User Roles

This article covers the creation and management of user roles, module permissions, and administrative permissions within ESM.

Creation and Management of User Roles

A user role’s permissions for ESM modules and the ESM administrative views are divided into three main categories: 

  • Module permissions 
  • Administrative permissions 
  • Data card permissions 

Within each category, permissions are further divided into individual rights to access different program items and to conduct different actions. For example, permissions for using ESM CMDB, Efecte IT Processes, Efecte Visual Workflow, Efecte Contract, and Efecte HR belong under module permissions, and permissions to templates, attributes, and folders belong under data card permissions.

You can further restrict the data card permissions by granting rights to create, read, update, and delete.


You can copy permissions to folders, templates, and attributes from an existing user role to another user role definition with the Data card permissions -> Copy permissions from role option at the bottom of the view. You can also grant permissions to data cards one by one from the Template properties view of each appropriate template. From the Folder properties view, you can also grant the user role permission to access appropriate folders one by one.

When you are creating a user role, the New role view appears as you select a folder and click the New role button. If you want to modify the user role’s permissions, select the role and click Edit role.

Module Permissions

When you create a new role, you give it permissions to access ESM modules (i.e. products).

Depending on the product licenses your ESM system has, you can freely select the module(s) you want to give the role rights to access:

  • CMDB: Access to Efecte CMDB.
  • Contract: Access to Efecte Contract.
  • IT Processes: Access to Efecte IT Processes.
  • HR Service Management: Access to Efecte HR.
  • Organization: Access to Organization; Permission to edit data cards in the folders of the Organization view. 
    • To see the data cards stored in the Organization folders, you must grant the user role rights to the folders, the templates, and the template attributes.
  • IGA: Access to IGA.
  • Common: Access to Common IT processes.
  • Efecte Delivery Management: Access to Efecte Delivery Management.
  • Efecte Chat: Access to Efecte Chat.
  • Whistleblower: Access to the Efecte Whistleblower functionality.
  • Efecte Project Management: Access to Efecte Project Management.
  • Risk Management: Access to Efecte Risk Management.
  • Finance Service Management: Access to Efecte's Finance Service Management.
  • Facility Management: Access to Efecte's Facility Management.

The following licensable functionalities are also listed:

  • Visual Workflow: Access to Efecte Visual Workflow.
  • Efecte Web API: Access to Efecte Web API.
  • SCCM Integration: Access to Efecte's SCCM Integration.
  • Efecte External API: Access to Efecte's External API.

To see the data cards stored in the module folders, you need to give the user role permission to the folders that users with this role need to access. In addition, to see the content of the folders, users need at least read permission to the templates stored in the folders. If these permissions are missing, users see neither the folder nor the templates. In addition, if the user role does not have the right to access a folder, users with that role cannot access the data cards stored in the folder.

Administrative Permissions

When you create a new role, you specify its rights to conduct administrative actions.
Depending on the administrative views your ESM system makes available, you can give a role the following administration rights:

  • Edit users – Permission to edit ESM users and user roles. For viewing of the data cards stored in the Users folders, you need to grant the user role rights to the folders, the templates, and the template attributes.
  • Edit static values – Permission to edit static values for an attribute whose data type is static.
  • Edit templates – Permission to edit all templates of your ESM system. This permission also includes rights to modify template classes and attributes. Even if a user role with this permission can edit and see all templates in the ESM system, the user role might not see all of the data cards. 
    • To avoid any unintended loss of data, always make careful plans prior to editing a template that is already in use. For example, deleting an attribute does not erase just the attribute; it also deletes the attribute values from existing data cards. Since permission to edit templates is considerably broad, always grant it cautiously.
  • Edit folders – Permission to edit folders includes rights to modify folders and user role permissions in different ESM modules and in the folders of the Client view. The folder permissions for each single folder limit the permission. In other words, a role is allowed to edit folders that it has permission to view.
    • A user with permission to edit folders can create new folders under the visible folders and modify and delete folders visible to said user. 
  • Import data cards – Permission to import data cards in XML form into ESM. Allowing data card import enables the Import tab in the Administration UI for the user role concerned. For more information about the import functionality, refer to chapter 13.

By default, a new role has no permissions, e.g. to access any of the modules or to conduct administrative actions. When creating the role, you must manually select the rights you want to give to the role. If you want to modify the role permissions after creating them, select the role in the folder tree pane and click Edit role in the display menu.

You can also copy permissions from an existing role into a new role with the Copy permission from role drop-down menu. Copying data card permissions from another role also copies the source role's rights to templates, attributes, and folders. Thus, you do not need to give the new role permissions separately for each template, attribute, and folder. The functionality is useful when you need to create a new role that differs only slightly from an existing one.

Search and User Interface Settings

Efecte Service Management provides a user interface where data cards are accessed using searches, views and/or folders. The user interface can be simplified for users who have limited access and/or tasks within the system. An administrator can define which functionalities are available for the user by using Search and user interface settings.

  • Background data - When Background data is selected, users can access data cards via the actual folders where they are stored. Only the folders that the user has permissions to are available.
  • Search restrictions - There are several search functionalities available for searching data cards. By default users can use all of them. Search restriction options are:
    • No restrictions - Users can use all search functionalities when searching data cards.
    • Global search off - Users don’t have Global search available.
    • Global search and Basic conditions off - Users don’t have Global search nor Basic conditions available.
    • Global search, Basic and Advanced conditions off - Users don’t have Global search nor Basic conditions nor Advanced conditions available.

If a user has more than one role, the least restrictive setting is applied. For example, if the goal is to prevent a user from triggering global searches, all of the user's roles must have the “Global search off” restriction.

Planning of Permissions

It is worthwhile to carefully plan which permission each user role has. Planning your permission policy carefully in the system implementation phase can save a lot of work later. You can use the following approach to plan the various roles’ permissions:

  1. You can specify different roles' viewing rights for different ESM objects via the role rights – granting a role rights to use templates, static values, users, and so on. 
    1. It is advisable to create the roles first, because later on they’ll require more modifications in the existing folder and template permissions.
  2. You can restrict different roles' viewing rights to certain data cards with folder rights. The folder rights restrict the use of data cards on the basis of the folder structure.
  3. Permission to access and modify templates and attributes is the most accurate or specific restriction to data card and template usage. With these permissions, users’ rights to certain types of templates or attributes can be restricted regardless of data card location.

When a new role is created, it has no rights to any of the existing templates and folders. In such situations, it is advisable to find an existing role with similar rights and copy that role's rights to the new role. After copying the role rights, modify them to meet the demands of the new role.

Permission Overlaps

A user can have multiple roles that together augment the user’s rights to certain data (role rights, template rights, folder rights, and so on). In such cases, giving the user more roles increases the amount of rights they receive.

In order to be able to see the data cards stored in folders of different ESM views, user roles need rights to the folders they need to access. In addition, to be able to see the content of the folders, user roles need at least read permission to the templates on which the data cards stored in the folders are based.

The same applies the other way round. A user role with permission to a certain template cannot access any data cards in a folder it does not have rights to access. Accordingly, in order to see an attribute of a template, a user role needs permissions to both the template and the attribute. If the user role permits a user to see a template (as well as the data cards based on the template) but doesn't allow the user to see any attributes, the user sees a data card without any content.

There can be overlaps in rights also if the user belongs to several roles. In this case, the user has the roles’ combined rights.
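
The overlap rules above and the least-restrictive search rule from Search and User Interface Settings can be checked before assigning a user an extra role. The following is an added example, not ESM code: the `Role` structure, role names, folders and templates are hypothetical, and it assumes that rights from all of a user's roles are combined per category before the folder, template and attribute checks are applied.

```python
from dataclasses import dataclass, field

# Search restriction levels in the article's order, least restrictive first.
SEARCH_LEVELS = ["No restrictions", "Global search off",
                 "Global search and Basic conditions off",
                 "Global search, Basic and Advanced conditions off"]

@dataclass
class Role:  # hypothetical structure for this model, not an ESM object
    name: str
    folders: set = field(default_factory=set)
    templates: set = field(default_factory=set)   # templates with at least read
    attributes: set = field(default_factory=set)  # (template, attribute) pairs
    search: str = "No restrictions"

def effective_search(roles):
    """The least restrictive setting among the user's roles is applied."""
    return min((r.search for r in roles), key=SEARCH_LEVELS.index)

def roles_defeating_restriction(roles, wanted):
    """Names of roles that are less restrictive than the intended setting."""
    limit = SEARCH_LEVELS.index(wanted)
    return [r.name for r in roles if SEARCH_LEVELS.index(r.search) < limit]

def visible_attributes(roles, folder, template, card_attrs):
    """Attributes the user sees on a data card, or None if the card is hidden.

    Assumption: the roles' rights are unioned per category first.
    """
    folders = set().union(*(r.folders for r in roles))
    templates = set().union(*(r.templates for r in roles))
    attrs = set().union(*(r.attributes for r in roles))
    if folder not in folders or template not in templates:
        return None  # folder right AND template read are both required
    # An empty list means the card is shown without any content.
    return [a for a in card_attrs if (template, a) in attrs]

# Constructed sample roles (hypothetical names and objects).
agent = Role("Service Desk Agent", {"Incidents"}, {"Incident"},
             {("Incident", "subject")}, "Global search off")
auditor = Role("Auditor", {"Contracts"}, {"Contract"}, set(), "No restrictions")

if __name__ == "__main__":
    user_roles = [agent, auditor]
    print(effective_search(user_roles))
    print(roles_defeating_restriction(user_roles, "Global search off"))
    print(visible_attributes(user_roles, "Contracts", "Contract", ["value"]))
```

With the sample roles, adding the Auditor role to an agent re-enables Global search for that user and exposes Contract data cards as empty cards, which is the kind of side effect to look for when reviewing multi-role users.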

Assigning Users to Roles

If you want to see which users belong to a role and possibly edit the user assignation, you should begin from the role view. 

  1. Navigate to the role you want to see/edit the user assignation for, using the Permissions menu and tree.
  2. On the left side of the role view there’s a list of current users of the role. A user can be removed from the role by clicking on the corresponding icon.
  3. On the right side there’s an input field you can use to search for users. 
    1. Users who are already assigned to the role are grayed out on the list. You can assign more users to the role by selecting a user with a mouse click and then using the left arrow icon between the lists. Double-clicking on a user acts as a shortcut.
    2. A user’s role assignation can be viewed and edited in the user view as well. The interface is very similar: a list of current roles on the left and a way to search for roles on the right.

Copyright 2026 – Matrix42 Professional.