Separate Assignment Groups and Security Groups?

Michael Miller
Tera Contributor

I was wondering how others did this. Do most people separate out the Groups that can get assigned tickets and have designated security groups, or do most people have groups that are available to be assigned a ticket and have the roles for that group combined into one group? We have them combined right now, but was thinking of separating them out so the security portion is more defined. Any thoughts on this would be very helpful. Thanks!

1 ACCEPTED SOLUTION

darius_koohmare
ServiceNow Employee

Both are valid cases. When you assign the roles to the assignment group, it consolidates the number of points to manage user membership. I've also seen single groups dedicated to a given role; for example an ITIL group that you would add all the technicians to. Then for your smaller assignment groups such as software, hardware, etc. these do not grant any roles.


Just make sure you remember to use reference qualifiers to restrict assignment group references to exclude any of these new 'security' groups you would make. The group type works great for this.



Finally, many users' decision is driven off their AD which they are syncing group memberships from. Most likely AD has a 'software' group, 'hardware' group, etc. but may not have an 'ITIL' group. Although you can just set conditions for proper OU queries, it's another consideration point for managing membership.


5 REPLIES

Would you Parent the IT Group over the Smaller Assignment Groups, or would you add the IT Group and the Assignment Group individually to the users?


If you parent the IT group to all the smaller assignment groups, and you give the IT group the itil role, be aware that the system will auto grant that same role to all the child groups. So, if you have common roles that are shared by multiple groups (like an hr role with many hr groups, or an itil role with many it groups), then yes, this is a simple strategy as you only need to manage the roles at the parent group, and they will cascade to the children.


Edit: it also appears removing a role from a parent group does remove from the children.
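
The trade-off discussed in this thread, modelled as an added example (plain JavaScript, not ServiceNow API code and not from any poster). It assumes a constructed group table in which a 'security' IT group parents two 'assignment' groups and a combined Network group holds its role directly, then lists what a type-based filter would leave assignable and where each assignable group's roles come from.

```javascript
// Constructed sample data. Group names echo the thread; the 'security' and
// 'assignment' type labels and the users are assumptions for illustration.
const groups = {
  IT:       { parent: null, types: ['security'],   roles: ['itil'] },
  Software: { parent: 'IT', types: ['assignment'], roles: [] },
  Hardware: { parent: 'IT', types: ['assignment'], roles: [] },
  Network:  { parent: null, types: ['assignment'], roles: ['itil'] }, // combined design
};
const members = { alice: ['Software'], bob: ['Network'], carol: ['IT'] };

// Roles a group receives from its ancestors (the cascade described in the thread).
function inheritedRoles(name, seen = new Set([name])) {
  const parent = groups[name].parent;
  if (!parent || !groups[parent] || seen.has(parent)) return []; // root, unknown, or cycle
  seen.add(parent);
  return [...new Set([...groups[parent].roles, ...inheritedRoles(parent, seen)])].sort();
}

function effectiveRoles(name) {
  return [...new Set([...groups[name].roles, ...inheritedRoles(name)])].sort();
}

// What a type-based filter on the assignment group field would leave selectable.
function assignableGroups() {
  return Object.keys(groups).filter(g => groups[g].types.includes('assignment')).sort();
}

// For each assignable group, separate roles set on it from roles it inherits.
function auditAssignable() {
  return assignableGroups().map(g => ({
    group: g,
    direct: [...groups[g].roles].sort(),
    inherited: inheritedRoles(g),
  }));
}

function userRoles(user) {
  return [...new Set((members[user] || []).flatMap(g => effectiveRoles(g)))].sort();
}

for (const row of auditAssignable()) {
  const flag = row.direct.length ? 'grants roles directly' : 'no direct roles';
  console.log(`${row.group}: ${flag}; inherited=[${row.inherited}]`);
}
```

In this model the parented assignment groups carry no roles of their own, yet their members still end up with itil through the cascade, so an access review has to look at inherited roles as well as direct ones.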


Thank you....one more question....what did you mean by "it consolidates the number of points to manage user membership"?