Hello!

For quite some time now, since version 11 all the way to 14.2 that we're currently running, me and my colleagues have tried to find a conclusive answer to the following (seemingly simple) question about ServiceDesk Plus:

We have looked through the Admin Guide several times now, but cannot find any documentation nor even a mention of this behavior. Whenever you assign multiple roles to a technician, a majority of the configured permissions are almost guaranteed to come into conflict with each other. This leads to poor understanding of what the resulting permissions will be, since most of them are resolved by a system we do not fully understand. Our administrators have resorted to trial and error in the past.

A simple workaround is to avoid assigning multiple roles altogether, and create unique roles for each and every use-case. However, this could quickly result in a huge list of custom roles that is hard to manage.

We did find this (link) topic here on PitStop from around 1 year ago, where Michael Charles wrote the following:

"[...] In the current design of ServiceDesk, when a technician is assigned 2 sets of roles, in regards to access permission application will consider the intersection of both the roles. ie if one role is set to "Allow technicians to View: All in group & Assigned to Technician [Requests only]" and the other role is set to "Allow Technicians to View: All" particular technicians will be allowed only to View: All in group & Assigned to Technician [Requests only]". [...]"

We're not sure on how accurate this information is for our current ServiceDesk Plus installation (14.2 Build 14200), and exactly how it should be interpreted. "Intersection" as in the least common denominator, the least permissive role? So if we create a role for the sole purpose of explicitly adding one single permission (leaving everything else unchecked), combining that role with any other would essentially strip a technician of almost every single permission?

And then there's the question about the built-in roles, which cannot be edited nor viewed in detail. How do we even find out which permission conflicts these create between each other, or with custom roles?