Documentation forSolarWinds Service Desk

Roles & permissions

On this page

Introduction

Each individual using SolarWinds Service Desk is assigned a role to identify their specific access within the application. Depending on the role assigned to them, users can navigate to specific areas within SWSD, in addition to being assigned permissions and/or restrictions. The permissions/restrictions provide an added level of control for administrators to manage users within your organization.

Navigation

Setup > Account > Roles & Permissions.

Before you begin

Before beginning any work in the Roles & Permissions module, it is important to understand the different types of roles available and the permissions granted those roles.

Role types

The Roles screen displays and outlines the permissions and restrictions for each role, the action the role can perform, the areas of SWSD where the actions can be performed, and the scope for each.

There are four main role types in SWSD:

  • Administrator (license required)
  • Service Agent User (license required)
  • Service Task User (license NOT required)
  • Requester (license NOT required)

While each role's out-of-the-box visibility is beneficial, administrators can leverage permissions and restrictions to build custom roles to align with your organizational needs. This can be accomplished using click-drag-drop actions, and by scoping based on your organizational attributes (for example, site, department, and category). Leveraging permissions and restrictions, you can scope roles on a granular level to silo user accessibility and visibility to data.

Administrator role

The Administrator role exhibits the highest level of access to the application. All users assigned as administrators have complete access to all areas of the setup. They can delete items (for example, assets, knowledge articles, service requests, and incidents) unless restrictions have been placed on the specific user.

Administrators can grant Agent roles specific permissions to:

  • Objects: audits, incidents, problems, reports, etc.

  • Setup areas (defined by menu blocks): Account, Users & Groups, Integrations, Global Settings, Service Desk settings, CMDB, Discovery & Assets, and Labs.

By granting permissions to Agent Roles, an administrator can delegate ongoing setup activities such as workflows, automations, and notification setup for specific agents.

The Administrator role is a licensed role and counts toward the number of licenses your organization purchased.

By clicking the View Users button in the upper right, you can see a list of the users who are assigned the Administrator role.

The Administrator role is the only role that can enable APIs within workflow processes on your SWSD(backend and frontend). Each administrator who needs to enable APIs must use token based authentication. See Token authentication for API integration for more information.

Service Agent User role

The Service Agent User role is one level below an administrator. This role is allocated for technicians, giving them access to the system in order to work on incidents or manage assets. Service Agent Users cannot access the setup menu. They also cannot delete anything, and they cannot manage benchmarks.

Using the buttons in the upper right, you can:

  • View Users. View All Users index page with the ability to edit and filter the roles you wish to include in your view.
  • Clone Role. Allows you to create new roles while maintaining the same description and user license type of existing roles.
  • Restore to Default. IMPORTANT: when you elect to restore to default, the action CANNOT be undone.
  • Add Permissions.
    • Define the Action allowed such as: Manage, Read, or Create.
    • Define the Subject within objects and setup. This allows the Service Task User to have access to some or all the setup actions in the setup menu.
    • Define the scope (who can perform the action).

By hovering over a row, you can use the three buttons to the right of that row to:

  • Add Restriction. Define a new restriction.
  • Edit. Click the pencil icon to edit the existing restriction.
  • Delete. Click the trash can icon to delete the selected restriction.

The Service Agent User role is a licensed role and count toward the number of licenses you purchased.

Service Task User role

Users in this role have access to the service portal, allowing them to submit incident and requests and view knowledge base articles. The Service Task User role is considered an elevated requester, and therefore can be assigned tasks and provide approvals. From the service portal, service task users can manage their pending tasks and approvals from the My Tasks Menu or from their email.

Using the buttons in the upper right, you can:

  • View Users. View All Users index page with the ability to edit and filter the roles you wish to include in your view.
  • Clone Role. Allows you to create new roles while maintaining the same description and user license type of existing roles.
  • Restore to Default. IMPORTANT: when you elect to restore to default, the action CANNOT be undone.
  • Add Permissions.
    • Define the Action allowed such as: Manage, Read, or Create.
    • Define the Subject within objects and setup. This allows the Service Task User to have access to some or all the setup actions in the setup menu.

By hovering over a row, you can use the three buttons to the right of that row to:

  • Add Restriction. Define a new restriction.
  • Edit. Click the pencil icon to edit the existing restriction.
  • Delete. Click the trash can icon to delete the selected restriction.
If the Service Task User role (STU) has Changes - Create permission and not Changes - Read permission, STUs might be able to create but not see the change ticket, even if it is a ticket they submitted.

The Service Task User role is a non licensed role.

Requester

The Requester role is for service portal access only. Users in this role can use the portal to submit incidents, and service requests and view knowledge base articles. Requesters can also carry on ongoing correspondence using My Requests from the portal.

