Sei sulla pagina 1di 46

BMC Remedy IT Service Management Suite 7.6.

00

Guide to Multi-Tenancy

October 2009

www.bmc.com

Contacting BMC Software


You can access the BMC Software website at http://www.bmc.com. From this website, you can obtain information about the company, its products, corporate offices, special events, and career opportunities.

United States and Canada


Address BMC SOFTWARE INC 2101 CITYWEST BLVD HOUSTON TX 77042-2827 USA Telephone 713 918 8800 or 800 841 2031 Fax 713 918 8000

Outside United States and Canada


Telephone (01) 713 918 8800 Fax (01) 713 918 8000

If you have comments or suggestions about this documentation, contact Information Design and Development by email at doc_feedback@bmc.com.

Copyright 2007, 2009 BMC Software, Inc. BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners. BMC Software considers information included in this documentation to be proprietary and confidential. Your use of this information is subject to the terms and conditions of the applicable End User License Agreement for the product and the proprietary and restricted rights notices included in this documentation.

Restricted rights legend


U.S. Government Restricted Rights to Computer Software. UNPUBLISHED -- RIGHTS RESERVED UNDER THE COPYRIGHT LAWS OF THE UNITED STATES. Use, duplication, or disclosure of any data and computer software by the U.S. Government is subject to restrictions, as applicable, set forth in FAR Section 52.227-14, DFARS 252.227-7013, DFARS 252.227-7014, DFARS 252.227-7015, and DFARS 252.227-7025, as amended from time to time. Contractor/Manufacturer is BMC Software, Inc., 2101 CityWest Blvd., Houston, TX 77042-2827, USA. Any contract notices should be sent to this address.

Customer Support
You can obtain technical support by using the Support page on the BMC Software website or by contacting Customer Support by telephone or email. To expedite your inquiry, please see Before Contacting BMC Software.

Support website
You can obtain technical support from BMC Software 24 hours a day, 7 days a week at http://www.bmc.com/support. From this website, you can:
s s s s s s s

Read overviews about support services and programs that BMC Software offers. Find the most current information about BMC Software products. Search a database for problems similar to yours and possible solutions. Order or download product documentation. Report a problem or ask a question. Subscribe to receive email notices when new product versions are released. Find worldwide BMC Software support center locations and contact information, including email addresses, fax numbers, and telephone numbers.

Support by telephone or email


In the United States and Canada, if you need technical support and do not have access to the Web, call 800 537 1813 or send an email message to customer_support@bmc.com. (In the Subject line, enter SupID:<yourSupportContractID>, such as SupID:12345.) Outside the United States and Canada, contact your local support center for assistance.

Before contacting BMC Software


Have the following information available so that Customer Support can begin working on your issue immediately:
s

Product information Product name Product version (release number) License number and password (trial or permanent)

Operating system and environment information Machine type Operating system type, version, and service pack System hardware configuration Serial numbers Related software (database, application, and communication) including type, version, and service pack or maintenance level

s s s

Sequence of events leading to the problem Commands and options that you used Messages received (and the time and date that you received them) Product error messages Messages from the operating system, such as file system full Messages from related software

License key and password information


If you have a question about your license key or password, contact Customer Support through one of the following methods:
s

E-mail customer_support@bmc.com. (In the Subject line, enter SupID:<yourSupportContractID>, such as SupID:12345.) In the United States and Canada, call 800 537 1813. Outside the United States and Canada, contact your local support center for assistance. Submit a new issue at http://www.bmc.com/support.

Contents
Preface 7

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Best Practice icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Additional documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Chapter 1 Chapter 2 Introduction Using multi-tenancy to segregate companies 9 11 12 13 14 16 16 17 18 18 18 19 19 21 23 24 24 25 27 28 28 31 32 33 33 34 35

Multi-tenancy scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Selecting the Tenancy Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring companies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring access for people . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Granting a person access to a single company . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Granting a person access to multiple companies . . . . . . . . . . . . . . . . . . . . . . . . . . . Granting a person unrestricted access to all companies . . . . . . . . . . . . . . . . . . . . . Understanding other configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Working in the application consoles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Working with configuration items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Accessing incident records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Working with software license management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 3 Using restricted access for support companies

Configuring restricted access for support companies . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring vendor companies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring access to the vendor company . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring support company access to create tickets . . . . . . . . . . . . . . . . . . . . . . Assigning tickets to support personnel in other companies . . . . . . . . . . . . . . . . . . . . . Working with tickets for other companies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 4 Using multi-tenancy to segregate business units

Configuring companies to represent business units. . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring access for people . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Granting a person access to specific business units . . . . . . . . . . . . . . . . . . . . . . . . . Granting a person access to all business units and companies. . . . . . . . . . . . . . . . Working in the application consoles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Contents

Chapter 5

Technical details

37

The role of field 112 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 The role of field 60900 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Extending access to additional CI people organization relationships . . . . . . . . . . . . . 40 Row-level security in BMC Atrium CMDB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Index 43

Guide to Multi-Tenancy

Preface
This guide describes scenarios for implementing multi-tenancy. It also describes how multi-tenancy is implemented in the BMC Atrium Configuration Management Database (BMC Atrium CMDB) product and how that implementation relates to multi-tenancy as implemented in the BMC Remedy IT Service Management Suite (BMC Remedy ITSM Suite) applications.

