5.2.3 Designing assignment of access permissions

In JP1/Service Support, you can assign access permissions for each user or role per process work board. Access permissions consists of the permissions for operating on Items (such as New item, Edit item, and Close item) and the detailed edit permissions for each Item status.

The following is an example of assignment of access permissions for those in charge of individual tasks, taking Table 5-1 in 5.2 Deciding the target system and processes and establishing the structure as an example:

For information system administrator:

Assign the role "Work management role" (no access permissions need to be assigned).
For work status manager and target system administrator:

Assign the View item access permission for the process work board in the system they are in charge of.

The following table provides an example of assigning access permissions for individual processes. It uses Table 5-2 in 5.2 Deciding the target system and processes and establishing the structure as an example.

Table 5‒3: Example assignment of access permissions
Process	Person in charge	Target Item	Access permissions
Incident management	Incident specialist	Incident	New item View item Item status (Received, Investigating, Support Requested, Acknowledged, Close) Close item
	Incident specialist	Problem	View item Escalation
	Incident manager	Incident	View item Item status (Discussing) Acknowledge item
	Incident manager	Problem	View item
Problem management	Problem management specialist	Incident	View item
		Problem	New item View item Item status (Received, Investigating, Support Requested, Acknowledged, Close) Close item
		Change	View item Escalation
	Problem manager	Incident	View item
		Problem	View item Item status (Discussing) Acknowledge item
		Change	View item
Change management	Change manager	Problem	View item
		Change	View item New item Item status (Received, Acknowledged, Reviewing, Close) Close item
		Release Item	View item
	CAB member (Change advisory board member)	Change	View item Item status (Received, Planning)
	CAB representative (Change advisory board representative)	Change	View item Acknowledge item Item status (Discussing, Support Requested)
	CAB representative (Change advisory board representative)	Release Item	View item Escalation
Release management	Release manager	Change	View item
	Release manager	Release Item	View item New item Acknowledge item Item status (Received, Discussing, Acknowledged, Close) Close item
	Release specialist (Planning)	Release Item	View item Item status (Received, Planning)
	Release specialist (Procurement)	Release Item	View item Item status (Acknowledged) Acknowledge item
	Release specialist (Implementation)	Release Item	View item Item status (Acknowledged)
	Configuration change specialist	Release Item	View item Item status (Support Requested) Acknowledge item

Access permissions are set for each process work board separately. Therefore, the contents in Table 5-3 must be rearranged for each process work board. The following table is a rearrangement of Table 5-3, which describes only the setting of access permissions for the incident management process.

Table 5‒4: Setting of access permissions for the incident management process
Access permission		Assigned user or role
Process work board manager^#1		JP1 administrator^#2
Item permissions^#3	New item	Incident specialist
	Edit item	--
	View item^#4	Incident specialist, incident manager, problem management specialist, problem manager
	Delete item	--
	Escalation	--
	Acknowledge item	Incident manager
	Close item	Incident specialist
	Item status (Received)	Incident specialist
	Item status (Investigating)	Incident specialist
	Item status (Discussing)	Incident manager
	Item status (Acknowledged)	Incident specialist
	Item status (Support Requested)	Incident specialist
	Item status (Close)	Incident specialist

Legend:: --: No user or role assigned.
#1: For the process work board manager, all access permissions that can be set in the Edit permission window are granted. You can set the process work board manager in the New process work board window or in the Edit the process work board window.
#2: A user who supports the JP1/Service Support system administrator is registered by default.
#3: Set the permissions in the Edit permission window.
#4: When view permissions are enabled for individual Items in the process work board, you can set the users and roles that have permissions to view the Item when you create the Item in the New item window. You can also set this information when you edit an Item in the Edit item window. To set view permissions for individual Items, you need to set up the environment in advance. For details, see 9.13 Setting an environment in which view permissions are set for individual Items.

