CA Service Management


Vendor contact

  • 1.  Vendor contact

    Posted Jul 03, 2019 01:27 AM
    Hi Team,


    We have defined a Vendor contact in SDM. I have attached a screenshot which gives you an idea about vendor contact creation.
    Now the issue is that audit has raised an observation asking why we use Analyst as the contact type for the vendor, because vendors are persons outside the organization and they can't access SDM.


    So can we use the Vendor Access type instead of Analyst? What changes could be made if we do so?


  • 2.  RE: Vendor contact

    Broadcom Employee
    Posted Jul 03, 2019 08:39 AM
    Hi Bakhtawar,

    In my opinion, what you call an Access Type or Contact Type is pretty much irrelevant. What matters more is the permissions that are associated with the Access Type. Nevertheless, you can create a new Access Type or Contact Type that mimics the Analyst and name it Vendor.

    Hope this helps?

    ------------------------------
    Kind Regards,
    Brian
    ------------------------------



  • 3.  RE: Vendor contact

    Posted Jul 04, 2019 12:52 AM
    Actually, we don't know what rights should be given to the vendor.
    The screenshot I provided shows a vendor already defined by a former member of our team who is no longer part of it.
    So we don't know whether we have to give Analyst or Vendor as the contact type.

    So what should we ideally do to create a vendor contact?


  • 4.  RE: Vendor contact

    Posted Sep 23, 2019 01:03 AM
    Is there any solution for this?


  • 5.  RE: Vendor contact
    Best Answer

    Broadcom Employee
    Posted Sep 23, 2019 02:02 AM
    Hello Bakhtawar,

    What's the business issue that you're trying to solve?

    Does your Auditor not like:

    A) That there is an Analyst "Access Type" CALLED "Vendor." 
    That is, it is specifically the name "Vendor" that they object to.

    Solution - rename the Access Type to something suitable, or make a new Access Type (copy the existing one) and give it a suitable name.

    B) That there is an EXTERNAL PARTY with Analyst Access Type rights to your system?
    That is, they have reviewed the Access Type, Data Partition and Role and there is something specific in these settings that they object to.

    Solution - discuss which setting that they object to (Eg Modify rights to an Incident for example), and then work with your Vendor to see that they get the level of access that they need, and which satisfies the Auditor.


    My guess is that it is the latter scenario, as that is what auditors are typically concerned about. They have a point that is valid in general - third parties should not have full access to your ticketing system.

    You need to find out which security settings are the actual concern. This is because you just can't go changing the security without potentially locking out the valid business scenario that the Vendor is performing.  I can tell you simply to compare your Analyst vs Vendor Access Type settings and see what the difference is. Or to simply restrict to the Vendor level access without looking at it and accept the consequences. 

    A better way to do it though is to do something like this.

    1) Write out a list of things that the Vendor WANTS or NEEDS to be able to do. 
    Eg:
    • View Incident, Request, Change Order, Problem.
    • Update Incident or Request with additional Activity Log information.
    • Update Incident or Request to a new Status.
    • etc

    2) Show that list to the Auditors. Get their Yes/No/Modify approval on each point.

    3) Build out that level of Access Type, Data Partition and Role within Service Management.

    We can help with (3) by advising settings if there is doubt. But you need to sort out (1) - and post it here if needed - and (2).


    Thanks, Kyle_R.

  • 6.  RE: Vendor contact

    Posted Sep 23, 2019 02:19 AM
    In our vendor access type we don't have anything defined for data partition, but for level 2 analyst the data partition is analyst.


  • 7.  RE: Vendor contact

    Broadcom Employee
    Posted Sep 23, 2019 02:23 AM
    Okay. That's good to know.

    Continue with the above suggestions. Please establish what the vendor IS ALLOWED to have access to, and then we build the security. Not the other way around.

    Kyle_R.


  • 8.  RE: Vendor contact

    Broadcom Employee
    Posted Sep 23, 2019 05:27 AM
    Hi Bakhtawar,

    None of us can tell you what the security\permissions (data-partitions, etc..) must be, without knowing what your auditors are flagging as vulnerability\issue\concern. You need to discuss with the auditors to find out what they need you to tighten. Once this is clear, we can point you in the right direction in terms of how to restrict access to what the Vendor users are not authorized to access.

    ------------------------------
    Kind Regards,
    Brian
    ------------------------------



  • 9.  RE: Vendor contact

    Posted Sep 23, 2019 05:36 AM

    The auditor's concern is that the vendor is only able to:

    • View Incident, Request, Change Order, Problem.
    • Update Incident or Request with additional Activity Log information.
    • Update Incident or Request to a new Status.

    That's why the auditor wants us to change its type from Analyst to another one which can fulfill all these things.

    Is the vendor type able to fulfill all these?

    Regards,
    Bakhtawar Butt
    Officer Technical Service Desk | ITSM Division
    Information Technology Group | MCB Bank Limited
    3rd Floor, MCB Building, Nila Gunmbad , Lahore
    Landline: +92 42 323 0 4610 | IPT: 042-4610

  • 10.  RE: Vendor contact

    Broadcom Employee
    Posted Sep 25, 2019 01:16 AM
    Edited by Kyle R Sep 25, 2019 01:16 AM
    Hello Bakhtawar,

    For your own sake, you should have a look at how security in ITSM is handled.  The key settings against a Contact for this issue are:

    • Access Type - Which Roles are available.
    • Role - The key part for this issue. Gives broad brush access to modules such as View or Modify to tickets.
    • Data Partition - More granular control by table.

    I recommend starting with this page:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/business-management/ca-service-management/17-2/administering/configure-ca-service-desk-manager/manage-roles/role-based-security.html

    Out of the box, there is an Access Type called "Vendor Staff."

    This has one Role only attached to it called "Vendor Analyst."

    You can see what this has configured against it on YOUR system (As all systems might be modified) by going to:

    • Administration
    • Security and Role Management
    • Role Management
    • Role List
    • Search for "Vendor Analyst" (By default, it is the last item on the last page.)
      • Additional Information tab
      • Function Access

    At this point, you can answer the question that you asked above. "What access does a Vendor get?"

    Out of the box, I see they get this access:

    • View Access to a bunch of stuff. Eg:
      • Announcements
      • Configuration Items
      • Contacts
      • Etc
    • Modify access to only this:
      • Incident/Problem/Request
      • Knowledge Document
      • Support Automation (If configured).
    • No Access to a bunch of stuff: Eg:
      • Security
      • InsightsReports
      • Change Orders
      • Etc

    So the key one that stands out, is that you would be taking away their ability to work on Change Orders, if you changed them from (Whatever they are - we don't know. They may have more or less rights) assuming an Analyst, over to Vendor Analyst.

    (Note that the above "Vendor Analyst" level of access is pretty deep already. Many Auditors might object to this level of access.)

    Please re-read carefully my advice above. You need to find out WHAT SPECIFICALLY your Auditor is objecting to.

    Then it is up to you to decide the level of access that they'll get.

    Note that Data Partitions can be used to fine-tune even further.


    IN SUMMARY
    1. Yes, switching to "Vendor" will probably give you what you want, provided you add the ability to work on Change Orders.
    2. However, you should thoroughly discuss with your Vendors and Auditors as I have suggested above, to ensure that there are no surprises to the Vendors, and so that the Auditor's key concerns are addressed.

    Thanks, Kyle_R.
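
Added example (not part of the thread and not CA Service Desk Manager code): a least-privilege check that compares the auditor-approved list from post 9 with the "Vendor Analyst" function access listed in post 10. The names `Access`, `REQUIRED`, `ROLE_GRANTS` and `review_role` are hypothetical, and both tables are hand-copied from the posts rather than read from a live system.

```python
from enum import IntEnum


class Access(IntEnum):
    NONE = 0
    VIEW = 1
    MODIFY = 2


# Constructed from the auditor-approved list in post 9.
REQUIRED = {
    "Incident": Access.MODIFY,      # update Activity Log and Status
    "Request": Access.MODIFY,       # update Activity Log and Status
    "Problem": Access.VIEW,
    "Change Order": Access.VIEW,
}

# Constructed from the out-of-the-box "Vendor Analyst" function access in
# post 10. Only the items named there are listed ("Etc" entries are omitted);
# the grouped "Incident/Problem/Request" function is expanded to three rows.
ROLE_GRANTS = {
    "Incident": Access.MODIFY, "Problem": Access.MODIFY, "Request": Access.MODIFY,
    "Knowledge Document": Access.MODIFY, "Support Automation": Access.MODIFY,
    "Announcements": Access.VIEW, "Configuration Items": Access.VIEW,
    "Contacts": Access.VIEW,
    "Security": Access.NONE, "InsightsReports": Access.NONE,
    "Change Order": Access.NONE,
}


def review_role(required, granted):
    """Return (shortfall, excess) maps of area -> (granted, needed)."""
    shortfall, excess = {}, {}
    for area in sorted(set(required) | set(granted)):
        need = required.get(area, Access.NONE)
        have = granted.get(area, Access.NONE)
        if have < need:
            shortfall[area] = (have, need)   # vendor would be locked out
        elif have > need:
            excess[area] = (have, need)      # more than the auditor approved
    return shortfall, excess


if __name__ == "__main__":
    shortfall, excess = review_role(REQUIRED, ROLE_GRANTS)
    for label, rows in (("MISSING", shortfall), ("EXCESS", excess)):
        for area, (have, need) in rows.items():
            print(f"{label:8}{area:20} granted={have.name:7} needed={need.name}")
```

The single shortfall is Change Order access, the gap raised in the post above; the excess rows are the items to review with the auditor, with Data Partitions as the finer control the thread mentions.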









  • 11.  RE: Vendor contact

    Posted Sep 25, 2019 01:22 AM

    I can set the contact and access type, but what about the data partition? What would I select for the data partition?

  • 12.  RE: Vendor contact

    Broadcom Employee
    Posted Sep 27, 2019 02:23 AM
    Hello Bakhtawar,


    There is no out of the box Data Partition for "Vendor." 

    The questions are though:

    1) WHICH Data Partition do you use ALREADY for your Analysts?
    The default, no-brainer answer is to use the SAME data partition that you're already using.

    But . . . 

    2) What OBJECTION (IF ANY) does your AUDITOR have with this level of security?

    3) And if there is an objection that means you need to CHANGE something, what does your VENDOR say about it?


    I'm going to say this again. Please speak to your auditor and vendor to plan these changes. This really is key. You change the system security to meet the business requirements if you can, not the other way around if it is possible.

    Thanks, Kyle_R.