Managing Asset Inventory roles

Roles determine who can view and act on assets and records in Asset Inventory. In the filing cabinet analogy, roles are the locks and keys needed to access and modify things.

Roles are associated to asset types, assets, sections, statuses, and users. They represent the permissions needed to view and act on your assets. Different asset types might be reserved for certain departments (for example, only members of your IT team can update assets for laptops and servers), and some statuses might be reserved for certain roles (for example, only managers can approve a new software vendor).

Understanding role permissions

In Asset Inventory, permissions are associated with roles, which can then be assigned to all users in a group, or individual users. When a user is given permission to interact with an object, they are given permission to perform up to four actions on that object:

Create
Read
Update
Delete

This permission structure allows different users to interact with the same object in different ways. For example, an asset administrator may be able to create, read, update, and delete assets, but a reviewer may be able to only read and update certain sections of those assets when the asset is in the Review status.

Depending on your organization's configuration, the roles available in your organization may vary. For help configuring roles in your organization, contact Support or your Diligent representative.

The permissions that can have true or false values associated with roles include:

Permission association	Permission
Organization-wide	Manage asset types Manage roles This permission is automatically granted to System Admins with Professional subscriptions. Manage workflows Note "Manage" permissions include full create, read, update, and delete permissions. However, because roles cannot be deleted, the "Manage roles" permission doesn't allow users to delete existing roles.
Specific to asset type	Create asset Delete asset Read asset section based on workflow status (can be configured to include all assets, all sections, and all statuses) Update asset section based on workflow status (can be configured to include all assets, all sections, and all statuses) Note Asset sections are groupings of attributes. Rather than assigning permissions to individual attributes, you can control access to those attributes by grouping them into sections, and then assigning permissions to those sections.

Permission association

Permission

Organization-wide

Manage asset types
Manage roles
- This permission is automatically granted to System Admins with Professional subscriptions.
Manage workflows

Note

"Manage" permissions include full create, read, update, and delete permissions. However, because roles cannot be deleted, the "Manage roles" permission doesn't allow users to delete existing roles.

Specific to asset type

Create asset
Delete asset
Read asset section based on workflow status (can be configured to include all assets, all sections, and all statuses)
Update asset section based on workflow status (can be configured to include all assets, all sections, and all statuses)

Note

Asset sections are groupings of attributes. Rather than assigning permissions to individual attributes, you can control access to those attributes by grouping them into sections, and then assigning permissions to those sections.

Interactions between permissions

Certain combinations between permissions are necessary for roles to function properly.

If a user is assigned more than one role, they get access to everything that each separate role provides them access to. In other words, if a user is assigned one role that gives them permission to perform an action and another role that lacks the same permission, they will be able to perform that action.
If a user has permission to delete an object, they must also have permission to read that object so they can see what they're deleting.
It is possible to have permission to create an object but not read it (similar to responding to a survey but being unable to see your responses after submitting).
If a user has permission to delete a parent object, they can also delete all the child objects with the parent, even if they don't have permission to delete the child objects on their own.

Show me an example

Example

You want to set up roles for two different users: Abhishek, who needs to be able to create, edit, and delete vendors; and Gwen, who only needs to be able to see and edit vendor information when Abhishek requests a review.

Working with your Diligent representative, you set up the following roles with the following permissions:

Role	Object	Permissions
Vendor Manager	Asset type - Vendor	Create asset Read all assets, all sections, and all statuses Update all assets, all sections, and all statuses Delete asset
Vendor Reviewer	Asset type - Vendor	Read all sections while workflow is in "Needs review" status Update all sections while workflow is in "Needs review" status

Knowing that there are multiple users who will need to occupy these roles, you create a Vendor Managers group, add Abhishek to it, and assign the Vendor Manager role to the group. Then, you create a Vendor Reviewers group, add Gwen to it, and assign the Vendor Reviewer role to the group.

Abhishek creates a new vendor and adds information about the vendor into Asset Inventory. Then, he puts the new vendor into "Needs review" status and asks Gwen to review it. She can read the information that Abhishek put in, and makes changes to the vendor as required.

Abhishek reviews Gwen's changes and puts the vendor into "Review complete" status. Gwen loses the ability to see or edit the vendor.

Managing roles

You may need to contact Support or your Diligent representative to get the roles in your organization configured to meet your needs. Then, System Admins can assign or unassign those roles to groups and users.

Assigning roles to groups vs. individual users

As an organization grows larger and more complex, it becomes increasingly important to be able to manage permissions on a high level, so role administrators don't have to spend time administering permissions for large numbers of individual users.

While it is possible to assign roles directly to users, we recommend assigning roles to groups instead, and adding users to those groups to manage their permissions. Then, if you need to change those permissions, you can do one of the following:

Change the role's permissions, which automatically apply to all members of all groups associated with that role
Add or remove a user from a group, which allows you to change permissions for that user without having to add or remove individual permissions for them

Users can belong to multiple groups, and groups can be assigned multiple roles. For more information, see Adding and managing groups.

Assigning roles

Assign Asset Inventory roles to groups and users in your organization.

Open Launchpad.
If your company uses more than one instance in Launchpad, make sure the appropriate instance is active.
Select Platform Settings > Users.
If you do not see Users as an option, the account you used to sign in does not have Admin privileges.
Click the Assets roles tab.
Click Assign. The Assign role side panel opens.
In the Role list, select the role you want to assign.
Click Select groups or users and select all the groups and users you want to assign the role.
Click Assign. The Assign role side panel closes and the assigned groups and users appear in the Assets roles table under the role you assigned them.

Unassigning roles

Permanently unassign roles from the Assets roles table.

Unassign an individual role Click the Delete button beside the group or user you want to unassign from the role, then click Unassign in the confirmation message that appears.
Unassign multiple roles Select the checkboxes beside the groups or users you want to unassign, click Unassign: #, then click Remove in the confirmation message that appears.