Organization of this subsection

(1) Considerations about operation
(2) Operation example (managing operation status of service support)
(3) Operation example (deciding an escalation route (escalation path))
(4) Operation example (processing an Item)
(5) Operation example (setting view permissions for individual Items)

(1) Considerations about operation

Decide the rules for assigning access permissions, referring to the following examples:

If you want to show the inquirer the status of the inquiry, grant him the View item permission for the relevant process work board.

You can also separately create and manage process work boards for external disclosure of information and for internal investigation.

Access permissions for the process work board for external disclosure of information:

For inquirer: Grant the View item permission.

For the person in charge of inquiries: Grant the View item, New item, Edit item, and Close item permissions.

For the approver for the person in charge of inquiries: Grant the View item and Acknowledge item permissions.

Access permissions for the process work board for internal investigation:

Grant appropriate access permissions to workers for individual processes according to their work assignments.

Also, grant the Escalation permission for the relevant process work board to the person in charge of inquiries so that Items can be escalated to the process work board for investigation.
Grant the View item permission for the relevant process work board to the persons in charge of other processes so that they can view Items for reference.
Grant the New item and Escalation permissions to only specified users or roles to prevent unspecified users or roles from registering Items.
Grant the Acknowledge item permission for the relevant process work board to special persons so that only persons in special positions can acknowledge Items.
Grant the Close item permission only to the process work board manager or to special users or roles to strictly control the closing of Items. This makes sure that Items are closed only after confirmation that they can really be closed.
If you want to manage all the registered Items even if some of them were registered by mistake, grant the Delete item permission only to the process work board manager or those in special positions.
If you want to temporarily grant access permissions for a specified process work board, add users corresponding to those access permissions. If you want to grant access permissions based on work assignments or departments, add roles corresponding to those access permissions.
When you create a base system to process Items that are relevant to several systems, users are able to see Items with which they have no direct involvement. By assigning view permissions for individual Items, you can prevent users from seeing these Items. For details on how to set access permissions when view permissions are set for individual Items, see (5) Operation example (setting view permissions for individual Items).
Specify an initial person in charge of status for individual process work boards. Assume that you have set the initial persons in charge of status. Then, when you enter a status while creating or editing an Item in the New item window or Edit item window, the Person in charge combo box automatically displays the initial person in charge of the entered status. Use the Edit permissions window to set the initial persons in charge of status.

To Page Top

(2) Operation example (managing operation status of service support)

You need to assign appropriate permissions to the key personnel (and their managers) who are in charge of incident management, problem management, change management, and release management of an in-house system in the information management department. This will enable them to manage the operation status of service support.

The following example illustrates a case in which the target system administrator (the person in charge of an in-house system in the information management department) and the information system administrator (a higher level administrator) check the operation status separately.

Figure 5‒3: Operation example of an in-house system in the information management department and its higher level organization

The information system administrator views the Item status of the entire in-house system, and checks whether there are any problematic systems. If there seems to be a problem (for example, there are too many Items held for a long time in a certain system), he or she directs the system administrator of the relevant system to take actions.

The target system administrator views the Item status of the system in his charge, and checks whether there are any problematic processes. The target system administrator checks the processes that have too many Items in the Discussing status or that have an Item for which the deadline for taking measures is approaching, and follows up with the manager of the process.

The following table describes the permissions required for individual administrators when the above operation is performed.

Table 5‒5: Permissions required for managing the work status
Administrator name	Required permissions	Description
Information system administrator	Permission for viewing all systems	Belonging to the work management role enables the administrator to check the work status of the target system and processes managed by JP1/Service Support.
Target system administrator	Permission for viewing all processes in system N	The View item access permission is required for all process work boards in system N.
Manager for the relevant process	Permission for viewing the processes in his or her charge	The View item access permission is required for the relevant process work board in system N.

To Page Top

(3) Operation example (deciding an escalation route (escalation path))

You must consider an escalation route for each process (escalation path) separately from the consideration of the processing of each process. You can decide an escalation route by granting the Escalation permission to the persons in charge of the individual processes. Decide escalation routes and configure corresponding permission settings before starting operations.

