

 Object Security

Object Security Principles

You can use object security to set users' access permissions for objects in the tree. The permissions can be enabled, disabled or combined. You can change the settings in ALVAO WebApp – Management, under User Management, in the Object security block. You can also change the settings of individual objects in the AM Console (there, the settings can be changed only by the Asset system administrator).

For the permission settings in the objects tree to take effect, you need to enable the option Use permissions in the objects tree in the settings for Asset Management – see Global settings. If you enable this option, no objects will be displayed to users who have no permissions for the objects tree. The objects will only be shown after the Read authorization has been enabled. The exception is users with the Administrator role for ALVAO Asset Management. The tree permissions do not apply to these users (all objects in the tree are always visible to them).

Permissions

The system allows you to set 5 types of permissions:

| Permission | Description |
|---|---|
| Read | User can see the object in the objects tree. |
| Make changes | User can change the object properties and their values. |
| Move | User can move the object into objects where the moved object will also have this permission. For example, if the authorization is set for the Cellular object type on the Department A and Department B folders, the mobile phones can be moved within both departments and also between them. |
| Delete | User can delete the object. |
| Create any objects | User can create child objects of any kind under the defined object. |
Notification:
The permission can be granted or denied. Denying permission takes priority over allowing permission.
Note:
Deny is the default setting for all objects and authorizations, which means that the user can see no objects in the objects tree until he/she is permitted to read them.
Note:
Object security can be set for entire user groups too.

If the permissions for the Objects Tree are disabled, the following permissions will be assigned to the system roles:

| Role | Read | Make changes | Move | Delete | Create any objects | Note |
|---|---|---|---|---|---|---|
| Asset Management administrator | x | x | x | x | x | Permissions for the tree cannot be restricted |
| Reader | x | | | | | |
| Asset manager | x | x | x | x | x | |
| Software license manager | x | | | | | The same authorizations as Readers |
| Software and hardware detections manager | x | | | | | The same authorizations as Readers |
| Accountant | x | x [1] | | | | Can change the values of certain properties |
| Links reader | x | | | | | The same authorizations as Readers |
| Links manager | x | | | | | The same authorizations as Readers |

[1] The Accountant role can edit the values of properties if this option has been enabled in the Property definition window in the Security tab.

Notification:
If permissions are enabled in the Objects Tree, the following applies:
  1. Default rule – anything that is not permitted explicitly is forbidden by default.
  2. A restricting rule for an object (except for the implicit one) has priority over an enabling rule; this is also the case for child objects that inherit the rule.
  3. Reading permissions are evaluated starting at the tree root, which means that an object cannot be displayed unless the user also has sufficient permissions to read all of its parent objects.
  4. The order of the rules in the table has no influence on their evaluation. All rules are always evaluated, with the above-mentioned limitations.
Note:
Each user in ALVAO WebApp can see his/her assigned property, i.e. is authorized to read all child objects under his/her person in the tree.
Note:
Group membership of AM users is not a substitute for object security. Users who want to edit, move, create, and delete objects must be members of the Asset managers group. It is also necessary to define which objects their authorizations apply to.

Example: How to set permissions for "Administrator of mobile phones" group

Note:
The example is based on the English version of the ALVAO sample database.
In this example we will create a new group named Cell phone managers business and set the authorizations so that the members of this group manage the mobile phones in the Business Department. The following should apply to them and to Cellular type objects:
  1. Create (store) them under the Warehouse object.
  2. Edit their information anywhere in the whole tree.
  3. Move them from the warehouse anywhere under the Business Department object (and back, if necessary).
  4. Group members can't see other departments.
The tree in the English sample database looks like this:
  1. Go to the ALVAO WebApp application and make sure that the rights in the Objects Tree are enabled – enable the Use permissions in the Object Tree option under Management – Asset Management – Settings – General.
  2. Create a new group named Cell phone managers business.
  3. Edit the group; add the Asset managers group in the Member of section. In the Object security section, set the permissions based on the following table:
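    | Object kind | Object Name | Including subtree | Kind of objects | Read | Make changes | Move | Delete | Create any objects |
    |---|---|---|---|---|---|---|---|---|
    | | | No | Cellular phone | Yes | Yes | | | |
    | Object templates | Object templates | No | | Yes | | | | |
    | Folder | IT Assets | No | | Yes | | | | |
    | Warehouse | Warehouse | No | | Yes | | | | Yes |
    | Warehouse | Warehouse | Yes | Cellular phone | | | Yes | | |
    | Organization | Our Company, Inc. | No | | Yes | | | | |
    | Department | Business Department | Yes | | Yes | | | | |
    | Department | Business Department | Yes | Cellular phone | | | Yes | | |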
    Note:
    According to our settings for the Business Department object, the user can move and edit Cellular type objects. This permission allows the user to move objects under this department, but he/she can't move the whole department, only the mobile phones located within the department.
  4. Make user Joseph Freeman (Demo) a member of the newly created Cell phone managers business group – edit the user and add the group in the Member of tab.
  5. If the user Joseph Freeman (Demo) then logs in to the AM Console, the Objects Tree will look like this:
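
The evaluation rules from the Notification above, applied to the rule table in step 3, can be checked with a small model. This is an added Python sketch, not ALVAO code: the tree layout, the Finance Department object and the two phone objects are constructed, and an empty Object cell is assumed to mean the whole tree.

```python
# Simplified model of the evaluation rules on this page; not ALVAO's implementation.
# The tree layout, "Finance Department" and the phone objects are constructed.
PARENT = {  # child -> parent (None marks a top-level object)
    "Object templates": None, "IT Assets": None, "Our Company, Inc.": None,
    "Warehouse": "IT Assets", "Business Department": "Our Company, Inc.",
    "Finance Department": "Our Company, Inc.",
    "Phone A": "Warehouse", "Phone B": "Finance Department",
}
KIND = {"Phone A": "Cellular phone", "Phone B": "Cellular phone"}

# (object, including subtree, kind, allowed, denied); None = whole tree / any kind (assumed)
RULES = [
    (None, False, "Cellular phone", {"Read", "Make changes"}, set()),
    ("Object templates", False, None, {"Read"}, set()),
    ("IT Assets", False, None, {"Read"}, set()),
    ("Warehouse", False, None, {"Read", "Create any objects"}, set()),
    ("Warehouse", True, "Cellular phone", {"Move"}, set()),
    ("Our Company, Inc.", False, None, {"Read"}, set()),
    ("Business Department", True, None, {"Read"}, set()),
    ("Business Department", True, "Cellular phone", {"Move"}, set()),
]

def path(obj, parent=PARENT):
    """Return [obj, its parent, ..., top-level object]."""
    chain = []
    while obj is not None:
        chain.append(obj)
        obj = parent[obj]
    return chain

def has(perm, obj, rules=RULES, parent=PARENT):
    """Default deny; every rule is evaluated; any matching deny wins."""
    chain, allowed = path(obj, parent), False
    for target, subtree, kind, allow, deny in rules:
        in_scope = target is None or target == obj or (subtree and target in chain)
        if in_scope and kind in (None, KIND.get(obj)):
            if perm in deny:
                return False
            allowed = allowed or perm in allow
    return allowed

def visible(obj, rules=RULES):
    """Read must hold on the object and on every parent up to the root."""
    return all(has("Read", o, rules) for o in path(obj))

def can_move(obj, new_parent, rules=RULES):
    """Move must hold where the object is and where it would end up."""
    moved = {**PARENT, obj: new_parent}
    return has("Move", obj, rules) and has("Move", obj, rules, moved)
```

In this model the phone under the constructed Finance Department has Read through the whole-tree rule but stays hidden because its parent is not readable, and adding a single deny rule on Warehouse hides the warehouse phone regardless of where the rule sits in the list.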

 
