Once we have inserted the users into our system, we can create groups to organize our working teams and the end user groups.
The use of groups, in fact, allows you to:
- Assign workin teams to records: the team that has taken in charge a request or the team that has to manage a device of the CMDB.
- Permissions to create/read/update/delete a record: Deepser allows you to differentiate permissions of the user groups inside the modules they can access.
Difference between permissions linked to Groups and Roles
Before starting the groups configuration, it is very important to understand the difference between permissions linked to user Roles and to user Groups.
To be more concise, we will give an example.
We want to configure an Agent user that accesses the Dashboard module and also to the Service module and another Agent user that accesses only the Service module.
In the real life, the first user is a manager that requests a back-end access to take a look at the charts and the details of the requests.
The second user is typically an operator of the IT Service that doesn’t need to see the charts, but only to manage the requests.
For the first user we can configure a new role of type Agent, called “Agent Dashboard”.
Go to the menu System > Permissions > Roles and click on “Add Role” button.
Inser tthe data of the new Role, specifying it is an Agent.
Once we have saved the role, go to the Tab “Role Resource” and select in the modules tree the item Dashboard and the item Service.
We are telling the system that we have created a new role which users are of type Agent.
Every Agent associated to that role will access the Dashboard module and the Service module.
Now a question arises: what will able to do the Agents of that role inside the modules? Will they only create records, or update, or update only the records assigned to them?
Infact, we could have Agents that view and modify all the records in the Service modules, other that can only see some kind of requests but not edit them or delete them.
This setting is NOT defined using roles, but with the use of groups, to make the configuration of Deepser more flexible.
Two users with the same role (ans thus the same user type) can access the same modules, but the first user could view and modify all record, while the second could only see them without edit privilege.
Or rather, a user could delete the records, while the other could not.
To define those policies for every module we use the groups.
Note: generally all the operation related to CRUD (Create Read Update Delete) of the records are defined using groups. Talking about module visibility (eg: the access to the back-end or not) we use roles.
Coming back to our example, we can configure a new role called “Agent Service”.
In the tab “Role Resource” we configure this role to see only the Service module.
That way, we are telling the system there is a new role, which users will be Agents.
Any Agent of the role will access only the Service module.
Once defined the roles to view the modules we can create groups to give CRUD permissions inside every module
Before looking at the groups permissions, let’s see how to insert them.
To insert a new group, go to the menu System > Permissions > Groups.
We will see the grid with all groups listed.
Click on the button on the upper right corner of the main screen.
We will see the form to insert a new group.
We explain the meaning of every field in the screen:
|Name||The name of the group, displayed in the select-boxes in the system.|
|Status||If the group is active or not.|
|The group email (if present), to send notifications to the mailbox dedicated to the team.|
|Level||The support level of the group. It is a number, very useful for the automations and the metrics. For example, if we wanted to measure the time to resolve of the first level support groups, we could set this field to 1 in order to group all the first level teams by their level in a report.|
A user that belongs to a group with that field set, will see only data of his company (or sub-companies). If the user is of type “User” this field is ignored because an end user can see only data of its company.
Note: the same field is also displayed on the user form, so the system checks first if the user record has this flag set, then checks the group settings of the user.
|Description||The description of the group. Use it to document or to describe better the group.|
Insert users into a group
Once created a group it is possible to insert users in it by clicking on the tab Members.
We will see a list with the users that already belong to the group (it will be empty in case of no user in the group).
Click on the button Add to see the window with the list of all users.
Select the users using the ckeck-box and then select the menu item Add in the select-box upper on the right.
Click on the button Submit to insert the users into the group.
Delete users from a group
To delete users from a group, select the tab Members, select the users in the check-box. Select the item Delete in the select-box upper on the right and click the button Submit.
As said before, Deepser lets you configure CRUD permissions based on user groups.
To set permissions, once the group is created and has memebers, access the tab “Rules”.
We will see a list of the permission rules configured for that group.
Note: if a group doesn’t have roles then that group has full read / edit / delete / create permissions on all records. So, it is important to configure carefully all the group permissions before starting to use the system.
The list with all permissions is very granular in Deepser, infact clicking on the button “+” we can insert “Create / Read / Update / Delete” roles on every entity of the system. By clicking on the buttons beside the rule we can delete or edit that rule.
In the screen of every single rule we can configure the permissions with a high flexibility for every entity and also for every create / read / edit / delete permissions.
Coming back to the opening example, once we have created the roles “Agent Dashboard” and “Agent Service” we must associate the users to their permissions on the records.
The user with role “Agent Dashboard” will be member of a “Service Read Only” group, woth read-only privileges on the records.
To do that, configure permissions for Create / Update / Delete to false:
Click on the Apply button upper on the right to save.
Configure Read and Grid permissions:
Similarly, for the user with role “Agent Service”, create a new group “IT Support” with all permissions set to true.
We can easily understand we can create infinite combinations of roles and groups. More in depth, we can decide that users with different roles can see different modules (eg: an Administrator and an Agent, or a Key User and an Agent), but give them the same permissions on the records of the common access modules.
We could decide an Agent can only access the module Service and create records only for a certain company. At the same time, we can configure another Agent to see all modules and create only records for the same company of the first Agent.
Talking about groups, Deepser has other powerful configuration features, but for this chapter we have covered all the main topics.
To learn more about groups, please read: Groups Advanced Configuration.
Assign a Service Record to a group
Once the group configuration is completed, the records of Deepser can be assigned to groups.
For example, in the module “Service”, we can define the Assigne To user of a request.
Once selected the group (the working team), the select-box with all the users will be filtered with the users that are members of the selected group.