Audience
This document is intended for the following IT professionals: Application administrators BMC Remedy Action Request System (BMC Remedy AR System) administrators

Best Practice icon


Documentation for the BMC Remedy ITSM Suite contains the following icon:
Icon Description The Best Practice icon highlights processes or approaches that BMC has identified as the most effective way to leverage certain features.

Additional documentation
This guide assumes that you are familiar with the BMC Remedy ITSM Suite applications and with BMC Atrium CMDB. For additional information about the procedures and concepts in this guide, see the documents listed in the following table.

Preface

BMC Remedy IT Service Management Suite 7.6.00

Unless otherwise noted, online documentation in Adobe Acrobat (PDF) format is available on product installation CDs, on the Support website (http://www.bmc.com/support), or both.
Title BMC Remedy ITSM Suite 7.6.00 BMC Remedy Asset Management Users Guide BMC Remedy IT Service Management Concepts Guide BMC Remedy Change Management Users Guide BMC Remedy IT Service Management Configuration Guide Procedures for using the BMC Remedy Asset Management application; includes new features and overview. Conceptual overview of the applications that make up the BMC Remedy ITSM Suite of applications. Procedures for using the BMC Remedy Change Management application; includes new features and overview. Everyone Document provides Audience

Everyone Everyone

Procedures for configuring the BMC Remedy IT Service Administrators Management applications. Everyone

BMC Remedy Service Desk: Incident Procedures for using the BMC Remedy Service Desk: Management Users Guide Incident Management application; includes new features and overview. BMC Remedy Service Desk: Problem Procedures for using the BMC Remedy Service Desk: Management Users Guide Problem Management application; includes new features and overview. BMC Atrium Core 7.6.00 BMC Atrium CMDB Users Guide

Everyone

Information about using BMC Atrium CMDB, including Users how to search for configuration items (CIs) and relationships, launch federated data, generate reports, and run reconciliation jobs.

BMC Remedy Action Request System 7.5.00 BMC Remedy Action Request System: BMC Remedy Distributed Server Option Guide BMC Remedy Action Request System: Form and Application Objects Guide Server administration and procedures for implementing Administrators a distributed BMC Remedy AR System server environment with the BMC Remedy Distributed Server Option (BMC Remedy DSO). Description of components necessary to build applications in BMC Remedy AR System, including applications, fields, forms, and views. Developers

BMC Remedy Service Level Management 7.5.00 BMC Service Level Management Users Guide Procedures for using the BMC Service Level Management application. Everyone

Guide to Multi-Tenancy

Chapter

Introduction

Multi-tenancy is a feature in BMC Remedy IT Service Management Suite (BMC Remedy ITSM Suite) that enables you to control which records and configuration data are exposed to a user, based on the users permissions. User access is controlled through the Company field, which can represent a company, business unit, or other group. You can use multi-tenancy to control access in a hosted environment. For example, in a service provider environment, BMC Remedy ITSM Suite multiple companies might use a single application, with the data for each company hidden from the other companies using the application. Multi-tenancy controls access to configuration items, incidents, known errors, broadcast messages, categorization, and so on. In the Requester Console, it also controls access to summary definitions. You can use both support company access and multi-tenancy to give support companies (vendor companies or operational companies) limited access to data in another company. This guide includes the following chapters: Chapter 2, Using multi-tenancy to segregate companies, describes configuration and use of multi-tenancy, using a scenario to segregate companies. Chapter 3, Using restricted access for support companies, describes how to configure BMC Remedy ITSM Suite so that tickets (such as incident requests and change requests) can be assigned to support staff in a support company without giving members of the support company access to other tickets for the customer or contact company. Chapter 4, Using multi-tenancy to segregate business units, provides additional tips and caveats for using multi-tenancy to segregate business units. Chapter 5, Technical details, describes the underlying technical details of multi-tenancy, including the use of field 112, the use of field 60900, and implementation within the BMC Atrium Configuration Management Database product.

Chapter 1

Introduction

BMC Remedy IT Service Management Suite 7.6.00

10

Guide to Multi-Tenancy

Chapter

Using multi-tenancy to segregate companies


You can use multi-tenancy to segregate data and restrict access by the Company field. Access restrictions are performed primarily on ticketing forms, such as incidents, problem investigations, change requests, and asset records. As a result, a user with access to only one company (such as Calbro) cannot see incidents for another company (such as ABC Corp). This chapter describes using multi-tenancy with the Company field representing companies. Even if you plan to segregate data by business unit, review the information in this chapter to gain a general understanding of how multi-tenancy works and is configured. For additional information about configuration, see the BMC Remedy IT Service Management Configuration Guide. The following topics are provided: Multi-tenancy scenario (page 12) Selecting the Tenancy Mode (page 13) Configuring companies (page 14) Configuring access for people (page 16) Understanding other configuration options (page 18) Working in the application consoles (page 18) Working with software license management (page 21)

Chapter 2

Using multi-tenancy to segregate companies

11

BMC Remedy IT Service Management Suite 7.6.00

Multi-tenancy scenario
The examples in this chapter use a scenario in which a Managed Service Provider (MSP) provides support for two companies, Calbro and ABC Corp. Figure 2-1 illustrates the access in this scenario.
Figure 2-1: Example of access to multiple companies

Calbro Support

Global Support (Mary Frontline)

ABC Support (Fanny Frontline John Support)

Joe Customer Helpdesk Manager

Clara Contact

Calbro

Unrestricted Access

ABC Corp

In this scenario, some people have access to Calbro information, some people have access to ABC Corp information, and other people have unrestricted access to all information. This scenario includes the following support groups: Calbro SupportPeople in this support group can access information only for Calbro. ABC SupportPeople in this support group can access information only for ABC Corp. Global SupportPeople in this support group provide support for all supported companies and can access information for both Calbro and ABC Corp. Joe Customer works for Calbro and Clara Contact works for ABC Corp.

