This documentation is archived and is not being maintained.

About User Roles

Updated: December 1, 2010

Applies To: System Center Service Manager 2010 SP1

At your company, some employees are responsible for supporting hardware such as portable computers and servers. Some of the employees are allowed to create and update Configuration Items (CI) but not delete them, whereas others are allowed to create, update, and delete CIs.

In Service Manager, the security rights that allow users to access or update information are defined in a user role profile. A user role profile is a named collection of access rights and usually corresponds to employees’ business responsibilities. Each user role profile controls access to such artifacts as knowledge articles, work items (incidents, change requests), authoring, administration, and other credentials. Think of user role profiles as defining what you are allowed to do.

In the future, managers at your company may decide to separate the group of employees who maintain CIs in two groups: those who handle CIs for desktop computers and those who handle CIs for portable computers. They want to retain these two user role profiles, one that can create and edit, but not delete CIs, and another that can create, edit, and delete CIs. You would define these user role profiles with different scopes, one for desktops and one for portable computers. If user role profiles define what you are allowed to do, think of scopes as defining what items that you are allowed to modify. The combination of a user role profile and a scope is called a user role.

Understanding User Roles in Service Manager

In Service Manager, when you click Administration, expand Security, and then click User Roles, a User Roles pane displays a list of user roles. Each of these user roles has been configured with a user role profile and an undefined scope. Since the scope is undefined for these user roles; they can exercise their user profiles on all management pack, queues, groups, tasks, views, and form templates. The following table lists the default user roles, their associated user role profiles, and scope.

 

User Role User Role Profile Scope

Service Manager Activity Implementers

Activity Implementers

Global

Service Manager Administrators

Administrators

Global

Service Manager Advanced Operators

Advanced Operators

Global

Service Manager Change Initiators

Change Initiators

Global

Service Manager End Users

End Users

Global

Service Manager Read-Only Operators

Read-Only Operators

Global

Service Manager Authors

Authors

Global

Service Manager Problem Analysts

Problem Analysts

Global

Service Manager Workflows

Workflows

Global

Service Manager Incident Resolvers

Incident Resolvers

Global

System Center Change Managers

Change Managers

Global

Service Manager Report Users*

Report Users

Global

Release Manager

Activity Designer

noteNote
The Service Manager Report Users user role is only available after you register with the Service Manager data warehouse and after the Data Warehouse navigation button is available. To view the Service Manager Report Users user role, click Data Warehouse, expand Security, and then click User Roles.

Example

For example, you want to define one security access that allows users to create and edit, but not delete CIs, and another security access that allows users to create, edit, and delete CIs. Appendix A, at the end of this guide, lists the user role profiles and their associated artifacts. The following table shows user role profiles as they relate to configuration items.

 

User Role Profile Create Configuration Items Update Configuration Items Delete Configuration Items

Report User

No

No

No

End Users

No

No

No

Read-Only Operators

No

No

No

Activity Implementers

No

No

No

Change Initiators

No

No

No

Incident Resolvers

No

No

No

Problem Analysts

No

No

No

Change Manager

No

No

No

Advanced Operators

Yes

Yes

No

Authors

Yes

Yes

Yes

Workflows

Yes

Yes

No

Administrators

Yes

Yes

Yes

Using the table above, you can see that the Advanced Operators user role profile can create and update, but not delete CIs. The Authors user role profile can create, update, and delete CIs. These are the two user role profiles you use to set up asset management at your company. The members of the asset management team who are allowed to create and update, but not delete CIs, are made members of the predefined Service Manager Advanced Operators profile. The members of the asset management team who are allowed to create, edit, and delete CIs are made members of the predefined Authors profile.

As a best practice, assume members of the asset management team might change. You create two groups in Active Directory and make those groups a member of the Advanced Operators and Authors profiles. Then as members change, users are added and removed from the group in Active Directory and no changes have to be made in Service Manager.

In the future, if you break the asset management team into two groups, one for desktops and the other for laptops, create your own user role by using the same user role profiles, but with different scopes.

Why Some User Roles Cannot Be Created

When creating a user role, notice that four user roles are not listed: Administrator, End Users, Report User, and Workflows. These four user roles are created and populated during setup and, generally speaking, these user roles are used by Service Manager. The following sections describe each of these user roles.

Administrator

The Administrator user role is global in scope; therefore, there is no reason for creating another user role of this type.

End Users

By default, the End Users user role contains a list of all authenticated users, and similar to the Administrator user role, there is no reason for creating additional user roles like this.

Report User

The Report User user role has one purpose in Service Manager: To find the computer hosting Microsoft SQL Server Reporting Services (SSRS) for the user at a Service Manager console. When a user at a Service Manager console tries to run a report, a query is made to the Service Manager management server seeking the computer that is hosting the data warehouse management server. The Service Manager console then queries the data warehouse management server seeking the name of the computer hosting the SSRS. With that information, the Service Manager console connects to SSRS. The singular purpose of the Report User user role is to make these queries. After the Service Manager console connects to the SSRS, the credentials of the user running the console grant access as defined on the SSRS. Because of the narrow purpose of this user role, there is no reason for creating another.

Workflows

Workflows might have to read and write to the Service Manager database. During setup, you are asked to provide credentials for the Workflows user role, and it is this user role that will perform the required actions on the Service Manager database. Like the Report User user role, the narrow purpose of this user role means there is no reason for creating other user roles.

See Also

Did you find this information helpful? Please send your suggestions and comments about System Center Service Manager documentation to scsmdocs@microsoft.com.
Show: