Security and troubleshooting for the Co-managed Help Desk
Security
Sharing your business management software with external users presents some unique challenges. You want to give co-managing users access to all the tools they need to work on their assigned tickets, but you also want to control exactly what data they have access to in your Autotask instance.
Autotask has implemented a layered security model that allows you to configure the following:
Since it is likely that only some of your customers will opt for a co-managed business model, co-management must be specifically enabled for each individual co-managed organization. This process can be initiated from the Organization page, or from the Co-managed Setup page. Refer to Co-managed setup.
Co-managing users will never have access to organizations that are not co-managed.
Co-managing users can only be assigned a security level that is based on the Co-managed Help Desk license type. This license type provides limited access to only the features that are required for external users.
EXAMPLE You will not need to set up payroll functions for co-managing users.
Autotask provides a system security level called Co-managed Help Desk (system) that is pre-configured for its intended use. Like other system security levels, it cannot be edited, but you can make copies and edit those. Refer to Co-managed security levels and Security settings and object permissions.
When you have finalized your co-managed security levels (or decided that you are satisfied with the system setting), you can either manually create co-managing users or import them as internal resources into Autotask and then convert them to co-managing users. Refer to Adding or editing a co-managing user and Populating the Resources import template.
Optionally, you can create teams of co-managing users. If a team is selected to co-manage an organization, all team members have access. This simplifies setup when multiple customer IT resources become co-managing users for one or several organizations (for example sub-organizations). Refer to The By Team tab.
After you have set up co-managing users and teams, you must still associate them with the specific organizations they will have permission to access. All other organizations will be hidden from them. Refer to Co-managed setup.
By default, all users view a ticket using its assigned category, the Ticket's Ticket Category. But not all user groups need to see the same information. You may want to hide certain fields that are visible to accountants from co-managing users and technicians. This can be configured at the security level. The Render all Tickets as Ticket Category setting allows you to present tickets to users with the selected security level using a different ticket category, without changing the actual ticket category for other users.
NOTE In addition to using this category to reduce which fields are visible on the ticket, you should also make sure the fields that do appear have the appropriate selections available. Review all visible fields where users select a value from a list (queues, work types, issues, etc.) to make sure the Available List Values do not include more selections than the original ticket category would have.
If a category other than the Ticket's Ticket Category is selected here, the following happens:
- Users with this security level will only be able to view the tickets in the assigned category.
- They will be prevented from assigning a different category on the Forward/Modify Ticket page.
- The Available Ticket Categories when Creating or Editing Tickets will be disabled. No other categories will be available.
IMPORTANT If you are creating a ticket category exclusively for co-managing users, set the Visibility to Co-managing to Visible and hide the field.
Even the Render as... ticket category can be overridden. If you need more or less access for specific co-managing users, you can override the ticket category. Refer to Ticket Category Override.
Tickets have a Co-managed Visibility field that sets the ticket as either Visible or Not Visible to co-managing users. Even if all other settings would allow a co-managing user to access the ticket, a Not Visible setting would prevent it.
You can set the default to Not Visible at the category level. The ticket becomes visible when a co-managing user is assigned as the primary or a secondary resource, the ticket is saved and transferred to a co-managing user, or it is manually set as visible.
NOTE If the default is set to Not Visible at the category level, co-managing users set as default resources are cleared.
NOTE If a workflow rule is setting a ticket where a co-managing user is a secondary resource to Not Visible, the secondary resource is removed.
With the configuration steps above, you have configured which co-managed organizations, and which tickets and projects for those organizations, can be accessed by the co-managing users and co-managing teams assigned to them. But even if entities are visible to co-managing users, it does not necessarily mean that they can view, add, edit or delete associated objects like:
- Notes
- Attachments
- Charges
- Expenses
When internal resources create a note, quick note, attachment or internal time entry note, they can control whether it will be published to Internal Only or to Internal & Co-managing. The Publish To property can even be set on workflow rule notes, and the default can be set by the note type. Refer to Note types.
The visibility of charges and expenses is controlled by the object permissions of the co-managed help desk security level. Refer to Service Desk security settings and Project security settings. They can be completely hidden, or you can expose the charges or expenses, but hide sensitive financial information like Unit Price, Vendor, or Gross Amount. Refer to Can view sensitive Charge data.
The visibility of non-billable time entries and of billing data in the ticket activity feed can also be controlled by separate security settings. Refer to Can view non-billable time entries (Resources can see their own time entries) and Can view billing data in activity feed.
Troubleshooting: cannot assign a ticket to a co-managing user
If you believe you have set up everything correctly, but are unable to assign the ticket to a co-managing user, check the following:
- Did the customer log in using the co-managing user account?
- Is co-management enabled for the ticket organization?
- Is the co-managing user, or a co-managing team he or she is a part of, associated with this organization?
- Is the ticket associated with a ticket category where the Co-managed Visibility field is displayed? Only tickets with ticket categories where this field is available can be assigned to co-managing users.
- If the field is displayed, is it set to Visible?
NOTE Best practice: you may want to create a Visible to Co-managing Users ticket category that defaults this setting to Visible, and workflow rules that run when a co-managing user is assigned to the ticket and that change the ticket category to the Visible to Co-managing Users category.
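The checklist above, expressed as a diagnostic function that reports every layer blocking an assignment rather than stopping at the first. This is an added example, not Autotask code or its API; the classes, field names and sample data are hypothetical models of the settings described on this page.

```python
from dataclasses import dataclass, field

# Hypothetical model of the settings described on this page; not an Autotask API.
@dataclass
class Organization:
    name: str
    co_managed: bool = False                      # co-management enabled per organization
    co_managing_users: set = field(default_factory=set)
    co_managing_teams: set = field(default_factory=set)

@dataclass
class Ticket:
    organization: Organization
    category_shows_visibility_field: bool         # category displays Co-managed Visibility
    co_managed_visibility: str                    # "Visible" or "Not Visible"

@dataclass
class User:
    name: str
    is_co_managing: bool                          # account is a co-managing user
    teams: set = field(default_factory=set)

def assignment_blockers(user, ticket):
    """Return every layer that would block assigning the ticket to the user."""
    org = ticket.organization
    blockers = []
    if not user.is_co_managing:
        blockers.append("account is not a co-managing user")
    if not org.co_managed:
        blockers.append("co-management not enabled for organization")
    # Association can be direct or through any co-managing team the user belongs to.
    if user.name not in org.co_managing_users and not (user.teams & org.co_managing_teams):
        blockers.append("user and teams not associated with organization")
    if not ticket.category_shows_visibility_field:
        blockers.append("ticket category does not display Co-managed Visibility")
    elif ticket.co_managed_visibility != "Visible":
        # Not Visible wins even when every other layer would allow access.
        blockers.append("Co-managed Visibility is Not Visible")
    return blockers

# Constructed sample data.
acme = Organization("Acme", co_managed=True, co_managing_teams={"Acme IT"})
pat = User("pat", is_co_managing=True, teams={"Acme IT"})
hidden = Ticket(acme, category_shows_visibility_field=True, co_managed_visibility="Not Visible")

if __name__ == "__main__":
    for reason in assignment_blockers(pat, hidden) or ["no blockers found"]:
        print(reason)
```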