Online Help | Desktop App

Understanding security roles

Updated in 2024.2

Security roles control the following aspects:

Management and administration permissions

A set of special management and administration permissions is granted to the Alloy Navigator Express administrators through role membership. The full list of the management and administration permissions follows:

  • Administrative Access: These permissions grant access to the desktop Settings App and web-based Admin Center and other administrative tools, such as the Import tool, the Automation Server Manager, and others.

  • Advanced Administrative Functions: These permissions control access to advanced administrative functions in Alloy Navigator Express:

    • Batch Update: Allows role members to perform identical changes in multiple records at once. For details, see Batch-updating fields in multiple records.

    • IMPORTANT: You must additionally grant the Modify permission on the objects that will be updated. Otherwise, users will be unable to perform the actual Batch Update.

    • Local Snippets Management: Allows role members to create, modify, and delete their personal snippets. For details, see Using snippets.

    • Shared Snippets Use: Allows role members to use shared snippets. Note that shared snippets are configured in the Settings App by an administrator. For details, see Managing shared snippets.

    • Add New Tags: Allows role members to create new tags from object detail forms and data views. For details, see Tagging.
  • View Management: These permissions control access to shared and local views, as well as the ability to share personal views and export grid data.

    • Shared View Management: Allows role members to create, modify, and delete shared data views, regardless of their ownership

  • Network Inventory: These permissions control access to the Network Inventory component of Alloy Navigator Express:

    • Administration: Grants full control to all Network Inventory functions and tools.

    • Audit Management: Allows role members to manage their own discovery, audit, and recalculation tasks using Network Inventory.

    • View: Grants access to Network Inventory and allows role members to browse and view audited computers and network devices.

User access permissions

You can assign security roles to grant technicians certain access permissions on Alloy Navigator Express objects. User access permissions are grouped by modules and then by object classes.

  • Create: Allows role members to create objects.

  • Delete: Allows role members to delete objects.

    NOTE: In order to enable a technician to delete Approval Requests, you must also grant the Modify permission on the approved objects.

  • Modify: Allows role members to modify objects.

    IMPORTANT: We recommend that all modifications of objects inAlloy Navigator Express2024 are always implemented through Actions. The Modify permission should be granted to administrators only who have a good understanding of how direct modifications may affect the system.

    NOTE: In order to enable a technician to modify Approval Requests, you must also grant the Modify permission on the approved objects.

    NOTE: Granting the Modify permission on Products will also enable a technician to create, modify, and delete Vendor Products.

  • View: Allows role members to browse and view objects. The View permission also controls the ability to view commands for accessing the module that house those objects and the reports. For example, technicians without the View permission on Tickets will see neither the link for accessing Tickets in the Sidebar nor the Tickets command in the Go menu in their Desktop App and Web App, will not be able to configure My Calendar to view Tickets.

    NOTE: Technicians without the View permission on Manufacturers and Network will still see the commands for accessing those objects in the Tools > Reference Tables menu because Manufacturers and Networks are not actually "objects" but reference tables. However, Alloy Navigator Express will not display Manufacturers and Network grids to those technicians.

    NOTE: Granting the View permission on Products will also enable a technician to view Vendor Products.

  • Service Desk > Ticket > Manage Activities - a special permission for Tickets. This permission allows role members to modify and delete Ticket activities.

  • Service Desk > Change Request> Manage Activities: A special permission for Change Requests. This permission allows role members to modify and delete Change Request activities.

  • Service Desk > Announcement > Announcement Management: A special permission for Announcements. The Announcement Management permission implicitly includes the Create, Delete, Modify, and View permissions for viewing and managing Announcements.

  • IT Assets > Consumable > Manage Rules: A special permission for Threshold Notification Rules (their lifecycle is not controlled through workflow). The Manage Rules access permission grants access to the Consumable Management module and implicitly includes the Create, Delete, Modify, and View permissions for viewing and managing Threshold Notification Rules.

Some special user access permissions are grouped under Miscellaneous:

  • Report: The Create, Delete, Modify, and View permissions on Reports allow role members to create, delete, modify reports and report folders, and view the list of reports and generate (run) reports.

    NOTE: In order to enable technicians to generate reports, you must additionally grant the View permission on objects contained in those reports (on Tickets, Computers, Consumables, etc.). Otherwise, these reports will be unavailable for users. For details on reports, see Reports.

  • Customer Satisfaction Rating: These permissions control access to rating information (star ratings and comments) for Tickets, collected from Self Service Portal customers.

    • View All Ratings: Allows role members to view ratings of all tickets.

    • View Own Ratings: Allows role members to view ratings only of their tickets, meaning where the role member is the Assignee.

  • Reference Tables: This is a special group for the Management permission for objects whose lifecycle is not controlled with workflow, i.e., Brands and Company Addresses. The Managementaccess permission implicitly includes View, Add, Modify, and Delete permissions for viewing and managing Brands and Company Addresses.

Availability of Actions

Usually, people involved in a business process have different roles that define what they can or can't do with an object. For example, you may want to design your Service Desk business process so that only the manager can assign and reassign Tickets.

When you configure a security role, you specify which actions will be available for the role members. Any action is available only to technicians who possess one of the roles that have this action assigned. This way, different actions can be made available to different technical teams or groups, depending on their tasks and responsibilities.