Management of users, permissions, groups

One of the most important features of Pandora ITSM is the possibility of working with different groups of users and that it allows access and display of separate elements, so that each group only sees its information and items, the content being invisible for the other groups. These user groups may be different departments, customers, or companies. This feature is generally known as a Multitenant environment.

The permissions structure is based on three concepts:

• Group: Set of users with visibility between them. A group may be translated as “department”, “client” or “company”, depending on the context of use of Pandora ITSM and the desired way of working.
• Profile: Permission level. Define a series of privileges, such as: access to the agenda, having access to create tickets, or being a project manager.
• User ID: Unique name or keyword to log in to Web Console.

Users will have one or more combinations of profile plus group associated, defining the level of privileges they will have and for which group, being able to be, for example, project manager in one group and ticket operator in another. To edit users, a user with permissions may access the user manager through the menu People → User management.

• To edit, click on the corresponding User ID.
• To delete, use the selection column in each item and then click Delete selected (or with Delete user at column Actions)
• To add a new user (Create user).

Some user features are, for example, activation (whether the user is enabled or not) or whether the user has login (interactive access to the console). Some users only have e-mail access for incident management.

In Custom screen, you may choose the dashboard that the user will see when logging in. See “Dashboard Management” for more information.

Optionally, you may assign a Company, which is important from the profile point of view, since in certain sections of the application the level of access will also take into account which company users belong to. Pandora ITSM brings default data for testing, you must first create your own companies in the customer management section (“CRM customer management”).

Once a user has been registered, the user himself can modify his own data through the menu People → Edit my user (or through the shortcut located in the header, right next to the logout button) and also know his API 1.0 key by means of a QR code (which also contains name, phone number, et cetera) or generate a token for the API 2.0 (version 101 or later).

Closely related to the groups and profiles, are the types of user. In Pandora ITSM, there are four types of users:

• Grouped only by company: This is like a normal grouped user, but may only see tickets from users in the same company and group.
• Grouped user: Privilege level based on their groups and profiles. They may only access, view and/or modify the information of each assigned group according to the profile they have defined.
• Standalone user: They may only access sections: Tickets and Wiki. In the Tickets section, they may only see their own tickets. They are often used to offer support services to potentially large customer groups.
• Super administrator (superadmin): Full access and privileges over all sections and tool groups.

User administrators are the only ones that may create or delete users within the system. For that they should have UM permissions in the assigned profile or either be superadmin.

Pandora ITSM keeps tabs on the number of user administrators, since it must be equal or lower to the one set by the license. If at any time the number were exceeded, a warning message will appear and a notification in the system inbox:

In the user list you may see which user admins have Web Console login disabled:

In this kind of situation you may of course extend Pandora ITSM license.

This system allows specifying what access privileges are given to each user in the different sections of Pandora ITSM.

In user definition, at the end, there is the group and profile association:

In each section or function (tickets, base-knowledge, downloads, CRM, inventory, Wiki …) these access bits are used differently combined with elements, such as groups, or with access definitions specific to each tool. For example, in downloads, the access definition associates groups with something called categories, while in CRM, access management does not use groups but companies, and which companies are linked to each other.

Profiles can be managed from the People → Profile management menu. Each profile has a set of access bits and is identified with a name and a 2 or 3 letter abbreviation. Profiles are configured using access flags.

The Project Manager Role may perform any operation on projects to which they are assigned that role, as well as on project tasks. Additionally, users with this role will be able to delete projects.

Project Owner: They have the same permissions as the project manager.

Administrator User: You may perform all the above actions in any project or task without restrictions (according to their availability in the interface).

In the project ACL system, subtasks inherit the permissions of the parent tasks. That is, if a user may modify the parent task, they may also modify the child task.

See also Wiki ACL read and write permissions.

CRM (Customer relationship management) has a particular way of working: only the company to which the user belongs and the profiles he/she has in any of the groups (regardless of the groups themselves) are taken into account.

