Role Management

SHOW ALL CONTENT

Table of contents

Related article

Introduction

In the past, the access level of an Octopus user was determined by the selection of permissions from a list of all the permissions available. The modification of the permissions had to be done manually for each Octopus user. 

From version 3.8 and beyond, we are introducing the notion of roles that will facilitate and improve the access management of Octopus and ensure the security level. Each role contains its own permissions and the Octopus users have one or more roles that automatically inherit the sum of the permissions from each role. 

Overview

The license type determines the permissions that will be available at the creation of a role. It is possible to define more then one role with a same license. Each role can have different permissions.

 

A user can only have one license type, but he can be associated to multiple roles. The permissions of a user are cumulative or add up with the addition of roles.

Here is an example: all the technicians have the Technician role, that has predefined permissions. Jack is a technician, but he must also have access to the Statistics module to produce operational reports. This permission is not part of the ones in the Technician role, but it exist in another role: Report. By giving Jack the Report role, he inherits the permissions from both roles. 

 

Role Establishment

The Role Management is done from Tools > Reference data management > General > Role. 

NOTE: You need the following permissions to access it:
  • Administer Octopus
  • Modify a user
  • Create and modify an Octopus user

There are 2 ways to add a role: right click the Role node and select Add or Add from the library



 

Add a role

The add option opens the following window, where you find 3 tabs: General, Permissions and Users.

  • Role name (French and English)
  • The duplicate button....facilitates the creation of a new role from an existing role. What remains is to apply the modifications to the new role (name, license, permissions, etc.)
  • Open the Role Manager link, opens the Role Manager (see the Role Manager section for more details),

General Tab

This tab is mainly use to attribute a license to the role.

 

NOTE:  The selected license type affects the permissions that will be available.
  • License: The license type determines the Octopus user type, based on:
    • Batch: Use to execute recurring tasks such as ADSIReader. This license is free, this account cannot connect directly to Octopus
    • End User (Web Portal): allows users to connect to the Web Portal

    • External Assignee: used for an assignee who is not part of the main team, allows to complete tasks from the Web Portal
    • Tradesman (Building facilities): reserved to the facilities teams who's workers only use Web Tech

    • Standard: used for Octopus users, this gives full access to the application
  • Description:  Description (French and English) of the role

Permissions tab

This tab shows the permissions that can be granted according to the type of license selected in the General tab.

  1. Check the permissions granted for this role

The Check All and Uncheck All buttons add convenience to the selection of permissions.

User tab

The User tab shows the list of the user who have this role.

Add from the library

To make Role Management more user friendly, you can use the roles we have created in the library to inspire the news ones you want to create. We granted the permissions efficiently according to our experience, but from one organization to the next, there can be variations. To add a role from the library: 

  1. Select the required role by checking it in the section from the left. The permissions associated to the role will appear in the section on the right
  2. Click the OK button

Later it is possible to add modifications to the role if you want it.

You will notice that we have created intuitive groupings such as Building Facilities, Information Technology, Biomedical Engineering...


If you select a role that already exist the system will create a duplicate 

Visual Explanation

How to add a role to the library and why do it?

This option is only useful in a context where Octopus is used by multiple teams and there is a need.

But since more and more environments have more than 3 teams, often managed by IT, it is good to be able to reuse a role without having to recreate it in each team.

For example, Octopus users may need the same access in multiple teams. You can create a role from a team, give it a meaningful name and send it to the library. It will then be available at all times for all existing and future teams.

Many companies using the Web Portal that have generic accounts in Octopus will want to either give minimal permissions to these accounts or no access at all to the Web Portal. Creating a role for generic accounts allows you to manage permissions for these accounts in each team.

The creation is very simple:

  1. Create the role in a team
  2. Right click on the role
  3. Choose Send to library

Once available in the library, this role can be used like any other.

Visual Explanation

Role Manager

The Role Manager allows to see and modify all the roles and for each role, all its permissions

Access the Role Management

The link to access the Role Management is available from within a role.

