Separate Assignment Groups and Security Groups?

Michael Miller
Tera Contributor

I was wondering how others did this. Do most people separate out the Groups that can get assigned tickets and have designated security groups, or do most people have groups that are available to be assigned a ticket and have the roles for that group combined into one group? We have them combined right now, but was thinking of separating them out so the security portion is more defined. Any thoughts on this would be very helpful. Thanks!

1 ACCEPTED SOLUTION

darius_koohmare
ServiceNow Employee

Both are valid cases. When you assign the roles to the assignment group, it consolidates the number of points to manage user membership. I've also seen single groups dedicated to a given role; for example, an ITIL group that you would add all the technicians to. Then your smaller assignment groups, such as software, hardware, etc., do not grant any roles.


Just make sure you remember to use reference qualifiers to restrict assignment group references to exclude any of these new 'security' groups you would make. The group type works great for this.




Finally, many users' decisions are driven off their AD, which they are syncing group memberships from. Most likely AD has a 'software' group, 'hardware' group, etc. but may not have an 'ITIL' group. Although you can just set conditions for proper OU queries, it's another consideration point for managing membership.



5 REPLIES

If you had an IT security group & a software assignment group, as opposed to just a software group with an itil role, you need to manage membership to two different groups.


Pretend that employee was moved to a different group/department, you will need to remember to remove them from both the IT group & the software group.



However: this is not a concern if you're using the parent group structure we discussed, and simply using the parent group to assign roles to it, and not to add members into that parent group.
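
The transfer scenario from the replies, modelled as an added example that is not part of the original thread: it compares which roles a user keeps after being removed from only the assignment group, under separate direct memberships versus a role-granting parent group. It is plain JavaScript over constructed records, not the platform's API; the field names are hypothetical, and it assumes child groups inherit the parent group's roles as the parent structure above describes.

```javascript
// Added example: constructed data with hypothetical field names, not ServiceNow's schema or API.
const byName = (groups) => new Map(groups.map((g) => [g.name, g]));

// Roles a group confers: its own plus those inherited up the parent chain.
function groupRoles(group, index, seen = new Set()) {
  if (!group || seen.has(group.name)) return new Set(); // stop at the root or on a parent cycle
  seen.add(group.name);
  const roles = new Set(group.roles);
  for (const r of groupRoles(index.get(group.parent), index, seen)) roles.add(r);
  return roles;
}

// Effective roles for a user across every group they are a direct member of.
function userRoles(user, groups) {
  const index = byName(groups);
  const roles = new Set();
  for (const g of groups) {
    if (g.members.includes(user)) for (const r of groupRoles(g, index)) roles.add(r);
  }
  return [...roles].sort();
}

// What a reference qualifier on group type would leave selectable on a ticket.
function assignable(groups) {
  return groups.filter((g) => g.type === "assignment").map((g) => g.name);
}

// Simulate the transfer: remove the user from one group only, leaving other memberships alone.
function removeFrom(groups, groupName, user) {
  return groups.map((g) =>
    g.name === groupName ? { ...g, members: g.members.filter((m) => m !== user) } : g);
}

// Model A: separate security group with direct members (two memberships per user).
const dualMembership = [
  { name: "ITIL", type: "security", roles: ["itil"], parent: null, members: ["alice"] },
  { name: "Software", type: "assignment", roles: [], parent: null, members: ["alice"] },
];
// Model B: role-granting parent with no direct members; membership lives in the child.
const parentStructure = [
  { name: "ITIL", type: "security", roles: ["itil"], parent: null, members: [] },
  { name: "Software", type: "assignment", roles: [], parent: "ITIL", members: ["alice"] },
];

console.log("assignable:", assignable(parentStructure));
console.log("A after move:", userRoles("alice", removeFrom(dualMembership, "Software", "alice")));
console.log("B after move:", userRoles("alice", removeFrom(parentStructure, "Software", "alice")));
```

In model A the role survives the move until someone also removes the user from the security group; in model B it disappears with the single assignment-group membership.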