Service Desk User Security

Note: When you create a pre-defined service desk using the Service Desk > Desk Template page, much of the user security issues described in this topic are configured for you.

Note: See System > User Security for an introduction to VSA user security concepts mentioned in this topic.

Access to desk definitions, tickets, and KB articles comprise five levels of user security:

• Role Types
• User Roles
• Users
• Scopes
• Field Permissions

Note: Machine roles and Service Desk are discussed in a separate topic, Integrating Service Desk, Live Connect, and Portal Access.

Role Types

Kaseya licensing is purchased by role type. There are separate role types for licensing users by user role type and licensing machines by machine role type. Each role type enables selected functions listed in the User Roles > Access Rights tab and Machine Roles > Access Rights tab. The number of role type licenses purchased displays in the System > License Manager > Role Type tab. Each role type license specifies the number of named users and concurrent users allowed.

User licensing for the Service Desk module is purchased and managed using two user role types:

• Service Desk Administrators - Equivalent to a Master role user within the Service Desk module only.
• Service Desk Technicians - A user who works with tickets and KB articles.

Note: The Master role is assigned the Service Desk Administrators role type by default.

User Roles

Three user roles are created when the Service Desk module is installed. These user roles provide three types of function access typically required by Service Desk users. You can use them as is, or modify them if you like, or use them as models for creating your own new user roles.

• SD Admin – A Service Desk administrator who has access to all Service Desk functions and tickets, regardless of scope. An SD Admin can create and edit desk definitions, configure Service Desk support tables and Service Desk procedures, and perform all actions on tickets. Only SD Admin users have access to advanced functions in the Service Desk > Tickets table such as Delete and Unlock. Like a Master role user, an SD Admin user is not limited by field permissions, described below. This user role is a member of the Service Desk Administrators role type.
• SD User – A Service Desk user who works with Tickets, Archived Tickets, Search All and User Preferences. This role does not permit access to desk definitions, procedures or any other support tables. This user role can only view published KB articles, but cannot create or edit KB articles. This user role is a member of the Service Desk Technicians role type.
• KB Admin – A Service Desk administrator who creates, edits and manages KB articles. The KB Admin user has access to all Service Desk functions. This user role is a member of both the Service Desk Administrators and Service Desk Technicians role type.

Users

A VSA user only has access to the Service Desk module and functions by assigning that VSA user to a user role using the Service Desk Administrators or Service Desk Technicians role type.

Scopes

Scopes and Service Desks

The following applies to a VSA user using a role that is linked to the Service Desk Technicians role type and that same role is not linked to the Service Desk Administrators role type.

• Assigning a desk definition to a scope using System > Scopes provides:
  • Visibility and selection of the service desk in drop down lists in Service Desk.
  • Visibility and selection of service desk tickets in ticket tables.
• Scope access only provides visibility of tickets. Further access to editing tickets is determined by role field permissions.

Note: See Visibility of Service Desk Tickets by a Staff Member for an alternate method of making tickets visible to staff members.

Scopes, User Roles and Knowledge Base Desks

The following applies to a VSA user using a role that is linked to the Service Desk Technicians role type and that same role is not linked to the Service Desk Administrators role type.

• Knowledge base desks do not need to be added to any user role or any scope for KB articles to be visible to VSA users using those roles and scopes.
• If you are using the pre-configured KnowledgeBase desk, any KB articles set to the Published stage are visible and viewable for all service desk users and machine users in Live Connect, regardless of user role or scope. The same is true for any knowledge base desk created from scratch, so long as the KB article is set to the End stage, whatever the name of that End stage.
• If you want non-service desk administrators to be able to create a new KB article and edit the KB article, but don't want those same users complete service desk administrator access, select or create a user role associated with the Service Desk Technicians role type. Then associate the knowledge base with the user role using Role Preferences or the Desk Definition > Access > Roles tab. Then assign users to that user role. The KB Admin user role can be used for this purpose. The KB Admin is already associated with the KnowledgeBase desk. You only need to remove the Service Desk Administrator roletype from the KB Admin user role.

Field Permissions

Field permissions are set by role. For VSA users using roles linked to the Service Desk Technicians role type, field permissions determine what fields a user can view or edit within the ticket editor or KB article editor. Typical field permissions include: Editable, View Only, Hidden, or Required. Default field permissions are set by editing template.

Note: VSA users using a role linked to the Service Desk Administrators role type can see and work with any field in any ticket editor or KB article editor. Master role users also always have complete field permission access, regardless of roletype assignment.

Editing Templates

An editing template serves three purposes:

1. The editing template defines the layout of the dialog used to edit a ticket or KB article.
2. An editing template may mask selected fields, even though the fields are defined by the desk definition. Using an editing template to mask a field overrides whatever field permission is set for that field.
3. The editing templates also sets default field permissions for editing a ticket or KB article. Whether assigned by role or by user, you can override the default field permissions set by the editing template to suit your business requirements.

An editing template is applied to a combination of desk definition and user role (or machine role) using Role Preferences or the Desk Definition > Access > Roles tab. An editing template can also be applied to a combination of desk definition and user using User Preferences. User Preferences has precedence over Role Preferences. The default editing template for all roles and all users working with a service desk is specified in the Service Desk > Desk Definition > New or Edit > General Info tab.

Default Field Permissions

Portal Access users (machine users) use ticket field level permissions defined for the Default machine role. The Default machine role also applies to VSA users using a user role that does not include either the Service Desk Administrator or Service Desk Technician roletype. When a VSA user is using the Default machine role to view or edit a ticket, a Default Permissions Apply message displays at the top of a service desk ticket. If even the Default machine role does not provide access to a ticket, then an error message tells the user their role does not permit access to the ticket.

Unassigned Tickets

Tickets can be created without assigning an organization to the ticket. The Desk Definition > General Info tab > Only Masters see Unassigned Tickets checkbox determines whether master users or all users can see unassigned tickets.