The following description assumes the escalation route shown in the following figure.

Figure 5‒4: Example of an escalation route

In this example, an escalation route is set in the order of incident management, problem management, change management, and release management. Escalation is allowed for those in charge of the individual processes. In this case, set permissions in the following procedure.

Create a role for each process, and configure the setting so that those in charge of each process have the role for the corresponding process.

If the persons in charge of the same process can have the same permissions, we recommend that you create a role and assign them to that role.
For each process, set whose escalation will be allowed.

The escalation route will be fixed after the access permissions (which define who can escalate at which processes) are set.

If the escalation route is changed, as shown in the following figure, you must review the settings of who can initiate escalations and of the escalation-destination processes.

Figure 5‒5: Change of the escalation route

To Page Top

(4) Operation example (processing an Item)

If you put different people in charge of different processes based on an Item's processing flow, you must assign permissions appropriately so that the Item can be smoothly transferred between processes on JP1/Service Support. The following describes four operation examples that can be assumed according to the operational structure that processes an Item. Refer these examples for your design.

Tip

If the processing for an Item is transferred from a person in charge of a process to another person in charge of another process, assign to the person in charge of the transfer-destination process the access permissions for the Item before its status changes.

For example, assign the Close item permission and the Edit item permission or the Acknowledged^# status permission to the person who changes the Item status from Acknowledged to Close. After the person in charge of the transfer-source process finishes editing the Item and changes the status to Acknowledged, they must be able to specify the person in charge at the transfer-destination process.

You can also use email notification for smooth transfer of an Item.

#: Users who are granted the Edit item permission can edit Items in any status. Users who are granted a status permission can edit Items only in the corresponding status. If you want to strictly manage users who can handle Items according to the status of the Items, set status permissions.

(a) If the person in charge of investigation covers from reception to close of an Item

If only the person in charge of investigation processes an Item, assign access permissions as shown in the figure below. This example assumes an operational structure in which individuals self-manage the contents of tasks.

Figure 5‒6: Operation example where only the person in charge of investigation performs all the processing operations for an Item

The following table describes the correspondence between the status of an Item after the Item is processed and the person in charge of for individual processes shown in Figure 5-6.

Processing order	Contents	Item status	Person in charge of the Item
1	The person in charge of investigation receives an inquiry, and creates an Item.	Received	Person in charge of investigation
2	The person in charge of investigation updates the Item according to the investigation status of the Item.	Investigating	Person in charge of investigation
3	The person in charge of investigation answers to the inquirer.	Investigating	Person in charge of investigation
4	The person in charge of investigation closes the Item after answering to the inquirer.	Close	Person in charge of investigation

(b) If the person in charge of investigation processes an Item and the manager acknowledges the Item

If the person in charge of investigation processes an Item and the manager acknowledges the Item, assign access permissions as shown in the figure below. This example assumes that an Item is processed in an operational structure in which the contents of tasks for individual persons are acknowledged by other persons.

Figure 5‒7: Operation example where the person in charge of investigation processes an Item and the manager acknowledges the Item

The following table describes the correspondence between the Item status after the Item is processed and the persons in charge of the individual processes shown in Figure 5-7.

Processing order	Contents	Item status	Person in charge of the Item
1	The person in charge of investigation receives an inquiry, and creates an Item.	Received	Person in charge of investigation
2	The person in charge of investigation updates the Item according to the investigation status of the Item.	Investigating	Person in charge of investigation
3	The person in charge of investigation requests the manager for acknowledgement.	Discussing	Manager
4	The manager acknowledges the Item. If rejecting the Item, the manager changes the status of the Item to `Investigating`.	Acknowledged or Investigating	Person in charge of investigation
5	The person in charge of investigation answers to the inquirer.	Acknowledged	Person in charge of investigation
6	If escalation is required, the person in charge of investigation escalates the Item.	Support Requested	Person in charge of investigation
7	The person in charge of investigation closes the Item after answering to the inquirer.	Close	Person in charge of investigation

(c) If reception, investigation, and acknowledgement of an Item are all processed by different persons

If reception, investigation, and acknowledgement of an Item are all processed by different persons, assign access permissions as shown in the figure below. This example assumes that an Item is processed in an operational structure in which persons in charge of individual tasks are separately assigned.