Using the buttons in the upper right, you can:

  • View Users. View All Users index page with the ability to edit and filter the roles you wish to include in your view.
  • Clone Role. Allows you to create new roles while maintaining the same description and user license type of existing roles.
  • Restore to Default. IMPORTANT: when you elect to restore to default, the action CANNOT be undone.
  • Add Permissions.
    • Define the Action allowed such as: Manage, Read, or Create.
    • Define the Subject within objects and setup. This allows the Service Task User to have access to some or all the setup actions in the setup menu.

By hovering over a row, you can use the three buttons to the right of that row to:

  • Add Restriction. Define a new restriction.
  • Edit. Click the pencil icon to edit the existing restriction.
  • Delete. Click the trash can icon to delete the selected restriction.

The Requester role is a non licensed role.

Individuals with a Requester role cannot be assigned tasks or approvals.  If someone with the Requester role needs to attend to tasks or approvals, their role must first be changed to Service Task User.

Permissions and restrictions

In SWSD, permissions and restrictions allocated to a role denote and differentiate user groups and their access within the application.

To help you better understand, see Permissions in change management. It provides some best practice information around assigning permissions for individuals involved in the Change Management Lifecycle.

Roles should always be built from the top down with permissions granted and then, by way of restrictions, taken away per subject or scope.  Keep in mind, permissions and restrictions are dynamic and can be changed as necessary. 

Several articles listed below will guide you in the setup of roles and permissions. In addition, there are some examples for building roles for departments other than IT, such as Facilities, Human Resources, and Marketing.

Understand terminology related to roles and permissions

It is important to understand the following terms so you can better define the roles in your organization:

  • Users. Users can only be linked to a single Role at a time.

  • Roles. Describes license type and can include 1 or more permissions and restrictions.

  • Permissions and Restrictions:

    • Permissions determine the scope of what data users can access, how they can interact with the data and what actions they can take in the platform.

    • Restrictions help to silo and remove visibility to data while helping to limit actions for users.

  • Actions. All the available actions that can be given or restricted to users. The baseline actions include:

    • Create. Allows user to create content.

    • Read. Allows user to consume data.

    • Update. Allows user to make changes to existing content.

    • Delete - Allows user to remove data from the system.

    • Manage. Allows user to perform all actions.

      When Read or Manage restrictions are assigned to a role, selecting certain restrictions, will remove visibility of specific sections. For example, removal of the Asset modules from view of specific users.
  • Subject. Encompasses the module of the platform that a permission or restriction is allocated to. Subject includes:

    • Areas in the service desk (ex: incidents, problems, changes)
    • Inventory (ex: computers, other assets)
    • Procurement
  • Scopes. Where granular visibility can be allotted or removed.

    You can have multiple scopes for each permission and restriction.
    Subject matter includes, but is not limited to:
    • Site
    • Department
    • Requester
    • Assignee
    • CC’d On
    • @mentioned in
    • Category
    • Subcategory
    • Buyer (Purchase Order)
    • Supervisor (Users)
    • State (Service Catalog/Solution).

User visibility and access

As an administrator, you control and configure each user’s visibility, access, and restrictions to data as it is relevant to their day-to-day operations.

In the image below you can see the Permission/Restriction List on the right.  It describes the layers of permissions and restrictions that determine each user's access.

For example:

  • A user in New York has access to the HR files however the user in the London office does not.

  • The New York and Netanya offices cannot access the IT data however the London office does have this access.

The creation or alteration of roles in SWSD is dynamic, and can be adjusted as necessary. In addition to allocating permissions and restrictions, further actions can be taken from the Roles section:

  • Create additional role types (for example, a facilities service agent user or an asset manager)
  • View users
  • Clone roles
  • Restore to default

New roles

Below are some examples of roles that can be created to suit a variety of organizational needs. Notice the different types and actions used in each role.

When defining the scope of any role, notice the difference between creating multiple rows for permission and restrictions (referred to as OR logic) as opposed to placing multiple permissions and restrictions in the same row (AND logic).

Read Only access

Human Resource Service Desk User access

Facilities Service Desk User access

Asset Management Agent access

Vendor access

Each role type is listed separately in an informational table

Options

From the Roles screen, using the buttons to the right of each role you can see the number of users assigned to the role and view a list of those users. You can also clone a role, restore the settings to default, and add permissions.

By hovering over a specific permission or restriction type for a role, you can add restrictions, edit restrictions, or delete restrictions.

Create a new role

  1. Navigate to Setup > Account > Roles & Permissions.

  2. Click New Role in the upper right.

  3. In the Create Role dialog, add the name of the new role and a short description, then select the user license type from the dropdown menu.

  4. Click Create Role to save.

Related topics