workflow, i.e. Brands and Company Addresses. The Management access permission implicitly includes View, Add, Modify, and Delete permissions for viewing and managing Brands and Company Addresses.
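
The dependencies and implicit grants described above can be checked when reviewing a role for least privilege. The following is an added example, not Alloy Navigator Express code or an export format. It assumes the role has been transcribed by hand into a dictionary; the class labels, the "admin" flag, the report-to-object table and the list of approved classes are hypothetical inputs.

```python
# Implicit grants stated on this page: (class, permission) -> extra grants.
CRUD = ("Create", "Delete", "Modify", "View")
IMPLIES = {
    ("Product", "Modify"): [("Vendor Product", p) for p in ("Create", "Modify", "Delete")],
    ("Product", "View"): [("Vendor Product", "View")],
    ("Announcement", "Announcement Management"): [("Announcement", p) for p in CRUD],
    ("Consumable", "Manage Rules"): [("Threshold Notification Rule", p) for p in CRUD],
}

def explicit(role):
    return {(c, p) for c, perms in role["access"].items() for p in perms}

def effective(role):
    """Explicit object grants plus the implicit ones they carry."""
    grants = explicit(role)
    for g in list(grants):
        grants.update(IMPLIES.get(g, []))
    return grants

def audit(role, report_objects, approved_classes):
    """Findings: grants that cannot work alone, or that widen access quietly."""
    eff = effective(role)
    out = [f"implicit: {p} on {c}" for c, p in sorted(eff - explicit(role))]
    modify = sorted(c for c, p in eff if p == "Modify")
    # Batch Update only works on objects the role may also Modify.
    if "Batch Update" in role["management"] and not modify:
        out.append("ineffective: Batch Update without Modify on any object")
    # Running a report needs View on every object class it contains.
    if ("Report", "View") in eff:
        for name, classes in sorted(report_objects.items()):
            missing = [c for c in classes if (c, "View") not in eff]
            if missing:
                out.append(f"ineffective: report '{name}' needs View on {', '.join(missing)}")
    # Modifying or deleting Approval Requests needs Modify on the approved objects.
    if {("Approval Request", "Modify"), ("Approval Request", "Delete")} & eff:
        out += [f"ineffective: Approval Request changes need Modify on {c}"
                for c in approved_classes if (c, "Modify") not in eff]
    # The page recommends Modify for administrators only.
    if modify and not role["admin"]:
        out.append(f"review: non-admin role holds Modify on {', '.join(modify)}")
    return out

# Constructed sample data (hypothetical role, reports and approved classes).
HELPDESK = {"name": "Helpdesk", "admin": False, "management": {"Batch Update"},
            "access": {"Ticket": {"View", "Create"}, "Product": {"View"},
                       "Report": {"View"}, "Approval Request": {"Delete"}}}
REPORTS = {"Open Tickets": ["Ticket"], "Computers by Site": ["Computer"]}
APPROVED = ["Change Request"]

if __name__ == "__main__":
    print("\n".join(audit(HELPDESK, REPORTS, APPROVED)))
```
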

Availability of Actions

Usually, people involved in a business process have different roles that define what they can or can't do with an object. For example, you may want to design your Service Desk business process so that only the manager can assign and reassign Tickets.

When you configure a security role, you specify which actions will be available for the role members. Any action is available only to technicians who possess one of the roles that have this action assigned. This way, different actions can be made available to different technical teams or groups, depending on their tasks and responsibilities.

Shared view access

You can share a data view with all members of the security roles to which the view is assigned.