Creating Separate Approver and Configuration Roles

Some system-defined roles have permissions to modify (create/open/discard) and review (approve/reject) tickets:

  • To both modify and review tickets:

    • Admin

  • To modify tickets only:

    • Edit Only

  • To review tickets only:

    • Deploy Only

    Note

    A Read Only user cannot use the Change Management feature.

If your organizational requirements call for more granular roles that separate these activities, you can create separate roles so that ticket approval is assigned only to users who have the organizational authority to approve changes. To create a new user, return to Security Cloud Control and, from its navigation bar, choose Settings > User Management.

The approach you take depends on your precise requirements. For example:

  • If your approvers should also be allowed to make configuration changes, you can simply assign them the system-defined roles, such as Administrator. Then, create custom configuration-only roles that include the same permissions but not the Review Tickets permission.

  • If you need complete separation between approvers and those who make configuration changes, create custom roles for both. Limit each role to either the Modify Tickets or the Review Tickets permission, plus all other permissions needed for viewing or changing the supported policies and objects.