5 - SM7 IE Class Slides, Module 5 SysAdmin as of 10-28

8/2/2019 5 - SM7 IE Class Slides, Module 5 SysAdmin as of 10-28

1/50

M7.00 I.E.


2/50

When implementing Service Manager, you must define a users profile foreach Service Manager application based on the users functions andresponsibilities in your organization. A users role determines what type ofuser profiles are assigned. By assigning a user role in an operator record,you can determine the user's access and privileges within different Service

Manager applications. User roles range from a basic user with limitedaccess, to a system administrator with full access.

M7.00 I.E.


3/50

Levels of Security

Security in Service Manager can be set on multiple layers. The three mainlevels consist of:

System Access

The System Information Definition record, also called the SystemInformation record, identifies system wide settings and defaults in theoperator record. The operator record identifies the logon name andpassword required to access Service Manager.

Application Access

The operator record identifies the initial menu and capability words for theuser to access specific applications and utilities in Service Manager.

Functional Access

The profile identifies the functionality available to the user within anapplication.

Security in Service Manager can be compared to a gated community of aneighborhood.

1st level, Gated Community (Service Manager)

The 2nd level, Getting into the house (system access)

The 3rd level, What room can I see? (module access)

The 4th level, Getting the beer out of the fridge (functional

access)

M7.00 I.E.


4/50

M7.00 I.E.


5/50

When implementing Service Manager, one record defines the overallcharacteristics and settings of the system. The System InformationDefinition record sets default values that are used by all users. Someoptions may be redefined in an individuals operator record. Within theSystem Information Definition record, defaults include setting password

requirements and composition, default time zone, active integrations, andothers.

M7.00 I.E.


6/50

The System Information record enables system administrators to:

Set the menu title.

Set user lockout and account expiration conditions.

Set password reset, format, and lifetime restrictions.

Enable password history.

Set the time zone and date and month format the system uses

Set the default language and currency the system uses.

Set the maximum size for a file attachment, and the maximum memoryall file attachments can use.

Enable/disable case sensitivity.

Set the maximum time allowed for queries.

The System Information record settings are those that apply across allapplications on the server. Some settings can be overridden by profilesettings, but the system wide defaults are defined in the SID.

M7.00 I.E.


7/50

The Login Info tab defines general login information, user lockouts, andaccount expirations of Service Manager. You can use this tab to set thesynchronization between the contacts records and the operator records andthe default operator template for LDAP users.

Note: To switch the case mode, go to the Options menu, and select SetCase Insensitive (or Set Case Sensitive, if you are already running in CaseInsensitive mode).

M7.00 I.E.


8/50

The Password Standards tab enables the password reset function. Optionsinclude resetting passwords by user name, prompting for a value or using aspecific value. This temporary password allows the user into the system onlyto be prompted to change the temporary password to a user definedpassword. The ability to store a history of passwords (and optionally prevent

re-use) is also contained within the tab.

The Password Composition tab enables you to set the minimum andmaximum password lengths and defines which characters are permitted in apassword, as well as allowing you to require certain types of characters in apassword (strong password standards). Selecting Always Require aPassword will enforce passwords for every user in the system, while leavingit unselected will allow the ability for users to have blank passwords.

The Password Lifetime tab defines the expiration period of passwords,

whether it be a time period, or a certain number of logins. You can choose tonotify users by e-mail whenever their passwords are changed.

M7.00 I.E.


9/50

The General tab defines multiple functions of Service Manager. You can usethis tab to run the multi-company mode, view the case mode (CaseSensitive or Case Insensitive), initiate adaptive learning for the ServiceManager Knowledge Base, and more.

Note: To switch the case mode, go to the Options menu, and select SetCase Insensitive (or Set Case Sensitive, if you are already running in CaseInsensitive mode).

M7.00 I.E.


10/50

M7.00 I.E.


11/50

User Quick Add Utility enable system administrators to add users from onecentral place.

M7.00 I.E.


