In a multi-tenanted CA Service Desk Manger environment, a non-service-provider tenanted analyst with Analyst grant level is unable to update the access type of another same-tenanted contact from an Employee role to the Level 2 Analyst role. The error that is received in the Service Desk Manager web browser interface is:
AHD04796:You are not authorized to assign an access type that allows role(s) Level 1 Analyst, Level 2 Analyst, Customer Service Representative.
All roles in the access type need to have Tenant Access as 'Contact's ...' in order for a tenanted user to be able to assign it out.
Example#1 with Explanation:
To illustrate, an example using the Service Desk Staff access type follows.
Suppose an analyst user/contact is defined with the out-of-the-box Service Desk Staff access type and with a non-service provider tenant such as TenantA. This analyst user would like to grant the Service Desk Staff access type to another contact also belonging to TenantA. Out of the box, the Service Desk Staff access type contains five roles: Configuration Viewer, Customer Service Representative, Employee, Level 1 Analyst and Level 2 Analyst. So the analyst user would be granting the second contact these 5 roles. However, the analyst user would not be able to do this out of the box, because some of these roles (for example, Level 2 Analyst) have their Tenant Access set to "All Tenants". If it was possible for the analyst to make the assignment, it would have granted the second contact access to all tenants. Service Desk Manager does not allow the analyst user to assign access to all tenants unless the analyst user belongs to the Service Provider tenant.
Here are the steps needed to allow the analyst user belonging to TenantA to assign the out-of-the-box Service Desk Staff access type:
- Log in to Service Desk as a Service Provider tenanted user running under the Administrator role.
- Open the details of the Level 2 Analyst role.
- Update the Tenant Access to one of the values beginning with "Contact's ". This could be "Contact's Tenant", "Contact's Tenant Group", "'Contact's Subtenant Group", etc. according to your business needs.
- Make sure the Tenant Write Access is set to "Same as Tenant Access" or to one of the values beginning with "Contact's ".
- Save the Level 2 Analyst role.
- Make the same changes from steps 2-5 for the Level 1 Analyst role and the Customer Service Representative role.
- At this point, all the five roles in the out of the box Service Desk Staff access type have their Tenant Access set to "Contact's .....".
Important Note: If you have added any new roles to the Service Desk Staff access type, please also follow steps 2-5 for those new roles as well.
- Now the tenanted analyst user from TenantA should be able to assign the Service Desk Staff access type to the second contact from TenantA.
Additionally, the tenant access cannot be set to Tenant Group is because on the Role's detail page, the tenant group can have an arbitrary value. So in effect, the tenanted Analyst user would be giving the other user access to all the tenants specified in the Tenant Group. There is no guarantee that the list of tenants is something that this other user can already or should be allowed to access or not. That is a decision left to a Service Provider administrator.
Since access types are untenanted, a tenant administrator or even an analyst with contact update ability could potentially create or update a contact with the ability to access other tenants. For this, Service Desk specifically:
- Does not allow a user other than a Service Provider Administrator to assign an access type allowing a role with a tenant access other than "Contact's xxxx". In other words, no one but an Service Provide Administrator can assign an access type with all tenant access or specific tenant access.
- Does not allow a user other than a Service Provider Administrator to assign an access type with a grant level higher than the user's own (enforced only when multi-tenancy is active).
- Does not allow any user to set the Analyst's Group to any group that is not a subset of the user's own tenant read access.
- Does not allow a user other than a service provider administrator to assign a contact role with a tenant access other than "Contact's xxxx."
Example#2 with Explanation:
Here is another example whereby a non-service-provider-tenanted analyst with Admin grant level tries to create a new user. Note that the basis of the example are the "out-of-the-box" definitions of access types and roles.
Suppose you create a new access type that is a copy of the Service Desk Management access type. For the new access type, assign only one role that is the Administrator role. By default, the Administrator role has the Grant Level set to "Admin", the Tenant Access set to "All Tenants", and the Tenant Write Access set to "Same as Tenant Access". Create a new user (we will refer to this as the "admin" user) and specify its access type as the new access type, and specify its tenant as a tenant that is not the service provider tenant. Login as the new user and try to create a user that has a lower access type, such as Service Desk Staff - The AHD04796 error occurs. Next, try to create a new user with the access type set to either Employee or Customer - There is no error and the user is created successfully.
The reason for the AHD04796 error is that only a service-provider-tenanted administrator can assign an access type that has any of the attached roles defined with All Tenant access or specific tenant access. In the error case, the "admin" user that was created does not have the Tenant set to the service provider tenant and the roles attached to the access type selected for the new user have the tenant access set to something other than "Contact's xxxx". When you create a contact choosing 'Employee" or "Customer', the contact gets created because each of the roles attached to those access types have Tenant Access set to "Contact's Supertenant Group" and Tenant Write Access set to "Contact's Tenant".