How To: Asset Management Environment Permissions - Master User Role

Overview

The Cireson Asset Management solution utilizes client information discovered by System Center Configuration Manager (ConfigMgr) to populate, maintain, update and delete Configuration Items (CI’s) and properties of CI’s within SCSM. To ensure that the client information is both available and accurate, there are several items within ConfigMgr that must be configured correctly to operate. 

This section describes each component of ConfigMgr that is required, how it is used, how to enable and\or configure it, and how to verify that valid data is being collected. System Center Service Manager (SCSM) restricts access to features based on a Role Based Access Control method. Within SCSM administrators can create a user role profile based on business requirements and job roles. 

A role is a specific unique collection of access rights that is usually aligned to the business responsibilities of a group of employees. Each user role profile controls access to work items, authoring, administration, and other credentials.

Related Articles

KB2519 - Reference: Asset Management

KB2520 - User Guide: Installing Asset Management

KB2521 - User Guide: Configuring Asset Management

KB2522 - How To: Asset Management Environment Permissions - Master User Role

KB2523 - User Guide: Asset Management Lists

KB2526 - User Guide: Upgrading Asset Management

KB2527 - User Guide: Optimizing Asset Management Intelligence

KB2528 - How To: Configuring Software Metering in Configuration Manager

KB2531 - How To: Configuring User Device Affinity in Configuration Manager

KB19 - Install: Asset Excel

KB2533 - User Guide: Configuring and Using Asset Excel

Determine Required Roles

When determining who within an organization requires access to creating, editing or viewing items within Cireson Asset Management, there are several decisions that must be made about the nature of the users, or group, role(s). 

1. Who is going to be editing and creating assets?
2. How many roles does the organization need?
3. Does the Asset Manager need access to the Asset Management related library lists and Cireson Asset Import Connector? 
   

NOTE: If access to all Asset Management tasks and views are going to be allowed, except the Create task, this can be controlled from the Asset Management setting sand there is no need for custom roles to be created. 

The number of roles required is unique to each organization and their requirements. Most organizations will have at least one role that is responsible for asset management and will therefore only have a single role that will have access to create and edit Asset CI’s. 
Other examples might be an organization that requires two different roles. One for Desktop or end user computer Assets and another for Server or Infrastructure assets. 
To assist in creating user roles, ensure the user roles are sufficiently planned and documented before being created. 

Cireson Best Practice: Create the fewest number of roles required for the organizations requirements. This reduces administration overhead and complexity. 
Restrict access to the Asset Import connector and enumeration lists to a limited number of employees to reduce the likelihood of unwanted updates or system wide mistakes being made. 

Create Master Asset Manager Role

Creating a Master Asset Manager Role enables SCSM administrators create new delegate roles based on this master, removing access to key functions, views, tasks, etc. as appropriate. 

To create a Master Asset Manager Role: 

1. On a SCSM console, navigate to the Administration workspace.
2. Select the User Roles view under the Security view.
3. Click Create User Role in the tasks pane or right click the User Roles node and select Create User Role.
4. Select Incident Resolver from the drop-down list of base user roles to choose from. 
   

   

   
   
5. The Create User Role wizard will display on the screen. Click Next to continue 
6. Enter a name for the Master Asset Management Role and enter a description to assist with future administration then click Next 
7. Select all available management packs by selecting the Select All check box in the bottom right of the screen then click Next 
8. Select the option marked Provide access to only the selected queues, ensure none of the queues are selected and click Next 

   

   
   
9. Ensure the option marked All configuration items can be accessed is selected then click Next 
10. Select the option marked Provide access to only the selected groups, ensure none of the groups are selected and click Next 
11. Select the option marked Provide access to only the selected tasks
    1. Sort the list of tasks by management pack by clicking the heading of the management pack column
    2. Select all the tasks contained in the Cireson Asset Management Pack
    3. Select the Refresh task from the Service Manager Console Management Pack
    4. Select the Edit task from the Service Manager Library Management pack

       

12. Click Next 
13. Select the option marked Provide access to only the selected views
    1. Sort the list of views by management pack by clicking the heading of the management pack column
    2. Select all the views contained in the Cireson Asset Management Pack
    3. From the Service Manager Configuration Management Configuration Library Management Pack select the following views:
       • All Printers
       • All Software
       • All Software Updates
       • All Windows Computers
    4. From the Service Manager Configuration Management Library Management Pack select the Users view
       

       

14. Click Next 
15. Select the option marked Provide access to only the selected forms, ensure none of the forms are selected and click Next 
16. Click the Add button. NOTE: If no users will have access to all Asset Management features, do not add any groups to this role. Roles based on this master role will contain members. 
17. Search for and select each of the user groups that will be a member of this role
18. Click OK to add the groups to the role, then click Next 
19. Verify that all the role selections are correct and click Create to complete the creation of the new master role 
    

    

    
    
20. Once the new role has been successfully created, click Close

Set Permissions for Master Asset Manager Role

Once the Master Asset Manager role has been created the role must be granted permissions over the Asset Management CI’s within the database. If these permissions are not set correctly the users will receive an error when trying to create or edit any asset management related form. 

If Analysts will be creating / editing items within the Asset Management app, and these analysts are not a part of Security Roles based upon the default roles of “Administrators” or “Advance Operators”, you must alter the relevant roles with the Asset Management Set Permissions application.  

As an example, if you add Analysts to the “Incident Resolver” default role or create a new Security Role based upon the “Incident Resolver” default role Analysts in this role will not be able to create / edit items with the Asset Management app.  

If you would like to give permissions for any Analyst that is part of a Security group based upon the “Incident Resolver” role, or any other default role, to create / edit items within the Asset Management app perform the following steps: 

1. Within windows explorer, navigate to the download location of the Cireson Asset Management app. 
2. Execute the application named Cireson.AssetManagement.Permissions.exe with an account that is a member of the SCSM administrators role 
   

Select / populate the following fields within the “Set Asset Management Permissions” settings:

• SQL Server. Server where the Service Manager DB is located
• Username (“SQL Authentication” only). SQL Username for Write access to Service Manager DB.
• Password ( “SQL Authentication” only). SQL Password
• Database. Database name for Service Manager. (Default: ServiceManager)
• Test. Tests authentication to the Server and DB
• Profile. Select the profile you would like to alter and allow for Analysts that are part of a Security Role based upon this profile to create / edit Assets within the Asset Management app
• Remove User and Device shared permissions Select the check box to remove existing permissions on Users and Devices for the selected profile 

Click Set Permissions to set the permissions to the selected profile
OR
Click Remove Permissions to remove the permissions from the selected profile 

Close the Cireson Asset Management Permissions tool.