Hello Bakhtawar,
What's the
business issue that you're trying to solve?
Does your Auditor not like:
A) That there is an Analyst "Access Type"
CALLED "Vendor."
That is, it is specifically the name "Vendor" that they object to.
Solution -
rename the Access Type to something suitable, or make a
new Access Type (copy the existing one) and give it a suitable name.
B) That there is an
EXTERNAL PARTY with Analyst Access Type rights to your system?
That is, they have reviewed the Access Type, Data Partion and Role and there is something specific in these settings that they object to.
Solution - discuss
which setting that they object to (Eg Modify rights to an Incident for example), and then work with your Vendor to see that they get the level of access that they need, and which satisfies the Auditor.
My guess is that it is the latter scenario, as that is what auditors are typically concerned about. They have a point that is valid in general - third parties should
not have full access to your ticketing system.
You need to find out which security settings are the actual concern. This is because you just can't go changing the security without potentially locking out the valid business scenario that the Vendor is performing. I can tell you simply to compare your Analyst vs Vendor Access Type settings and see what the difference is. Or to simply restrict to the Vendor level access without looking at it and accept the consequences.
A better way to do it though is to do something like this.1) Write out a list of things that the Vendor WANTS or NEEDS to be able to do.
Eg:
- View Incident, Request, Change Order, Problem.
- Update Incident or Request with additional Activity Log information.
- Update Incident or Request to a new Status.
- etc
2) Show that list to the Auditors. Get their Yes/No/Modify approval on each point.
3) Build out that level of Access Type, Data Partition and Role within Service Management.
We can help with (3) by advising settings if there is doubt. But you need to sort out (1) - and post it here if needed - and (2).
Thanks, Kyle_R.
Original Message:
Sent: 09-23-2019 01:03 AM
From: Bakhtawar Butt
Subject: Vendor contact
is there any solution for this ?
Original Message:
Sent: 07-04-2019 12:37 AM
From: Bakhtawar Butt
Subject: Vendor contact
Actually we don't know what rights should be given to vendor.
The screenshot i provided you was some vendor already defined by former person of our team which is now not a part .
So we don't know whether we have to give Analyst as contact type or vendor.
So what should we do ideally for creating vendor contact?
Original Message:
Sent: 07-03-2019 01:24 AM
From: Bakhtawar Butt
Subject: Vendor contact
Hi Team.,
We have defined Vendor contact in SDM. I have attached a screenshot which gives you idea about vendor contact creation.
Now issue is that audit puts an observation that why do we use contact type of vendor as analyst because vendor are out of the organization person and they can't access SDM.
So can we use Vendor Access type instead of Analyst ? What changes could be made if we do so?