12/50

A Power User can access Service Manager either through a Windows or Webclient. A Power User is usually someone who needs perform administrative duties,such as a System Administrator or Helpdesk person. A Power User consumes alicense upon logging into the system unless accessing the system through theEmployee Self Service (ESS) portal.

For example, a Self Service Power User has two ways to access the Service Desk.The access method depends on the task to complete:

They have a Service Desk profile that enables them to log on to ServiceDesk (or other Service Manager applications) using the Windows clientconnection dialog or any valid Web client URL to view, add, update, ordelete records. For example, Bob Helpdesk has a Service Desk profile thatenables him to take service requests and provide services to a usercommunity.

They have a self service profile that enables them to initiate service requests

through a self service URL. For example, Bob can use this feature torequest services for himself.

A Self Service User has a regular Service Desk profile that enables them to log onto Service Desk only through a self service Web client URL. A self service usernever consumes a Service Desk license when logged on because access is limitedto only the user's requests for service.

M7.00 I.E.


13/50

M7.00 I.E.


14/50

The User Quick Add Utility enables administrators to add an operatorrecord and specify the access rights to applications within Service Manager.This utility creates a new operator record by guiding you through a series ofprompts that request information. Within this utility, you can also create anew contact record for the operator. In addition, all application tabs provide

access to profiles, groups, and environment configuration forms.

M7.00 I.E.


15/50

M7.00 I.E.


16/50


17/50

Administration and creation of operator records can be done within the UserQuick Add Utility. Service Manager includes several predefined operatorrecords that you can use as templates to create your own operators.

M7.00 I.E.


18/50

M7.00 I.E.


19/50

The General tab enables you to specify the logon name, language, profiles,and other general information. In addition, you can change the role andprofiles of an operator for individual Service Manager applications.

Each operator must be associated with a contact record. This association istracked through the Contact ID field on the operator record.

Login Name The name used to log in to Service Manager. This will bereferenced in the Connections from a client.

Contact ID the contact record associated with the operator.

Date Information Sets the time zone of the user, and the date format usedfor the user.

Application Profiles Sets the user role and/or any application profiles.

M7.00 I.E.


20/50

The Options menu allows system administrators to reset passwords andreinstate locked-out users.

M7.00 I.E.


21/50

The Security tab enables you to view information regarding a users sessionand set parameters including password, locking, and LDAP.

M7.00 I.E.


22/50

The Startup tab defines the initial RAD application and the capability wordsto access to Service Manager applications and utilities.

RAD Name the name of the RAD application to be run when the user

initially logs on. Typically, this is menu.manager, in order to display an initialmenu to the user.

Activate Command Line on Startup If checked, the EmbeddedCommand Line will be available to the user (Best Practice: Limit commandline access to System Administrators only). If unchecked, the command linewill not be available.

Parameter Names/Parameter Values The name(s) and the correspondingvalue(s) of parameter(s) to be passed to the RAD application referenced inthe RAD Name field.

Execute Capabilities The list of capability words associated with the

user.

M7.00 I.E.


23/50

Capability words provide a security mechanism to control access to ServiceManager applications by enabling or disabling parts of the interface. You canadd capability words to a user role or individual operator to control access toService Manager. In some cases, capability words are redundant to theprivileges and views that are provided by application profiles. In cases where

capability words and application profiles overlap, Service Manager uses themost restrictive set of permissions.

Service Manager stores capability words in the capability table. You canaccess the capability table from User Quick Add Utility or from an operatorrecord (using Find).

M7.00 I.E.


24/50

M7.00 I.E.


25/50

To have access to SD functionality, users must have at least one of theabove capability words in their operator record.

M7.00 I.E.


26/50

To have access to IM functionality, users must have at least one of the abovecapability words in their operator record.

M7.00 I.E.


