Managing Asset Manager roles
Roles determine who can view and act on assets and records in Asset Manager.
Roles are associated to asset types, assets, sections, statuses, and users. They represent the permissions needed to view and act on your assets. Different asset types might be reserved for certain departments (for example, only members of your IT team can update assets for laptops and servers), and some statuses might be reserved for certain roles (for example, only managers can approve a new software vendor).
Understanding role permissions
In the Asset Manager app, permissions are associated with roles, which can then be assigned to all users in a group, or individual users. When a user is given permission to interact with an object, they are given permission to perform up to four actions on that object:
- Create
- Read
- Update
- Delete
This permission structure allows different users to interact with the same object in different ways. For example, an asset administrator may be able to create, read, update, and delete assets, but a reviewer may be able to only read and update certain sections of those assets when the asset is in the Review status.
Depending on your organization's configuration, the roles available in your organization may vary. For help configuring roles in your organization, contact your Diligent representative.
The permissions that can have true or false values associated with roles include:
Permission association | Permission |
---|---|
Organization-wide |
Note "Manage" permissions include full create, read, update, and delete permissions. However, because roles cannot be deleted, the "Manage roles" permission doesn't allow users to delete existing roles. |
Specific to asset type |
Note Asset sections are groupings of attributes. Rather than assigning permissions to individual attributes, you can control access to those attributes by grouping them into sections, and then assigning permissions to those sections. |
Interactions between permissions
Certain combinations between permissions are necessary for roles to function properly.
- If a user is assigned more than one role, they get access to everything that each separate role provides them access to. In other words, if a user is assigned one role that gives them permission to perform an action and another role that lacks the same permission, they will be able to perform that action.
- If a user has permission to delete an object, they must also have permission to read that object so they can see what they're deleting.
- It is possible to have permission to create an object but not read it (similar to responding to a survey but being unable to see your responses after submitting).
- If a user has permission to delete a parent object, they can also delete all the child objects with the parent, even if they don't have permission to delete the child objects on their own.
Example
You want to set up roles for two different users: Abhishek, who needs to be able to create, edit, and delete vendors; and Gwen, who only needs to be able to see and edit vendor information when Abhishek requests a review.
Working with your Diligent representative, you set up the following roles with the following permissions:
Role | Object | Permissions |
---|---|---|
Vendor Manager | Asset type - Vendor |
|
Vendor Reviewer | Asset type - Vendor |
|
Knowing that there are multiple users who will need to occupy these roles, you create a Vendor Managers group, add Abhishek to it, and assign the Vendor Manager role to the group. Then, you create a Vendor Reviewers group, add Gwen to it, and assign the Vendor Reviewer role to the group.
Abhishek creates a new vendor and adds information about the vendor into Asset Manager. Then, he puts the new vendor into "Needs review" status and asks Gwen to review it. She can read the information that Abhishek put in, and makes changes to the vendor as required.
Abhishek reviews Gwen's changes and puts the vendor into "Review complete" status. Gwen loses the ability to see or edit the vendor.
Managing roles
You may need to your Diligent representative to get the roles in your organization configured to meet your needs. Then, System Admins can assign or unassign those roles to groups and users.
Assigning roles to groups vs. individual users
As an organization grows larger and more complex, it becomes increasingly important to be able to manage permissions on a high level, so role administrators don't have to spend time administering permissions for large numbers of individual users.
While it is possible to assign roles directly to users, we recommend assigning roles to groups instead, and adding users to those groups to manage their permissions. Then, if you need to change those permissions, you can do one of the following:
- Change the role's permissions, which automatically apply to all members of all groups associated with that role
- Add or remove a user from a group, which allows you to change permissions for that user without having to add or remove individual permissions for them
Users can belong to multiple groups, and groups can be assigned multiple roles. For more information, see Adding and managing groups.
Assigning roles
Assign Asset Manager roles to groups and users in your organization.
- Open Launchpad.
- If your company uses more than one instance in Launchpad, make sure the appropriate instance is active.
- Select Platform Settings > Users.
If you do not see Users as an option, the account you used to sign in does not have Admin privileges.
- Click the Assets roles tab.
- Click Assign. The Assign role side panel opens.
- In the Role list, select the role you want to assign.
- Click Select groups or users and select all the groups and users you want to assign the role.
- Click Assign. The Assign role side panel closes and the assigned groups and users appear in the Assets roles table under the role you assigned them.
Unassigning roles
Permanently unassign roles from the Assets roles table.
- Unassign an individual role Click the Delete button beside the group or user you want to unassign from the role, then click Unassign in the confirmation message that appears.
- Unassign multiple roles Select the checkboxes beside the groups or users you want to unassign, click Unassign: #, then click Remove in the confirmation message that appears.