Roles
The Roles tab on the Administration > IT Asset Management Settings > IT Asset Accounts page displays an alphabetical list of available roles that can be assigned to accounts. IT Asset Management supports role-based access control. A role is a logical grouping of access rights or privileges. Instead of assigning individual privileges to each account, the administrator groups the privileges into roles, and you can then assign an operator's account to one or more roles.
Until an operator's account is assigned to at least one role, the operator cannot access any part of IT Asset Management.
Access rights define what an account can do in IT Asset Management. For example, an administrator role can control the configuration and management of IT Asset Management whereas a report viewer role can only view the reports and dashboards (and then only for data objects where the operator has at least Read only privileges). When you assign a role to an account, IT Asset Management assigns the access rights contained in the assigned role to that account.
Mapping Roles and Accounts�
Only user accounts that have specific responsibilities and security approvals should be assigned to roles that bring high-level privileges. For example, the typical administrator role has tasks like:
-
Configuring IT Asset Management properties
-
Configuring currency settings
-
Troubleshooting through the IT Assets Inventory Status System Tasks page, and accessing/downloading logs
-
Managing operators of IT Asset Management, and their privilege levels.
However, by default this role does not include the ability to manage contracts, for example. Typically, a separate operator has responsibility for contract records. In short, tailor the privileges to suit the operator's responsibilities, using one or more roles as best suits your environment. Assignments to real, responsible people is best practice, rather than assigning privileges to an unsecured Windows account or a service account.
You can create multiple roles and assign one or more roles to an account, based on its job requirements. When you assign multiple roles to an account, the account receives a logical union of all the access rights assigned to each of the assigned roles.
If you assign multiple roles where you have an overlap between an 'allow' right and a 'deny', the 'deny' always wins.
Actions
This page enables you to perform the following activities:
| Action | Description |
|---|---|
| Search for existing roles | You can search for an existing role. For information about searching and using other UI options, see the topics under Using Lists in IT Asset Management. |
| View accounts associated with a role | Each role record displays the number of accounts assigned with that role. You can click this link to view the list of accounts assigned with the role on the IT Asset Accounts page. |
| Create a role | You can create a new role and assign it to one or more accounts. See Creating a Role. |
| Copy an existing role | You can copy an existing role to create a new role with modified privileges. Click the copy icon for the role you wish to copy. IT Asset Management displays the Create a Role page. Modify the desired properties and click Create . For more information, see Creating a Role. |
| Change the rights for an existing role | You can adjust the privileges given to an existing role. Click the edit (pencil) icon for the role you wish to edit. IT Asset Management displays the Edit rolename page, where you can change any values except the role Name (other than this, the page is identical to the display for creating a new role). Modify the desired properties, and scroll to the bottom of the page to click Save . For more information, see Creating a Role. |
| Delete a role | Click the delete icon for the role you wish to delete. IT Asset Management displays a confirmation message. Click OK to delete the role. |
You can delete a role whether or not there are accounts assigned to the role. When a role is deleted, any privileges granted to accounts through only that one role are revoked, so that (as always) each account has the sum of privileges granted by the roles to which it is currently assigned. Keep in mind that an account must be assigned to at least one role to have any access to IT Asset Management. If you delete the only role to which an account is assigned, the operator using that account is no longer able to use IT Asset Management until you assign that account to another role.