The role model in Service Manager is quite complex and contains several levels: scopes, user roles and user role profiles. Although scopes and user roles are well documented and available in the UI, the user role profile is a well-hidden part of the role model, yet it is one of the most powerful features if you work with custom classes and custom relationships.
If you are new to the role model in SCSM, I recommend first reading several articles to understand what we are talking about:
As you may know, you can choose how to set up a scope (group, queue, task etc.) and the user role (from the available profiles). But the number of profiles is very limited, and there is no way to configure them from the UI. Fortunately, the user role profile can be configured using the SCSM SDK. You may read Stefan’s post Customize Service Manager User Profiles by using SCSM SDK (and follow it to Marcel’s post to see the same in PowerShell) to learn how it works internally, but to actually use it you will need some dev skills.
A long time ago we created an SCSM console extension to configure the user role profile in the UI, and until today I was pretty sure that it had been published. But I was wrong, so better late than never. Let me introduce the User Profile Editor.
User Profile Editor
This tool is a single MPB add-on for Service Manager and supports all SCSM versions, from 2012 to 2019 (and I hope it will support any new versions). Once it is installed, you will see a new User Profiles folder in the Administration -> Security section, with a view for each profile:
You can change any user profile, but you can’t create a new user profile; this is simply not supported by the SCSM SDK. Also, you can’t change (remove or edit) OOB profiles (empty value in the Is Customized column).
So, what can you do with this tool? You can view existing OOB scopes and “just” create a new user profile scope (yes, I know, a bit confusing, but this is not the same as a user role’s scope). It doesn't sound like much, but it is actually very powerful, because with a user profile scope you can define create or edit permissions for:
- Classes
- Properties of a class (yes, you can allow changes to only some properties of the class)
- Relationships (including direction)
When you create a new user profile scope you see the following dialog:
Below you will find an explanation of each configuration parameter.
Operation
You can use the following operations: Object_Add (create a new instance), Object_Set (update) and Object_Delete (delete :) ). The End User profile has a limitation at the SDK level: it can’t use the Object_Delete operation, i.e. an End User can’t delete any instance or relationship.
Note: you must use the Object_Set operation for a relationship, because any change to a relationship is an update at the SDK level.
Class
Class is required: you must define the class even if you want to set a permission just for a relationship.
Property
Property is optional. If it is not set, the scope’s operation applies to all properties; if it is set, it applies only to the given property.
Relationship
If set, the scope defines the operation only for the relationship, not for the class.
Relationship Endpoint
You can restrict the direction (Source -> Target or Target -> Source) for the operation. For example, you may allow adding a configuration item as an affected CI to a work item, but not vice versa.
Examples
Now let’s look at some real examples.
Custom class
You have a custom class Company.SuperClass derived from System.Entity, so none of the existing profiles cover this class (except Administrator, of course, who can change everything). You want to give Analysts permission to create and change instances of this class, and End Users permission to change instances of this class. To implement this configuration you must use the following parameters:
Analyst profile, two scopes:
Scope to give permission to create instances:
- Operation: Object_Add
- Class: Company.SuperClass
- Property: Empty
- Relationship: Empty
- Relationship Endpoint: Any (untouched)
Scope to give permission to update instances:
- Operation: Object_Set
- Class: Company.SuperClass
- Property: Empty
- Relationship: Empty
- Relationship Endpoint: Any (untouched)
End User profile, one scope to give permission to update instances:
- Operation: Object_Set
- Class: Company.SuperClass
- Property: Empty
- Relationship: Empty
- Relationship Endpoint: Any (untouched)
Custom relationship
This is a much more common case, because you usually create custom classes based on existing low-level classes (Work Item, Config Item etc.) that are already covered by the default user profiles, but relationships are always new.
You have a custom class Company.PhoneDevice derived from System.ConfigItem and a relationship Company.UserOwnsPhoneDevice. You (usually) don't need to configure a user profile scope for Company.PhoneDevice because it is covered by the scope for System.ConfigItem. You want to give End Users permission for the new relationship, so that they will be able to use a custom portal to attach a phone device to their own account in SCSM. To implement this configuration you must create a scope for the End User profile:
- Operation: Object_Set
- Class: Company.PhoneDevice
- Property: Empty
- Relationship: Company.UserOwnsPhoneDevice
- Relationship Endpoint: Any (untouched)
itnetX PowerShell Activity
This is a real-life example from the itnetX PowerShell Activity (part of the Productivity Pack). This solution uses the custom class SCSMSolutions.PowerShellActivity.Script to store the PowerShell script text. This class is derived from System.Entity to ensure that only an Administrator can create or change a script. The SCSMSolutions.PowerShellActivity.Script instance is linked to the activity using the relationship SCSMSolutions.PowerShellActivityToScript. An activity with a linked script instance is used in the work item (SR or CR) template. If a regular user tries to create a request based on this template, they will get an error. To solve this problem we must create a custom user profile scope for End User. Because Relationship is set, this scope covers only the relationship, not the Script class itself:
- Operation: Object_Set
- Class: SCSMSolutions.PowerShellActivity.Script
- Property: Empty
- Relationship: SCSMSolutions.PowerShellActivityToScript
- Relationship Endpoint: Any (untouched)
Note: You don't need to do this manually for the solution, because the PowerShell Activity bundle contains a script that does the same.
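The constraints from the parameter descriptions above, applied to a list of planned scopes before they are entered in the editor. This is an added example, not part of the tool or the original post: Test-ProfileScope and the hashtable layout are hypothetical, it does not call the SCSM SDK, and the last two entries are constructed negative cases.

```powershell
# Added example: checks planned user profile scopes against the rules in this post.
# Pure data validation; it does not call the SCSM SDK or change anything.
function Test-ProfileScope {
    param(
        [Parameter(Mandatory)] [string]    $ProfileName,
        [Parameter(Mandatory)] [hashtable] $Scope
    )
    $valid = 'Object_Add', 'Object_Set', 'Object_Delete'
    # 'Empty' is how the post writes an unset field; treat it like a blank value.
    $isSet = { param($v) (-not [string]::IsNullOrWhiteSpace($v)) -and ($v -ne 'Empty') }

    if ($Scope.Operation -notin $valid) {
        "ERROR: unknown operation '$($Scope.Operation)'"
    }
    if (-not (& $isSet $Scope.Class)) {
        'ERROR: Class is required, even for a relationship-only scope'
    }
    if ((& $isSet $Scope.Relationship) -and ($Scope.Operation -ne 'Object_Set')) {
        'ERROR: relationship scopes must use Object_Set'
    }
    if (($ProfileName -eq 'End User') -and ($Scope.Operation -eq 'Object_Delete')) {
        'ERROR: the End User profile cannot use Object_Delete'
    }
    if (-not (& $isSet $Scope.Property) -and -not (& $isSet $Scope.Relationship)) {
        'REVIEW: no Property or Relationship set, so the operation covers every property of the class'
    }
}

$planned = @(
    # Taken from the examples in the post
    @{ Profile = 'Analyst';  Operation = 'Object_Add'; Class = 'Company.SuperClass';  Property = 'Empty'; Relationship = 'Empty' }
    @{ Profile = 'End User'; Operation = 'Object_Set'; Class = 'Company.PhoneDevice'; Property = 'Empty'; Relationship = 'Company.UserOwnsPhoneDevice' }
    # Constructed negative cases
    @{ Profile = 'End User'; Operation = 'Object_Delete'; Class = 'Company.SuperClass'; Property = 'Empty'; Relationship = 'Empty' }
    @{ Profile = 'Analyst';  Operation = 'Object_Add';    Class = 'Empty'; Relationship = 'Company.UserOwnsPhoneDevice' }
)

foreach ($s in $planned) {
    $findings = @(Test-ProfileScope -ProfileName $s.Profile -Scope $s)
    $result   = if ($findings.Count -eq 0) { 'OK' } else { $findings -join '; ' }
    [pscustomobject]@{
        Profile   = $s.Profile
        Operation = $s.Operation
        Class     = $s.Class
        Result    = $result
    }
}
```

The REVIEW line is not an error: it marks scopes such as the Company.SuperClass ones, where an empty Property means the grant applies to all properties of the class.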
Download
Now the most interesting part: the download link :) Please import itnetX.ProfileEditor.2016.mpb for SCSM 2016 or above, or itnetX.ProfileEditor.mpb for SCSM 2012 (but better to upgrade your SCSM installation, to be honest).