You are here:

Role Administration

Introduction to Role Administration

Roles provide access rights and views, they specify what an engineer is allowed to do or to see. Without a role, an engineer can log in to the system but cannot perform any actions. Only by being assigned one or more role(s) does an engineer obtain system permissions. For each task in a company using the system there should be a role which defines its permissions. Engineers fulfilling the task should have this role.

When engineers log in to the system, they will have all permissions from all roles they have been assigned. So all permissions are added! There is no way of explicitly preventing access to objects in ConSol CM - access can only be granted! The sum of all granted permissions defines the final permissions for the engineer.

Roles define:

Access permissions for one or more queue(s)
E.g. read, write, and append rights are granted. The permissions are valid for all tickets in the queue(s).
Global permissions
Several system-wide permissions are managed here, e.g., the rights concerning template management, workflow design, and system administration. Using the option Administrate access and roles, it is possible to define an administrator "light" who can manage CM engineers with their system access permissions but who cannot modify technical system-wide settings. This is explained in section Defining an Administrator for Role and Engineer Administration Only.
Access permissions for customer data
Read, write, modify, and delete permissions for each distinct customer group.
Access permissions for resource data
Read, write, modify, create permissions, assigned on the basis of resource types.
Views
To do lists of tickets which are displayed in the ticket list in the Web Client.
Engineer functions
Additional engineer functions which can be assigned to members of this role, e.g., approver.

Role Administration Using the Admin Tool

To open the Role Administration, open the navigation group Access and Roles in the Admin Tool and click the navigation item Roles. In the Role Administration, you see the list of all available roles on the left-hand side and the permissions which can be granted on the right-hand side. In the list of roles, all roles which have been set as main role for at least one engineer are marked with a red dot. You always work on the access permissions of the role which has been selected in the list of roles. Only one role can be selected at a time. On the right-hand side, several tabs are available. During role management you can switch between these tabs:

Tab Queue Permissions
Tab Global Permissions
Tab Customer Group Permissions
Tab Resource Types Permissions
Tab Views
Tab Engineer Functions

Figure 13: ConSol CM Admin Tool - Role administration: Queue permissions

All changes in the Role Management tabs take effect immediately or after clicking the OK button. You do not have to click the Synchronize button in the icon bar.

In the Web Client, engineers have to log in again to use their new roles. Views become effective after pressing F5 (page refresh).

Create a Role

Click the Add button below the role list to create a new role. A pop-up window appears where you can enter the role name. Since the role name is used only for admin purposes and not displayed in the Web Client, no localization is required here. Afterwards you have to set the permissions of this role using the tabs on the right side of the page (see also the preceding picture).

Tab Queue Permissions

The permissions set in this tab apply to the selected role (left part of page) and the selected queue (center part of page). Without an entry here, an engineer with this role is not able to see tickets nor to perform any actions in the system.

Figure 14: ConSol CM Admin Tool - Role administration: Setting queue permissions

The following permissions can be set:

Read
Read tickets.
Write
Edit data fields (default fields, Custom Fields, etc.) of a ticket. The fields might be located in the ticket header section or in the group section.
Append
Add information to a ticket (comments, e-mails, attachments, time booking entries), i.e. add content in the ticket history.
Act
Execute workflow activities, i.e. move the ticket forward in the workflow.
Assign
Assign tickets to another engineer. The permission to assign a ticket to oneself and to accept a ticket is not relevant in this context.
The engineer who should receive the ticket has to have at least one role with the Get assigned permission!
Refer
Assign an additional engineer (with engineer function, see Tab Engineer Functions) for a ticket.
Change queue
Move a ticket from this queue to another queue.
An engineer who has at least one role with this permission can see the drop-down menu Queue (in the ticket head) and can select a new queue. (For other engineers, this is a read-only field.) To change the queue, no further permissions in the target queue are required. Only if the engineer should have access to the ticket in the target queue, the respective permissions have to be granted (i.e., a suitable role has to be assigned to this engineer).
Figure 15: ConSol CM Web Client - Drop-down menu for queue change
It depends on the workflow of the target queue where the processing of the ticket will continue:
- If the source queue and the target queue have the same workflow, the ticket will start its processing in the target queue at the original position (i.e., its last position in the source queue).
- If the source queue and the target queue have different workflows, the ticket will start the process in the target queue at the START node.
Be very careful when granting the Change queue permission!!! Usually it is not required. On the contrary, it can destroy your process chain definition where tickets are passed from one process to another using process/workflow components, namely the Jump-in and Jump-out nodes.
This permission should only be granted if it is absolutely necessary and when all side-effects have been considered thoroughly!

