New England Security User Group

  • 1.  ServiceDesk incident level security

    Posted Oct 06, 2010 04:35 AM

    I am trying to create a secure queue in addition to a few of my regular queues in ServiceDesk. The secure queue is meant to have sensitive information in it, so the only users that should be able to view the content of the ticket are users that belong to the secure queue and no one else. I want to make sure that the other ServiceDesk users are able to view and edit tickets assigned to their queue.

     

    I've tried creating a permission that denies view access of process view pages to the rest of the ServiceDesk workers, but that denied them even from viewing tickets assigned to their queue. What's the right way to resolve this issue?

     

    Thanks,



  • 2.  RE: ServiceDesk incident level security

    Posted Oct 06, 2010 05:45 PM

    bdererri,

    In order to accomplish what you are looking to do, the permissions are set on the incident, not through the process manager. The easiest way I can think of accomplishing this is as follows:

    - Create a "Category" to choose when you want an incident assigned to this "secure" group

    - In the IncidentManagement workflow, the embedded model "Setup Process" in the primary model, check the classification variables for the incident. If it is the category from above, set up the incident permissions for just the secure group (and administrators), otherwise let the incident security get set normally.

     

    In this embedded model, you should see how to create new permissions for an incident.

    Hope this helps,

     David Ramazetti

     Senior Technical Solutions Consultant

     XCEND Group



  • 3.  RE: ServiceDesk incident level security

    Posted Oct 06, 2010 10:29 PM

    Hi David, thank you for your input. I did exactly what you said up top, with an addition of using a Routing rule. It didn't do what I wanted it to do.

    • I created a category for the secure queue
    • I used a Routing rule to assign the ticket to the secure queue when it is created.
    • I used a matches rule in Incident.Management project 'Setup' embedded component to grant only the administrator and the secure group permission.
    • Published the projects and restarted both server extensions and IIS.
    • Created a test account and made it a member of a Group. Granted the group equal permission as the default 'Support I' group.
    • Tested it by creating a ticket using a totally different account. The Routing rule assigned it to the Secure queue. The permissions came out as expected with 'Administrators' and the secure queue having Edit permission while the account that's used to create the ticket had view permission.
    • Finally, I logged in using the Test account that I created and searched for that task ID. It opened the incident and I was able to see all of its contents. The whole effort was to make sure that no one outside of the secure queue members can read the description or any information in that ticket.

    How could I prevent a person that belongs to another queue (with permissions that are the same as 'Support I') from viewing contents of a Secure queue that s/he doesn't belong to? Obviously the tickets don't show up in their list of assigned tickets, but if they can search for the ticket they're able to see the content as of now. Are there permissions that I need to take away from all queues to make this happen? For now all the queues/groups, except Administrators and ServiceManagers, have the same permission levels as the default 'Support I' group.