How To: Troubleshoot User Access Issues in Cireson Portal

Introduction

This article describes a variety of techniques that can be used to troubleshoot user access to objects in the Cireson Portal.

Checking Access to Objects in the ServiceManagement Database

Work items, configuration items, and service catalog content are cached in the ServiceManagement database.  Users' permissions to these objects are recalculated continuously by the Cache Builder so that the ServiceManagement database closely mirrors the permissions each user has to the same objects in Service Manager.

In v3 and later of the Cireson Portal there are two stored procedures which can be used to check a user's access to an object:

  • spCheck_UserWorkItemPermissions - checks whether a user has permissions to a given work item.  This stored procedure takes two parameters: username and work item ID (e.g. IR1234).
  • spCheck_UserRequestOfferingPermissions - checks whether a user has permissions to a given request offering.  This stored procedure takes two parameters: username and request offering GUID.

Usage examples:

EXEC spCheck_UserWorkItemPermissions 'travis','SR33'

EXEC spCheck_UserRequestOfferingPermissions 'travis','92D18C8A-0239-8C28-CFD6-913852D08B54'

To look up a request offering ID you can use a query like this (titles are not guaranteed to be unique, so if more than one row comes back check which offering you mean before running the stored procedure):

SELECT Id FROM RequestOffering WHERE Title='Backup Database'

These stored procedures will test whether or not a user has access to a given object in the ServiceManagement database (not Service Manager!).  The output will look like this:

[Screenshot: output of spCheck_UserRequestOfferingPermissions]

[Screenshot: output of spCheck_UserWorkItemPermissions]

If the user doesn't have access to an object, the stored procedure will suggest groups which the user could be added to in order to get permissions to that object.

If a user is a member of an "unscoped" user role in SCSM, the user will have unscoped access (i.e. access to all objects of that type) in ServiceManagement too.  For example, if a user is a member of a user role that has "all queues" in its scope, this is considered an unscoped work item user role and the user will have access to all work items in ServiceManagement.  The same logic applies to a user that is a member of a user role that has access to "all configuration item groups" or "all service catalog groups".

The following query will show whether or not a user is scoped or unscoped for each type of object:

SELECT U.UserName, SU.IsConfigItemScoped, SU.IsWorkItemScoped, SU.IsServiceCatalogScoped
FROM ScopedUser SU
INNER JOIN CI$User U ON SU.UserId=U.Id
WHERE U.UserName='travis'

Example results:

[Screenshot: query results]

0 means that the user is not scoped (unscoped access to all objects of that type).  1 means that the user is scoped by something - a queue for work items, a group for configuration items, or a service catalog group for service catalog content.
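The following script is an added example, not part of this article or of Cireson's product code.  It runs the ServiceManagement checks described above (the two stored procedures, the request offering lookup, and the ScopedUser query) from PowerShell using parameterised SQL, so the user name, work item ID and offering title are never spliced into the query text.  It handles the case where several request offerings share a title, and it flags any object type for which the user is unscoped.  The SQL Server name (SCSMSQL01) and the sample user, work item and offering values are assumptions; Windows integrated access to the ServiceManagement database is assumed as well.

```powershell
# Added example (not Cireson's own code): run the ServiceManagement access checks
# from PowerShell with parameterised SQL. Save as a .ps1 and adjust the values.
# Assumptions: SQL Server name, integrated access to ServiceManagement, sample values.
param(
    [string]$SqlServer            = 'SCSMSQL01',        # assumed instance name
    [string]$Database             = 'ServiceManagement',
    [string]$UserName             = 'travis',
    [string]$WorkItemId           = 'SR33',
    [string]$RequestOfferingTitle = 'Backup Database'
)

$connectionString = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI;"

# Run a query or EXEC statement with named parameters and return every result
# set it produces as an array of DataTables. The stored procedures may return
# more than one result set (the verdict plus suggested groups), hence a DataSet.
function Invoke-SmQuery {
    param(
        [Parameter(Mandatory)][string]$CommandText,
        [hashtable]$Parameters = @{}
    )
    $connection = New-Object System.Data.SqlClient.SqlConnection $connectionString
    $command    = $connection.CreateCommand()
    $command.CommandText = $CommandText
    foreach ($name in $Parameters.Keys) {
        [void]$command.Parameters.AddWithValue("@$name", [string]$Parameters[$name])
    }
    $dataSet = New-Object System.Data.DataSet
    try {
        $connection.Open()
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $command
        [void]$adapter.Fill($dataSet)
    } finally {
        $connection.Dispose()
    }
    return ,@($dataSet.Tables)
}

function Show-ResultSets {
    param([string]$Title, $Tables)
    Write-Host "`n=== $Title ==="
    foreach ($table in $Tables) { $table | Format-Table -AutoSize | Out-String | Write-Host }
}

# 1. Work item check. Parameters are passed positionally to the procedure, so
#    its own parameter names do not need to be known.
$workItemResult = Invoke-SmQuery 'EXEC spCheck_UserWorkItemPermissions @UserName, @WorkItemId' `
    @{ UserName = $UserName; WorkItemId = $WorkItemId }
Show-ResultSets "spCheck_UserWorkItemPermissions $UserName $WorkItemId" $workItemResult

# 2. Request offering check. Titles are not guaranteed to be unique, so resolve
#    the title to every matching Id and check each one.
$offerings    = Invoke-SmQuery 'SELECT Id, Title FROM RequestOffering WHERE Title = @Title' `
    @{ Title = $RequestOfferingTitle }
$offeringRows = @($offerings[0].Rows)
if ($offeringRows.Count -eq 0) {
    Write-Warning "No request offering titled '$RequestOfferingTitle' in $Database"
} elseif ($offeringRows.Count -gt 1) {
    Write-Warning "$($offeringRows.Count) request offerings share the title '$RequestOfferingTitle'; checking each"
}
foreach ($row in $offeringRows) {
    $roResult = Invoke-SmQuery 'EXEC spCheck_UserRequestOfferingPermissions @UserName, @RoId' `
        @{ UserName = $UserName; RoId = [string]$row.Id }
    Show-ResultSets "spCheck_UserRequestOfferingPermissions $UserName $($row.Id)" $roResult
}

# 3. Scoped/unscoped flags. A 0 in any column means the user has unscoped
#    (all objects) access for that object type, which is worth flagging.
$scopeQuery = @'
SELECT U.UserName, SU.IsConfigItemScoped, SU.IsWorkItemScoped, SU.IsServiceCatalogScoped
FROM ScopedUser SU
INNER JOIN CI$User U ON SU.UserId = U.Id
WHERE U.UserName = @UserName
'@
$scope = Invoke-SmQuery $scopeQuery @{ UserName = $UserName }
Show-ResultSets "ScopedUser flags for $UserName" $scope
foreach ($row in $scope[0].Rows) {
    foreach ($column in 'IsConfigItemScoped', 'IsWorkItemScoped', 'IsServiceCatalogScoped') {
        if ($row[$column] -eq 0) { Write-Warning "$UserName is UNSCOPED for $column" }
    }
}
```

Run it from a PowerShell prompt on a machine that can reach the SQL Server hosting ServiceManagement, e.g. .\Check-SmAccess.ps1 -UserName travis -WorkItemId SR33 (the file name is whatever you save it as).  The account running the script needs read access to the ServiceManagement database and execute rights on the two stored procedures; a dedicated read-only login is preferable to running it as a SQL sysadmin.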

Querying for User Permissions in Service Manager

This PowerShell script can be used to determine the permissions that a user has in Service Manager:

https://onedrive.live.com/redir?resid=CD87B5B2A67643B!521&authkey=!AHfp1BAcw0w2K6c&ithint=file%2czip

Prerequisites:

  • SMLets must be installed.  It is installed by default on all servers running the Cireson Portal web site/cache builder from v3 and up.  If you are not sure whether it is installed, run Import-Module SMLets from a PowerShell prompt.
  • The Active Directory PowerShell module must be installed.  If you are not sure whether it is installed, run Import-Module ActiveDirectory from a PowerShell prompt.

To use the script:

  • Copy the .zip to a SCSM management server and unzip it
  • Open a PowerShell window as an elevated administrator
  • Navigate to the folder that you unzipped the Get-UserPermissions.ps1 file to
  • Run the command Start-Transcript -Path <log file>.  -Path takes a file name, and the folder it is in must already exist.  Example: Start-Transcript -Path C:\Logs\Get-UserPermissions.txt
  • Run the command .\Get-UserPermissions.ps1 <username>.  Example: .\Get-UserPermissions.ps1 travis
  • When running the script you will be prompted with: Do you want to see the permissions of this user role ? Enter 'Y' or 'N'.  Always select Y
  • Run the command Stop-Transcript

The output will be captured in the log file at the -Path location passed to Start-Transcript.

Enumerating User Roles, Permissions, and User/Group Assignments in Service Manager

This PowerShell script can be used to enumerate user roles, the permissions those user roles have, and which users/groups are assigned to those user roles.

https://onedrive.live.com/redir?resid=CD87B5B2A67643B!581&authkey=!AO62wybd9dgxn2g&ithint=file%2czip

Prerequisites:

  • SMLets must be installed.  It is installed by default on all servers running the Cireson Portal web site/cache builder from v3 and up.  If you are not sure whether it is installed, run Import-Module SMLets from a PowerShell prompt.

To use the script:

  • Copy the .zip to a SCSM management server and unzip it
  • Open a PowerShell window as an elevated administrator
  • Navigate to the folder that you unzipped the Get-UserRolesReport.ps1 file to
  • Run the command Start-Transcript -Path <log file>.  -Path takes a file name, and the folder it is in must already exist.  Example: Start-Transcript -Path C:\Logs\Get-UserRolesReport.txt
  • Run the command .\Get-UserRolesReport.ps1 <username>.  Example: .\Get-UserRolesReport.ps1 travis
  • When running the script you will be prompted with: Do you want to see the permissions of this user role ? Enter 'Y' or 'N'.  Always select Y
  • Run the command Stop-Transcript

The output will be captured in the log file at the -Path location passed to Start-Transcript.