NOTE
Membership in a company is not the same as access to a company. In this scenario, Fanny Frontline and John Support provide support for ABC Corp, but they are not members of ABC Corp. Their company is the MSP, but they are members of ABC Support and also have access to ABC Corp. If Fanny Frontline files a ticket for her own incident, John Support cannot see the ticket because he has access only to ABC Corp. Mary Frontline in Global Support, however, can see the ticket because she has unrestricted access to all companies.

12

Guide to Multi-Tenancy

Selecting the Tenancy Mode

Selecting the Tenancy Mode


The value that you select in the Tenancy Mode field on the System Settings form determines whether the Company field on various forms defaults to a single company or whether users must always select the appropriate company from the field. BMC Remedy ITSM Suite is installed with Tenancy Mode field set to MultiTenancy. If you have changed this field to Single-Tenancy, complete the following steps to change the value back to Multi-Tenancy.

NOTE
In the BMC Remedy IT Service Management Suite (BMC Remedy ITSM Suite) applications, the multi-tenancy feature is always available. Regardless of the Tenancy Mode setting, data is segregated by company and access to data is controlled by a users access to a company. If you have changed this field to single-tenancy mode, complete the following steps to change the value back to Multi-tenancy.

To set Tenancy Mode to multi-tenancy


1 From the Application Administration Console, click the Custom Configuration

tab.
2 From the Application Settings list, choose Foundation > Advanced Options >

System Configuration Settings - System Settings, and then click Open.


Figure 2-2: System Settings form

3 On the Systems Settings form, which is shown in Figure 2-2, in the Tenancy Mode

field, select Multi-Tenancy, and then click Save.


Chapter 2 Using multi-tenancy to segregate companies 13

BMC Remedy IT Service Management Suite 7.6.00

Configuring companies
BMC Remedy ITSM Suite supports different types of companies, described in Table 2-1. You select a company type when you create a company.
Table 2-1: Company types Company type Customer Generic Contact Manufacturer Description External companies for which you provide services. Other companies that you want to reference on the People form. Used by multi-tenancy? Yes Yes

A manufacturer must be specified for No each product identified in the product catalog. Companies for which you provide support. Third-party suppliers of products. Used by BMC Remedy Asset Management. Third-party vendors that provide services for you. Yes No

Operating Supplier

Vendor

Yes

NOTE
The Global company record is part of the core BMC Remedy ITSM Suite installation data and must not be modified. Use the Global company to specify when something, such as a catalog entry, applies to all companies in BMC Remedy ITSM Suite. For example, if you select the Global company in the Product Catalog, you would map a product to all companies instead of one company (or to multiple selected companies). The procedure provided in To create and configure a company on page 15 describes the minimum steps to create a company. For each company that you create, you must configure the following data: Organizational structure Locations Support groups People Optionally, for each company, you can configure other data, such as: Product categories Operational categories Assignment routing Approval processes

14

Guide to Multi-Tenancy

Configuring companies

Incident scripts, templates, and decision trees Change templates Each of these areas use global data, unless company-specific data overrides it.

To create and configure a company


1 From the Standard Configuration tab of the Application Administration Console,

click the Click here to create and configure a new company link. The Company dialog box appears, as shown in Figure 2-3.
Figure 2-3: Company dialog box

2 Enter the company name in the Company field. 3 Select the Company Type.

If support staff are members of this company, select Operating Company.


4 Click Add.

A message appears that the company has been created. After you click OK, the company is selected on the Standard Configuration tab of the Application Administration Console.
5 Continue to configure the company, as described in the BMC Remedy IT Service

Management Configuration Guide.

Chapter 2

Using multi-tenancy to segregate companies

15

BMC Remedy IT Service Management Suite 7.6.00

Configuring access for people


You grant people access to companies on the People form. You can grant someone access to one company, access to multiple companies, or unrestricted access to all companies. You cannot restrict access to companies that are offline. Offline companies are not available from selection lists, but those companies and their records are available from searches. To grant a support group access to a company, you must provide access to each person who is a member of the support group. If a single support group supports multiple companies, you might give members of the support group unrestricted access or specify the multiple companies that those members support.

NOTE
To grant access to a company, you must log in to an account that has access to that company.

Granting a person access to a single company


Some people require access to a single company.

To configure access to a single company


1 On the Standard Configuration tab of the Application Administration Console,

click the View link next to People.


2 Search for and select the appropriate person. 3 Click the Login/Access Details tab. 4 In the Access Restrictions Area, click Update Access Restrictions.

