Last updated: 2023-08-07

Source: https://support.freshservice.com/support/solutions/articles/50000006096-enabling-advanced-role-management-in-freshservice-accounts

With multiple teams operating out of the same service desk, data security is of utmost importance and it becomes essential for admins to have a way to provide granular access to data and settings. To facilitate this, roles will now be of two types:

  • Admin roles \- Roles with permissions needed to modify configurations within the admin section
  • Agent roles \- Roles with permissions needed to run everyday service desk operations across modules like tickets, problems, changes, etc.

    • To split the existing roles in your service desk that contain both agent and admin permissions checked without affecting an agent/admin's current permissions, we will use the following logic to split and assign roles:

    Logic for Default Roles

    All the default roles in your Freshservice account will be split into agent and admin roles because they contain a mix of permissions. Except for Account Admin and Admin roles, all the other default roles will be available as agent roles. Since these default roles earlier had specific admin permissions (listed below), new complimenting custom admin roles will be created and assigned along with the default agent roles to retain existing privileges:

    Users assigned a default role that contains this permissionWill be assigned this custom role
    View Requester/ContactRequester Details Viewer (Employee Support Mode)/ Contact Details Viewer (MSP mode)
    View, Edit, and Delete Requesters/ContactsRequester Manager (Employee support mode)/ Contact Manager (MSP mode)
    Manage Solution Categories and FoldersKnowledge Base Manager
    Configure Asset Management and Asset DepreciationAsset Administrator
    Manage Change Templates, Lifecyle and Calendar WindowsChange Administrator
    Administer all projectsProject Administrator

    Role-wise mapping strategy:

    Current roleFuture roles
    Account AdminAccount Admin (default admin role) +<br>IT Supervisor  (default agent role)
    Admin roleAdmin (custom admin role) +<br>IT Supervisor (default agent role)
    SD supervisor and SD agentThese roles are not listed under default roles in advanced role management and hence will be created as custom roles if they are assigned to at least one agent.<br>The new roles assigned will be:<br>SD Supervisor/SD Agent (custom agent role) + <br>Requester/Contact Details Manager (custom admin role) + <br>Knowledge Base Manager (custom admin role)
    IT Ops AgentIT Ops Agent (default agent role) + <br>Requester/Contact Details Manager (custom admin role) + <br>Knowledge Base Manager (custom admin role)
    Problem Manager<br>Release ManagerProblem/Release Manager (default agent role) + <br>Requester/Contact Details Viewer (custom admin role)
    Change ManagerChange Manager (default agent role) + <br>Change Administrator  (custom admin role) + <br>Requester/Contact Details Viewer  (custom admin role)
    Project ManagerProject Manager (default agent role) + <br>Project Administrator  (custom admin role)
    Configuration Manager<br>Contract ManagerConfiguration/Contract Manager (default agent role) + <br>Requester/Contact Details Viewer (custom admin role)+ <br>Asset Administrator (custom admin role)
    Procurement managerProcurement manager (default agent role) + <br>Asset Administrator (custom admin role)
    Project MemberProject Member (default agent role)

    Logic for Custom roles

  • For roles that only have agent permissions and don't have admin privileges, we’ll retain the roles as agent roles.
  • For roles that only have admin permissions and don't have agent privileges, we’ll retain the roles as admin roles.
  • For roles with both agent and admin permissions, we’ll split the role into two parts and append "(Agent)"/"(Admin)" after the name.

    • E.g., if a user is assigned a role called ‘Team supervisor’ with both admin and agent permissions, we’ll split this role into two - Team supervisor (Agent) and Team supervisor (Admin). Both roles will be assigned to the user to ensure the same levels of permissions are retained after role splitting.

    Impact on Agent APIs

    In case you are using Freshservice APIs in workflows, custom apps or any custom service/middleware developed using Freshservice APIs to grant roles to agents in your service desk and the role-ids have been hard-coded, the role-ids may have to be updated in your API request(s) if the older role was split into an agent and admin role. This is because the older role-id will no longer be valid as new roles have been created after splitting the old role. You can get the new role-ids via the Agent Roles API after we enable advanced role management in your account.

    In case you are using the Okta/Azure AD/One-login SCIM integrations, you do not have to do anything as this is already handled.

    dd

    Important Notes

  • The scope for the below privileges will be expanded when the enhancements are released:

    • - Old Privilege = Manage Agents

    New Privilege = Manage Workspaces (if applicable), Agents, Agent Groups, and Roles

  • Old Privilege = Manage Workflow Automations, Business Rules, and Custom Objects

    • New Privilege = Manage Workflow Automations, Business Rules, Priority Matrix and Custom Objects

  • The following permissions have been re-categorized as admin permissions (from agent permissions):
  • View On-call Schedule > Manage On-call Schedules
  • View User Reports > Edit User Reports > Manage User Reports
  • View Group Reports >Edit Group Reports > Manage Group Reports
  • View Department Reports > Edit Department Reports > Manage Department Reports
  • View Orchestration Transaction Reports > Edit Orchestration Transaction Reports > Manage Orchestration Transaction Reports
  • View Virtual Agent Reports > Edit Virtual Agent Reports > Manage Virtual Agent Reports
  • Manage Solution Categories and Folders
  • New admin permissions are being introduced to ease the delegation of administration

    • - Manage Mailboxes and Email Notification

    - Manage Fields and Tags

    - Manage Business Hours, SLA Policies, and OLA Policies

    - Manage Customer Satisfaction Surveys

    - Manage Credentials

    - View Audit Logs

    - Configure Alert Management

    - Configure Asset Depreciation