The main access restriction method will be the parent/child relationship between companies. So if a user has access to one company, he/she has access to all “child” companies (except the external user, who only sees what belongs to him/her).

Pandora ITSM allows sales lead management (business lead or people in charge of business with companies).

Special access flags that refer to application management.

Through this section, to which only system administrators have access, new users can be massively incorporated into the system.

This process is based on importing a CSV file with a specific format. A CSV file stores tabular data (numbers and text) in plain text format. Columns are separated by commas:

• id_user
• password
• real_name
• email
• telephone
• description
• avatar
• disabled
• id_company
• num_employee
• enable_login
• Custom fields.

Custom fields must previously exist in Pandora ITSM system and must be indicated in order, being able to choose a value, or if you do not want to give them a value, a blank space.

Other fields will be automatically associated according to the values of the creation form:

• Group.
• Profiles.
• Global profile (standard user or external user).
• Enable policy password (policy to force password according to security level).
• Avatar (profile image).

An unlimited number of custom user fields may be defined to tailor the application to the organization. Only an administrator may define custom fields.

You may define yes/no fields (ON /OFF), descriptions, values to choose from a selector and others.

• If Show in search is enabled, the custom field will be displayed in the user filter with a text box (in this field, the search is case sensitive).
• If Show in list is enabled the field value will be shown in the user list as an additional column.

Group management is only visible to users with user management profile. With this profile you can manage the group or groups to which you belong, but you can always view the All group.

Tickets will always be associated to a group. It is possible to define a default user in the groups to whom the tickets will be assigned when a new ticket is added to that group. The user can then transfer (“escalate”) the tickets to anyone within the group, although the user must be configured with the necessary permissions to do so.

By clicking on the name of any group you will access its editing form. In the group list, by clicking on the corresponding icon in the first column of users, you will be able to view the users that belong to that group. From there you can delete users from the group, always bearing in mind that the profile associated with that group will also be deleted, which may limit the work of that user (insufficient rights).

By clicking on the Create button you can add new groups whose fields are similar to the edit fields.

• Forced email: Enables or disables the sending of tickets to the group of users entered in the email group.
• Parent: Group in which you are included as a child.
• Default user: This user will be the default user for tickets created in this group. At least two letters must be typed in the search field to be able to choose from a list of matching users.
• Icon: Image of the group, by selecting one from the list you will get a preview of the group.
• Send customer satisfaction email: Option to send an e-mail to know the level of customer satisfaction.
• Open ticket limit: For grouped users, it is the maximum number of simultaneous tickets opened by a group in the last year. For external users, it is the maximum number of simultaneous tickets opened by that user.
• Enforced open tickets limit: It will prevent the creation of new tickets when the limit of open tickets is reached. If not forced, only an information window that the limit has been exceeded is displayed.
• Total ticket limit: For grouped users it is the maximum number of tickets in a group in the last year, regardless of their status (both open and closed tickets will be counted). For external users they will be counted individually, having their own limit for each external user and group. In both cases it is restrictive, so no new tickets can be created for this group or user once the corresponding limit has been reached.
• Ticket SLA: Follow-up on the level of compliance used in this group's tickets.
• Default inventory object: Object associated by default to the new tickets of this group (optional).
• Email from: Email address that will appear as the source of the notification. If you need the users to be able to reply to this email, this address must be an alias of the address configured in Pandora ITSM to receive the messages.
• Group email: Email addresses associated with the group. Notifications will be sent to these addresses when there are changes to the tickets in the group (if there are several, you must separate them by commas ,).

They are used for ticket creation and management by email. To be able to use this feature, it is necessary to have an email account configured in the Mail settings section, in the general configuration of the console (Setup → Setup → Email setup). Pandora ITSM will use this account to download mail from a mailbox and to be able to work with new tickets sent to the support email account.

Since Pandora ITSM can only use one email account to download (POP3 or IMAP technologies), you will have to use ALIAS on your mail server to be able to differentiate who created the ticket.

Back to Pandora ITSM documentation index