With multiple teams operating out of the same service desk, data security is of utmost importance and it becomes essential for admins to have a way to provide granular access to data and settings. To facilitate this, roles will now be of two types:
Admin roles - Roles with permissions needed to modify configurations within the admin section
Agent roles - Roles with permissions needed to run everyday service desk operations across modules like tickets, problems, changes, etc.
TABLE OF CONTENTS
To split the existing roles in your service desk that contain both agent and admin permissions checked without affecting an agent/admin's current permissions, we will use the following logic to split and assign roles:
Logic for Default Roles
All the default roles in your Freshservice account will be split into agent and admin roles because they contain a mix of permissions. Except for Account Admin and Admin roles, all the other default roles will be available as agent roles. Since these default roles earlier had specific admin permissions (listed below), new complimenting custom admin roles will be created and assigned along with the default agent roles to retain existing privileges:
Role-wise mapping strategy:
Logic for Custom roles
For roles that only have agent permissions and don't have admin privileges, we’ll retain the roles as agent roles.
For roles that only have admin permissions and don't have agent privileges, we’ll retain the roles as admin roles.
For roles with both agent and admin permissions, we’ll split the role into two parts and append "(Agent)"/"(Admin)" after the name.
E.g., if a user is assigned a role called ‘Team supervisor’ with both admin and agent permissions, we’ll split this role into two - Team supervisor (Agent) and Team supervisor (Admin). Both roles will be assigned to the user to ensure the same levels of permissions are retained after role splitting.
Impact on Agent APIs
In case you are using Freshservice APIs in workflows, custom apps or any custom service/middleware developed using Freshservice APIs to grant roles to agents in your service desk and the role-ids have been hard-coded, the role-ids may have to be updated in your API request(s) if the older role was split into an agent and admin role. This is because the older role-id will no longer be valid as new roles have been created after splitting the old role. You can get the new role-ids via the Agent Roles API after we enable advanced role management in your account.
In case you are using the Okta/Azure AD/One-login SCIM integrations, you do not have to do anything as this is already handled.
The scope for the below privileges will be expanded when the enhancements are released:
Old Privilege = Manage Agents
New Privilege = Manage Workspaces (if applicable), Agents, Agent Groups, and Roles
Old Privilege = Manage Workflow Automations, Business Rules, and Custom Objects
New Privilege = Manage Workflow Automations, Business Rules, Priority Matrix and Custom Objects
The following permissions have been re-categorized as admin permissions (from agent permissions):
View On-call Schedule > Manage On-call Schedules
View User Reports > Edit User Reports > Manage User Reports
View Group Reports >Edit Group Reports > Manage Group Reports
View Department Reports > Edit Department Reports > Manage Department Reports
View Orchestration Transaction Reports > Edit Orchestration Transaction Reports > Manage Orchestration Transaction Reports
View Virtual Agent Reports > Edit Virtual Agent Reports > Manage Virtual Agent Reports
Manage Solution Categories and Folders
New admin permissions are being introduced to ease the delegation of administration
Manage Mailboxes and Email Notification
Manage Fields and Tags
Manage Business Hours, SLA Policies, and OLA Policies
Manage Customer Satisfaction Surveys
View Audit Logs
Configure Alert Management
Configure Asset Depreciation