16

Guide to Multi-Tenancy

Configuring access for people

Figure 2-4: Access Restrictions window

Select the type of company and then the company.

5 In the Access Restrictions dialog box, shown in Figure 2-4, in the Access Restriction

field, select the type of company for which you are granting access (customer, generic contact, operating company, or vendor), and then select the company.
6 Click Add/Modify. 7 Click Close. 8 On the People form, click Save.

Granting a person access to multiple companies


Some people require access to more than one company, but not to all companies.

To grant access to multiple companies


1 On the Standard Configuration tab of the Application Administration Console,

click the View link next to People.


2 Search for and select the appropriate person. 3 Click the Login/Access Details tab. 4 In the Access Restrictions area, click Update Access Restrictions. 5 In the Access Restriction field of the Access Restrictions window, select a company

for which you are granting access.


6 Click Add/Modify. 7 Select and add other companies for which you are granting access. 8 Click Close. 9 On the People form, click Save.

Chapter 2

Using multi-tenancy to segregate companies

17

BMC Remedy IT Service Management Suite 7.6.00

Granting a person unrestricted access to all companies


Some people require access to all companies. For example, someone working in Global Support or a Help Desk manager might require access to all companies. Granting unrestricted access to all companies does not grant access to all areas of the application. Application permissions determine whether the person can access incidents or problem investigations.

To grant unrestricted access to all companies


1 On the Standard Configuration tab of the Application Administration Console,

click the View link next to People.


2 Search for and select the appropriate person, and then click the Login/Access

Details tab.
3 In the Access Restrictions area, select the Yes check box next to Unrestricted

Access.
4 Click Save.

Understanding other configuration options


You can use different prefixes to identify tickets for different companies. For example, an AHD prefix identifies incident tickets for ABC Corp , and an XHD prefix identifies incident tickets for XYZ Company. To do this, you must: Set up a BMC Remedy Distributed Server Option (BMC Remedy DSO) environment. For information about BMC Remedy DSO, see BMC Remedy Action Request System: BMC Remedy Distributed Server Option Guide. Set the value of the Enable User Defined Prefix field to Yes. For information about enabling the user defined prefix, see the section on System Settings in the BMC Remedy ITSM Configuration Guide.

Working in the application consoles


If the user is restricted to one company, that company is the default value on certain forms. Otherwise, the user must select the appropriate company.

18

Guide to Multi-Tenancy

Working in the application consoles

Working with configuration items


In a multi-tenancy environment: If the configuration item (CI) specifies the company, only support staff with access to that company can access the CI. Figure 2-5 shows a CI restricted to one company. If the CI does not specified for the company, only support staff with unrestricted access can access the CI.
Figure 2-5: Example of a CI restricted to ABC Corp

The company for a CI is specified in: The Company field Companies for people organizations on the People tab, for Used by and Supported by relationships. To access a CI, in addition to the relevant company access, support staff require Asset permission.

Accessing incident records


In a multi-tenancy environment, only the customer or support staff with access to the customers company can record an incident. For example, if Fanny Frontline provides support only for ABC Corp, and Joe Customer calls from Calbro, Fanny cannot select Joe Customer as the customer on the incident form. Fanny can, however, see incidents with the customer company set to ABC Corp, as shown in Figure 2-6. Fanny Frontline cannot see Joe Customers incidents, except in the following situations: A member of ABC Corp was recorded as the contact, as shown in Figure 2-7. ABC Corp was selected for the categorization company on the Incident Categorizations dialog box, as shown in Figure 2-8 on page 20. Fanny Frontlines support group is assigned the incident.

Chapter 2

Using multi-tenancy to segregate companies

19

BMC Remedy IT Service Management Suite 7.6.00

Figure 2-6: Incident with customer company set to ABC Corp

Figure 2-7: Incident with contact company set to ABC Corp

Figure 2-8: Incident with categorization company set to ABC Corp

Users can access incidents only when a company that they access is designated as: The customers company. The contacts company. The company for the incident service type.

20

Guide to Multi-Tenancy

Working with software license management

Working with software license management


The software license management feature of BMC Remedy Asset Management always uses the Company field to segregate data. If you are using software license management, you must specify the Company field for: Product CIs Software license contracts Software license certificates License types can be either global or for a specified company. For more information about software license management, see the BMC Remedy Asset Management Users Guide and the BMC Remedy ITSM Configuration Guide.

Chapter 2

Using multi-tenancy to segregate companies

21

BMC Remedy IT Service Management Suite 7.6.00

22

Guide to Multi-Tenancy

Chapter

Using restricted access for support companies


Any operating company or vendor company can provide support for customers in any other company. Support staff at the company providing support can be assigned tickets, such as incident requests and change requests. The support companys staff can work on assigned tickets without being given access permission to the customer company or the contact company. As a result, the support companys staff can access only tickets that they have been assigned. Optionally, you can grant the support company access to create tickets for a customer company. This chapter follows the example of setting up the vendor company Vendorco to provide support for Calbro and ABC Corp. Both Calbro and ABC Corp purchase Microsoft products and support from Vendorco. Support staff at Calbro sometimes assign tickets, such as incidents and problem investigations, to Vendorco. Sometimes Vendorco must create a related incident or change request. Support staff at ABC Corp also assign incidents to Vendorco. However, ABC Corp policies do not allow Vendorco to create new incidents on behalf of ABC Corp customers. For additional information about configuration, see the BMC Remedy IT Service Management Configuration Guide. The following topics are provided: Configuring restricted access for support companies (page 24) Assigning tickets to support personnel in other companies (page 28) Working with tickets for other companies (page 28)

