Adding Agents

Agents are the technicians and staff who work within the GRC-ITSM platform: triaging tickets, executing changes, performing reviews, and managing day-to-day operations. There are three ways to add agents to the platform.

Navigation

Agents are managed under Configuration > Teams & Agents > Agents in the GRC-ITSM website navigation.


Method 1: Manual Creation

Create an agent record directly in the platform.

  1. Navigate to Configuration > Teams & Agents > Agents
  2. Click New
  3. Fill in the required fields on the Agent Details tab:

    | Field | Required | Purpose |
    |---|---|---|
    | Username | Yes | Login identifier for the agent |
    | Password | Yes | Initial password (agent can change later) |
    | Email Address | Yes | Used for notifications, SSO matching, and 2FA |
    | Name | Yes | Display name shown throughout the platform |
    | Default Team | Yes | The team whose ticket queue loads first for this agent (e.g., Continuous Monitoring, Engineering, 1st Line Support). Must be set or the agent will not function correctly. See Teams for available teams. |
    | Default Working Hours | Yes | Determines SLA calculations and availability tracking |
    | Role | Recommended | Assigns the agent's permission template, controlling what the agent can see and do. For example, "Engineer - ConMon Team" scopes visibility to ConMon tickets, while "Engineer - All Teams" provides full visibility. See Agent Roles for available roles. |

  4. Save the agent record
  5. Configure additional tabs as needed (Departments & Teams, Permissions, Preferences)

Method 2: Invite

Send a registration link to the new agent and let them create their own account.

  1. Navigate to Configuration > Teams & Agents > Agents
  2. Click Invite
  3. Fill in the invitee's name and email address
  4. The invitee receives an email with a registration link
  5. They follow the link and set up their own username and password

This is useful when onboarding agents who should set their own credentials from the start, avoiding the need to share temporary passwords.


Method 3: Microsoft Entra ID Import

Import agents from Microsoft Entra ID (Azure Active Directory) for organizations using Microsoft 365. This is the recommended approach for bulk agent provisioning and ongoing synchronization.

  1. Navigate to Configuration > Integrations > Microsoft Entra ID
  2. Select the target tenant
  3. Configure Site/Agent Mappings to map Azure groups to teams and roles
  4. Use the Imports tab to import agents manually, or enable the Halo Integrator for automatic scheduled synchronization

What Entra ID Import Handles

| Capability | Description |
|---|---|
| Agent creation | Creates agent records from Azure user accounts in mapped groups |
| Role assignment | Azure security groups can map to specific platform roles automatically |
| Team assignment | Azure groups can map to platform teams |
| Field mapping | Azure user properties (name, email, manager, etc.) map to agent record fields |
| Ongoing sync | The Halo Integrator keeps agent records in sync with Entra ID on a recurring schedule |
| Automatic deactivation | Agents removed from mapped Azure groups are automatically deactivated in the platform |

Compliance Benefit

Entra ID synchronization supports FedRAMP AC-2 (Account Management) and CMMC AC.L2-3.1.1 by ensuring the platform's agent directory reflects the current state of the identity provider. Automatic deactivation helps satisfy PS-4 (Personnel Termination) by promptly disabling access for departing staff.
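
The following is an added example, not code from the platform or its documentation: an account reconciliation check of the kind an AC-2 review would run, comparing an export of agent records against the members of the mapped Entra ID groups. The record fields, group names, and sample data are constructed for illustration, and matching on a case-insensitive email address is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Agent:
    username: str
    email: str
    active: bool
    api_only: bool = False  # the "API-only agent" flag on the Agent Details tab

def reconcile(agents, mapped_groups):
    """Compare platform agents with members of the mapped Entra ID groups.

    mapped_groups: dict of group name -> list of member email addresses.
    Email comparison is case-insensitive (an assumption of this example).
    """
    idp = {e.strip().lower() for members in mapped_groups.values() for e in members}
    findings = {"active_not_in_idp": [], "inactive_but_in_idp": [],
                "api_only_active": [], "missing_in_platform": []}
    seen = set()
    for a in agents:
        email = a.email.strip().lower()
        seen.add(email)
        if a.api_only:
            # Integration accounts are not group members; list them for manual review.
            if a.active:
                findings["api_only_active"].append(a.username)
        elif a.active and email not in idp:
            findings["active_not_in_idp"].append(a.username)    # access with no IdP backing
        elif not a.active and email in idp:
            findings["inactive_but_in_idp"].append(a.username)  # sync lag or manual disable
    findings["missing_in_platform"] = sorted(idp - seen)        # not yet imported
    return findings

# Constructed sample data (hypothetical names, groups, and addresses).
SAMPLE_GROUPS = {
    "grp-conmon": ["alice@example.com", "Bob@Example.com"],
    "grp-engineering": ["carol@example.com", "dave@example.com"],
}
SAMPLE_AGENTS = [
    Agent("alice", "alice@example.com", True),
    Agent("bob", "bob@example.com", False),
    Agent("erin", "erin@example.com", True),   # active, but in no mapped group
    Agent("carol", "Carol@example.com", True),
    Agent("svc-siem", "svc-siem@example.com", True, api_only=True),
]

if __name__ == "__main__":
    for category, items in reconcile(SAMPLE_AGENTS, SAMPLE_GROUPS).items():
        print(f"{category}: {items}")
```

Entries under `active_not_in_idp` are the ones to investigate first, since they hold platform access that the identity provider no longer vouches for.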


Agent Record Configuration

After creating an agent, the record can be further configured across several sections.

Agent Details

The primary tab containing the agent's identity, credentials, default team, working hours, and role assignment. Also includes:

  • API-only agent flag for integration accounts that do not consume a license seat
  • Agent signature for formal communications
  • Two-factor authentication setup

Departments & Teams

Agents can belong to multiple teams simultaneously, but must have one default team. Teams are used for ticket routing, queue visibility, and permission scoping.

Teams exist within departments, forming the organizational hierarchy: Department > Team > Agent.

Permissions

Permissions are primarily controlled through the assigned role, but individual overrides can be set at the agent level. Key permission areas include:

  • Access levels for tickets, users, and other entities (Read and Modify, Read Only, or Not Set)
  • Ticket permissions such as creating tickets, editing closed tickets, viewing unassigned tickets, reassigning, and changing ticket types
  • Restrictions that limit the agent to specific organizations, ticket groups, sites, or reporting areas
  • Configuration access for agents who need to modify specific platform configuration without full admin access

Permission Inheritance

Permissions follow a highest-access-wins model. If the role grants full access, it cannot be lowered at the agent level. Agent-level permissions can only add to what the role provides.
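
The highest-access-wins rule above, as an added example that is not the platform's own code: it computes an agent's effective access from role and agent-level settings and reports which overrides raise access above the role template and which have no effect. The ordering Not Set < Read Only < Read and Modify, the area keys, and the sample values are assumptions made for illustration.

```python
from enum import IntEnum

class Access(IntEnum):
    # Assumed ordering of the three access levels named on this page.
    NOT_SET = 0
    READ_ONLY = 1
    READ_AND_MODIFY = 2

def effective_access(role_perms, agent_overrides):
    """Highest access wins: per area, take the greater of role and agent level."""
    areas = set(role_perms) | set(agent_overrides)
    return {
        area: max(role_perms.get(area, Access.NOT_SET),
                  agent_overrides.get(area, Access.NOT_SET))
        for area in areas
    }

def audit_overrides(role_perms, agent_overrides):
    """Classify agent-level overrides relative to the role template.

    elevated:    override grants more than the role (access the role review misses)
    ineffective: override is lower than the role, so it restricts nothing
    """
    elevated, ineffective = [], []
    for area, level in agent_overrides.items():
        base = role_perms.get(area, Access.NOT_SET)
        if level > base:
            elevated.append((area, base.name, level.name))
        elif level < base:
            ineffective.append((area, base.name, level.name))
    return sorted(elevated), sorted(ineffective)

# Constructed sample: a role template and one agent's overrides.
# "other_entity" is a hypothetical stand-in for the page's "other entities".
SAMPLE_ROLE = {"tickets": Access.READ_AND_MODIFY, "users": Access.READ_ONLY}
SAMPLE_OVERRIDES = {
    "tickets": Access.READ_ONLY,         # attempt to lower: has no effect
    "users": Access.READ_AND_MODIFY,     # raises access above the role
    "other_entity": Access.READ_ONLY,    # area the role leaves Not Set
}

if __name__ == "__main__":
    print(effective_access(SAMPLE_ROLE, SAMPLE_OVERRIDES))
    print(audit_overrides(SAMPLE_ROLE, SAMPLE_OVERRIDES))
```

An override in the ineffective list means the restriction has to be made in the role itself, or the agent moved to a narrower role.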

Preferences

Agent-specific settings including working hours, timezone, and holiday configuration. These affect SLA calculations and availability tracking for the agent.


License Types

The platform supports different agent types that affect licensing:

| Type | License | Use Case |
|---|---|---|
| Named Agent | Consumes one named license | Regular staff with a dedicated login |
| Concurrent Agent | Consumes one shared concurrent slot | Shift-based staffing where not all agents are logged in at the same time |
| API-Only Agent | No license consumed | Integration and automation accounts that interact via the API only |