HaloCRM Guides

In this guide we will cover: 

- How to set restrictions on which agents can access the reporting module

- How to restrict agent access to specific reports

- How to restrict what report agents can create

- Reporting with Sensitive tickets

How to restrict access to the reporting module

If you would like certain agents to have no access to the reporting module you can restrict their access against either on an agent's role, or on their agent profile. To do this head to configuration > teams and agents > roles > select the role you would like to restrict > permissions tab, here there is a setting for 'reporting access level'. 

Fig 1. Setting reporting access level on role

No  Access- will prevent the agent being able to see/open the reporting module at all

Read only- Agent can view reports that already exist but cannot edit or create their own

Read and Modify- Agent can view, edit existing and create new reports

(Note that the reports that agents can read/modify can be set on an individual report basis too)

How to restrict agent access to specific reports

If you have some reports in your Halo that contain sensitive/confidential data, you can restrict who can view this report. To do this head to reporting > open the report you would like to restrict > edit > availability tab. Under the agent access section, you have a setting to 'Restrict access to this report'. If left unchecked all agents who have access to the reporting module will be able to see this report. If checked you will have the option to choose which agents have access to this report, only the agents specified in the table will be able to see the report. When giving an agent access, you can also set if they have read only access or not. Giving an agent read only access to a report will override the permission they have on their agent profile/role. For example, if an agent has the permission to read and modify all reports, but on this report they have read only access, they will be able to modify all reports, except this one. 

Fig 2. Restricting agent access to a specific report

How to restrict access to the types of reports agents can create

You can restrict the types of reports agents can create by restricting which data sources they have access to.

Data sources

When creating a report there are various options you can choose from for the data source of the report. There are 5 types of data source you can choose from. 

Fig 3. Data Sources to choose from

*Use a System Data Source* - Allows you to use a hard coded data source from the system. This cannot be edited. 

*Use Query Builder* - Use our Query builder to build a data source, this allows you choose the entity and the fields under this entity you would like data from.

*Write a custom SQL Query* -Write a custom query in sql to use as a data source

*Use AI Query Builder* - Give a prompt on the report you would like to our AI, this will then create a data source for you. 

The other options you see in this list 'All Open Tickets', 'All Open Tickets for Customer' etc. are pre-set data sources. These are custom data sources that a Halo admin creates, allowing agents to use this data source rather than having to create their own. 

Restricting Data Source access

When using AI or SQL to create a data source, you will be able to create a report to obtain any data in Halo, regardless of permissions. If you do not want all agents to have this sort of access you can restrict which data source they have access to. This can be done on the agent profile or role. 

Head to configuration >teams and agents > roles > select a role > permissions tab, here there are two permissions of importance: 

'Can Create SQL Data Sources' - If set to yes agents will be able to use the data sources *Write a custom SQL Query*, *Use AI Query Builder* as well as the pre-set data sources.

'Can Use Report Builder' - If set to yes agents will be able to use *Use a System Data Source*, *Use Query Builder* as well as the pre-set data sources.

If both permissions are set to no, but the agent has 'read and modify' access to the reporting module, then the agent can still create and edit reports but only those using the pre-set data sources.

Fig 4. Data source restrictions against role

For agents that need to have access to all Halo data to create reports it is best to set both these permissions to 'yes'. For agents that you would like to be able to create reports, but only have access to data related to the entities available in the query builder it is best to set 'Can Create SQL Data Sources' to no and 'Can Use Report Builder' to yes. 

How to restrict report data based on agent permissions

You can restrict which results an agent sees when running a report using the setting shown in figure 5. This setting is found under the data source of a report, when using the Query builder as the data source. 

Fig 5. Apply Agent's permissions to Ticket, Action and Asset query builder queries

When enabled this will filter the report data so it only shows data that the agent has access to according to their permissions. For example, if an agent does not have access to a 'change request' ticket type a ticket report would not show any data on change request tickets. Please note this only applies to queries using ticket, action and asset entities in the query builder, if running queries on other entities results will not be filtered. 

To ensure agents can only create reports that filter results on their permissions you will need to only give them access to use pre-set data sources. To do this set both agent permissions in figure 4 to 'no'. This will result in the agent only being able to use pre-set data sources. 

Then you will need to head to reporting > data sources > new, create a new data source using the query builder and enable the setting in figure 5. This will ensure that if a report is created using this data source, the results will always be filtered according to the permissions of the agent who is viewing the report. If you have other pre-set data sources in your reporting module that do not have this setting enabled you will need to prevent this agent accessing it. To do this head to the 'availability' tab while inside the report, enable 'restrict access to this report' and add in the agents you would like to have access. 

Now when the agent creates a report, they will be able to choose from the allowed pre-set data sources. When running the report they will only be able to see data that is in line with their agent permissions.

Example- Co-managed IT

If using co-managed IT you may want some of your agents to be able to access the reporting module, but only be able to obtain data on customers that they have access to. To do this you will need to head into the agent's profile/role and set their reporting access level to read and modify. Set both permissions in figure 4 to 'no', so that the agent only has access to using pre-set data sources in the reporting module. 

Then you will need to create some data sources for the agent to use. Head to reporting > data sources > new, create the data source using the query builder and then enable the setting 'Apply Agent's permissions to Ticket, Action and Asset query builder queries'. This will ensure any reports that are created with this data source only show results in line with the agent's permissions. That is, it will only show data on the customer that the agent has access to.  

Then you will need to ensure the agent only has access to data sources that have this setting (figure 5) enabled. Head into each of your data sources, for any data sources that use SQL or do not have this setting enabled, you will need to restrict the agent's access to the report in the 'availability' tab. 

Now when the agent goes to create a report they will only be able to create reports using the pre-set data sources configured. Which will result in them only seeing data for the customer(s) they have access to.

Note that the filter will apply based on who is viewing the report. If a co-managed agent (with limited permissions) creates the report, they will only be able to see data in line with the customers they have access to. If an admin views this same report, they will be able to see all the data for the customers they have access to. 

Worked Example

In the below Example I would like all agents with the '1st line support' role to create reports, but to only see data on the assets types that they have access to. Figure 6 shows all the assets types they have access to.

Fig 6. Accessible asset types for 1st line support

Restricting Access to other areas in the reporting module

To give the agent access to the reporting module, but not to the 'Data Sources' and 'Online repository' areas. Set the permission 'Can Create SQL Data Sources' to no and 'Can Use Report Builder' to no. 

Fig 6. Data Sources and Online Repository area in reporting suite

Sensitive Tickets

Any tickets marked as being sensitive will be excluded from reports created using the query builder. Tickets can be marked as sensitive if the ticket type has the 'Is sensitive' field against it. Any tickets that have the field checked will not appear in reports made using the query builder. If this field is not checked, or not a field against the ticket type, the ticket will appear in the report. 

Fig 7. Is sensitive ticket field