Chapter 3

Using restricted access for support companies

23

BMC Remedy IT Service Management Suite 7.6.00

Configuring restricted access for support companies


Table 3-1 lists tasks that you must perform to configure restricted access for operating and vendor companies that provide support for other companies.
Table 3-1: Tasks to configure restricted access for support companies To allow Assignment of tickets to an operating company providing support Perform task Configure the operating company Configure access for people Described in Configuring companies on page 14 Configuring access for people on page 16 Configuring vendor companies on page 24 Configuring access to the vendor company on page 25 Configuring support company access to create tickets on page 27

Assignment of tickets to a Configure the vendor company vendor company providing support Configure access for people The company providing support to create tickets for the customer company Configure support company access to create tickets

Configuring vendor companies


Vendor companies are third-party vendors that provide services for you. For information about configuring an operating company, see Configuring companies on page 14.

To configure a vendor company


1 From the Application Administration Console, click the Custom Configuration

tab.
2 From the Application Settings list, choose Foundation > Organizational Structures

> Companies and Organizations, then click Open.


3 On the Company form in the Company field, type the companys name.

In this example, we type Vendorco.


4 For the Type, select Vendor. 5 Click Save. 6 Continue to configure the company, as described in the BMC Remedy IT Service

Management Configuration Guide.

24

Guide to Multi-Tenancy

Configuring restricted access for support companies

Configuring access to the vendor company


So that support staff in the vendor company can access the vendor companys records, including tickets that are assigned to them, you must grant them access to the vendor company. In addition, this access gives the support staff access to CIs that are supported by the vendor company, and also gives support staff access to processes that are set up for the vendor company, such as templates and scripts.

NOTE
Support staff in the vendor company can create tickets only for the vendor company. To enable them to create tickets for other companies, follow the procedure described in Configuring support company access to create tickets on page 27.

To grant access to a vendor company


1 From the Application Administration Console, click the Custom Configuration

tab.
2 From the Application Settings list, choose Foundation > People and click Open. 3 Search for and select the appropriate person. 4 Click the Login/Access Details tab. 5 In the Access Restrictions area, click Update Access Restrictions. 6 In the Access Restriction field, select the type of company and then the company

for which you are granting access.


7 Click Add/Modify.

Chapter 3

Using restricted access for support companies

25

BMC Remedy IT Service Management Suite 7.6.00

Figure 3-1: Example of a person being given access to the company in which he works

On the People form, click Update Access Restrictions. Then add access to the appropriate company or companies.

8 Select and add other companies for which you are granting access. 9 Click Close. 10 On the People form, click Add.

26

Guide to Multi-Tenancy

Configuring restricted access for support companies

Configuring support company access to create tickets


Use this feature to set up one company as a support company for another company. This feature enables members of the support company to create tickets for customers in the other company. In this example, we set Vendorco as a support company for Calbro. Support staff in Vendorco can then create tickets for customers in Calbro. Vendorco support staff cannot, however, create tickets for customers in ABC Corp.

To configure support company access to create tickets


1 From the Custom Configuration tab of the Application Administration Console,

choose Foundation > People > Support Company Access Configuration, and then click Open.

TIP
If you are not sure whether the mapping exists, you can search for it. In the Company field, select the company that is being supported and click Search.
2 If the mapping you need does not exist, click Create. 3 In the Add Support Company dialog box, in the Company field, select the

company being supported. In this example, we select Calbro.


4 In the Support Company field, select the company that is providing support.

In this example, we select Vendorco.


5 Click Save. 6 To update permissions on current People records for the support company, select

the same customer company from the list next to the Update button, and then click Update. In this example, we select Calbro in the Company field, and then click Update.

NOTE
You must perform this step to activate these settings for current people records. The People records are updated with the company access permissions. When you create new people for the support company, this company access permission is automatically created. For example, if you create William Wenda as a member of Vendorco, the support company access is set for William.

Chapter 3

Using restricted access for support companies

27

BMC Remedy IT Service Management Suite 7.6.00

Assigning tickets to support personnel in other companies


Table 3-2 lists the types of tickets that you can assign to support staff in other companies, depending on the BMC Remedy ITSM Suite applications that you have.
Table 3-2: Tickets that can be assigned to support staff in other companies Application BMC Remedy Asset Management BMC Remedy Change Management Type of ticket CI unavailability Purchase requisitions Change requestsYou can assign the vendor as the change manager, change assignee, change implementor, or any combination. TasksYou can assign a task to the vendor without assigning the change request. Release requests Activities BMC Remedy Service Desk Incident requests Problem investigationsYou can assign the vendor as the problem manager, problem assignee, or both. TasksYou can assign a task to the vendor without assigning the incident request or problem investigation. Known errors Solution entries

Working with tickets for other companies


When support staff are assigned tickets from other companies, they see the tickets in the applicable consoles and can work on the tickets. For example, Mary Frontline works at the Service Desk and has access to Calbro. Joe Customer, a customer at Calbro, calls and says that he cannot access his email in Microsoft Outlook. Mary cannot resolve the incident request and assigns it to William Wenda at Vendorco. When William Wenda opens the Incident Management Console, he sees Joe Customers incident request assigned to him; William opens the incident request and works to resolve the issue.