You can define for which range of tickets the permissions are valid:

Mine
Own tickets.
Ref
Tickets to which the engineer is assigned as an additional engineer (with engineer function, see Tab Engineer Functions).
None
Tickets without assigned engineer.
Other
Tickets assigned to other engineers.

Click the corresponding checkbox to assign one or more permissions for the desired ticket range.

Two general permissions can also be set:

Create
An engineer is allowed to create tickets in this queue.
Get assigned
Other engineers can assign tickets to an engineer who has a role with this permission (if the other engineers have the Assign permission!)
An engineer can receive tickets by ticket transfer which is performed using the Admin Tool.

If you want to select all permissions simultaneously just click the Select all button below the list. Clicking Deselect all removes all selections.

Tab Global Permissions

Global permissions are general and queue-independent rights for a role. Setting these permissions is optional.

Figure 16: ConSol CM Admin Tool - Role administration: Global permissions

You can specify the following:

Global Permissions
- Administrate
  Provides administrator access to the system, this applies to the Admin Tool, the Process Designer, and admin access to the Web Client.
Workflow Permissions
Provides permissions concerning workflow design and management. These are
- Read
- Write (modify and store)
- Deploy (install and put in operation).
Template Permissions
- Write Template provides the permission
  - to use the Text Template Manager, which is used to create and edit e-mail and comment templates. See section The ConSol CM Text Template Manager for details.
  - to use the Document Template Manager, which is required to define templates for CM.Doc. Only available if CM.Doc is active in the CM system.
Representation Permissions
- Configure representation
  If this permission is set, engineers with this role can configure themselves as a representation for other engineers, e.g., who are ill and have not defined other engineers to represent them resp. if the defined engineers are not available at the moment. On the Web Client the engineers that can be represented by an engineer with this permission are shown in a list within the engineer profile.
Important information about representation configurations
In case a representation rule has been configured by an engineer (see ConSol CM User Manual for details), all e-mails which are sent by CM are sent to the original recipient and their current representative. Please keep this in mind when you configure the representation permissions in the Admin Tool and inform your CM users (engineers) about this behavior! It might lead to unwanted effects, especially when persons are registered as engineers and as contacts in the ConSol CM system (e.g. for an internal help desk).
Track User Permissions
- Access tickets of the own company
  Users with this permission are allowed to access not only their own tickets in CM.Track, but all tickets of the company they belong to. This permission makes only sense for roles that define access rights of CM.Track users/user profiles, not for single users.

Tab Customer Group Permissions

In order to let engineers work with customer data from one or more customer groups, e.g. to edit reseller data sets or to create new contact data within the customer group, you have to grant access permissions concerning the customer group(s) to one or more roles.

Figure 17: ConSol CM Admin Tool - Assigning permissions for customer groups to a role

A concept which has proven very useful in various customer environments is the set-up of specific roles for customer data management. For example, there could be a role CustomerManager_CustomerGroup1 and another role CustomerManager_CustomerGroup2. You can even differentiate between CustomerManager_CustomerGroup1_full and CustomerManager_CustomerGroup1 _light. In this way, you can use the assignment of the customer manager roles as a toggle and you do not mix up queue access permissions and customer management permissions. This can be very helpful in case you have a heterogeneous team in which not everyone is allowed to edit the complete customer data.

However, do not forget to grant read permissions to customer data of the required customer groups to all engineers of the respective queues! Otherwise, they cannot open their tickets at all!

The access rights which can be granted have been extended in CM version 6.9.1, compared to previous ConSol CM versions. New rights have been added which apply to a new section of the customer page. The contact page, as well as the company page in the Web Client, have a new Additional Details section.

Figure 18: ConSol CM Web Client - Details section of a contact page

The following access permissions can be granted:

Customer type
Refers to the tickets of the customer.
- Own
  All (main or additional) customers of tickets which are currently assigned to the engineer or where the engineer is set as additional engineer.
- All
  All customers.
General sections
- Read
  Read the customer data.
- Write
  Write/modify the customer data, and change the company of a contact on the contact page using the Change link.
- Delete
  - Delete a customer data set.
  - Transfer all tickets associated with a customer of this customer group to another customer.
- Act
  Execute actions for this customer (see section Action Framework - Customer Actions for details about customer actions).
- Deactivate/activate
  - Deactivate and (re-)activate the contact or company. It is not possible to create tickets for a deactivated customer.
  - Transfer all tickets associated with a customer of this customer group to another customer.
Information concerning transfer permissions for tickets and resources
Please note that:
- in CM versions previous to 6.9.4.1, the permission Transfer tickets was not restricted.
- in CM versions 6.9.4.1 up to 6.10.4.3, the permission Transfer tickets was linked to the permission Delete (customer data).
- starting with CM version 6.10.4.4, the permission Transfer tickets is linked to the permission Delete (customer data) as well as to the permission Deactivate/activate (customer data).
Details section
- Details read
  Read customer data in the Additional Details section.
- Details write
  Write/modify customer data in the Additional Details section.
- Details delete
  Delete customer data in the Additional Details section.
General
- Create
  Create a customer data set. In a two-level customer data model this refers to contact as well as to company data sets.

