Granting a role different permissions for diff asset types
Hi,
I can't seem to use RAM to accomplish the following -- any guidance is appreciated.
Let's say I have one role X and two asset types A and B.
I want to grant role Xdifferent permissions for A and B.
In RAM, I can use admin authority to specifyone set of permissions for one role (in my case, role X) for one or more asset types (in my case, A and B).
However, I cannot find a way to specify different permissions for A and B for the same role X.
What am I missing?
I can't seem to use RAM to accomplish the following -- any guidance is appreciated.
Let's say I have one role X and two asset types A and B.
I want to grant role X
In RAM, I can use admin authority to specify
However, I cannot find a way to specify different permissions for A and B for the same role X.
What am I missing?
6 answers
On 11/8/2011 2:08 PM, jwatbank wrote:
You can't. Permissions are assigned to roles, not the conditions. The
conditions on the role only indicate under what conditions the role is
active and will give those permissions to assigned users/usergroups.
If you want a different set of permissions you need a different role
with a different set of conditions to activate it.
--
Rich Kulp
Rational Asset Manager developer
However, I cannot find a way to specify different permissions for A
and B for the same role X.
What am I missing?
Hi,
You can't. Permissions are assigned to roles, not the conditions. The
conditions on the role only indicate under what conditions the role is
active and will give those permissions to assigned users/usergroups.
If you want a different set of permissions you need a different role
with a different set of conditions to activate it.
--
Rich Kulp
Rational Asset Manager developer
On 11/8/2011 2:08 PM, jwatbank wrote:
However, I cannot find a way to specify different permissions for A
and B for the same role X.
What am I missing?
Hi,
You can't. Permissions are assigned to roles, not the conditions. The
conditions on the role only indicate under what conditions the role is
active and will give those permissions to assigned users/usergroups.
If you want a different set of permissions you need a different role
with a different set of conditions to activate it.
--
Rich Kulp
Rational Asset Manager developer
thanks!
Hi,
I have a requirement on asset ownership and am not sure how to fulfill it.
By default, RAM makes the submitter of an asset the asset owner. For my requirement, I want the department to which the submitter belongs to become the owner.
e.g. If PersonA submits an asset, by default, RAM makes PersonA the owner of that asset. That means PersonA can update and delete the asset. For my requirement, instead of making PersonA the asset owner, I need to make the department to which PersonA belongs the owner. Therefore, if the department has PersonB and PersonC in it as well, PersonA, PersonB, and PersonC all should have update and delete permissions for that asset (submitted by PersonA).
I was told RAM has an out-of-the-box "Modify Asset Owner" policy, but reading the documentation of that policy seems to indicate it doesn't do exactly what I want.
That out-of-the-box "Modify Asset Owner" policy relies on an attribute of User type to be defined. Then, that attribute has to contain the ID of the owner to be assigned. When the policy runs, RAM will take the value of that attribute and set it as the owner of the asset. My questions are:
My questions are:
1. Can that User type attribute contain the ID of a group?
2. If 'yes' to my question #1, how can I extend that out-of-the-box policy to make that attribute contain the ID of a group?
3. If 'yes' to my question #1, how can I extend that out-of-the-box policy to resolve the group to its members? Or, is it necessary to do this resolution? e.g. Can RAM resolve it at the time it enforces access control? Using my example above with PersonA, PersonB, PersonC. Let's say they all belong to "DeptX". Can I set the value of that attribute in the Modify Asset Owner policy to "DeptX" and when PersonB logs on and attempts to do something with the asset, RAM will be able to figure out PersonB belongs to DeptX and DeptX has been assigned as the asset owner, and therefore PersonB should be granted the rights of an asset owner?
If what I said above is not easy to do, I would appreciate some guidance on how to satisfy my stated requirement above. Ultimately, I don't want to "hardcode" individuals as owners of assets (for obvious reasons that individuals move around, may leave, etc.). I want to use groups to represent owners of assets and I need RAM to be able to (or allow me to extend it so that it can) resolve those groups to individuals at the time when access control decisions are made/enforced.
Thanks
I have a requirement on asset ownership and am not sure how to fulfill it.
By default, RAM makes the submitter of an asset the asset owner. For my requirement, I want the department to which the submitter belongs to become the owner.
e.g. If PersonA submits an asset, by default, RAM makes PersonA the owner of that asset. That means PersonA can update and delete the asset. For my requirement, instead of making PersonA the asset owner, I need to make the department to which PersonA belongs the owner. Therefore, if the department has PersonB and PersonC in it as well, PersonA, PersonB, and PersonC all should have update and delete permissions for that asset (submitted by PersonA).
I was told RAM has an out-of-the-box "Modify Asset Owner" policy, but reading the documentation of that policy seems to indicate it doesn't do exactly what I want.
That out-of-the-box "Modify Asset Owner" policy relies on an attribute of User type to be defined. Then, that attribute has to contain the ID of the owner to be assigned. When the policy runs, RAM will take the value of that attribute and set it as the owner of the asset. My questions are:
My questions are:
1. Can that User type attribute contain the ID of a group?
2. If 'yes' to my question #1, how can I extend that out-of-the-box policy to make that attribute contain the ID of a group?
3. If 'yes' to my question #1, how can I extend that out-of-the-box policy to resolve the group to its members? Or, is it necessary to do this resolution? e.g. Can RAM resolve it at the time it enforces access control? Using my example above with PersonA, PersonB, PersonC. Let's say they all belong to "DeptX". Can I set the value of that attribute in the Modify Asset Owner policy to "DeptX" and when PersonB logs on and attempts to do something with the asset, RAM will be able to figure out PersonB belongs to DeptX and DeptX has been assigned as the asset owner, and therefore PersonB should be granted the rights of an asset owner?
If what I said above is not easy to do, I would appreciate some guidance on how to satisfy my stated requirement above. Ultimately, I don't want to "hardcode" individuals as owners of assets (for obvious reasons that individuals move around, may leave, etc.). I want to use groups to represent owners of assets and I need RAM to be able to (or allow me to extend it so that it can) resolve those groups to individuals at the time when access control decisions are made/enforced.
Thanks
Thanks Rich... can an administrator transfer ownership of an asset
from one user to another?
No. It depends on the version of RAM and the lifecycle.
In 7502 and lower owners, lifecycle Managers/reviewboard Members, and
admin can change ownership.
In 751, lifecycle managers/review board members, and admin can change
ownership. An owner can change ownership only if they are also a
lifecycle manager.
--
Rich Kulp
Rational Asset Manager developer