28

Guide to Multi-Tenancy

Working with tickets for other companies

Because William does not have access to Calbro, he has the following restrictions when working on Joe Customers incident request (or any ticket from a company for which he does not have access): He is limited in how he can reassign the ticket, because he cannot see data for other companies. He can reassign the ticket within Vendorco using any method. However, to reassign the ticket to someone at Calbro, he must use the Auto Assign quick action, as shown in Figure 3-2. For foundation data, such as product categorization and incident templates, William can select only data that is for his company (Vendorco) or that is global. William can access CIs only if his company (Vendorco) is specified as the company: In the Company field On the People tab, for Used by and Supported by relationships. When you create a Supported by or Used by relationship to a people organization, access to that CI is granted to people who have access to the people organizations company.
Figure 3-2: Example of part of the Incident Request form

The Auto Assign quick action can assign an incident to the appropriate support group, even if the user does not have access to the support groups company.

Because Vendorco is configured as a support company for Calbro, William can create new tickets for Calbro customers. However, because Vendorco is not configured as a support company for ABC Corp, William cannot create new tickets for ABC Corp customers. When William is assigned a task, he can only see the parent change request, incident request, or problem investigation if the parent request or investigation is also assigned to someone at Vendorco. William can access assigned tasks from the Overview Console.

Chapter 3

Using restricted access for support companies

29

BMC Remedy IT Service Management Suite 7.6.00

30

Guide to Multi-Tenancy

Chapter

Using multi-tenancy to segregate business units


Multi-tenancy is used to segregate data and restrict access by the Company field. To segregate data by business unit, you must record each business unit as a separate company. This chapter provides configuration tips and caveats for using multi-tenancy with the Company field representing business units. It builds on the general information provided in Chapter 2, Using multi-tenancy to segregate companies. For additional information about configuration, see the BMC Remedy IT Service Management Configuration Guide. The following topics are provided: Configuring companies to represent business units (page 32) Configuring access for people (page 33) Working in the application consoles (page 35)

Chapter 4

Using multi-tenancy to segregate business units

31

BMC Remedy IT Service Management Suite 7.6.00

Configuring companies to represent business units


To segregate data by business unit, you must create companies to represent the business units.

TIP
If you must segregate data by both company and business unit, create a business unit company for each company-business unit combination. For example, if you have companies ABC and XYZ, each with a North American and European business unit, you might create the companies ABC-North America and XYZNorth America.

To configure a company to represent a business unit


1 From the Application Administration Console, click the Custom Configuration

tab.
2 From the Applications Settings list, choose Foundation > Organization Structures

> Companies and Organizations, and then click Open. The Company form appears, as shown in Figure 4-1.
Figure 4-1: Example of the Company form completed for a business unit

3 Enter the company business unit in the Company field.

This name appears on reports and on forms where the company field is displayed.

NOTE
The steps 4, 5, and 6 are optional. If you do not complete the Company Multi-tiered Menu Structure, on forms, users select the company with the name that you entered in the Company field. If you complete the fields as described in steps 5 and 6, on applicable forms, users select the company by selecting the company and then select the business unit from a multi-tiered menu structure.
4 Click the Advanced Configuration tab. 32 Guide to Multi-Tenancy

Configuring access for people

5 In the Menu Structure Tier 1 field, enter the name of the company. 6 In the Menu Structure Tier 2 field, enter the name of the business unit.

The menu structure does not have to be the same as the company name. In the example in Figure 4-1 on page 32, users would select the company by choosing XYZ > North America, but XYZ Corp - North America would be displayed in the Company field.
7 Click Save.

Configuring access for people


You grant people access to business units on the People form. To grant someone access to a business unit, you grant that person access to the company that you configured as a business unit. You can also grant that person access to companies that do not correspond to business units. You can grant someone access to one business unit or company, access to multiple business units and companies, or unrestricted access to all business units and companies.

Granting a person access to specific business units


Some people require access to only one business unit or to multiple specified business units.

To grant access to specific business units


1 On the Standard Configuration tab of the Application Administration Console,

click the View link next to People.


2 Search for and select the appropriate person. 3 Click the Login/Access Details tab. 4 In the Access Restrictions area, click Update Access Restrictions. 5 In the Access Restriction field, select the business unit for which you are granting

access.

Chapter 4

Using multi-tenancy to segregate business units

33

BMC Remedy IT Service Management Suite 7.6.00

Figure 4-2: Access Restrictions window

Company name

Menu Tier 2 (Business unit)

Menu Tier 1 (Company)

In the example shown in Figure 4-2, companies have been configured with multitiered menus to represent company and business unit. To set the business unit, from the Access Restriction field, choose the company type, the company, and then the business unit, as in Operating Company > XYZ > North America.
6 Click Add/Modify. 7 Select and add other business units for which you are granting access. 8 Click Close. 9 On the People form, click Save.

