Skip Navigation LinksALVAO 10.0ALVAO Asset ManagementObjects and PropertiesObject Security Skip Navigation Links. Skip Navigation Links Skip Navigation Links.


Object Security

Object Security Principles

You can use object security to set access permissions for users to access objects in the tree. The permissions can be enabled, disabled or combined. You can change the settings in ALVAO Admin in User Management on the Object security tab. You can also change the settings of individual objects in the AM Console (the settings can be changed here only by the Asset system administrator).

For the permissions settings in the objects tree to take effect, you need to enable the option Use permissions in the objects tree in the Admin settings for Asset Management – see Global settings. If you enable this option, no objects will be displayed to users who have no permissions for the objects tree. The objects will be shown only after the "Read" permissions have been enabled. An exception are users with the Administrator role for ALVAO Asset Management. The tree permissions do not apply to these users (all objects in the tree are always visible to them).

Permissions

The system allows to set 5 types of permissions:

Permissions Description
Read User can see the object in the objects tree.
Make changes User can change the object properties and their values.
Move User can move the object into objects where the moved object will also have this permission. For example, if the permission is set for the "Cellular" object kind on the "Department A" and "Department B" folders, the mobile phones can be moved within the both departments and also between them.
Delete User can delete the object.
Create any objects User can create child objects of any kind under the defined object.
Warning:
The permission can be granted or denied. Denying permission takes priority over allowing permission.
Note:
By default, "deny" is set for all the objects and permissions – so the user can see no objects in the objects tree until reading is permitted to him/her.
Note:
Object security can be set for entire user groups too.

If the permissions for the Objects Tree are disabled, the following permissions will be assigned to the system roles:

Role Read Make changes Move Delete Create any objects Note
Asset Management administrator x x x x x Permissions for the tree cannot be restricted
Reader x          
Asset manager x x x x x  
Software license manager x         Same permissions as Readers
Software and hardware detections manager x         Same permissions as Readers
Accountant x x1       Can change the values of certain properties
Links reader x         Same permissions as Readers
Links manager x         Same permissions as Readers

1The Accountant role can change the values of properties with the "Accountant" role attribute. The "Accountant" can change property values in the Property definition window.

Warning:
If permissions are enabled in the Objects Tree, the following applies:
  1. Default rule – anything that is not permitted explicitly is forbidden by default.
  2. Restricting rule for an object (except for implicit one) has priority over enabling one, this is also the case for inheriting child objects.
  3. Reading permissions are evaluated starting at the tree root, which means that an object cannot be displayed if the specific user has insufficient permissions to read all of its parent objects too.
  4. The order of the rules in the table has no influence on their evaluation. All rules with the above-mentioned restrictions are always evaluated.
Note:
Each user in the ALVAO WebApp can see his/her entrusted property, i.e. has the Read right in all child objects under his/her person in the tree.

Example: How to set permissions for "Administrator of mobile phones" group

Note:
The example is described on English version of the ALVAO sample database.
In this example we will create a new group "Cell phone managers business" and we will set the permission on it, so the members of this group will manage the mobile phones in the "Business Department." They should have the permission to work with "Cellular" kind of objects:
  1. Create (store) them under the "Warehouse" object.
  2. Edit their information anywhere in the whole tree.
  3. Move them from the warehouse anywhere under the "Business Department" object (and back, eventually).
  4. Group members can't see other departments.
The tree in English sample database looks like this:
  1. Go to Admin and make sure that the permissions are enabled for the Objects Tree: go to Manage – Asset Management – Settings..., click on the General tab and enable the Use permissions in the Object Tree option.
  2. Create a new group named "Cell phone managers business."
  3. Edit the group, add "Asset managers" group on the Member of tab. Switch to the Object security tab and set the permissions based on the following table:
    Object kind Object Name Including subtree Kind of objects Read Make changes Move Delete Create any objects
        No Cellular phone Yes Yes      
    Object templates Object templates No   Yes        
    Folder IT Assets No   Yes        
    Warehouse Warehouse No   Yes       Yes
    Warehouse Warehouse Yes Cellular phone     Yes    
    Organization Our Company, Inc. No   Yes        
    Department Business Department Yes   Yes        
    Department Business Department Yes Cellular phone     Yes    
    Note:
    On the "Business Department" object we have set the user can move and change objects of the "Cellular" kind. This permission allows the user to move objects under this department, but he/she can't move the whole department, only the mobile phones located within the department.
  4. Add the membership for a newly created group "Cell phone managers business" to the Joseph Freeman (Demo) user – edit the user and add the corresponding group on the Member of tab.
  5. If Joseph Freeman (Demo) user then logs in to the AM Console, the Objects Tree will look like this:

 

Did not find what you were looking for? Ask our technical support team.