Object Security
Object Security Principles
You can use object security to set the permissions users need to access objects in the Objects Tree. Permissions can be granted, denied or combined. The settings are changed in ALVAO Admin, in User Management on the Object security tab. They can also be changed on the individual objects in AM Console (there, only the Asset System Administrator can change them).
For the permission settings in the Objects Tree to take effect, enable the Use permissions in the Objects Tree option in the Admin settings for Asset Management (see Global Settings). Once this option is enabled, users who have no permissions for the Objects Tree see no objects at all; objects appear only after the "Read" permission has been granted. The exception is users with the Administrator role for ALVAO Asset Management: the tree permissions do not apply to them, and all objects in the tree are always visible to them.
Permissions
The system allows five types of permissions to be set:
| Permission | Description |
|---|---|
| Read | User can see the object in the objects tree. |
| Make changes | User can change the object attributes and the object property values. |
| Move | User can move the object into objects where the moved object will also have this permission. E.g. if the permission is set for the "Cellular" object kind on the "Department A" and "Department B" folders, the mobile phones can be moved within both departments and also between them. |
| Delete | User can delete the object. |
| Create any objects | User can create child objects of any kind under the defined object. |
Each permission can be granted or denied. A denial has higher priority than a grant.
Note: By default, all objects and permissions are denied, so the user sees no objects in the objects tree until the Read permission is granted to him/her.
Note: Object security can also be set for entire user groups. If permissions for the Objects Tree are disabled, the system roles receive the following permissions:
| Role | Read | Make changes | Move | Delete | Insert objects | Note |
|---|---|---|---|---|---|---|
| Asset system administrator | x | x | x | x | x | Permissions for the tree cannot be restricted |
| Reader | x |  |  |  |  |  |
| Asset manager | x | x | x | x | x |  |
| Software license manager | x |  |  |  |  | Same permissions as Readers |
| Software and hardware detections manager | x |  |  |  |  | Same permissions as Readers |
| Accountant | x | x¹ |  |  |  | Can change the values of certain properties |
| Links reader | x |  |  |  |  | Same permissions as Readers |
| Links manager | x |  |  |  |  | Same permissions as Readers |
¹ The Accountant role can change the values of properties that carry the "Accountant" role attribute; this attribute is assigned to a property in the Property definition window.
Warning:
If permissions are enabled in the Objects Tree, the following applies:
- Default rule: anything that is not explicitly permitted is forbidden by default.
- An explicit deny rule on an object (as opposed to the implicit default deny) has priority over an allow rule; the same applies to child objects that inherit the rule.
- Read permissions are evaluated starting at the tree root, so an object cannot be displayed unless the user also has sufficient permissions to read all of its parent objects.
- The order of the rules in the table has no influence on their evaluation; all rules are always evaluated, subject to the restrictions above.
Note: Each user in the ALVAO WebApp can see his/her entrusted property, i.e. has the Read right in all child objects under his/her person in the tree.
Example: How to set permissions for administrator of mobile phones in the Sales Department
We want Mark Smith to become the administrator of mobile phones in the "Sales Department". We need to grant him permissions to edit mobile phones and SIM cards and to move them from the warehouse to users (and back).
- Let us have a company tree:
- Go to Admin and make sure that the permissions are enabled for the Objects Tree: go to Manage – Asset Management – Settings..., click on the General tab and enable the Use permissions in the Object Tree option.
- Assign the Asset manager role to Mark Smith: edit the user, go to the Asset roles tab and select the corresponding roles.
- Switch to the Object security tab and set the permissions based on the following table:
- If Mark Smith now logs in to the AM Console, the Objects Tree will look like this:
- Mark can see objects registered under the Sales Department only.
- He can move mobile phones and SIM cards among users and to the warehouse.
- He can edit mobile phones and SIM cards; he can also edit their property values.
- He can create new mobile phones and SIM cards under objects of the type User, Cellular and in the Warehouse.
Example: How to set permissions for "Administrator of mobile phones" group
Note: The example is described on the English version of the ALVAO sample database. In this example we will create a new group, "Cell phone managers business", and set permissions on it so that the members of this group manage the mobile phones in the "Business Department". They should have permission to work with objects of the "Cellular" kind as follows:
- Create (store) them under the "Warehouse" object.
- Edit their information anywhere in the whole tree.
- Move them from the warehouse to anywhere under the "Business Department" object (and back, if needed).
- Group members can't see other departments.
The tree in English sample database looks like this:
- Go to Admin and make sure that the permissions are enabled for the Objects Tree: go to Manage – Asset Management – Settings..., click on the General tab and enable the Use permissions in the Object Tree option.
- Create a new group named "Cell phone managers business."
- Edit the group and add the "Asset managers" group on the Member of tab. Switch to the Object security tab and set the permissions based on the following table:
| Object kind | Object Name | Including subtree | Kind of objects | Read | Make changes | Move | Delete | Create any objects |
|---|---|---|---|---|---|---|---|---|
|  |  | No | Cellular phone | Yes | Yes |  |  |  |
| Object templates | Object templates | No |  | Yes |  |  |  |  |
| Folder | IT Assets | No |  | Yes |  |  |  |  |
| Warehouse | Warehouse | No |  | Yes |  |  |  | Yes |
| Warehouse | Warehouse | Yes | Cellular phone |  |  | Yes |  |  |
| Organization | Our Company, Inc. | No |  | Yes |  |  |  |  |
| Department | Business Department | Yes |  | Yes |  |  |  |  |
| Department | Business Department | Yes | Cellular phone |  |  | Yes |  |  |
Note: On the "Business Department" object we have set that the user can move and change objects of the "Cellular" kind. This permission allows the user to move objects under this department, but he/she cannot move the whole department, only the mobile phones located within it.
- Add the Joseph Freeman (Demo) user to the newly created group "Cell phone managers business": edit the user and add the corresponding group on the Member of tab.
- If the Joseph Freeman (Demo) user then logs in to the AM Console, the Objects Tree will look like this:
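The rules from the Warning section (default deny, explicit deny beats allow, Read evaluated from the tree root, rule order irrelevant) together with the Move semantics from the Permissions table can be checked against the permission table of this example with a small model. The following Python code is an added illustration, not ALVAO code: the tree it builds is constructed to resemble the English sample database described here (with an extra "Production Department" that the group must not see), and it assumes that the table row with an empty Object kind / Object Name covers every object of the given kind anywhere in the tree. Which objects the group sees, and which moves are allowed, follow from the rules alone.

```python
"""Illustrative model of the Objects Tree permission rules described on this page.

Added example, not ALVAO code. Encodes the Warning rules (default deny, explicit
deny beats allow, Read needs readable parents, rule order irrelevant) and the
Move semantics from the Permissions table, then applies the "Cell phone managers
business" table to a constructed tree. Assumption: a row with empty Object
kind / Object Name covers every object of that kind anywhere in the tree.
"""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Obj:
    kind: str
    name: str
    parent: Optional["Obj"] = None
    children: list = field(default_factory=list)

    def add(self, kind, name):
        child = Obj(kind, name, self)
        self.children.append(child)
        return child

    def ancestors(self):
        """Parents of this object, nearest first."""
        out, node = [], self.parent
        while node is not None:
            out.append(node)
            node = node.parent
        return out

@dataclass
class Rule:
    target: Optional[Obj]  # None = the empty-object row (any object of the kind)
    subtree: bool          # "Including subtree"
    kind: Optional[str]    # "Kind of objects"; None = any kind
    perm: str              # Read / Make changes / Move / Delete / Create any objects
    allow: bool = True     # False = explicit deny

def applies(rule, obj, path):
    """Does the rule cover obj, given obj's parent chain (nearest first)?"""
    if rule.kind is not None and rule.kind != obj.kind:
        return False
    if rule.target is None or rule.target is obj:
        return True
    return rule.subtree and any(p is rule.target for p in path)

def decide(rules, obj, perm, path=None):
    """Default deny; any explicit deny wins; the order of the rules is irrelevant."""
    path = obj.ancestors() if path is None else path
    hits = [r for r in rules if r.perm == perm and applies(r, obj, path)]
    return not any(not r.allow for r in hits) and any(r.allow for r in hits)

def can_read(rules, obj):
    """Read is evaluated from the top of the tree: every parent must be readable too."""
    return all(decide(rules, n, "Read") for n in obj.ancestors()[::-1] + [obj])

def can_move(rules, obj, dest):
    """Move needs the Move permission where the object is now AND where it would land."""
    return decide(rules, obj, "Move") and decide(rules, obj, "Move", [dest] + dest.ancestors())

def visible_names(rules, nodes):
    """Names shown in the Objects Tree; an unreadable object hides its whole subtree."""
    seen = []
    for node in nodes:
        if can_read(rules, node):
            seen.append(node.name)
            seen.extend(visible_names(rules, node.children))
    return seen

def sample_tree():
    """Constructed tree shaped like the English sample database used in the example."""
    t = {"templates": Obj("Object templates", "Object templates"), "it": Obj("Folder", "IT Assets")}
    t["warehouse"] = t["it"].add("Warehouse", "Warehouse")
    t["spare"] = t["warehouse"].add("Cellular phone", "Spare phone")
    t["org"] = Obj("Organization", "Our Company, Inc.")
    t["business"] = t["org"].add("Department", "Business Department")
    t["joseph"] = t["business"].add("User", "Joseph Freeman (Demo)")
    t["joseph_phone"] = t["joseph"].add("Cellular phone", "Joseph's phone")
    t["production"] = t["org"].add("Department", "Production Department")
    t["prod_user"] = t["production"].add("User", "Production user")
    t["prod_phone"] = t["prod_user"].add("Cellular phone", "Production phone")
    t["top"] = [t["templates"], t["it"], t["org"]]  # top-level objects, no single root
    return t

def example_rules(t):
    """One Rule per row of the permission table for the group in this example."""
    return [
        Rule(None, False, "Cellular phone", "Read"),
        Rule(None, False, "Cellular phone", "Make changes"),
        Rule(t["templates"], False, None, "Read"),
        Rule(t["it"], False, None, "Read"),
        Rule(t["warehouse"], False, None, "Read"),
        Rule(t["warehouse"], False, None, "Create any objects"),
        Rule(t["warehouse"], True, "Cellular phone", "Move"),
        Rule(t["org"], False, None, "Read"),
        Rule(t["business"], True, None, "Read"),
        Rule(t["business"], True, "Cellular phone", "Move"),
    ]
```

Running `visible_names(example_rules(t), t["top"])` on the sample tree lists Object templates, IT Assets, Warehouse, Spare phone, Our Company, Inc., Business Department, Joseph Freeman (Demo) and Joseph's phone; the Production Department and everything under it stay hidden even though the empty-object row grants Read on every "Cellular phone", because the parent department is not readable. Moving the spare phone from the Warehouse to Joseph is allowed and moving Joseph's phone to a user in the Production Department is refused, matching the Move semantics in the Permissions table; adding an explicit deny for "Make changes" on one phone overrides the allow from the empty-object row, whatever the order of the rules.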