Granting a person access to all business units and companies


Some people require access to all business units and companies. For example, someone working in Global Support or a Help Desk manager might require access to all business units and companies.

NOTE
If someone requires access to all business units in one company, but not to all companies, follow the procedure described in Granting a person access to specific business units on page 33. Granting unrestricted access to all companies does not grant access to all areas of the application. Application permissions determine whether the person can access incidents or problem investigations.

34

Guide to Multi-Tenancy

Working in the application consoles

To grant unrestricted access to all business units and companies


1 On the Standard Configuration tab of the Application Administration Console,

click the View link next to People.


2 Search for and select the appropriate person, then click the Login/Access Details

tab.
3 In the Access Restrictions area, select the Yes check box next to Unrestricted

Access, as shown in Figure 4-3.


Figure 4-3: Access Restrictions area

4 Click Save.

Working in the application consoles


If the user is restricted to one business unit, that business unit is the default value on certain forms. Otherwise, the user must select the appropriate business unit, which is a selection in the Company field, as shown in Figure 4-4.
Figure 4-4: Incident Management console, displaying Company field selections

Chapter 4

Using multi-tenancy to segregate business units

35

BMC Remedy IT Service Management Suite 7.6.00

36

Guide to Multi-Tenancy

Chapter

Technical details

This section provides the technical details of multi-tenancy. The following topics are provided: The role of field 112 (page 38) The role of field 60900 (page 39) Extending access to additional CI people organization relationships (page 40) Row-level security in BMC Atrium CMDB (page 41)

Chapter 5 Technical details

37

BMC Remedy IT Service Management Suite 7.6.00

The role of field 112


The BMC Remedy IT Service Management Suite (BMC Remedy ITSM Suite) writes company IDs to a special field (field ID 112). Each data record contains this field, which is normally hidden. This special field is populated on application forms based on the companies that are picked to access that record. For example, when you select the contact and classification companies on the Incident form, workflow updates field 112 values with the group IDs that have been assigned to those companies. For child records, such as the tasks or costs associated to an incident, the tenancy information is passed down from the parent. After field 112 is populated, any query to the BMC Remedy Action Request System (BMC Remedy AR System) product displays only rows of data that a user has access to, based on their permissions and the permissions in field 112. Incident records The following example illustrates a specific instance. In this example, 1000000006 is the company ID for Calbro. A customer calls the Service Desk to report an incident. Because the customers company is Calbro, field 112 on the incident record is set to 1000000006. For any staff member to view the incident, that staff member must have access to Calbro or must have unrestricted access. If Mary Frontline has access to both Calbro and ABC Corp, she can view this incident. If John Support, however, has access only to ABC Corp, he cannot view this incident. For incident records, field 112 is populated by: The customer company specified on the Customer tab The contact company specified on the Contact tab The classification company specified on the Classification tab

NOTE
If vendor-restricted access is configured, the assignee support company and the incident owner are used to populate field 60900 to grant access, as described in The role of field 60900 on page 39. If vendor-restricted access is not configured, in this example, even if John Support were assigned the incident, he could not view it. This security feature is designed to prevent accidentally granting view access if a request is accidentally assigned to someone who supports the wrong company. Child records of a parent request, such as Work Info records attached to an incident, inherit the field 112 value from the parent.

38

Guide to Multi-Tenancy

The role of field 60900

Configuration item records

Configuration item (CI) access also depends on company access. For a CI, field 112 reflects: The company field Companies for people organizations on the People tab, for Used by and Supported by relationships. When you create a Supported by or Used by relationship to a people organization, access to that CI is granted to people who have access to the people organizations company. For more information about field 112, see BMC Remedy Action Request System: Form and Application Objects Guide.

The role of field 60900


While field 112 is populated based on the customer and contact companies of a record, field 60900 is populated based on the company of the staff assigned to a ticket. BMC Remedy ITSM Suite writes assigned company IDs to a special field (field ID 60900). Each data record that can be assigned to a company contains this field, which is normally hidden. The special field 60900 is populated on application forms based on the company that is assigned to that record. For example, on the Incident form, when you assign the incident to a company, workflow updates field 60900 values with the group ID of the assigned company. For child records, such as the tasks or costs associated to an incident, field 60900 is passed down from the parent. After field 60900 is populated, any query to the BMC Remedy Action Request System (BMC Remedy AR System) product displays only rows of data that a user has access to. If the users permissions match the permissions in field 112, in field 60900, or in both fields, the product displays the row of data to the user. Incident records The following example illustrates a specific instance. In this example, 1000000006 is the company ID for Calbro and 1000000007 is the company ID for Vendorco. A customer calls the Service Desk to report an incident request. Because the customers company is Calbro, field 112 on the incident request record is set to 1000000006. This incident request is about a product that is supported by Vendorco. The Service Desk assigns the incident request to Vendorco, and field 60900 on the incident request record is set to 1000000007. For any staff member to view the incident, that staff member must have access to Calbro, must have access to Vendorco, or must have unrestricted access. If Mary Frontline has access to both Calbro and ABC Corp, she can view this incident. If John Support, however, has access only to ABC Corp, he cannot view this incident. If Valerie Vendor has access to Vendorco, she can view this incident requesteven though she does not have access to Calbro.

