When a user tries to create a service request or incident from a request offering, the user may see an error that looks like this:
This usually happens because the user does not have permission to create the request, given the data the user entered in the request offering form, the data specified in the template, and the permissions granted by the user roles the user is a member of in Service Manager.
For the service request or incident to be created, the user must have permission to create every object defined in the template and any objects it contains: activities, action log comments, reviewers, file attachments, and so on. The user must also have permission to create the relationships between those objects, such as the reviewer -> user relationship. Object and relationship creation can fail for many reasons, but the reviewer -> user relationship is one of the most common causes.
Out of the box, Service Manager does not allow a user whose only user role membership is a role based on the End User profile to create the reviewer -> user relationship. End users can create the service request -> review activity -> reviewer relationships, but they cannot create the reviewer -> user relationship. So if the request offering is based on a template that contains a review activity whose reviewer objects point to users, users who are only in an End User role will not be able to create the incident or service request.
To work around this limitation, you can grant end users this permission by slightly expanding their overall scope of permissions.
This is done by creating a new user role as follows:
- Open the Service Manager console as a Service Manager administrator.
- Navigate to the Administration\Security\User Roles view.
- Click the Create User Role -> Advanced Operator task in the task pane.
- Click Next on the Before You Begin page in the wizard (if it is shown).
- Enter a name for the user role such as ‘Limited Advanced Operator User Role for End Users’ and optionally enter a description and then click Next.
- Check the Select All checkbox and click Next.
- Select the ‘Provide access only to the selected queues’ radio button and do not check any of the queue checkboxes. This will ensure that the end users do not get access to edit any work items outside of their normal scope as an end user.
- Click Next.
- Select the ‘Provide access only to the selected groups’ radio button and check only the ‘Global users instance group’ checkbox. This will ensure that users are able to create reviewer -> user relationships to any user in the Service Manager database, but does not expand their ability to view/edit any configuration items outside of their normal scope as an end user. You can optionally create groups of users and assign them to different end users if you don’t want to use a global group that contains all users. Click Next.
Note: Selecting this group allows the users in this user role to edit any user object in the system, with two important caveats:
- Users in this user role will only be able to edit users through the SDK (using PowerShell for example) but not through the Cireson Portal or the SCSM console.
- Any change to a user object in SCSM will be overwritten by the AD connector the next time the AD connector runs. AD is the authority.
The remaining wizard pages control access to catalog groups, tasks, views and forms; keep each one as restrictive as the steps below describe:
- Select the ‘Provide access to only the selected groups’ radio button and do not check any of the service catalog group checkboxes. This will ensure that the end users do not get access to any request offerings outside of their normal scope as an end user. Click Next.
- Select the ‘Provide access to only the selected tasks’ radio button and click Next.
- Select the ‘Provide access to only the selected views’ radio button and click Next.
- Leave the ‘All forms can be accessed’ radio button selected and click Next.
- Add the appropriate users or groups to this role. For simplicity you can add the ‘Authenticated Users’ system group. Click Next.
- Click Create.
Note: You should continue to either include users in the out of the box End Users user role or create your own Custom End User user roles that are scoped to different catalog groups. The Cireson team will be contacting Microsoft to see if there is a better solution for this problem. The out of the box portal from Microsoft apparently uses an internal connection to the database to create these service requests and incidents which bypasses the normal security model while still creating the work items as the logged in user.
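The following PowerShell script is an added example (not part of the original article or the Cireson product) for checking the reviewer -> user problem described above and confirming that the new user role fixes it. It runs the same relationship creation the portal performs, but directly through the SDK via SMLets, first listing the roles an account is in as the administrator and then attempting to create the System.ReviewerIsUser relationship as a test end user. The server name, credential, review activity ID and target user name are assumptions; the class and relationship names (System.WorkItem.Activity.ReviewActivity, System.Domain.User, System.ReviewActivityHasReviewer, System.ReviewerIsUser) are the out-of-box Service Manager names. Run it once before creating the role (expect DENIED) and once after (expect OK).

```powershell
# Added example, not from the original article. Probe whether an end-user account
# can create the reviewer -> user relationship, using SMLets against the SDK.
# Assumptions: SMLets is installed; $Server is the SCSM management server; the
# current session is a Service Manager administrator; $UserCred is a test end
# user; $ReviewActivityId is a review activity that already has a reviewer
# (e.g. one created by an admin from the same template); $TargetUser is the
# sAMAccountName of the AD user the reviewer should point to.
Import-Module SMLets

$Server           = 'scsm01'                               # assumption
$UserCred         = Get-Credential 'CONTOSO\enduser1'      # assumption: test end user
$ReviewActivityId = 'RA1234'                               # assumption
$TargetUser       = 'enduser2'                             # assumption

$asAdmin   = @{ ComputerName = $Server }                   # current admin session
$asEndUser = @{ ComputerName = $Server; Credential = $UserCred }

# 1. As the admin, list the user roles the account is named in directly.
#    AD group membership is not expanded here, so a user who is in a role only
#    through a group (e.g. Authenticated Users) will not be listed.
Write-Host "User roles that list $($UserCred.UserName) directly:"
Get-SCSMUserRole @asAdmin |
    Where-Object { $_.Users -contains $UserCred.UserName } |
    Select-Object Name, @{ n = 'Profile'; e = { $_.Profile.Name } } |
    Format-Table -AutoSize

# 2. As the end user, resolve the classes and relationships involved.
$raClass   = Get-SCSMClass -Name 'System.WorkItem.Activity.ReviewActivity$' @asEndUser
$userClass = Get-SCSMClass -Name 'System.Domain.User$' @asEndUser
$raHasRev  = Get-SCSMRelationshipClass -Name 'System.ReviewActivityHasReviewer$' @asEndUser
$revIsUser = Get-SCSMRelationshipClass -Name 'System.ReviewerIsUser$' @asEndUser

$ra = Get-SCSMObject -Class $raClass -Filter "Id -eq '$ReviewActivityId'" @asEndUser
if (-not $ra) { throw "Review activity $ReviewActivityId is not visible to $($UserCred.UserName)" }

# Review activity -> reviewer is within an end user's normal scope, so this
# should return the reviewer(s) on the activity.
$reviewer = Get-SCSMRelatedObject -SMObject $ra -Relationship $raHasRev @asEndUser |
    Select-Object -First 1
if (-not $reviewer) { throw "No reviewer found on $ReviewActivityId" }

$user = Get-SCSMObject -Class $userClass -Filter "UserName -eq '$TargetUser'" @asEndUser
if (-not $user) { throw "User $TargetUser is not visible to $($UserCred.UserName)" }

# 3. The actual probe: create reviewer -> user as the end user. With only an
#    End User role this is rejected by the SDK (an UnauthorizedAccess
#    exception); with the limited Advanced Operator role in place it succeeds.
try {
    $rel = New-SCSMRelationshipObject -Relationship $revIsUser -Source $reviewer `
               -Target $user -Bulk -PassThru @asEndUser
    Write-Host "OK: $($UserCred.UserName) can create System.ReviewerIsUser"
    # Remove the test relationship so the activity is left as it was found.
    Remove-SCSMRelationshipObject -SMObject $rel @asEndUser
}
catch {
    Write-Host "DENIED: $($UserCred.UserName) cannot create System.ReviewerIsUser"
    Write-Host "  $($_.Exception.GetType().Name): $($_.Exception.Message)"
}
```

Because the role created in the steps above scopes configuration items to the Global users instance group, the script's final step should succeed for any user in the database, while Get-SCSMObject on work items outside the end user's own scope will still fail, which is the intended boundary of the workaround.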