Please keep in mind that an engineer must have at least read permissions for a customer group to open and/or create tickets for customers in this group!

Tab Resource Types Permissions

Resource Types permissions control an engineer's access to resources, i.e., objects which are stored in the Resource Pool.

Figure 19: ConSol CM Admin Tool - Resource types permissions

The following permissions can be granted:

Read
Load and display resources of the selected type in the Web Client.
Write
Change Custom Field data of this type of resources.
Delete
Delete resources of the respective type from CM.
Act
Execute resource actions defined for this type of resources.
Deactivate/Activate
(De-) Activate resources of the selected type.
Details read
Load and display comments/attachments for resources of this type.
Details write
Add and change comments/attachments for resources of this type.
Details delete
Remove comments and attachments for resources of this type.
Create
Create new resource entries for the type of resources.

Tab Views

Views define which tickets engineers will see in the ticket list of the Web Client. This tab shows the assigned views on the left and the available views on the right (see also View Administration). The displayed views can be filtered by name and queue. Assigning views is optional.

We recommend to assign at least one view to a role. Otherwise an engineer with this role will see no tickets in the Web Client's ticket list.

Figure 20: ConSol CM Admin Tool - Role administration: Views

Select a role on the left side of the page first and then the desired view(s) in the list of available views. Click the Assign button to move the selected view(s) to the list of role views. If you want to remove views from this list, select the respective views and click the Unassign button.

For regular roles, you cannot define the order of the views here. In the drop-down menu of the Web Client, the views will always be displayed in the order they have in the list of the view administration. Please see also section View Administration. When a role has been marked as main role for at least one engineer (and is thus marked with a red dot), the views can be sorted using the Move upwards and Move downwards buttons.

Tab Engineer Functions

On this tab you can assign engineer functions to a role. Engineer functions are used if you need an additional engineer for a ticket, e.g., a supervisor who has to decide what to do before the ticket can be moved on in the workflow. Thus you have to assign a role with the respective engineer function to this supervisor. In the Web Client engineer functions and associated engineers are shown when assigning an additional engineer.

Figure 21: ConSol CM Admin Tool - Role administration: Engineer functions

Select a role on the left side of the page and then the desired engineer function(s) in the list of available functions. Click the Assign button to move the selected function(s) to the list of role functions. If you want to remove functions from this list, select the respective function(s) and click the Unassign button.

After you have defined the new role by setting permissions, views, and engineer functions in the tabs you can assign the role to the desired engineer accounts. Engineers obtain the rights of a role immediately after assignment (without an additional update of the system).

Delete a Role

Select the role you want to delete and click the Delete button below the role list. If you choose Yes in the following confirmation dialog, the role is removed from the list and the system.

If you delete a role, please consider that engineers with only this role will immediately lose all permissions in the system.

In case tickets, e.g., from a certain queue, are not covered by any role permission, engineers and/or administrators could get the impression that tickets are missing.

Copy a Role

If you want to create a new role and use an existing role as a template you can copy it. Select the existing role and click the Copy button below the role list. A pop-up window appears in which you can enter the name for the copy. Afterwards you can modify the copy according to your wishes.

Edit a Role

Select the role you want to edit in the list and modify the permissions in the respective tabs as desired. The changes are immediately effective for engineers with this role. The engineer just has to login again.

Defining an Administrator for Role and Engineer Administration Only

Sometimes it can be necessary to define an administrator who does not have full system access but who is only allowed to manage engineers and roles. This can be used, for example, for a team manager who is allowed to create new CM engineers for new employees in his team or for a key user in a team who should be able to grant or retrieve permissions of CM engineers in a certain department.

In order to define this Administrator "light", create a new role with the global permission Administrate access and roles. Create a new engineer (admin_light in our example) and assign this role.

Figure 22: ConSol CM Admin Tool - Definition of an administrator role for Access and Roles

For the "Administrator light", the navigation item Access and Roles is available. However, the tab Global Permissions of this item is not available (so the admin_light cannot extend his own permissions!).

Figure 23: ConSol CM Admin Tool - View for an administrator "light"