
Need to Deny Technician No Longer w/IT But Still Accessing ServiceDesk

Created: 07 Jun 2013 • Updated: 13 Jun 2013 | 5 comments
This issue has been solved. See solution.

Hello,

We have an employee who is no longer part of our group.  They are still with the company.  They have tickets from the past that they worked and because of that they have permissions to access and comment on them.   We need to remove this employee's ability to access the tickets they have permissions on, but still keep their user account active (because they are still part of the company and may need to have tickets created for them as end users).

Any suggestions on a good way to handle this situation?

Thank you.


Gibson99's picture

can't you just go into security/account mgmt and specifically deny them everything?  or move them to the everyone group instead of IT/helpdesk/etc?  might also depend on how (or if) you linked AD with the SMP accounts/groups - may have to move the user in AD first, then force update in the console. 

If a Connect post helped you out, be sure to click "Mark As Solution" or the "Thumbs Up" button to let other users know about it.

WK01's picture

I did try both of those you mentioned, but it did not work.

I ended up locking the account and setting the password to expired.  This prevents them from logging into the system.

I originally tried disabling their account, but that of course took them out of the affected user list.

It looks like the problem has to do with the fact that because they were given permissions on some tickets (due to having tasks assigned to them), they were able to continue commenting in tickets (even though they have no business needs to do so).

toomas's picture

You might want to create an Idea around this...

TGiles's picture

You are correct that the issue is caused by old permissions being set when the employee was a ServiceDesk engineer.

The below query will show which incidents the user can edit. You will need to update the CanEdit permission from the ReportProcessPermission table to be 0 to prevent the user from editing the tickets in the future.

DECLARE @User NVARCHAR(200)

SET @User = 'user@email.com' --specify e-mail address of user

-- List every process permission row that still lets this user edit
SELECT rp.ReportProcessID,
       CASE rpp.ReferenceType
           WHEN 1 THEN 'User'
           WHEN 2 THEN 'Group'
           WHEN 3 THEN 'Permission'
           WHEN 4 THEN 'Organization'
       END AS 'Reference Type',
       rpp.CanEdit
FROM ReportProcess rp
JOIN ReportProcessPermission rpp ON
    rpp.SessionID = rp.SessionID
JOIN [User] u ON
    u.UserID = rpp.ReferenceID
LEFT JOIN ReportProcessContact rpc ON
    rpc.ReferenceID = rpp.ReferenceID
WHERE u.PrimaryEmail = @User
  AND rpp.CanEdit = 1        -- edit permission currently granted
  AND rpc.SessionID IS NULL  -- no matching ReportProcessContact row
SOLUTION
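
The update TGiles describes, written out as an added example (T-SQL; not part of the original thread and not Symantec's own script). It reuses only the tables, columns and filter from the query above, and it assumes CanEdit accepts 0/1 and that ReportProcessPermission has no enabled triggers (OUTPUT without INTO fails on a table that has them). It rolls back by default so the affected rows can be reviewed first.

```sql
DECLARE @User NVARCHAR(200);
SET @User = 'user@email.com'; -- e-mail address of the user, as in the query above

BEGIN TRANSACTION;

-- Revoke edit rights on exactly the rows the SELECT above returns,
-- and print the before/after value of every row that was changed.
UPDATE rpp
SET rpp.CanEdit = 0
OUTPUT deleted.SessionID,
       deleted.ReferenceID,
       deleted.ReferenceType,
       deleted.CanEdit  AS OldCanEdit,
       inserted.CanEdit AS NewCanEdit
FROM ReportProcessPermission rpp
JOIN ReportProcess rp ON
    rp.SessionID = rpp.SessionID
JOIN [User] u ON
    u.UserID = rpp.ReferenceID
LEFT JOIN ReportProcessContact rpc ON
    rpc.ReferenceID = rpp.ReferenceID
WHERE u.PrimaryEmail = @User
  AND rpp.CanEdit = 1
  AND rpc.SessionID IS NULL;

-- Verification: the original filter should now match nothing.
SELECT COUNT(*) AS StillEditable
FROM ReportProcess rp
JOIN ReportProcessPermission rpp ON
    rpp.SessionID = rp.SessionID
JOIN [User] u ON
    u.UserID = rpp.ReferenceID
LEFT JOIN ReportProcessContact rpc ON
    rpc.ReferenceID = rpp.ReferenceID
WHERE u.PrimaryEmail = @User
  AND rpp.CanEdit = 1
  AND rpc.SessionID IS NULL;

-- Nothing is saved yet. After reviewing the OUTPUT rows and confirming
-- StillEditable = 0, replace ROLLBACK with COMMIT and run again.
ROLLBACK TRANSACTION;
```

Back up the ServiceDesk database before committing, since the old CanEdit values are not kept anywhere else.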