Admin Tutorial · Internal IT Helpdesk

Configure CrmLeaf for an internal IT helpdesk

Three linked tutorials for admins setting up CrmLeaf for internal IT helpdesk operations - HRMS, role-based access control (RBAC), and a self-service knowledge base.

HRMS: employee management, roles & attendance

The outcome
What you will achieve

A fully configured HRMS module with employee records synced to IT provisioning workflows, role assignments, attendance tracking, and automated onboarding/offboarding ticket triggers.

Before you start

Prerequisites

  • Admin access to CrmLeaf (Settings > System Admin)
  • Your employee list (name, department, role, start date, manager)
  • IT team structure defined (who provisions what)
  • HR contact confirmed for joiners/leavers notification process

Step-by-step

Step 1

Configure departments and roles

Navigate to Settings → HRMS → Departments

  1. Click Add Department. Create your company's departments.

    • Information Technology
    • Finance & Accounting
    • Sales & Marketing
    • Operations
    • Human Resources
    • Executive

  2. Navigate to Settings → HRMS → Job Roles. Create role categories that determine default IT access levels:

    | Role Category | Default IT Access Level | Provisioning Template |
    |---|---|---|
    | Executive | Full access - all systems | Executive provisioning template |
    | Manager | Standard + reporting tools | Manager provisioning template |
    | Standard Employee | Standard access - all core tools | Standard provisioning template |
    | Contractor | Limited, time-bound access | Contractor provisioning template |
    | IT Staff | Elevated - admin tools included | IT provisioning template |

  3. For each role, click Edit Provisioning Template and list the systems to provision. This becomes the onboarding checklist template that fires automatically when a new hire is added.

Step 2

Import or add employee records

Navigate to HRMS → Employees → Import

  1. Use the bulk import template (CSV) to import your existing employee list. Required fields: Full Name, Email, Department, Role Category, Manager, Start Date, Employment Type (Permanent / Contractor).

  2. For each employee, verify the Role Category is assigned correctly - this determines what provisioning template applies to future onboarding checklists.

  3. Enable the Employee Self-Service toggle for employees who should have portal access (typically all permanent staff).

Pro Tip

If your organisation uses an HR platform (BambooHR, Workday, SAP SuccessFactors), check Settings → Integrations for available HRMS sync connectors. A live sync means employee records update automatically when HR makes changes - reducing the manual import cycle to zero.

Step 3

Configure onboarding ticket sequences

Navigate to Settings → HRMS → Onboarding Workflows

  1. Click Create Onboarding Workflow. Name it by role category (e.g. 'Standard Employee Onboarding').

  2. Add checklist tasks. Each task becomes a linked ticket assigned to the relevant IT sub-team:

    | Task | Assigned To | Target Completion | Depends On |
    |---|---|---|---|
    | Create Active Directory / SSO account | Sysadmin | 3 days before start | - |
    | Provision laptop / device | Hardware team | 2 days before start | Account created |
    | Configure email and calendar | Support agent | 1 day before start | Account created |
    | Set up core software (Office, Slack, etc.) | Support agent | Day of start | Device provisioned |
    | Grant system access per role template | Sysadmin | Day of start | SSO account active |
    | Send welcome + credentials email | IT Manager | Day of start | All above complete |
    | 30-day check-in ticket | Support agent | 30 days post-start | - |

  3. Repeat for each role category, adjusting tasks and access levels per template.

  4. Under Triggers, set: when an employee record is added with Status = Active and Start Date = [X days away], auto-launch the matching onboarding workflow. Set the trigger to fire 5 business days before start date.

Step 4

Configure offboarding trigger

Navigate to Settings → HRMS → Offboarding Workflows

  1. Create an Offboarding Workflow with tasks covering:

    • Revoke all system access (sysadmin)
    • Retrieve hardware and devices (hardware team)
    • Archive email and transfer data (sysadmin)
    • Disable SSO/Active Directory account (sysadmin)
    • Remove from all SaaS platforms (support agent)
    • Final equipment check and sign-off (IT Manager)

  2. Set trigger: when employee Status changes to Leaving or Terminated, immediately launch offboarding workflow. The trigger should fire on the same day as the status change - not on last working day.

Security Note

The offboarding trigger fires on status change, not on the employee's last day. This is intentional. Many organisations wait until the last day to revoke access, leaving a window of exposure. By initiating the workflow on notification of departure - even if the employee is working a 4-week notice period - IT can manage the revocation timeline deliberately rather than reactively.
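
A check for the exposure window described in the Security Note, added here as an example and not part of CrmLeaf or the original tutorial. It flags departures where no workflow was launched, where it was launched after the status change, or where the SSO account outlived the last working day. The record fields and sample rows are constructed assumptions, not CrmLeaf's export schema.

```python
from datetime import date

DEPARTING = {"Leaving", "Terminated"}  # statuses that fire the offboarding trigger

# Constructed sample rows. Field names are assumptions for this example,
# not CrmLeaf's actual export schema.
EMPLOYEES = [
    {"email": "a.khan@example.com", "status": "Leaving",
     "status_changed": date(2024, 3, 1), "last_day": date(2024, 3, 29),
     "offboarding_opened": date(2024, 3, 1), "sso_enabled": True},
    {"email": "b.ortiz@example.com", "status": "Terminated",
     "status_changed": date(2024, 3, 4), "last_day": date(2024, 3, 4),
     "offboarding_opened": None, "sso_enabled": True},
    {"email": "c.lee@example.com", "status": "Leaving",
     "status_changed": date(2024, 3, 5), "last_day": date(2024, 3, 12),
     "offboarding_opened": date(2024, 3, 8), "sso_enabled": True},
    {"email": "d.roy@example.com", "status": "Active",
     "status_changed": date(2023, 1, 9), "last_day": None,
     "offboarding_opened": None, "sso_enabled": True},
]


def offboarding_gaps(employees, today):
    """Return (email, finding) pairs for departures handled late or not at all."""
    findings = []
    for e in employees:
        if e["status"] not in DEPARTING:
            continue
        opened = e["offboarding_opened"]
        if opened is None:
            findings.append((e["email"], "no offboarding workflow launched"))
        elif opened > e["status_changed"]:
            lag = (opened - e["status_changed"]).days
            findings.append((e["email"], f"workflow launched {lag} day(s) after status change"))
        # A notice period is fine; an enabled account past the last day is not.
        if e["sso_enabled"] and e["last_day"] and today > e["last_day"]:
            findings.append((e["email"], "SSO account still enabled after last working day"))
    return findings


if __name__ == "__main__":
    for email, finding in offboarding_gaps(EMPLOYEES, today=date(2024, 3, 15)):
        print(f"{email}: {finding}")
```

The employee on a four-week notice period with a same-day workflow produces no finding; the two late or missing workflows do.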

Step 5

Attendance and availability tracking

Navigate to Settings → HRMS → Attendance

  1. Enable Attendance Tracking for IT staff. This feeds into the workload dashboard, showing the Head of IT which agents are available, on leave, or working reduced hours - critical for ticket assignment during busy periods.

  2. Configure Leave Types: Annual Leave, Sick Leave, Training, Flexi/Remote Day.

  3. Under Workload View (Reports → HRMS → Team Workload), the Head of IT sees each agent's open ticket count against their current availability. This prevents the common failure mode of routing tickets to an agent who is on leave or already at 130% capacity.

RBAC: roles, permissions & agent access control

The outcome
What you will achieve

A structured RBAC configuration where every IT team member sees and can act on exactly what their role requires, with no over-permissioning and no access gaps.

Step-by-step

Step 1

Understand the CrmLeaf permission structure

CrmLeaf's RBAC operates on four levels: System (platform-wide settings), Module (access to specific modules like Billing, HRMS), Object (access to specific records), and Action (what they can do - view, create, edit, delete, approve). Roles are combinations of these four levels.

    | Level | Controls | Example |
    |---|---|---|
    | System | Who can access Settings, integrations, audit logs | Only IT Manager has system access |
    | Module | Which modules are visible to each role | Support agents see Tickets + KB; not Billing or HRMS |
    | Object | Which specific records are visible | Agents see only tickets assigned to them or their group |
    | Action | What actions can be taken on visible records | Agents can resolve tickets; cannot delete them |

Step 2

Create RBAC roles for the IT team

Navigate to Settings → Users & Roles → Roles → Create Role

  1. Create the following roles (adjust to your team structure):

    | Role | Module Access | Key Permissions |
    |---|---|---|
    | IT Admin (Head of IT) | All modules | Full read/write/delete/approve + system settings |
    | Senior Engineer | Tickets, KB, HRMS (view), Reports | Edit + resolve all tickets; create KB articles; view HRMS records |
    | Support Agent | Tickets (own queue + group), KB, Portal | Create + resolve standard tickets; read KB; no delete |
    | Sysadmin | Tickets, HRMS (full), User Management | Manage users, provision access; cannot edit billing |
    | IT Analyst (read-only) | Reports, Tickets (view only), KB | View all data; no create/edit/delete |

  2. For each role, click Configure Permissions and use the permission matrix to set module and action access. Toggle each capability individually - do not use the 'All Access' shortcut unless for the Admin role.

  3. Enable Ticket Visibility Rules per role:

    • Support Agent: sees tickets assigned to their group + unassigned tickets in their category
    • Senior Engineer: sees all tickets in all categories
    • Sysadmin: sees all tickets + user management queue
    • IT Admin: sees all tickets, all categories, all teams

Step 3

Assign roles to team members

Navigate to Settings → Users & Roles → Users

  1. For each IT team member, select their profile and assign the appropriate role from the Role dropdown.

  2. Set their Team/Group assignment - this determines which ticket queues they appear in for auto-assignment rules.

  3. Enable Two-Factor Authentication (2FA) for all users with Senior Engineer access and above. This is mandatory, not optional, for elevated roles.

  4. Review the role assignment quarterly. As team members develop, roles should be updated - and when someone leaves, their role should be revoked immediately (this is part of the offboarding workflow from T-08).

Common Mistake

Creating too many custom roles. Most IT teams of under 15 people need 4–5 roles maximum. More than 7 roles creates an administrative burden and makes it harder to audit permissions correctly. Start with the 5 roles above and consolidate rather than proliferate.

Step 4

Audit and test permissions

  1. Use the Permission Audit tool (Settings → Roles → Audit) to generate a full matrix of what each role can see and do. Review this before going live.

  2. Test each role by logging in as a test user with that role and verifying:

    • Only permitted modules are visible in the navigation
    • Ticket visibility matches the configured rules
    • Actions (edit, delete, approve) are appropriately available or hidden
    • Billing and HRMS are not visible to roles that should not see them

  3. Schedule a quarterly RBAC review in your team calendar. Permissions tend to creep over time - regular audits keep the matrix clean.
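
One way to make the quarterly review mechanical, added here as an example and not part of CrmLeaf or the original tutorial: encode the Step 2 role table as a baseline and diff an exported permission matrix against it, so every grant beyond the baseline is reported as creep. The module and action identifiers, the mapping of "resolve" to "edit", and the sample export are assumptions; the page does not show the Permission Audit tool's export format.

```python
ACTIONS = {"view", "create", "edit", "delete", "approve"}  # the page's Action level
MODULES = {"tickets", "kb", "portal", "hrms", "reports", "user_mgmt", "billing", "settings"}

# Baseline read off the Step 2 role table. Identifiers are assumptions for this
# example (not CrmLeaf's export format); "resolve" is modelled as "edit" and
# "HRMS (full)" as every action.
BASELINE = {
    "IT Admin": {m: set(ACTIONS) for m in MODULES},
    "Senior Engineer": {"tickets": {"view", "create", "edit"}, "kb": {"view", "create"},
                        "hrms": {"view"}, "reports": {"view"}},
    "Support Agent": {"tickets": {"view", "create", "edit"}, "kb": {"view"},
                      "portal": {"view"}},
    "Sysadmin": {"tickets": {"view", "create", "edit"}, "hrms": set(ACTIONS),
                 "user_mgmt": {"view", "create", "edit"}},
    "IT Analyst": {"reports": {"view"}, "tickets": {"view"}, "kb": {"view"}},
}


def find_creep(baseline, exported):
    """Return (role, module, extra_actions) for every grant beyond the baseline."""
    findings = []
    for role, modules in sorted(exported.items()):
        allowed = baseline.get(role)
        if allowed is None:  # a role nobody reviewed is itself a finding
            findings.append((role, "*", ["role not in baseline"]))
            continue
        for module, actions in sorted(modules.items()):
            extra = set(actions) - allowed.get(module, set())
            if extra:
                findings.append((role, module, sorted(extra)))
    return findings


def sample_export():
    """Constructed export: the baseline plus four deliberate deviations."""
    exported = {r: {m: set(a) for m, a in mods.items()} for r, mods in BASELINE.items()}
    exported["Support Agent"]["tickets"].add("delete")
    exported["Support Agent"]["billing"] = {"view"}
    exported["IT Analyst"]["kb"].add("edit")
    exported["Helpdesk Temp"] = {"tickets": {"view"}}
    return exported


if __name__ == "__main__":
    for role, module, extra in find_creep(BASELINE, sample_export()):
        print(f"{role}: {module}: {', '.join(extra)}")
```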

Knowledge base: building a self-service portal that actually works

The outcome
What you will achieve

A structured, searchable knowledge base with articles covering your most common ticket types, integrated with the employee portal to deflect 35–45% of incoming tickets - without requiring any behaviour change from employees.

Step-by-step

Step 1

Structure your knowledge base categories

Navigate to Knowledge Base → Settings → Categories

  1. Create top-level categories that match how employees think about IT - not how IT thinks about IT. Employees search by problem, not by system:

    | Category | IT Translation | Article Target Count |
    |---|---|---|
    | Account & Password Help | Identity & access management | 8–12 articles |
    | Remote Work & VPN | Network access, remote tools | 6–10 articles |
    | Hardware & Equipment | Device provisioning, peripherals | 8–12 articles |
    | Software & Applications | SaaS tools, installs, licences | 10–15 articles |
    | Email & Calendar | Microsoft 365 / Google Workspace | 6–8 articles |
    | Security & Compliance | MFA, phishing, data handling | 5–8 articles |
    | New Employee Setup | Onboarding guides | 4–6 articles |
    | Request Something | Access requests, procurement | 4–6 articles |

  2. Under each category, enable the Audience setting. Set all categories to Employee (internal) access - not public. The portal only shows articles to authenticated employees.

Step 2

Write your first 10 articles (priority order)

The fastest path to deflection ROI is writing the 10 articles that answer your 10 most common ticket types. Pull your last 3 months of tickets, identify the top 10 by volume, and write those first.

For a typical internal IT team, the first 10 articles are almost always:

    | Article | Category | Deflection Impact |
    |---|---|---|
    | How do I reset my password? | Account & Password Help | Very high |
    | How do I connect to VPN from home? | Remote Work & VPN | Very high |
    | How do I request access to a new application? | Request Something | High |
    | My laptop won't start - what should I try first? | Hardware & Equipment | High |
    | How do I set up two-factor authentication (2FA)? | Security & Compliance | High |
    | How do I install approved software on my device? | Software & Applications | Medium-high |
    | How do I share a file securely? | Security & Compliance | Medium |
    | How do I add an email signature? | Email & Calendar | Medium |
    | How do I request a new piece of equipment? | Request Something | Medium |
    | What do I do if I receive a suspicious email? | Security & Compliance | Medium |

Article writing formula

Title = exactly how an employee would type it in search. Opening = one-sentence answer. Steps = numbered, plain English, no assumed knowledge. Screenshots at each key step. End with: 'Still stuck? Submit a ticket and we'll help within [X] hours.'

Step 3

Enable pre-submission article surfacing

Navigate to Settings → Portal → Ticket Submission → Knowledge Base Suggestions

  1. Toggle ON: Show KB suggestions during ticket submission.

  2. Set Minimum Match Score to 60% - articles with lower relevance won't surface and confuse employees.

  3. Enable the Feedback widget on each suggestion: 'Did this article solve your issue? Yes / No'. This data tells you which articles are working and which need improvement.

  4. Set the deflection tracking report: Reports → Knowledge Base → Deflection Rate. Review weekly for the first 8 weeks. You should see deflection rate climb from 0% to 25–30% within the first 4 weeks as article quality improves.

Step 4

Build the article growth habit

The most common reason knowledge bases fail is not enough articles. The most common reason teams don't write enough articles is that it feels like extra work on top of ticket resolution. CrmLeaf removes this friction with the Resolution-to-Article prompt:

  1. When an agent resolves a ticket, CrmLeaf checks if the resolution involved a problem that doesn't yet have a KB article.

  2. If no matching article exists, the agent sees: 'Would you like to turn this resolution into a KB article? (Takes ~3 minutes)'. One click opens a pre-filled draft using the ticket description and resolution notes.

  3. The agent edits, adds any screenshots, and publishes. The article is immediately live in the portal.

  4. As IT Admin, set a monthly KB target: minimum 8 new articles per month for the first 3 months. After that, 3–4 per month as maintenance. Review the KB health report monthly - articles with zero views after 60 days should be rewritten or retired.

Pro Tip

Gamify KB contribution in your first 90 days. A simple leaderboard showing 'Articles published this month by agent' creates healthy competition and dramatically accelerates article production. The agent who publishes the most articles in month one almost always has the lowest ticket volume in month three - because their articles do the answering for them.

Step 5

Validate before launch

    | Check | How to Test |
    |---|---|
    | KB categories visible in employee portal | Log in as a test employee, check portal navigation |
    | Article suggestions appear during ticket submission | Start typing a common issue in the portal, verify suggestions appear |
    | Feedback widget working | Click Yes/No on a suggestion, check KB analytics for the response |
    | Resolution-to-article prompt firing | Resolve a test ticket, verify the KB prompt appears |
    | Deflection tracking report active | Check Reports → KB → Deflection Rate shows a baseline |
    | 2FA required for IT admin roles | Attempt login as admin role without 2FA, verify blocked |
    | RBAC: agent cannot see billing module | Log in as support agent role, verify billing not in navigation |

FAQ

Internal IT helpdesk setup - frequently asked questions

Most IT teams reach meaningful deflection (25%+) within 6–8 weeks of consistent article creation. The first 20 articles covering the top ticket types produce the majority of the deflection gain. After that, incremental articles produce diminishing but still valuable returns.

Update the employee's HRMS record with the new role. CrmLeaf will prompt you to review and update their IT access based on the new role's provisioning template. A change ticket is auto-generated for the sysadmin to update system access. This ensures role changes trigger the same structured process as joiners and leavers.

Yes. Under RBAC, the KB module permissions control who can create, edit, publish, and delete articles independently. A recommended configuration: all agents can create draft articles; senior engineers and above can publish; only IT Admin can delete.

CrmLeaf's workload view shows real-time capacity vs. open ticket load. For peak periods, create a temporary priority queue with elevated SLA targets, and use the bulk assignment feature to redistribute tickets. The HRMS attendance view helps avoid routing tickets to agents on leave during peak periods.