Chapter 5 Technical details

39

BMC Remedy IT Service Management Suite 7.6.00

For incident records, field 60900 is populated by The assignee company The owner support company Child records of a parent request, such as Work Info records attached to an incident, inherit the field 60900 value from the parent. Configuration item records CI access depends on field 112. This means that vendors can only access CIs for which the vendor company is specified as the company: In the Company field On the People tab, for Used by and Supported by relationships. When you create a Supported by or Used by relationship to a people organization, access to that CI is granted to people who have access to the people organizations company. If a company is providing support for a CI, BMC recommends that you set the Supported by relationship for the CI.

Extending access to additional CI people organization relationships


On the People tab, CIs support the following relationships to people organizations: Approved by Created by Managed by Owned by Supported by Used by The Supported by and Used by relationships add the appropriate company to field 112 to add access to the CI. To add access for companies based on other relationships, such as Managed by, you can perform the customization described in this section. If you make this customization, consider the following caveats: Relationships that were created before you make the customization are not affected. Only relationships that are created after you make the customization are affected. For example, if the CI for a server is already configured as Managed by Calbro Support, when you make the customization, people with access to Calbro do not have access to the CI unless you re-create the relationship.

40

Guide to Multi-Tenancy

Row-level security in BMC Atrium CMDB

This customization might be reset after a patch or upgrade. After a patch or upgrade, you must verify this customization. Removing this customization does not remove access that was granted by use of this customization.

To extend access to additional CI people organization relationships


1 Open the BMC Remedy User tool and log in as an administrator. 2 Open the SYS:Association Types form, as shown in Figure 5-1. Figure 5-1: Example of a SYS:Association Types record

3 Select the appropriate Relationship Type and click Search. 4 Change the values of the Row-Level Access Enabled field to Yes, and click Save.

Row-level security in BMC Atrium CMDB


The BMC Atrium Configuration Management (BMC Atrium CMDB) product supports multi-tenancy in the BMC Remedy ITSM Suite applications by providing the underlying framework. The BMC Remedy ITSM Suite applications leverage this framework. The BMC Atrium CMDB framework to support multi-tenancy includes: CMDBRowLevelSecurity (field 112) to provide row-level access BMC Remedy AR System roles to control read/write access The BMC Atrium CMDB base installation does not include the BMC Remedy ITSM Suite Company field. This is extended when BMC Remedy ITSM Suite is installed. The BMC Remedy ITSM Suite installation updates field 112 with company permission groups for CIs, just like other forms in BMC Remedy ITSM Suite.

Chapter 5 Technical details

41

BMC Remedy IT Service Management Suite 7.6.00

To view or modify a specific instance in BMC Atrium CMDB, a user must have row-level security to that instance. Row-level security and write access are controlled by the following attributes: CMDBRowLevelSecurityOnly users who are members of a group listed in the CMDBRowLevelSecurity attribute have permission to view the instance. CMDBWriteSecurityTo modify the instance, users must be a member of a group listed in the CMDBWriteSecurity attribute, and also have row-level security. The users must also have CMDB Data View or CMDB Data Changes roles, as appropriate, to view or make changes to the instance.

NOTE
If you are working directly with BMC Atrium CMDB, remember that the CMDB Data View All and CMDB Data Change All roles grant permission to view and modify instances regardless of row-level security. Use the CMDB Data View and CMDB Data Change roles with CMDBRowLevelSecurity and CMDBWriteSecurity in a multi-tenancy environment.

42

Guide to Multi-Tenancy

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Index
A
access business units, all 34 business units, specific 33 companies, all 18 companies, multiple 17 company, single 16 configuring 1618 extending for CIs 40 application consoles 18, 35 assigning tickets 28 audience 7 configuration options 18 configuring access to companies 1618 access to vendor company 25 companies 14 companies as business units 32 restricted access 2427 support company 27 vendor companies 24 vendor company access 25 creating tickets, access for support company 27 customer support 3

B
Best Practice icon 7 BMC Atrium CMDB 41 BMC Software, contacting 2 business units access to all 34 access to specific 33 configuring companies as 32 segregating with multi-tenancy 3135

D
documentation, additional 7 DSO environment 18

F
field 112 about 38 CIs 39, 40 incident records 38 field 60900 about 39 incident records 39

C
CIs extending access 40 populating field 112 39, 40 working with 19 companies access to a single company 16 access to all companies 18 access to specified companies 17 configuring 14 configuring as business units 32 global 14 segregating with multi-tenancy 1121 vendor 24 Company field, about 9

G
global company 14

I
icon, documentation 7 incident records accessing 19 populating field 112 38 populating field 60900 39 IT Service Management, documentation list 7

Index

43

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

N
New icon 7

P
people, configuring access for 1618 product support 3

R
restricted access configuring 2427 technical details 39 working with tickets 28

S
scenario 12 segregating business units 3135 segregating companies 1121 selecting Tenancy Mode 13 support companies assigning tickets 28 configuring 27 support, customer 3

T
technical details multi-tenancy 38 restricted access 39 technical support 3 Tenancy Mode 13

U
unrestricted access 18 user-defined prefix 18

V
vendor companies, configuring 24

W
working with tickets 28

44

Guide to Multi-Tenancy

*314301* *314301* *314301* *314301*

*103413*