  1. Field that allows to filter the list of permissions available in Octopus
  2. List of available permissions in Octopus
  3. Role defined in Octopus
  4. Permissions of the role
  5. Add a role; allows to add a role from the manager
  6. Export the list of the roles and permissions to Excel; allows to send all the roles present to Excel to facilitate reading of roles with respect to their permissions. It can also be used to keep a history of the changes applied to the different roles.

Modify roles from within the user's file

From within the user module you can modify the roles for one of more Octopus user at a time. 

NOTE: To modify a role, an Octopus user needs to have the following permissions
  • Modify a user
  • Create and modify an Octopus user

Modify one Octopus user at a time

To change the roles of only one Octopus user:

  1. Access the Octopus tab from the user's file
  2. Click the Change the roles button
  3. Select or deselect the roles
  4. Confirm with OK

To see the complete list of an Octopus user's permissions, click the See permissions link from within the user's file.

 

Visual Explanation

 

 

Modify multiple Octopus users at once

If you need to add a new role to many users at once, you can do it form the User module.  

Note: you must select users with the same type of license, otherwise the number of permissions will be diminished. Select the users from a list. The Shift and Ctrl keys can be used.
  1. Select the users from a list. You can use the Shift or Ctrl keys to help

  2. Click on Change roles from the action menu on the left of the screen. When the window opens you can see:
    1. In dark, the roles common to all - that could be removed
    2. In gray, the roles that some have, but that are not common to all
    3. Empty, the available roles
  3. Select or deselect the roles
  4. Confirm with OK

 

Visual Explanation

 

 

Permissions

Download the following document to see the list of Octopus permissions, a brief description and a template to assist in the preparation of roles:

Octopus Permissions Reference

What you need to know : 

When an Octopus user does not have the permission Consult data of all sites from the Users section. He will be able to see all the data of the sites to which he belongs, starting from his root site.
Example: 
The Octopus user belongs to B site.
Without the permission, he will see all the data of the following sites :
  • A
  • B
  • C
  • D
  • E

Customize permissions for a CI type

To allow the modification of certain types of CI, while protecting the data of other types, it is possible to make specific CI types read-only.

This is done through custom permissions set in relation to the types of CI to restrict.

Here are the steps to make a CI type read-only:

Creation of custom permission

  1. From Reference data management, go to General Permissions
  2. To create a new permission, right click on Permissions and then on Add
  3. As this permission will be in the list of all Octopus permissions, choose under what category it will be classified
  4. Enter a permission name in French and English long description fields
     

    Restriction of CI type

  5. From Reference data management, go to CI > Types
  6. Choose the CI type to be restricted
  7. In the field Permission formodification, select the custom permission previously created
  8. Save (if more than one CI must be restricted, repeat the previous steps)
     

    Manage the new permission in roles

  9. From Reference data management, go to General > Roles
  10. Add the custom permission previously created to one or many roles that will be assigned to Octopus users
Visual explanation











 

Customizing the required permissions to add or remove a request relationship

It is possible de create relationships between different request types in Octopus; by default, request relationship establisment is not restricted. You may want to allow specific Octopus user to make a relationship between one or many incidents and a change, by example. This is done with a custom permission associated to the relationship type to be restricted.

Follow the steps below to restrict the use of a relationship: 

Creation of custom permission

  1. From Reference data management, go to General Permissions
  2. To create a new permission, right click on Permissions and then on Add
  3. As this permission will be in the list of all Octopus permissions, choose under what category it will be classified
  4. nter a permission name in French and English long description fields
     

    Restriction of one or several relationship types

  5. From Reference data management, go to General > Request Relationship Types
  6. Open the relationship type and choose the request types to restrict
  7. In Permission field, select the custom permission previously created
  8. Save (if you need to restrict more than one relationship, repeat the previous steps)
     

    Manage the new permission in roles

  9. From Reference data management, go to General > Roles
  10. Add the custom permission previously created to one or many roles that will be assigned to Octopus users
Visual explanation









 
X
Help us improve our articles