27/50

To add a new capability word:

1. Type the word in the Capability field.

2. Enter a significant description.

3. Click Add to complete the record.

Service Manager 6.1 and later releases organize capability words into apermission hierarchy. To limit access, choose a subordinate capability word;to grant a broad range of permissions, choose a parent capability word, suchas SQLAdmin or SysAdmin. If you assign a parent capability word to a useror user profile, Service Manager automatically assigns the subordinatecapability words. In the above example, the incident managementcapability word has IncidentAdmin as its parent capability word.IncidentAdmin, in turn, has SysAdmin as its parent capability word. So, ifa user has SysAdmin capability, they automatically have IncidentAdmin

and incident management capabilities, as well as others.

Best Practice: Do not modify or delete the existing capability words. Toprovide additional security on menus, forms, and profiles, words can beadded and referenced by using functions and conditional expressions.

M7.00 I.E.


28/50

M7.00 I.E.


29/50

M7.00 I.E.


30/50

Profile records grant specific rights and privileges within a specific application(such as Service Desk or Incident Management) to Service Manageroperators. Multiple operators can use a single profile record, which definesjob-specific privileges.

Enhancing job-specific privileges is done using roles. You can set up a userrole, which contains a set of application-specific profiles and capabilitywords, to be referenced within a specific operator record.

Best Practice: Roles is the preferred method of granting rights andprivileges within the Service Manager system.

M7.00 I.E.


31/50

Application profiles are security settings that determine which features (suchas Find, Fill, Update, or Add) a user can access from a particular ServiceManager application. Each of the Service Manager applications has a set ofapplication profiles that determine which features a user can see. Anapplication profile defines the access settings that a particular business

function or role has to the application. Typically, system administrators assignapplication profiles as part of user roles, but the administrator can alsoassign an individual application profile that overrides the default settings of auser role. The above table shows applications and the tables that store theprofiles specific to each application. Once established, a profile can beassociated with one or more users by setting the operator record(s) to usethe proper profile.

Example: A user may needs to update records in Configuration Managementbut not in Change Management. Therefore, in Configuration Management,the user would be assigned a profile which would define the update privilege

to betrue,

but the user would also be assigned a profile in ChangeManagement would define the update privilege to be false.

M7.00 I.E.


32/50

M7.00 I.E.


33/50

Each applications profile has a different set of settings and configurations.Most settings involve granting or denying permission to certain actions andutilities within the application. However, some settings determine whichforms appear at different times within the application.

The above example defines a Service Desk Profile called HELPDESKTECH. Users with this profile in their operator record (under Service Profile)will be able to Browse, Open, Update, Close, and Print records withinService Desk (interactions). They will be able to use Find, Fill, andAdvanced Search, but will not be able to create personal Inboxes, use theCount function, or invoke alternate Views of Service Desk forms. They willnot be added to any Service Catalog Approval groups.

M7.00 I.E.


34/50

User Profile

A user profile is a selection of rights and restrictions that aid in a usersfunctionality within Service Manager applications. Profiles can be used in agroup, where everyone has the same rights and privileges, or profiles thatare specific to one user.

Default Profile

Each application is delivered with a profile record named DEFAULT. Theenvironment record allows access to the application without a specific userprofile reference. When this occurs, the DEFAULT profile is used.

When a user attempts to access one of the Service Managerapplications, the system performs the following steps to determine

which profile should be used:The system retrieves the user profile name from the operator record, thenaccesses the profile record for the application.

1. If the system cannot find a user profile, the system uses the DEFAULTprofile.

2. If you deny the ability to access an application without a profile, a userprofile must be defined to access to the application (i.e., the DEFAULTprofile will not be used unless specifically invoked in the operatorrecord).

M7.00 I.E.


35/50

A user role is a template that combines a collection of application profilesand capability words into a single record. Service Manager has out-of-boxuser roles with appropriate capability words and application profiles thatdefine a variety of business functions. By defining user roles, a systemadministrator can grant an operator all the capability words and applicationprofiles to do their job.

Roles also contain information about whether or not users accessing the rolealso have access to the Embedded Command Line. Roles also candetermine which application runs when the user initially logs in, and thus candetermine the structure of the users System Navigator.

To access user roles, use one of the following methods:

1) From the System Navigator, expand Menu Navigation.