Figure 5‒8: Operation example where reception, investigation, and acknowledgement of an Item are all processed by different persons

The following table describes the correspondence between the Item status after the Item is processed and the persons in charge of the individual processes shown in Figure 5-8.

Processing order	Contents	Item status	Person in charge of the Item
1	The Item manager receives an inquiry, and creates an Item.	Received	Item manager
2	The Item manager requests the person in charge of investigation for an investigation. Upon receiving a request, the person in charge of investigation updates the Item according to the investigation status of the Item.	Investigating	Person in charge of investigation
3	The person in charge of investigation requests the approver for acknowledgement.	Discussing	Approver
4	The approver acknowledges the Item. If rejecting the Item, the approver changes the status of the Item to `Investigating`.	Acknowledged or Investigating	Person in charge of investigation
5	The person in charge of investigation answers to the inquirer.	Acknowledged	Item manager
6	If escalation is required, the person in charge of investigation escalates the Item.	Support Requested	Person in charge of investigation
7	The person in charge of investigation closes the Item after answering the inquirer.	Close	Item manager

(d) If reception, investigation, acknowledgement, and closing of an Item are all processed by different persons

If reception, investigation, acknowledgement, and closing of an Item are all processed by different persons, assign access permissions as shown in the figure below. This example assumes that an Item is processed in an operational structure in which tasks are further broken down than the structure in (c) If reception, investigation, and acknowledgement of an Item are all processed by different persons.

Figure 5‒9: Operation example where reception, investigation, acknowledgement, and closing of an Item are all processed by different persons

The following table describes the correspondence between the Item status after the Item is processed and the persons in charge of the individual processes shown in Figure 5-9.

Processing order	Contents	Item status	Person in charge of the Item
1	The person in charge of reception receives an inquiry, and creates an Item.	Received	Person in charge of reception
2	The person in charge of reception requests the person in charge of investigation for an investigation. Upon receiving a request, the person in charge of investigation updates the Item according to the investigation status of the Item.	Investigating	Person in charge of investigation
3	The person in charge of investigation requests the approver for acknowledgement.	Discussing	Approver
4	The approver acknowledges the Item. If rejecting the Item, the approver changes the Item status to `Investigating`.	Acknowledged or Investigating	Person in charge of investigation
5	The person in charge of investigation answers to the inquirer.	Acknowledged	Item manager
6	If escalation is required, the person in charge of investigation requests the person in charge of contacting other processes for escalation.	Acknowledged	Person in charge of contacting another process
7	The person in charge of contacting other processes escalates the Item.	Support Requested	Person in charge of contacting other processes
8	The person in charge of investigation closes the Item after answering to the inquirer.	Close	Item manager

To Page Top

(5) Operation example (setting view permissions for individual Items)

Some environments incorporate a base system to process Items that are relevant to several systems. In such an environment, you can hide irrelevant Items from a subset of users by enabling view permissions for individual Items in the process work board of the base system. To achieve this, you need to plan access permissions for the process work boards in each system, and decide which users and roles should be assigned view permissions for individual Items.

The following describes how to plan access permissions for process work boards when view permissions are set for individual Items. This example involves designing the roles and access permissions required to process Items in the Incident management process work boards in systems A, B, and C, and base system D.

Plan the access permissions required to process Items in the Incident management process work boards in systems A, B, and C.

