
Agent Team, Department and Role Restrictions
<p><strong>In this guide we will cover:</strong></p><p><strong>- What are Departments?</strong></p><p><strong>- What are Teams?</strong></p><p><strong>- What are Roles?</strong></p><p><strong>- Restricting Administrator Access</strong></p><p><strong>- Restricting Reporting on Tickets</strong></p><p><strong>- Build Permissions without Administrator 
Access</strong></p><p><br></p><p><br></p><p><strong>Admin Guides:</strong></p><ul><li><strong><a href="https://usehalo.com/haloitsm/guides/1409" target="_blank" rel="noopener noreferrer">Agents</a>&nbsp;</strong></li><li><strong><a href="https://usehalo.com/haloitsm/guides/1344" target="_blank" rel="noopener noreferrer">Departments</a></strong></li><li><strong><a href="https://usehalo.com/haloitsm/guides/1408" target="_blank" rel="noopener noreferrer">Roles</a>&nbsp;</strong></li><li><a href="https://usehalo.com/haloitsm/guides/1348" target="_blank" rel="noopener noreferrer"><strong>Teams</strong></a></li></ul><p><br></p><p><strong>Related Guides:</strong></p><ul><li style="font-weight: bold;"><a href="https://usehalo.com/haloitsm/guides/2426" target="_blank" rel="noopener noreferrer"><strong>Access Control</strong></a>&nbsp;</li><li style="font-weight: bold;"><a href="https://usehalo.com/haloitsm/guides/1897" target="_blank" rel="noopener noreferrer">Departments</a></li><li style="font-weight: bold;"><a href="https://usehalo.com/haloitsm/guides/1900" target="_blank" rel="noopener noreferrer">Roles</a></li><li style="font-weight: bold;"><a href="https://usehalo.com/haloitsm/guides/1898" target="_blank" rel="noopener noreferrer">Teams</a></li></ul><p><br></p><p><br></p><p>This guide outlines how Agents, including those with the Administrator Role, can be restricted to allow for separation of sensitive information.</p><p><br></p><p><strong><span style="font-size: 14pt;">What are Departments?</span></strong></p><p>Departments sit underneath an Organisation. They contain Teams, which contain Agents. 
If an Agent is a member of a Team, they will automatically inherit basic access to any Departments that Team sits underneath.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjI3ZmI5NzgwLTEzNDYtNDJmNy05ZTIxLTg2OTA1ODNjZWI0ZCJ9.Dg1qLiIAzxS44p4fiWHGAJQIDa_kR0MgGUqMuEQ1UMk" class="fr-fic fr-fil fr-dib" width="1218" style="width: 1220px; height: 389.345px;" height="389"></p><p><strong><span style="font-size: 10pt;">Fig 1. Departments in the Organisational structure.</span></strong></p><p><br></p><p><strong><span style="font-size: 14pt;">What are Teams?</span></strong></p><p>Teams separate Agents within the same Department.</p><p><br></p><p>In this example, Olivia Chen is a part of the &quot;Human Resources&quot; Department as they are a member of a Team within that Department. They cannot view Tickets belonging to other Teams in that Department, unless they are a member of that Team or they have elevated Department access.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijg2ZmI0OTJhLWM1NzctNGE2Ny1hMzNlLWRjMDA0N2VjNmJmYSJ9.CD2x9u5Pa3rZmb-qhfOSdq_qpWmU25D2a26q7cx8Ifc" class="fr-fic fr-fil fr-dib" width="1219" style="width: 1221px; height: 389.664px;" height="390"></p><p><strong><span style="font-size: 10pt;">Fig 2. 
Agent in a Team in a Department.</span></strong></p><p><br></p><p><strong><span style="font-size: 14pt;">What are Roles?</span></strong></p><p>Roles can be used to give Agents access to Departments and Teams, as well as apply specific permissions using the &quot;Permissions&quot; tab on the Role.</p><p><br></p><p>In this example, an Agent with the &quot;IT Agent&quot; Role is a member of the &quot;IT&quot; Department but only has access to the &quot;1st Line Support&quot; Team&#39;s Tickets.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjkxNjI5NTA4LTM0ZDYtNDZjMC04MmE0LTVkYTExZDU5MTFiMyJ9.cUwddK1tcFqfFX7Y_R6FbuX-dJ49AbtM87fvADrr738" class="fr-fic fr-fil fr-dib" width="1216" style="width: 1218px; height: 626.068px;" height="626"></p><p><strong><span style="font-size: 10pt;">Fig 3. Example Role restrictions.</span></strong></p><p><br></p><p><strong><span style="font-size: 14pt;">Restricting Administrator Access</span></strong></p><p>Using the methods above will allow you to restrict access to certain areas for almost all Agents. When an Agent has the Administrator role, this gives them access to all Tickets and the ability to override permissions and settings.</p><p><br></p><p>To prevent Administrators automatically overriding the permissions they have set, you can disable &quot;Give admins additional privileges&quot; in Configuration &gt; Advanced Settings. This allows you to restrict access to certain Ticket Types against Administrator accounts, preventing Agents searching for Tickets outside of the Areas they have access to.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImQxNjc0M2E2LWQwZjItNDA4MC1iMzhhLTNkOTBhYTk4MWE4YyJ9._66kEnAgGAn7renF5qbupvNPDB2C9gL2pI2HoM4iyDU" class="fr-fic fr-fil fr-dib" width="492" height="53"></p><p><strong><span style="font-size: 10pt;">Fig 4. 
Disabling additional Administrator privileges.&nbsp;</span></strong></p><p><br></p><p>Administrators could also override the setting above, which is where configuration tracking comes in. We can report on when this setting has been changed, and by which Agent, to audit any instances of Administrators trying to override their allowed permissions.</p><p><br></p><p>The table &quot;configcommit&quot; details all configuration changes, and can be filtered to display only instances where this setting has been adjusted, which can then be added to a Scheduled Report to send if results are present.</p><p><br></p><p><strong><span style="font-size: 14pt;">Restricting Reporting Access</span></strong></p><p>Even if restricted from certain Areas, Agents can still make Reports which pull this information from the database using custom SQL. To restrict this, you can prevent Agents from creating custom SQL Reports and limit them to the Query Builder.</p><p><br></p><p>In Configuration &gt; Teams &amp; Agents &gt; Roles, select a Role and go to the &quot;Permissions&quot; tab. Here, set &quot;Can Create SQL Data Sources&quot; to &quot;No&quot;.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjQxMWIzYmM4LTZhYjMtNDAyOC1hNjNiLWFhMTQ3MTUzMDlmYyJ9.jMpvC1T0z-w_B1kJSCsNQQ9xLmcHfTk_Tl7oDeHDsB8" class="fr-fic fr-fil fr-dib" width="608" height="175"></p><p><strong><span style="font-size: 10pt;">Fig 5. 
Restricting SQL access.</span></strong></p><p><br></p><p>Then, enable &quot;Default for apply Agent&#39;s permissions to Ticket, Action, and Asset query builder queries&quot; in Configuration &gt; Reporting &gt; General Settings.</p><p><br></p><p>The combination of these settings restricts Agents from reporting on Tickets they would not have access to in the UI.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImM5OWM0NzA1LWE3YzAtNDk4NS1iODA2LTZhMTEwYmRmYzRlYSJ9.Syf_71wT1phpd0hHS7hah2LRDvuiZuneNwBfyheegjU" class="fr-fic fr-fil fr-dib" width="547" height="37"></p><p><strong><span style="font-size: 10pt;">Fig 6. Restricting Reporting by Agent permissions.</span></strong></p><p><br></p><p>For those who will need access to custom SQL, or who have access to the restricted Department as Administrators, we can audit when Reports are run on certain topics by enabling &quot;Audit when reports are run&quot; in Configuration &gt; Advanced Settings.</p><p><br></p><p>This feature adds an entry to the &quot;reportevent&quot; table for each Report that is run, allowing us to audit where Reports are being run on Tickets related to the restricted Department. For example, you can build a Report that queries the &quot;reportevent&quot; table and filters on the &quot;RESQL&quot; column to identify instances of reporting on sensitive Tickets and Departments.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjI5M2JlNTk5LTQ2ZjgtNDg1MC1iNWFhLTBjZDhlNTkzMzRjOSJ9.unh6VDu90pXzGPO_-HSzNreIYSf89ROVhn_Xngjcstk" class="fr-fic fr-fil fr-dib" width="191" height="34"></p><p><strong><span style="font-size: 10pt;">Fig 7. 
Reporting auditing enabled.</span></strong></p><div id="isPasted"><p><br></p></div><p><strong><span style="font-size: 14pt;">Build Permissions without Administrator Access</span></strong></p><p>If an Agent needs to configure Areas without being an Administrator, this can be allowed by enabling the relevant Agent permissions. In Configuration &gt; Teams &amp; Agents &gt; Roles &gt; Permissions tab, set the permissions under the &quot;Configuration&quot; section.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijg0MTM5ZjA2LTEzOGQtNGM1YS1hNGJlLTFkN2NkMjY4ODNhOSJ9.n47lolHOOsn_MZRo6enK-dsK03Pu2pg65_rRevdfjw8" class="fr-fic fr-fil fr-dib" width="611" height="813"></p><p><strong><span style="font-size: 10pt;">Fig 8. Build permissions on a Role.</span></strong></p><p><br></p><p>Access Control can also link into these permissions: if one Agent creates the configuration for a certain entity, they can then grant access to other Agents with permissions, so that those Agents can edit it too.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImIxN2FkODAwLWMyZjMtNGQzMC04ZGUxLWMxN2RiNWU4YjNmNSJ9.ESlRMi4PiRWfTspWF1D9VX-j8bPL05Xr-ecsXD14aCA" class="fr-fic fr-fil fr-dib" width="586" height="177"></p><p><strong><span style="font-size: 10pt;">Fig 9. Access Control button on a Ticket Type.</span></strong></p>
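<p><br></p><p>The &quot;reportevent&quot; audit described under Restricting Reporting Access, as an added example that is not part of the original guide or Halo's own code: it scans exported rows and flags Report runs whose &quot;RESQL&quot; text names a restricted Department or Team, matching whole names only so that a short name such as &quot;HR&quot; does not hit &quot;threshold&quot;. Only the &quot;RESQL&quot; column comes from the guide; the other field names, the sample SQL and the restricted names are assumptions.</p>

```python
import re
from collections import Counter

# Constructed rows standing in for an export of the "reportevent" table.
# Only the RESQL column name is from the guide; "agent", "run_at" and the
# SQL text (table and column names included) are hypothetical sample data.
SAMPLE_ROWS = [
    {"agent": "Olivia Chen", "run_at": "2024-05-01 09:12",
     "RESQL": "SELECT id FROM tickets WHERE department = 'Human Resources'"},
    {"agent": "Sam Patel", "run_at": "2024-05-01 10:40",
     "RESQL": "select id\nfrom tickets\nwhere department = 'human   resources'"},
    {"agent": "Sam Patel", "run_at": "2024-05-02 08:05",
     "RESQL": "SELECT id FROM tickets WHERE response_threshold > 4"},
    {"agent": "Olivia Chen", "run_at": "2024-05-02 11:30",
     "RESQL": "SELECT id FROM tickets WHERE team = 'HR'"},
    {"agent": "Sam Patel", "run_at": "2024-05-03 14:00", "RESQL": None},
]

# Names treated as sensitive for this audit (assumed; use your own).
RESTRICTED_TERMS = ["Human Resources", "HR"]

def _term_pattern(term):
    """Match the term as a whole phrase, any case, any run of whitespace."""
    words = [re.escape(w) for w in term.split()]
    return re.compile(r"(?<!\w)" + r"\s+".join(words) + r"(?!\w)", re.IGNORECASE)

def find_sensitive_reports(rows, restricted_terms):
    """Return one finding per row whose RESQL text names a restricted term."""
    patterns = {t: _term_pattern(t) for t in restricted_terms}
    findings = []
    for row in rows:
        sql = row.get("RESQL") or ""  # rows with no stored SQL are skipped
        matched = sorted(t for t, p in patterns.items() if p.search(sql))
        if matched:
            findings.append({"agent": row["agent"], "run_at": row["run_at"],
                             "terms": matched})
    return findings

def runs_per_agent(findings):
    """Count flagged Report runs per Agent, for a summary line in the audit."""
    return dict(Counter(f["agent"] for f in findings))

if __name__ == "__main__":
    hits = find_sensitive_reports(SAMPLE_ROWS, RESTRICTED_TERMS)
    for hit in hits:
        print(hit["run_at"], hit["agent"], ", ".join(hit["terms"]))
    print(runs_per_agent(hits))
```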