2) Select Utilities > Administration > Security > User Quick Add Utility.

3) Double-click User Role.

OR1) From the User Quick Add Utility menu:

2) Select Utilities > Administration > Security > User Quick Add Utility> User and Contact Utilities > Search for User Roles.

OR

1) At the Database Manager prompt, type userrolein the File field

2) Click Search.

Important: When a user role is updated, it does not automatically updateoperator records using the role. You must access the operator records and

Fill again from the User Role field.

M7.00 I.E.


36/50

M7.00 I.E.


37/50

M7.00 I.E.


38/50

A system administrator can specify what functions an IM user (or a group ofusers) can access, as well as other IM security features and functionsettings. Incident Management (IM) has an extensive environment thatcontrols its functionality.

M7.00 I.E.


39/50

Each application has an Environment record, which defines options thateffect the functionality of an application for all users. Some of the typicaloptions stored in this record include:

The relationship model

Access rights

A default category

M7.00 I.E.


40/50

To access the SD Environment record:

From the Service Desk menu Security Files > Environment tab.

From the System Navigator Menu Navigation > Utilities >

Administration > Security > User Quick Add Utility > Service DeskEnvironment.

Some Environment options are:

Allow Access Without Operator Record? When unchecked, userswithout a specific SD profile in their operator record will be unable to accessSD. When checked, users without a profile will be allowed access to SDusing the DEFAULT SD profiles settings.

Delay Assigning Interaction ID? When selected, this check box signalsthe system to assign an interaction ID only after a save action is attempted.

Return to Blank Interaction? When selected, this check box prompts thesystem to return to a blank interaction form after the creation of aninteraction.

The three Post back Link fields show the link record that controls what isposted back to the interaction record after a related Incident, Change, orRequest ticket is closed.

The Environment record also determines which SD Record RelationshipModel is followed to manage closure of interactions in relation to otherapplications.

M7.00 I.E.


41/50

The IM Environment Record determines the overall settings for the IMmodule.

To access the Incident Management Environment record:

From the Incident Management menu:

Security Files > Environment tab.

From the System Navigator:

Menu Navigation > System Administration > Ongoing Administration >Environment Records > Incident Management Environment.

Some of the most frequently used settings of the IM Environment are:

Use Paging? - Adds a new record to the problem table each time a ticketis updated.

Use Journalled Updates? - Makes any information entered in the Actions

tab a permanent part of the record that cannot be deleted. Most to Least Recent Lists updates to the record chronologically

beginning with the most recent.

Least to Most Recent Lists updates to the record chronologicallybeginning with the least recent.

Use Resolved Status? - Activates the two-step closure process in IM.

M7.00 I.E.


42/50

The closure model for Incident Management is determined by the UseResolved Status? setting in the IM Environment record. When UseResolved Status? is checked, the Two-Step Closure Model is in use, andwhen it is unchecked, the Single-Step Closure Model is in effect.

The ability to Resolve or Close within the Two-Step model is regulated bythe IM Profile record of the user in question.

M7.00 I.E.


43/50

M7.00 I.E.


44/50

An organization has employees whose roles and responsibilities vary inService Desk (SD). A system administrator can specify what functions an SDuser or a group of users can access, security features, and global functionsettings.

M7.00 I.E.


45/50

Risk: Many folders may create administrative burdens.

M7.00 I.E.


46/50

--You must log out and back on to Service Manager after updating the EnableFolder Entitlement setting.

M7.00 I.E.


47/50

Walk-through the different access defined under the Helpdesk Tech &Reviewer Service Desk Profiles

--the Helpdesk Tech profile has full rights to view, add, update, and delete in eachFolder.

--the Reviewer profile grants limited rights, allowing no access to the ACME folder,only View access to the HP & GENRICOM folders, and update access to theDEFAULT folder only for tickets assigned to the user.

M7.00 I.E.


48/50

M7.00 I.E.


49/50

M7.00 I.E.


50/50

5 - SM7 IE Class Slides, Module 5 SysAdmin as of 10-28

Documents