The following table shows an example of access permissions required to process Items in the Incident management process work boards of systems A, B, and C:

System name: Process work board name	Role	Users who belong to the role	Access permission for process work board
System A: Incident management	Role A1 (standard role)	User A1, User A2	View item Edit item Escalation
System A: Incident management	Role A2 (manager role)	User A3, User A4	View item Edit item Escalation Acknowledge item
System B: Incident management	Role B1 (standard role)	User B1, User B2	View item Edit item Escalation
System B: Incident management	Role B2 (manager role)	User B3, User B4	View item Edit item Escalation Acknowledge item
System C: Incident management	Role C1 (standard role)	User C1, User C2	View item Edit item Escalation
System C: Incident management	Role C2 (manager role)	User C3, User C4	View item Edit item Escalation Acknowledge item

Design the access permissions required to process Items in the Incident management process work board of base system D.

At this point, you do not need to consider the processing of Items escalated from each of the other systems.

The following table shows an example of access permissions required to process Items in the Incident management process work board of base system D:

System name: Process work board name	Role	Users who belong to the role	Access permission for process work board
Base system D: Incident management	Role D1 (standard role)	User D1, User D2	View item Edit item Escalation
Role D2 (manager role)	User D3, User D4	View item Edit item Escalation Acknowledge item

System name: Process work board name

Role

Users who belong to the role

Access permission for process work board

Base system D: Incident management

Role D1

(standard role)

User D1, User D2

View item
Edit item
Escalation

Role D2

(manager role)

User D3, User D4

View item
Edit item
Escalation
Acknowledge item

Design the roles and members required for incident management in base system D.

You now need to design the roles that will be used to process the Items escalated from the other systems. In designing the roles required for incident management in base system D, you need to consider the members of the roles assigned to the process work boards of systems A, B, and C and base system D as an integrated whole.

The following table shows an example of designing the roles and members required to process Items in the Incident management process work board of base system D.

Role	Users who belong to the role	Description
Role AD (integrated role)	User A1, User A2, User A3, User A4, User D1, User D2, User D3, User D4	A role that combines the users of system A and base system D.
Role BD (integrated role)	User B1, User B2, User B3, User B4, User D1, User D2, User D3, User D4	A role that combines the users of system B and base system D.
Role CD (integrated role)	User C1, User C2, User C3, User C4, User D1, User D2, User D3, User D4	A role that combines the users of system C and base system D.

Role

Users who belong to the role

Description

Role AD

(integrated role)

User A1, User A2,

User A3, User A4,

User D1, User D2,

User D3, User D4

A role that combines the users of system A and base system D.

Role BD

(integrated role)

User B1, User B2,

User B3, User B4,

User D1, User D2,

User D3, User D4

A role that combines the users of system B and base system D.

Role CD

(integrated role)

User C1, User C2,

User C3, User C4,

User D1, User D2,

User D3, User D4

A role that combines the users of system C and base system D.

Assign view permissions to the roles required for incident management in base system D that you designed in step 3.

Redesign the roles, members, and access permissions required for incident management in base system D based on the roles, members, and access permissions you planned for each system in steps 1 to 3. The following table shows an example of the redesigned roles, members, and access permissions required for the Incident management process work board in base system D:

System name: Process work board name	Role	Users who belong to the role	Access permission for process work board
Base system D: Incident management	Role D1	User D1, User D2	View item Edit item Escalation
	Role D2	User D3, User D4	View item Edit item Escalation Acknowledge item
	Role AD (integrated role)	User A1, User A2, User A3, User A4, User D1, User D2, User D3, User D4	View item
	Role BD (integrated role)	User B1, User B2, User B3, User B4, User D1, User D2, User D3, User D4	View item
	Role CD (integrated role)	User C1, User C2, User C3, User C4, User D1, User D2, User D3, User D4	View item

The figure below shows an operation example of a system that uses the access permissions designed using the above steps. In this example, when escalating Item A1 of the Incident management process work board of system A to base system D, the operator sets Role AD as the Item view permission owner for Item A1. Although User B1 to User B4 and User C1 to User C4 have view permissions for Items registered in the Incident management process work board in base system D, they do not have view permissions for Item A1. Consequently, these users cannot view Item A1 registered in the Incident management process work board of base system D.

Figure 5‒10: Operation example in which view permissions are set for individual Items

To Page Top