Security Overview
ChangeGear uses a combination of users, roles, and teams to support a wide variety of administrative control options. Settings made primarily in the roles' privileges control the confidentiality, integrity, and availability of the data. Optionally, information can be restricted or shared further by using teams. ChangeGear also supports multiple authentication methods, both for users in your organization and for individuals who work closely enough with your organization to need access to your Change or Service Desk management solution. This allows you to keep information confidential and protect its integrity while still giving access to those who need the information gathered in ChangeGear.
Users are imported from Active Directory (AD) or created within ChangeGear, while roles and teams are administrator-defined entities. Each user is assigned to a specific role within ChangeGear. Teams are optional but afford a more flexible security model in which users can hold privileges beyond, or more restricted than, those of their defined role.
There are two varieties of teams: security teams and notification teams. Security teams add a further access restriction, and a member's role within the team can differ from that member's role in ChangeGear as a whole. Notification teams allow notifications or assignments to be sent to groups of users who may hold different ChangeGear roles, much like a group e-mail address.
Maintaining Confidentiality
ChangeGear is capable of preventing unauthorized access to information by employing various levels of security based on user role or the sensitivity of the data involved.
Part of ensuring that information in your ChangeGear database is shared only with approved members of your organization or approved external partners is user authentication. Administrators can select universal or group-based auto-registration for directory users. Universal auto-registration automatically registers new users into a single role of your choosing. Group-based auto-registration uses security groups in your Windows domain directory to assign each user a role dynamically. For external users, such as trusted partners or contractors, and for users who are not in your internal directory, you can use ChangeGear-specific authentication: you create the user account and set the user name and initial password, after which the ChangeGear-authenticated user manages their own password.
After users are entered into ChangeGear, the most basic distinction in security is between end users (Requesters) and staff. Users are automatically placed into roles, which determine their available privileges. Requesters (Change Requesters, Incident Requesters, or Problem Requesters) use restricted versions of the ticket forms and can view only certain parts of ChangeGear; they can see certain fields but cannot edit most fields after the ticket has been submitted.
Staff have wider access to ChangeGear and can view or edit most forms. You can restrict both the list of modules a staff user can view and which tickets staff users are allowed to change. Staff users are assigned to roles within ChangeGear, and the privileges assigned to each role, together with the field-level security on the forms, control the visibility and confidentiality of information within the system.
ChangeGear also employs security teams to further restrict who can view information. Security teams are generally implemented when a heightened level of security is necessary for particular items in ChangeGear. Users are assigned specific roles within the security team, and the team role takes precedence whenever a work item is owned by the team. For example, assume a user has the Incident Manager role in ChangeGear but only the Change Requester role in the security team. If the work item is assigned to or owned by the security team, the user acts as a Change Requester and can perform only those actions permitted by that role.
Maintaining Integrity
ChangeGear restricts who can modify information within the forms, and how, to preserve the integrity of the data.
Edit the role privileges to control who can view modules and who can edit the information within them. Privileges also determine which fields are visible to, and which are editable by, that role.
Security teams can also be employed to restrict who can modify or enter data. If a security team with a restricted guest role owns the ticket, only members of the security team can interact with the information in any meaningful manner.
In addition to controlling who can view or edit data, ChangeGear records who made each change and when. The Description field records who entered a description and when it was entered. Once entered, a description cannot be changed; it can only be followed by another description entry. This works together with the History tab to record who made which changes to the ticket.
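The append-only description record and the History tab together act as an audit trail for each ticket. The Python sketch below is added here as an illustration and is not ChangeGear's own implementation; it models the behaviour just described: description entries are immutable once written, every field change is logged with actor and time, non-editable fields are refused, and the history can be replayed to confirm that the ticket's current state matches what was recorded. The ticket fields, user names and timestamps are constructed for the example.

```python
"""Append-only descriptions plus a replayable change history (illustration only,
not ChangeGear code). Field names, users and timestamps below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)  # frozen: an entry cannot be edited after it is written
class DescriptionEntry:
    author: str
    timestamp: datetime
    text: str


@dataclass(frozen=True)
class HistoryEvent:
    timestamp: datetime
    actor: str
    field_name: str  # "description" marks an appended description entry
    old: Any
    new: Any


class Ticket:
    """Work item whose every change is recorded; descriptions are append-only."""

    EDITABLE = {"assignee", "state", "priority"}  # assumed editable-after-submit fields

    def __init__(self, ticket_id: str, creator: str,
                 now: Optional[datetime] = None, **initial: Any) -> None:
        ts = now or datetime.now(timezone.utc)
        self.ticket_id = ticket_id
        self._fields: Dict[str, Any] = {}
        self._descriptions: List[DescriptionEntry] = []
        self._history: List[HistoryEvent] = []
        for name, value in initial.items():  # creation is recorded like any change
            self._fields[name] = value
            self._history.append(HistoryEvent(ts, creator, name, None, value))

    @property
    def fields(self) -> Dict[str, Any]:
        return dict(self._fields)

    @property
    def descriptions(self) -> Tuple[DescriptionEntry, ...]:
        return tuple(self._descriptions)  # read-only view: no replace/remove API

    @property
    def history(self) -> Tuple[HistoryEvent, ...]:
        return tuple(self._history)

    def add_description(self, author: str, text: str,
                        now: Optional[datetime] = None) -> DescriptionEntry:
        ts = now or datetime.now(timezone.utc)
        entry = DescriptionEntry(author, ts, text)
        self._descriptions.append(entry)
        self._history.append(HistoryEvent(ts, author, "description", None, text))
        return entry

    def set_field(self, actor: str, name: str, value: Any,
                  now: Optional[datetime] = None) -> None:
        if name not in self.EDITABLE:
            raise PermissionError(f"{name} cannot be edited after submission")
        ts = now or datetime.now(timezone.utc)
        old = self._fields.get(name)
        self._fields[name] = value
        self._history.append(HistoryEvent(ts, actor, name, old, value))

    def replay(self) -> Tuple[Dict[str, Any], Tuple[str, ...]]:
        """Rebuild field values and description texts from the history alone."""
        fields: Dict[str, Any] = {}
        descs: List[str] = []
        for ev in self._history:
            if ev.field_name == "description":
                descs.append(ev.new)
            else:
                fields[ev.field_name] = ev.new
        return fields, tuple(descs)

    def check_integrity(self) -> bool:
        """True when the current state is exactly what the history accounts for."""
        fields, descs = self.replay()
        return fields == self._fields and descs == tuple(d.text for d in self._descriptions)


def build_sample() -> Ticket:
    """Constructed sample ticket with fixed timestamps."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    t = Ticket("INC-1001", creator="carol", now=t0, assignee="alice", state="New")
    t.add_description("carol", "Printer on floor 3 jams on every job.", now=t0)
    t.set_field("alice", "assignee", "bob", now=t0.replace(hour=10))
    t.add_description("bob", "Roller replaced; monitoring.", now=t0.replace(hour=11))
    return t


if __name__ == "__main__":
    t = build_sample()
    for ev in t.history:
        print(f"{ev.timestamp:%H:%M} {ev.actor:6} {ev.field_name:12} {ev.old!r} -> {ev.new!r}")
    print("consistent:", t.check_integrity())
```

Replaying the history against the stored fields is the check a reviewer actually wants: if a value changed without a matching history event, the trail is incomplete and the record should not be trusted.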
Maintaining Availability
Information within ChangeGear is fully available to those who need to access it or who need to be notified of upcoming changes.
Outside vendors and users without an entry in your corporate directory can access ChangeGear if the administrator creates them as ChangeGear authenticated users. The administrator must create the account first and assign it to a role. The role can be restricted to view-only access, or the administrator can grant the user broader access to the system.
Roles also control which fields are editable. Field-level security in ChangeGear controls which fields are visible, and which are editable, on a per-module and per-state basis. For example, a Requester can see to whom their ticket is assigned but cannot change that assignment.
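The Python model below is added here as an illustration and is not ChangeGear's own code or configuration format; it puts together the rules from the Confidentiality and Availability sections: a role carries module privileges and a per-module, per-state field-level security table; a security team maps its members to team roles; and the effective role for a work item is the team role whenever the Owner field names a security team, falling back to the user's ChangeGear role otherwise. The role, user, team and field names, the Change Approver role, and the reading that a team's restricted guest role applies to non-members are all assumptions made for the example.

```python
"""Model of ChangeGear-style access decisions (illustration only, not ChangeGear code).

Constructed for this example: role names, users, teams, field names, and the
assumption that a security team's guest role applies to non-members."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Optional, Tuple

ANY_STATE = "*"  # wildcard meaning "every ticket state" in this model


class Access(Enum):
    HIDDEN = 0  # field is not shown at all
    READ = 1    # shown, but not editable
    EDIT = 2    # shown and editable


@dataclass
class Role:
    name: str
    modules: FrozenSet[str]  # modules this role may open at all
    # (module, state, field) -> Access; anything not listed is hidden
    fields: Dict[Tuple[str, str, str], Access] = field(default_factory=dict)

    def access(self, module: str, state: str, fld: str) -> Access:
        """Field-level security lookup: a state-specific entry overrides the
        wildcard entry; a module the role cannot open, or an unlisted field,
        resolves to HIDDEN so the decision fails closed."""
        if module not in self.modules:
            return Access.HIDDEN
        for key in ((module, state, fld), (module, ANY_STATE, fld)):
            if key in self.fields:
                return self.fields[key]
        return Access.HIDDEN


@dataclass
class SecurityTeam:
    name: str
    members: Dict[str, Role]    # user -> role held inside the team
    guest_role: Optional[Role]  # assumed: role for non-members; None means no access


@dataclass
class Ticket:
    module: str
    state: str
    owner: str  # Owner field: a user name or a security-team name


def effective_role(user: str, global_roles: Dict[str, Role],
                   teams: Dict[str, SecurityTeam], ticket: Ticket) -> Optional[Role]:
    """The team role takes precedence when a security team owns the item;
    otherwise the user's ChangeGear role applies."""
    team = teams.get(ticket.owner)
    if team is None:
        return global_roles.get(user)
    return team.members.get(user, team.guest_role)


def field_access(user: str, global_roles: Dict[str, Role],
                 teams: Dict[str, SecurityTeam], ticket: Ticket, fld: str) -> Access:
    role = effective_role(user, global_roles, teams, ticket)
    return Access.HIDDEN if role is None else role.access(ticket.module, ticket.state, fld)


# --- constructed sample configuration ------------------------------------
INCIDENT_MANAGER = Role("Incident Manager", frozenset({"Incident", "Change"}), {
    ("Incident", ANY_STATE, "assignee"): Access.EDIT,
    ("Incident", ANY_STATE, "requester"): Access.READ,
    ("Change", ANY_STATE, "assignee"): Access.EDIT,
    ("Change", ANY_STATE, "requester"): Access.READ,
})
CHANGE_REQUESTER = Role("Change Requester", frozenset({"Change"}), {
    ("Change", ANY_STATE, "assignee"): Access.READ,  # sees assignee, cannot change it
    ("Change", ANY_STATE, "requester"): Access.READ,
})
CHANGE_APPROVER = Role("Change Approver", frozenset({"Change"}), {
    ("Change", ANY_STATE, "assignee"): Access.READ,
    ("Change", ANY_STATE, "requester"): Access.READ,
    ("Change", "Approval", "requester"): Access.HIDDEN,  # requester anonymity during review
})
RESTRICTED_GUEST = Role("Restricted Guest", frozenset({"Change"}), {
    ("Change", ANY_STATE, "title"): Access.READ,
})

GLOBAL_ROLES = {"alice": INCIDENT_MANAGER, "bob": CHANGE_APPROVER, "carol": CHANGE_REQUESTER}
TEAMS = {"infosec": SecurityTeam("infosec", {"alice": CHANGE_REQUESTER}, RESTRICTED_GUEST)}


if __name__ == "__main__":
    cases = [
        ("alice", Ticket("Change", "New", "carol"), "assignee"),      # global role: EDIT
        ("alice", Ticket("Change", "New", "infosec"), "assignee"),    # team role wins: READ
        ("bob", Ticket("Change", "New", "infosec"), "assignee"),      # non-member guest: HIDDEN
        ("bob", Ticket("Change", "Approval", "carol"), "requester"),  # hidden in Approval state
        ("carol", Ticket("Incident", "New", "alice"), "assignee"),    # no Incident module: HIDDEN
    ]
    for user, ticket, fld in cases:
        print(f"{user:6} {ticket.module}/{ticket.state:9} owner={ticket.owner:8} "
              f"{fld}: {field_access(user, GLOBAL_ROLES, TEAMS, ticket, fld).name}")
```

Two design points carry over to any real configuration: the lookup fails closed (an unlisted field or an inaccessible module yields HIDDEN rather than READ), and the state-specific entry is checked before the wildcard, which is what lets a requester be visible in the New state yet hidden during Approval.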
ChangeGear can also employ notification teams, which let the system send notifications to members of your organization who hold different roles or belong to different organizational divisions. Notification teams can also include groups from your Active Directory. Notification teams carry no privileges or restrictions of their own; whether a member can view the information referred to in a notification still depends on that member's role in ChangeGear.
Use the following table to help you set up your ChangeGear security.
How do I … | Do this
Grant access to users without entries in your corporate directory? | Create a ChangeGear authenticated user and assign the user to an appropriate role.
Control the user privileges? | Create or modify roles with appropriate privileges and assign the users to them.
Allow only specific users to view or edit tickets? | Use the Security Team functionality in conjunction with the Owner field.
Allow users to view tickets assigned to their team? | Create team-specific views in the Administration module.
Restrict the data that users can view? | Use the field-level security in the Roles dialog to hide fields.
Remove access to a module? | Use the role privileges to disable access to that module.
Protect the anonymity of a requester when a ticket is being reviewed? | Use field-level security to hide the information during the Approval state, or during those states that make up your review process.
Consistently notify multiple members of your organization regardless of individual role? | Create Notification Teams, which can also include Active Directory groups.