Managing asset roles

Roles determine who can view and act on assets and records. In the filing cabinet analogy, roles are the locks and keys needed to access and modify things.

Asset Inventory requires a subscription to IT Risk Management (previously ITRMBond) or Third Party Risk Management (previously ThirdPartyBond).

Roles are associated to asset types, assets, sections, statuses, and users. They represent the permissions needed to view and act on your assets. Different asset types might be reserved for certain departments (for example, only members of your IT team can update assets for laptops and servers), and some statuses might be reserved for certain roles (for example, only managers can approve a new software vendor).

Understanding role permissions

In Asset Inventory, permissions are associated with roles, which can then be assigned to all users in a group, or individual users. When a user is given permission to interact with an object, they are given permission to perform up to four actions on that object:

  • Create
  • Read
  • Update
  • Delete

This permission structure allows different users to interact with the same object in different ways. For example, an asset administrator may be able to create, read, update, and delete assets, but a reviewer may be able to only read and update certain sections of those assets when the asset is in the Review status.

Depending on your organization's configuration, the roles available in your organization may vary. For help configuring roles in your organization, contact Support or your Diligent representative.

The permissions that can have true or false values associated with roles include:

Permission association Permission
Organization-wide
  • Manage asset types
  • Manage roles
    • This permission is automatically granted to System Admins with Professional subscriptions.
  • Manage workflows

Note

"Manage" permissions include full create, read, update, and delete permissions. However, because roles cannot be deleted, the "Manage roles" permission doesn't allow users to delete existing roles.

Specific to asset type
  • Create asset
  • Delete asset
  • Read asset section based on workflow status (can be configured to include all assets, all sections, and all statuses)
  • Update asset section based on workflow status (can be configured to include all assets, all sections, and all statuses)

Note

Asset sections are groupings of attributes. Rather than assigning permissions to individual attributes, you can control access to those attributes by grouping them into sections, and then assigning permissions to those sections.

Interactions between permissions

Certain combinations between permissions are necessary for roles to function properly.

  • If a user is assigned more than one role, they get access to everything that each separate role provides them access to. In other words, if a user is assigned one role that gives them permission to perform an action and another role that lacks the same permission, they will be able to perform that action.
  • If a user has permission to delete an object, they must also have permission to read that object so they can see what they're deleting.
  • It is possible to have permission to create an object but not read it (similar to responding to a survey but being unable to see your responses after submitting).
  • If a user has permission to delete a parent object, they can also delete all the child objects with the parent, even if they don't have permission to delete the child objects on their own.

Managing roles

You may need to contact Support or your Diligent representative to get the roles in your organization configured to meet your needs. Then, System Admins can assign or unassign those roles to groups and users.

Assigning roles to groups vs. individual users

As an organization grows larger and more complex, it becomes increasingly important to be able to manage permissions on a high level, so role administrators don't have to spend time administering permissions for large numbers of individual users.

While it is possible to assign roles directly to users, we recommend assigning roles to groups instead, and adding users to those groups to manage their permissions. Then, if you need to change those permissions, you can do one of the following:

  • Change the role's permissions, which automatically apply to all members of all groups associated with that role
  • Add or remove a user from a group, which allows you to change permissions for that user without having to add or remove individual permissions for them

Users can belong to multiple groups, and groups can be assigned multiple roles. For more information, see Adding and managing groups.

Assigning roles

Assign Asset Inventory roles to groups and users in your organization.

  1. Open Launchpad.
  2. If your company uses more than one instance in Launchpad, make sure the appropriate instance is active.
  3. Select Options > Users.

    If you do not see Users as an option, the account you used to sign in does not have Admin privileges.

  4. Click the Assets roles tab.
  5. Click Assign. The Assign role side panel opens.
  6. In the Role list, select the role you want to assign.
  7. Click Select groups or users and select all the groups and users you want to assign the role.
  8. Click Assign. The Assign role side panel closes and the assigned groups and users appear in the Assets roles table under the role you assigned them.

Unassigning roles

Permanently unassign roles from the Assets roles table.

  • Unassign an individual role Click the Delete button beside the group or user you want to unassign from the role, then click Unassign in the confirmation message that appears.
  • Unassign multiple roles Select the check boxes beside the groups or users you want to unassign, click Unassign: #, then click Remove in the confirmation message that appears.