CA Service Management - 17.1

Step 2 - Assign Roles

Last update September 27, 2018


Relationship Between Users, Roles, and Login

Users, roles, and login have the following relationship:

  • A user typically belongs to one business unit, but can optionally belong to multiple business units. A user can have only one role in a business unit.
  • A user can optionally have different roles in different business units.
    Example: User A can have a catalog user role in the Finance business unit. The same user can have a catalog administrator role in the IT business unit.
  • If the user does not specify a business unit at login, CA Service Catalog logs the user in to the default business unit defined for the user. The user has the role that is assigned to the user in that business unit.
  • If an integrating product created the user, then the user is not assigned to a role or business unit. Instead, after the user logs in, the user receives the default role for all users. Examples of integrating products include CA Service Desk Manager, CA APM, and CA Business Service Insight.

Roles and Default Access Rights

Users can have one role in each business unit in which they are defined. Users can have different roles in different business units.

  • Service Delivery administrators can change some default access rights for the entire Catalog system as follows:
    Log in to the root (highest level) business unit, select Administration, Configuration, and change the Access Control configuration settings.
  • Service Delivery administrators and business unit administrators can change several default access rights for specific business units as follows:
    Log in to the business unit, select Catalog, Configuration, and change the Access Control configuration settings.
  • All users can also delegate the use of their catalogs to other users to create requests on their behalf.
  • The Catalog system creates only one user at installation time. This user, named spadmin, has the Service Delivery Administrator role.

Request-related functionality is available when CA Service Catalog is installed. Subscription and invoice-related functionality is available when Accounting Component is installed.

  • Catalog User
    Is the user role for requesting services without subscriptions. These users can manage their own requests, for example by approving, rejecting, fulfilling, and taking other actions on requests pending action.
    Most users in the organization use this role only.
    This role is predefined as the default role for new users. However, administrators can optionally change the default role for new users from the catalog user to another role.
    This role is most suitable when you are not using subscriptions or billing in your implementation.
  • End User
    Is the end user role for all functions available through the catalog. This role includes all the access rights of the catalog user. The end user can also subscribe to services and view invoices, and can view and add news messages, documents, and reports.
  • Request Manager
    Is the administrator role for managing requests, such as viewing and handling all requests in the business unit and applicable sub business units. Request managers handle both their own requests pending action and the requests pending action of other users. Request managers can search all requests in the Catalog system, whereas catalog users can search only their own requests.
  • Services Manager
    Creates, defines, and manages services (not requests) for a specific tenant or business unit. This user also has administrative access to configure reports, dashboards, documents, and message alerts.
    This role is most suitable when you want a user to create and maintain services. This user cannot request or subscribe to services.
    This user can also handle requests pending actions, for example, by approving and rejecting requests.
  • Administrator
    The Administrator uses Service Catalog to create requests for themselves and for other users.
    This user can subscribe to offerings but cannot create them.
    This user can also create user roles such as Administrator, Catalog User, and End User.
  • Catalog Administrator
    Creates, defines, and manages services for a specific tenant or business unit.
    This user also has the same access rights as the request manager role.
    This user can request services but cannot subscribe to them.
  • Super Business Unit Administrator
    Is the "root" user in a specific super tenant (super business unit). A super business unit is a business unit that contains one or more child business units. This administrator has almost complete access to the super business unit and all its sub business units. For example, anywhere in the super business unit, this administrator can create business units, create new users, and assign roles.
  • Service Delivery Administrator
    Is the "root" (highest level) user in the Service Provider (highest level) business unit. This user has complete system access to all business units. For example, this user can specify default settings that apply to all users by logging in to the root business unit and accessing the Administration, Configuration, User Default tab. This role is available only for the Service Provider business unit, the default business unit that is created during installation.
    Only this administrator has access to data mediation, system configuration, events, rules, and actions.
    By default, at installation time, the Catalog system creates a user ID named spadmin with this role.

  • Default Role Specification
    Service Delivery administrators can specify a default role for all users.

Tasks that Each Role Can Perform

The roles provide default access rights to various functions. Administrators use configuration settings to add default access rights to a role or remove default access rights from a role.

The following table lists the tasks that each role can perform. The letter X indicates that the role can perform the task. The dash (-) indicates that the user cannot perform the task.


| Tasks | Cat Usr | Req Mgr | Cat Adm | End Usr | Adm | Svc Mgr | SBU Adm | SD Adm |
|---|---|---|---|---|---|---|---|---|
| Shopping | | | | | | | | |
| By default, all users have all shopping functions, except as noted in Roles and Default Access Rights. However, administrators can configure the access rights of each role to create proxy requests, edit requests, and so forth. All users can also delegate the use of their catalogs to create requests on their behalf. | X | X | X | X | X | - | X | X |
| Managing Requests | | | | | | | | |
| View, edit, delete, and cancel requests | X | X | X | X | X | X | X | X |
| Act on assigned requests pending action | X | X | X | X | X | X | X | X |
| Search for requests | X | X | X | X | X | X | X | X |
| View all items in a request | X | X | X | X | X | X | X | X |
| View request tracking and audit trail information | - | X | X | - | X | - | X | X |
| General | | | | | | | | |
| View dashboards | X | X | X | X | X | X | X | X |
| Add personal dashboards | X | X | X | X | X | X | X | X |
| Create shared dashboards | - | - | X | - | X | - | X | X |
| Print dashboard reports | - | - | - | - | X | X | X | X |
| View subscriptions and invoices | - | - | - | X | X | - | X | X |
| During checkout, change the Requested For user from the current setting to another account or user. That account or user requires a role in the business unit scope of the logged in user. | - | X | X | - | X | - | X | X |
| View and add News Messages | - | - | - | X | X | X | X | X |
| View Documents (if enabled) and View Reports | - | - | - | - | - | X | X | X |
| Managing the Catalog | | | | | | | | |
| View and alter catalog services and service option groups | - | - | X | - | - | X | X | X |
| View and alter CA Service Catalog configuration settings | - | - | X | - | - | - | X | X |
| Manage catalog entries or configuration | - | - | - | - | - | X | X | X |
| Manage subscriptions or invoices | - | - | - | - | X | - | X | X |
| Managing other elements | | | | | | | | |
| Manage accounts within your business unit scope | - | - | - | - | X | - | X | X |
| Manage users with roles in your business unit scope | - | - | - | - | X | - | X | X |
| Manage the dashboard library for the business unit | - | - | - | - | X | - | X | X |
| Manage scheduled tasks | - | - | - | - | X | - | X | X |
| Manage reports | - | - | - | - | X | X | X | X |
| Manage Change Events and Alerts | - | - | - | - | X | - | X | X |

Roles Key

| Code | Role |
|---|---|
| Adm | Administrator |
| Cat Adm | Catalog Administrator |
| Cat Usr | Catalog User (none) |
| End Usr | end user |
| Req Mgr | request manager |
| Svc Mgr | service manager |
| SBU Adm | Super Business Unit administrator |
| SD Adm | Service Delivery administrator |
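
As an added illustration (not CA product code), the default matrix above can be encoded to find the narrowest role that covers the tasks a user actually performs and to flag broader assignments. Task names are shortened, the sample users are constructed, and the model ignores business unit scope and any access rights an administrator has reconfigured.

```python
# Default rights from the table above (X = allowed, - = denied); all-X rows omitted.
ROLES = ["Cat Usr", "Req Mgr", "Cat Adm", "End Usr", "Adm", "Svc Mgr", "SBU Adm", "SD Adm"]
MATRIX = {
    "shopping":                         "XXXXX-XX",
    "view request audit trail":         "-XX-X-XX",
    "create shared dashboards":         "--X-X-XX",
    "print dashboard reports":          "----XXXX",
    "view subscriptions and invoices":  "---XX-XX",
    "change Requested For user":        "-XX-X-XX",
    "view and add news messages":       "---XXXXX",
    "view documents and reports":       "-----XXX",
    "alter catalog services":           "--X--XXX",
    "alter configuration settings":     "--X---XX",
    "manage catalog entries":           "-----XXX",
    "manage subscriptions or invoices": "----X-XX",
    "manage accounts":                  "----X-XX",
    "manage users":                     "----X-XX",
    "manage dashboard library":         "----X-XX",
    "manage scheduled tasks":           "----X-XX",
    "manage reports":                   "----XXXX",
    "manage change events and alerts":  "----X-XX",
}

def rights(role):  # tasks the role may perform by default
    col = ROLES.index(role)
    return {task for task, row in MATRIX.items() if row[col] == "X"}

def least_privileged_roles(needed):
    """Roles covering every needed task, fewest surplus rights first."""
    needed = set(needed)
    if needed - set(MATRIX):
        raise KeyError(f"unknown tasks: {sorted(needed - set(MATRIX))}")
    fits = [(len(rights(r) - needed), r) for r in ROLES if needed <= rights(r)]
    return [r for _, r in sorted(fits)]

def audit(assignments):
    """Map user -> (narrower role, rights it removes) for over-broad assignments."""
    findings = {}
    for user, (role, needed) in assignments.items():
        best = least_privileged_roles(needed)[0]
        if best != role and rights(role) - rights(best):
            findings[user] = (best, sorted(rights(role) - rights(best)))
    return findings

# Constructed sample: user -> (assigned role, tasks the user actually performs).
SAMPLE = {
    "alice": ("Adm", {"shopping", "view subscriptions and invoices"}),
    "bob": ("Req Mgr", {"shopping", "view request audit trail"}),
    "carol": ("SD Adm", {"alter catalog services", "manage reports"}),
}
```

Combining shopping with catalog entry management leaves only the two top administrator roles as candidates, which is a signal to split those duties across two accounts rather than grant one broad role.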

Tasks that Each Role Can Perform for Other Users

The following table displays the roles that can perform authorized tasks for themselves and for other accounts and users.


| Can Perform Tasks for Themselves and | Cat Usr | Req Mgr | Cat Adm | End Usr | Adm | Svc Mgr | SBU Adm | SD Adm |
|---|---|---|---|---|---|---|---|---|
| Other accounts and users with roles in their business unit | - | X | X | - | X | X | X | X |
| Other accounts and users with roles in their business unit and any of its child business units. | - | X | X | - | - | X | X | X |
| Other accounts and users with roles in all business units, including all child business units | - | - | - | - | - | X | - | X |

Default Role for All Users

The default role for all users applies to every user in the entire Catalog system. This default role applies to all users in all business units, including all child business units.

Only the Service Delivery administrators can set this default role. To set the role, the administrator logs in to the root business unit and selects Administration, Configuration, User Default Role.

The Catalog system automatically assigns this default role to every new user. However, administrators can optionally specify a different role for a user when they add or edit the user.
