This section provides an overview of user roles in the Process Pack for IT GRC and includes procedures that you can use to work with user roles.

In This Section

About Process Pack for IT GRC User Roles

  • Provides an overview of the user roles in the Process Pack for IT GRC.

Overview of Managing Process Pack for IT GRC User Roles

  • Describes the high-level process for managing Process Pack for IT GRC user roles.

How to Create a Process Pack for IT GRC User Role

  • Describes how to create a Process Pack for IT GRC user role from one of the Process Pack for IT GRC user role profiles.

How to Add a Member to a Process Pack for IT GRC User Role

  • Describes how to add a member to an existing Process Pack for IT GRC user role.

How to Configure the Objects that Can Be Managed by a User Role Using Windows PowerShell®

  • Describes how to configure the objects that can be managed by an existing Process Pack for IT GRC user role using the AddTypeToRoleScope.ps1 Windows PowerShell script.

About Process Pack for IT GRC User Roles

In System Center Service Manager, the security rights that allow users to access or update information are defined in a user role profile. A user role profile is a named collection of access rights and usually corresponds to employees’ business responsibilities. Each user role profile controls access to entities stored in and managed through System Center Service Manager, including programs, control objectives, control activities, and risks.

The Process Pack for IT GRC includes user role profiles that build on and extend the existing System Center Service Manager user profiles. These Process Pack for IT GRC user role profiles are specific to the Process Pack for IT GRC.

Users who perform specific user roles are assigned to a user role profile. Some of the user roles for the Process Pack for IT GRC are members of the user role profiles that are specific to the Process Pack for IT GRC. Other user roles for the Process Pack for IT GRC are members of the System Center Service Manager user role profiles.

The following table lists the Process Pack for IT GRC user roles, the user role profile to which the user role is assigned, and a brief description of the user role.

| User role | User role profile | Description |
|---|---|---|
| Administrator | Administrators | Responsible for installation of the Process Pack for IT GRC, IT Compliance Management Libraries, and the ongoing management of system wide configuration settings. |
| Compliance Program Manager | Compliance Program Manager | Responsible for the management of IT GRC programs within their organization and helps ensure that the organization is in compliance with authority document citations. |
| Compliance Program Implementer | Compliance Program Implementer | Responsible for the management of control objectives, control activities, and risks. Also responsible for managing the day-to-day tasks, such as performing control activity compliance tests or updating risk information. |
| Compliance Program Read Only Users | Read-Only Operators | Responsible for viewing IT GRC entities, such as programs, control objectives, control activities, and risks. Also responsible for creating compliance incidents. |
| Library Author | Authors | Responsible for customizing the Process Pack for IT GRC or the IT Compliance Management Libraries. Also responsible for creating new management packs that work with the Process Pack for IT GRC. These users are also typically members of the Administrator user role profile in their authoring environment. |

For more information about user roles in System Center Service Manager, see About User Roles.

Overview of Managing Process Pack for IT GRC User Roles

Use the following high-level process for managing Process Pack for IT GRC user roles:

  1. Create groups of objects for an existing program as described in How to Create a Group in Service Manager using the information from the following table.

    | Group name | Dynamic member class | Dynamic member criteria |
    |---|---|---|
    | <program name> scope group | Program | <policy item> title equals <Program title> |
    | Shared control objectives | Control objective | <compliance policy item> shared equals Yes |
    | Shared control activities | Control activity | <compliance work item> shared equals Yes |
    | Shared risks | Risk | <compliance policy item> shared equals Yes |

    For more information about groups, queues, and lists in Service Manager, see Using Groups, Queues, and Lists in Service Manager.

  2. Specify the groups of objects that can be managed by user roles by using one of the following methods:

    • Select the four groups that were created in Step 1 and all groups that begin with ApplicabilityInstanceGroup when you create the user role. The groups are selected on the Groups page in the User Role Wizard in the Service Manager Console as described in How to Create a User Role.

      Note: Depending on the number of objects selected in the groups, this process can affect the performance of Service Manager. Instead, consider using the AddTypeToRoleScope.ps1 Windows PowerShell script as described in the “How to Configure the Scope for a Process Pack for IT GRC User Role” section in this guide.

    • Configure the groups after the user role is created by editing the user role. You can update the groups that are selected for the user role in the Groups section on the properties form of the user role.

      Note: Depending on the number of objects selected in the groups, this process can affect the performance of Service Manager. Instead, consider using the AddTypeToRoleScope.ps1 Windows PowerShell script as described in the “How to Configure the Scope for a Process Pack for IT GRC User Role” section in this guide.

    • Configure the groups after the user role is created by running the AddTypeToRoleScope.ps1 Windows PowerShell script. The advantage of this method is described in the “How to Configure the Scope for a Process Pack for IT GRC User Role” section in this guide.

How to Create a Process Pack for IT GRC User Role

The process for creating a Process Pack for IT GRC user role is the same as creating a System Center Service Manager user role. Create the user role based on one of the user role profiles listed in the “About Process Pack for IT GRC User Roles” section. The Compliance Program Manager and Compliance Program Implementer user role profiles are the user role profiles that are unique to the Process Pack for IT GRC.

For more information about how to create a user role in System Center Service Manager, see How to Create a User Role.

How to Add a Member to a Process Pack for IT GRC User Role

The process for adding users as a member of a Process Pack for IT GRC user role profile is the same as adding users as members of a System Center Service Manager user role profile. For more information about how to add a member to a user role in System Center Service Manager, see How to Add a Member to a User Role.

How to Configure the Objects that Can Be Managed by a User Role Using Windows PowerShell

After you create a Process Pack for IT GRC user role based on the Compliance Program Manager or the Compliance Program Implementer user role profiles, you need to configure the object groups (scope) that can be managed by the newly created user role. You can configure the object groups using the Service Manager Console or by running the AddTypeToRoleScope.ps1 Windows PowerShell script. The AddTypeToRoleScope.ps1 Windows PowerShell script is located in the <service_manager_root>\IT GRC Process Pack folder (where service_manager_root is the root folder where you installed System Center Service Manager).

To configure the objects that can be managed by a user role using Windows PowerShell

  1. Log on to the computer running the Service Manager Console with an account that has the following permissions:

    • Member of the local Administrators group on the computer

    • Administrator in Service Manager

  2. Start Windows PowerShell. For guidance in doing so, see Starting Windows PowerShell.

  3. At a Windows PowerShell command prompt, type the following command, and then press Enter (where service_manager_root is the root folder where you installed System Center Service Manager and server_name is the name of the computer running System Center Service Manager).

    cd "<service_manager_root>\IT GRC Process Management Pack"
    
  4. At the Windows PowerShell command prompt, type the following command, and then press Enter (where user_role is the name of the user role you created).

    .\AddTypeToRoleScope.ps1 -server "server_name" -RoleName "<user_role>" -TypeToAdd "Software Updates"
    
    Note
    The preceding command should be entered on one line. Display limitations might cause it to display on more than one line.
  5. Repeat step 4 for each of the following object types, substituting them for “Software Updates” in the command in step 4:

    • "Knowledge Article"

    • "Domain User or Group"

    • "Software Items"

    • "Incident"

    • "Business Service"

  6. Exit the Windows PowerShell command prompt.

  7. Close all open windows and dialog boxes.

    Note
    If you make any changes to the Compliance User Roles using the Service Manager console, you will need to rerun the Windows PowerShell script because the console changes overwrite all changes made by the PowerShell script.
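
The following script is an added example, not part of the original guide or the Process Pack: it runs steps 3 through 5 in one pass for a single user role and reports the result for each object type. The parameter names $ScriptFolder, $Server and $RoleName are assumptions; only AddTypeToRoleScope.ps1 and its -server, -RoleName and -TypeToAdd parameters come from the procedure above.

```powershell
# Added example: applies every object type from steps 4 and 5 to one user role.
# $ScriptFolder, $Server and $RoleName are placeholders supplied by the caller.
param(
    [Parameter(Mandatory = $true)] [string] $ScriptFolder,  # folder containing AddTypeToRoleScope.ps1
    [Parameter(Mandatory = $true)] [string] $Server,        # computer running System Center Service Manager
    [Parameter(Mandatory = $true)] [string] $RoleName       # role created from a Process Pack profile
)

# Turn non-terminating errors raised by the called script into catchable ones.
$ErrorActionPreference = 'Stop'

# Object types named in steps 4 and 5 of the procedure.
$objectTypes = @(
    'Software Updates', 'Knowledge Article', 'Domain User or Group',
    'Software Items', 'Incident', 'Business Service'
)

$script = Join-Path -Path $ScriptFolder -ChildPath 'AddTypeToRoleScope.ps1'
if (-not (Test-Path -LiteralPath $script -PathType Leaf)) {
    throw "AddTypeToRoleScope.ps1 was not found in '$ScriptFolder'."
}

$results = foreach ($type in $objectTypes) {
    $status = 'Completed'
    $detail = ''
    try {
        # Send the script's own output to the host so it stays out of $results.
        & $script -server $Server -RoleName $RoleName -TypeToAdd $type | Out-Host
    }
    catch {
        # Only errors the script actually raises are detected here.
        $status = 'Failed'
        $detail = $_.Exception.Message
    }
    New-Object PSObject -Property @{
        RoleName = $RoleName; TypeToAdd = $type; Status = $status; Detail = $detail
    }
}

# Summary that can be kept as a record of the scope granted to the role.
$results | Format-Table RoleName, TypeToAdd, Status, Detail -AutoSize

$failed = @($results | Where-Object { $_.Status -eq 'Failed' })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) object type(s) were not added to '$RoleName'."
    exit 1
}
```

Because changes made to the user role in the Service Manager console overwrite what AddTypeToRoleScope.ps1 configured, a saved script like this reduces the required rerun to a single command.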

How to Hide Console Tasks that the Program Implementer Cannot Use

Although the Program Implementer role is unable to create controls or risks and add them to a program, by default the “Create Controls from Library Wizard” console task is still viewable. If a person assigned to that role tries to execute the wizard, an error will display.

To remove a console task from the Program Implementer’s view

  1. Log in as Administrator in the Service Manager Console.

  2. Go to Security and then User roles.

  3. Click Create User Role and then click Compliance Program Implementer.

  4. In the User Role Creation wizard, do the following:

    1. Click Next on the Before You Begin page.

    2. Give a name to the Program Implementer role and click Next on the General page.

    3. Click Select All on the Management Packs page and then click Next.

    4. Click Next on the Groups page after making the necessary configuration changes.

    5. Click Next on the Queues page after making the necessary configuration changes.

    6. On the Tasks page, select the Provide Access to only selected tasks radio button. In the list below the button, unselect the Create controls from library task.