

Define a User Role

Important! Verify that the user completing this task belongs to a role in which role management access is enabled.

You can define customized user roles to meet your site-specific business requirements. For example, you can define one role with access to reconciliation management, and another with access to asset fulfillment.

To define a user role

  1. Click Administration, User/Role Management.
  2. On the left, expand the Role Management menu.
  3. Click New Role.
  4. Enter the information for the role.
    User Management Access

    Select this check box so a user assigned to the role can access the user management functionality (Administration, User/Role Management, User Management). The User/Role Management subtab is available only when the role has access to the user management functionality, the role management functionality, or both.

    Role Management Access

    Select this check box so a user assigned to the role can access the role management functionality (Administration, User/Role Management, Role Management). The User/Role Management subtab is available only when the role has access to the user management functionality, the role management functionality, or both.

    System Configuration Access

    Select this check box so a user assigned to the role can access the system configuration functionality (Administration, System Configuration).

    Web Services Access

    Select this check box so a user assigned to the role can access the CA APM web services documentation and WSDL (Administration, Web Services). If this check box is not selected and a user in the role attempts to access the web services from an external client application, the user receives a login error.

    Filter Management Access

    Select this check box so a user assigned to the role can access the filter management functionality (Administration, Filter Management).

    Other Information Configuration Access

    Select this check box so a user assigned to the role can access the Other Information Configuration functionality. This function allows the user to access additional related information for selected objects. The user can access this additional information by selecting menu items under Relationships on the left side of the page.

    Data Importer User Access

    Select this check box so a user assigned to the role can access the Data Importer functionality (Administration, Data Importer) with user permissions. Users can create imports and can modify or delete their own imports. Users can also view any import that was created by another user.

    Data Importer Admin Access

    Select this check box so a user assigned to the role can access the Data Importer functionality (Administration, Data Importer) with administrator permissions. Administrators can create imports and can modify or delete any import that was created by any user.

    Reconciliation Management Access

    Select this check box so a user assigned to the role can access the reconciliation rules management functionality (Administration, Reconciliation Management).

    Asset Fulfillment Access

    Select this check box so a CA Service Catalog user assigned to the role can perform asset fulfillment using CA Service Catalog.

    Note: For more information about asset fulfillment using CA Service Catalog, see the CA Service Catalog documentation.

    Tenancy Admin Access

    Select this check box so a user assigned to the role can access the multi-tenancy administration functionality to enable multi-tenancy, define tenants, define subtenants, and define tenant groups (Administration, Tenancy Management).

    Normalization Access

    Select this check box so a user assigned to the role can access the normalization rules management functionality (Directory, List Management, Normalization).

  5. (Optional) Specify the read/write permissions for tenants. Multi-tenancy expands the purpose of the role to control the tenant or tenant group that a user within the role can access. When multi-tenancy is enabled, the Tenant Information section includes Tenant Access Read and Tenant Access Write drop-down lists.

    Note: The Tenant Information section is visible only when multi-tenancy is enabled. For information about how to enable multi-tenancy, see the Implementation Guide. In addition, users associated with a tenant other than the service provider can only create or update objects associated with their own tenant. Only users associated with the service provider are permitted to create or update objects belonging to tenants other than their own.

    All Tenants

    Contains no tenant restrictions. A user in a role with this access can view any object in the database (including public objects). In addition, a user associated with the service provider can update or create objects associated with any tenant. When a service provider user with this access creates an object, the product requires the user to select the tenant of the new object.

    Contact's Tenant

    (Default value) Associates the role with the tenant of the contact. The product restricts a user in a role with this access to viewing, creating, and updating only those objects associated with their own tenant (and to viewing public objects). When a user with this access creates an object, the user cannot select a tenant. The tenant is automatically set to the tenant for the contact.

    Contact's Tenant Group

    Associates the role with the tenant group of the contact. The product restricts a user in a role with this access to viewing, creating, and updating only those objects associated with the tenants in their tenant group (and to viewing public objects). When a user with this access creates an object, the user can select any tenant belonging to the tenant group.

    Single Tenant

    Associates the role with a named tenant. When you select this option, select a specific tenant in either the Tenant Write or Tenant Read field. The product restricts a user in a role with this access to viewing, creating, and updating only those objects associated with the tenant you select (and to viewing public objects). When a user with this access creates an object, the user cannot select a tenant. The tenant is automatically set to the tenant you select.

    Note: Only a service provider user can create or update data for a tenant other than their own. A tenant user in a role with single tenant access to another tenant is restricted to read access.

    Tenant Group

    Associates the role with a named tenant group. When you select this option, select a specific tenant group in either the Tenant Group Write or Tenant Group Read field. The product restricts a user in a role with this access to viewing only those objects that belong to any tenant in the tenant group. In addition, a user associated with the service provider can update or create objects associated with any tenant in the group. When a service provider user with this access creates an object, the product requires the user to select the tenant for the new object.

    Update Public (check box)

    Available only when you select All Tenants. Select this check box to authorize a user in the role to create or delete tenanted public data.

  6. Click Save.

    The role is defined and you can assign users to the role.
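
The tenant access options in step 5 interact with the service provider rule in the notes, so the effective permission of a role is easier to review as a small decision function. The following is an added example, not CA APM code: the class and function names, the `GROUPS` sample data, and the reading that Update Public pairs with All Tenants write access are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Scope kinds mirror the drop-down values described in step 5.
ALL, CONTACT, CONTACT_GROUP, SINGLE, GROUP = (
    "All Tenants", "Contact's Tenant", "Contact's Tenant Group",
    "Single Tenant", "Tenant Group")

# Constructed sample data: tenant group name -> member tenants.
GROUPS = {"emea": {"acme-uk", "acme-de"}, "apac": {"acme-jp"}}

@dataclass
class User:
    tenant: str
    service_provider: bool = False      # user is associated with the service provider

@dataclass
class Role:
    read: str = CONTACT                 # the page gives Contact's Tenant as the default
    write: str = CONTACT
    read_target: Optional[str] = None   # tenant or group name for SINGLE / GROUP
    write_target: Optional[str] = None
    update_public: bool = False

def _in_scope(kind, target, user, obj_tenant):
    if kind == ALL:
        return True
    if kind == CONTACT:
        return obj_tenant == user.tenant
    if kind == CONTACT_GROUP:
        return any(user.tenant in m and obj_tenant in m for m in GROUPS.values())
    if kind == SINGLE:
        return obj_tenant == target
    if kind == GROUP:
        return obj_tenant in GROUPS.get(target, set())
    raise ValueError(f"unknown scope {kind!r}")

def can_read(role, user, obj_tenant):
    # obj_tenant None stands for a public object, which every scope may view.
    return obj_tenant is None or _in_scope(role.read, role.read_target, user, obj_tenant)

def can_write(role, user, obj_tenant):
    if obj_tenant is None:
        # Assumption: Update Public applies to All Tenants write access.
        return role.write == ALL and role.update_public
    if not _in_scope(role.write, role.write_target, user, obj_tenant):
        return False
    # Rule from the notes, applied as an overriding constraint: only service
    # provider users may create or update objects of another tenant.
    return user.service_provider or obj_tenant == user.tenant
```

Running a proposed role through `can_write` for a tenant user and for a service provider user shows where a broad write scope is still limited to read access in practice.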