Here is an explanation of how admin and agent permissions work in single and multiple workspaces

TABLE OF CONTENTS

• Single workspace mode
  • Admin permissions
  • Agent permissions
• Multiple workspaces mode
  • Admin permissions 
  • Agent Permissions

SINGLE WORKSPACE MODE

Admin permissions

• Admin permissions control access to all the administrative settings present in the 'Admin' section on the left navigation bar. 
• A module's admin permission will grant an agent the mentioned access ('View', 'Edit', 'Delete' or 'Manage') to all the settings within that module. For example: 'View On-call Schedule' grants view access to all the on-call schedules created.
• Canned Responses and Scenario Automation have 'Personal' folders for agents, the contents of which are accessible only to those respective agents.
• The scope for admin permissions is always "across the entire service desk" as they cannot be managed for specific agent groups or assigned entities. 

Agent permissions

• Agent permissions grant access to work on data in the service desk.
• There are four available scopes:
  1. Across all groups in the service desk: The agent will be able to view all the data that is unassigned or assigned to non-restricted agent groups in the service desk. Only members of restricted groups will be able to see restricted data.
  2. In member and observer groups: The agent will be able to view only the data that is assigned to agent groups they are a member/observer of.
  3. In specific groups: The agent will be able to view only the data that is assigned to the agent groups specified while granting this permission.
  4. Assigned items: The agent will be able to view only the data/item that is assigned to them.
• A role can be a combination of multiple permissions. However, certain permissions cannot be tied to all the available scopes. For example: 'Creating Announcements' for 'member groups' or 'items assigned to the agent' is an invalid scope. In such cases, all such permissions are elevated to "Across the service desk" scope as that is the only permissible scope. The other permissions in the role will follow the scope that has been specified while granting the role.
• Any permission that is auto-elevated to 'across the service desk' continues to grant access only to data that is accessible to the agent. For example: 'Manage ticket reports' for 'items assigned to the agent' will be auto-elevated to ''Manage ticket reports across the service desk' and will show that agent only those tickets that are already accessible in the tickets module.

MULTIPLE WORKSPACE MODE

Admin permissions 

Admin permissions can be granted 'Account Wide' or 'Workspace Wide'.

Account Wide:

• If the admin module is present in global settings only, agent will be able to access and manage it. Example: Configure Asset Management.
• If the admin module is present in workspace settings only, agent will be auto-added to all non-restricted workspaces and manage those settings. Example: Manage Custom Objects.
• If the admin module is present in both global and workspace settings, agent will be able to access and manage it globally as well as get auto-added to all non-restricted workspaces and manage it.

Workspace Wide:

• If an admin permission is granted within a workspace, it will be applicable to the entire workspace.
• Access to any global setting, if granted from within a workspace, will be blocked except if the permission is:
  • View Agents ("Manage Workspaces, Agents, Agent Groups and Roles' permission within a workspace grants view access to agents and roles)
  • View Roles ("Manage Workspaces, Agents, Agent Groups and Roles' permission within a workspace grants view access to agents and roles)
  • View Requesters (Granted via the "View Requesters' permission)
  • View Departments (Granted via the "View Departments' permission)
  • View Requester Groups (Granted via the "View Requesters' permission)

Agent Permissions 

Agent permissions can only granted within a workspace. There are four available scopes: 

• Across the workspace: The agent will be able to view all the data that is unassigned to assigned to non-restricted agent groups in the workspace.
• In member groups: The agent will be able to view only the data that is assigned to agent groups they are a member of.
• In specific groups: The agent will be able to view only the data that is assigned to the agent groups specified while granting this permission.
• Assigned items: The agent will be able to view only the data that is assigned to them.

Similar to single workspace accounts, certain permissions such as 'Creating Announcements' for 'member groups' or 'items assigned to the agent' continue to be invalid scopes. In such cases, all such permissions are elevated to "Across the service desk" scope as that is the only permissible scope. The other permissions in the role will follow the scope that has been specified while granting the role.