Creating Separate Approver and Configuration Roles

Some system-defined roles have permissions to modify (create/open/discard) and review (approve/reject) tickets:

  • To both modify and review tickets:

    • Admin

    • Network Admin

  • To modify tickets only:

    • Access Admin

    • Intrusion Admin

  • To review tickets only:

    • Security Approver

  • To both modify and review tickets:

    • Admin

  • To modify tickets only:

    • Edit Only

  • To review tickets only:

    • Deploy Only

    Note

    A Read Only user cannot use the Change Management feature.

If you need more granular roles to separate these activities due to your organizational requirements, you can create separate roles to ensure that ticket approval is assigned only to those users who have the organizational authority to approve changes. To create new user roles, go to System > Users, and select the User Roles tab. To create a new user, navigate back to CDO and from the CDO navigation bar, choose Settings > User Management.

Following are the permissions, in the System > Change Management folder, relevant to ticket usage and approval. Note that these permissions are available only after you enable Change Management.

  • Modify Tickets—To create tickets (for yourself), to use tickets for configuration changes, and to discard tickets.

  • Review Tickets—To approve or reject tickets.

  • Both Modify and Review Tickets—To create tickets for yourself and others, use tickets, and approve/reject tickets.

The approach you take depends on your precise requirements. For example:

  • If your approvers should also be allowed to make configuration changes, you can simply assign them the system-defined roles, such as Administrator. Then, create custom configuration-only roles that include the same permissions but not the Review Tickets permission.

  • If you need complete separation between approvers and those who make configuration changes, create custom roles for both, limiting the roles to either the Modify Tickets or the Review Tickets permission plus all other needed permissions for viewing or changing the supported policies and objects.
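One way to check that role assignments actually deliver the separation described above is to compute each user's effective ticket permissions and flag anyone who can both modify and review. The following is an added example, not product code or a product export format: the role and user data are constructed, the custom role names are hypothetical, and it assumes a user's effective permissions are the union of all roles assigned to that user.

```python
# Added example: separation-of-duties audit over constructed data.
MODIFY = "Modify Tickets"
REVIEW = "Review Tickets"

# Role -> ticket permissions. System-defined names come from the page;
# the "(custom)" roles are hypothetical.
ROLES = {
    "Administrator": {MODIFY, REVIEW},
    "Access Admin": {MODIFY},
    "Security Approver": {REVIEW},
    "Config Only (custom)": {MODIFY},
    "Approver Only (custom)": {REVIEW},
}

# User -> assigned roles (constructed sample).
USERS = {
    "alice": ["Administrator"],
    "bob": ["Config Only (custom)"],
    "carol": ["Approver Only (custom)"],
    "dave": ["Config Only (custom)", "Approver Only (custom)"],
    "erin": ["Access Admin", "Retired Role"],
}

def effective_ticket_permissions(role_names, roles):
    """Union of ticket permissions across roles, plus any undefined role names."""
    perms, unknown = set(), []
    for name in role_names:
        if name in roles:
            perms |= roles[name] & {MODIFY, REVIEW}
        else:
            unknown.append(name)
    return perms, unknown

def audit_separation(users, roles, allowed_dual=()):
    """Return (user, finding, detail) tuples for separation-of-duties problems."""
    findings = []
    for user, role_names in sorted(users.items()):
        perms, unknown = effective_ticket_permissions(role_names, roles)
        for name in unknown:
            # A role that cannot be resolved cannot be audited; surface it.
            findings.append((user, "unknown-role", name))
        if {MODIFY, REVIEW} <= perms and user not in allowed_dual:
            via = ", ".join(r for r in role_names if r in roles)
            findings.append((user, "modify+review", via))
    return findings

if __name__ == "__main__":
    for finding in audit_separation(USERS, ROLES, allowed_dual={"alice"}):
        print(finding)
```

Users listed in `allowed_dual` are those deliberately given both permissions, as in the first approach above; everyone else who accumulates both through a combination of single-purpose roles is reported.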