Role Structure
In SimpleOne, roles can be divided into three abstract layers based on their daily duties and authority. Role layers are sorted in ascending order:
Depending on your business tasks and demands, use the standard system roles or create new ones. To configure a role's permissions and responsibilities, create an ACL Rule for it.
A user can get a role in many ways. See the Role Inheritance article to learn more.
End-users
End-users have no specific role in the system. They can raise tickets via the Self-Service Portal, track them, add comments, and read published articles and external Known Error records. However, end-users cannot use the agent interface or perform any actions, because the actions require specific roles.
Users without a role, such as end-users, have no access to any interfaces except the Self-Service Portal. If such a user tries to follow the link that leads to the agent interface, they will be redirected, for example, to the Service Portal main page.
A user who has been granted the user role can log in to the agent interface, but they cannot work on tasks. This operation is available to employees with ITSM, ITAM, admin, or special administrative roles.
See the Users article to learn how to grant roles.
Agents
Agents are the employees handling daily tasks in the system, for example, processing incidents, change requests, or configuring CMDB. One or more roles should be assigned to the agent to perform these duties based on the tasks and responsibilities.
In SimpleOne, the following roles are provided:
Service tools roles
Role | Description |
---|---|
catalog_manager | Catalog managers can create, edit and delete records of the Service Catalog they are responsible for. |
cmdb_agent | CMDB agents can read CI records and update them if they are owners of CIs or members of responsible groups. The role contains the cmdb_read role. |
cmdb_manager | CMDB managers can create, update, and delete CI records. The role contains the cmdb_read role. |
cmdb_read | CMDB readers can only read CMDB records of classes, attributes, models and CIs. |
model_manager | Model managers can create, update, and delete CI model records. They can also choose classes when creating new CI models. The role contains the cmdb_read role. |
service_catalog_manager | Service catalog managers can update the article records related to services. |
service_level_manager | Service level managers can update SLM-related records. |
service_owner | Service owners can change the state of any article related to the service they own. |
service_portfolio_manager | Service portfolio managers can create and edit service and service provider records. |
product_manager | A product manager can create, read, edit, and delete the product records. |
product_agent | A product agent can edit the products for which they are the Product owner. |
process_manager | A process manager has access to create, read, edit, and delete process records. The role contains the cmdb_read role. |
budget_agent | A budget agent can view records of the Budgets section, excluding the actual cost items. The cost_center_agent, fiscal_period_agent, and cmdb_read roles are inherited by this role. |
budget_manager | A budget manager can create, view, and edit records of the Budgets section, excluding the actual cost items. The budget_agent role is inherited by this role. |
finance_agent | A finance agent can view Actual Cost Items. The budget_agent and purchase_agent roles are inherited by this role. |
finance_manager | A finance manager can create, view, and edit Actual Cost Items. The finance_agent role is inherited by this role. |
cost_center_agent | A cost center agent can view cost centers. |
cost_center_manager | A cost center manager can create, view, and edit cost centers. The cost_center_agent role is inherited by this role. |
fiscal_period_agent | A fiscal agent can view fiscal periods. |
fiscal_period_manager | A fiscal manager can create, view, and edit fiscal periods. The fiscal_period_agent role is inherited by this role. |
demand_agent | A demand agent can view demands and demand tasks. The cost_center_agent and fiscal_period_agent roles are inherited by this role. |
demand_manager | A demand manager can create, view, and edit demands and demand tasks. The demand_agent role is inherited by this role. |
purchase_agent | A purchase agent can view purchase requests and purchase request tasks. The demand_agent, cost_center_agent, and fiscal_period_agent roles are inherited by this role. |
purchase_manager | A purchase manager can create, view, and edit purchase requests and purchase request tasks. The purchase_agent role is inherited by this role. |
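The inheritance notes in the table above determine what a role assignment grants in practice. The following is an added example, not SimpleOne code: it transcribes the direct inheritance links from the table, assumes that inheritance is transitive (the table states only direct links), and uses constructed user assignments (alice, bob, carol) to list the roles each user holds only implicitly.

```python
# Direct inheritance edges transcribed from the "Service tools roles" table.
# Assumption: inheritance is transitive (the table states only direct links).
CONTAINS = {
    "cmdb_agent": {"cmdb_read"},
    "cmdb_manager": {"cmdb_read"},
    "model_manager": {"cmdb_read"},
    "process_manager": {"cmdb_read"},
    "budget_agent": {"cost_center_agent", "fiscal_period_agent", "cmdb_read"},
    "budget_manager": {"budget_agent"},
    "finance_agent": {"budget_agent", "purchase_agent"},
    "finance_manager": {"finance_agent"},
    "cost_center_manager": {"cost_center_agent"},
    "fiscal_period_manager": {"fiscal_period_agent"},
    "demand_agent": {"cost_center_agent", "fiscal_period_agent"},
    "demand_manager": {"demand_agent"},
    "purchase_agent": {"demand_agent", "cost_center_agent", "fiscal_period_agent"},
    "purchase_manager": {"purchase_agent"},
}

def effective_roles(assigned):
    """Return the assigned roles plus everything reachable via inheritance."""
    seen, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role in seen:
            continue  # already expanded; also guards against accidental cycles
        seen.add(role)
        stack.extend(CONTAINS.get(role, ()))
    return seen

def implicit_grants(assigned):
    """Roles held only through inheritance; these are easy to miss in a review."""
    return effective_roles(assigned) - set(assigned)

def holders_of(role, assignments):
    """Users whose effective role set includes `role`."""
    return sorted(u for u, r in assignments.items() if role in effective_roles(r))

# Constructed sample assignments (hypothetical user names).
SAMPLE = {
    "alice": ["finance_manager"],
    "bob": ["cost_center_manager"],
    "carol": ["purchase_manager", "catalog_manager"],
}

if __name__ == "__main__":
    for user, roles in SAMPLE.items():
        print(user, sorted(implicit_grants(roles)))
    print("cmdb_read holders:", holders_of("cmdb_read", SAMPLE))
```

Under these assumptions, a single finance_manager assignment carries seven further roles, including cmdb_read through budget_agent, while purchase_manager does not reach cmdb_read.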
Administrators
There are two groups of administrative roles:
- Administrative roles
- Special administrative roles
Administrative roles
Specialists with administrative roles have access to all system features and data and pass all security checks.
SimpleOne offers two administrative roles:
Role | Description |
---|---|
admin | The system administrator role. Admin users have extended privileges and can use nearly all system functions (except assigning User Roles, working with Access Control List (ACL), and User Criteria). Admin users have access to all data unavailable to regular users. |
security_admin | Security administrators can modify the ACL and access highly secured objects and operations. A session in the security_admin role lasts 1 hour. After that, you need to elevate the role once again. |
When a script debugging exception appears or any other system error occurs, only users with the admin role can see the error message.
Special administrative roles
Special administrative roles grant specific administrative rights without the full privileges of the administrative role. For example, a notification admin can create notification rules but not assignment rules.
In SimpleOne, the following special administrative roles exist:
Role | Description |
---|---|
announcement_manager | Announcement managers can create, update, delete, and publish Announcements. |
approval_admin | Approval administrators can update approval records. |
catalog_admin | Catalog admins can create, edit and delete records of the Service Catalog module. |
cmdb_admin | CMDB administrators can create, update and delete CI records, classes, models and their attributes. |
delegation_admin | Delegation administrators can create, update, and delete delegation records. They can update only the available fields on the delegation rule form. |
import_admin | Import admins can manage all aspects of imports. |
impersonator | Impersonators can interact with the system on behalf of other users. The role does not allow users to impersonate admin users. Only admins can impersonate admins. |
knowledge_admin | Knowledge admins can create and update records related to the Knowledge Base. Users cannot update Article records in the Published state – only reading is available. This role contains the knowledge_agent role. |
knowledge_agent | Knowledge agents can update records related to the Knowledge Base in the following cases:
|
notification_admin | Notification admins can create and update notification rules. |
queue_admin | Queue admins can create, read, update and delete records of the External Queues module. |
sso_admin | SSO administrators can create, read, update, and delete records of the OIDC Settings (oidc_setting) and SAML2 Settings (sys_saml2_connection) tables, and also read and delete records in the IdP Certificate (idp_certificate) table. |
user_manager | User managers can create, update, and delete records in the User (user) and Employee (employee) tables. They can also add users into groups. |
wf_admin | Workflow admins can create and update workflows in the Workflow Editor. |
wtm_admin | WTM admins can create, update and delete records within the Work and Time Management application. The users with the admin role have the same access. |
Roles in SimpleOne applications
In the articles below, you can find the role models created for the SimpleOne applications, including their access rights and operation restrictions: