How to make the dept of an asset submitter the asset owner?
Hi,
I have a requirement on asset ownership and am not sure how to fulfill it. By default, RAM makes the submitter of an asset the asset owner. For my requirement, I want the department to which the submitter belongs to become the owner. e.g. If PersonA submits an asset, by default, RAM makes PersonA the owner of that asset. That means PersonA can update and delete the asset. For my requirement, instead of making PersonA the asset owner, I need to make the department to which PersonA belongs the owner. Therefore, if the department has PersonB and PersonC in it as well, PersonA, PersonB, and PersonC all should have update and delete permissions for that asset (submitted by PersonA). I was told RAM has an out-of-the-box "Modify Asset Owner" policy, but reading the documentation of that policy seems to indicate it doesn't do exactly what I want. That out-of-the-box "Modify Asset Owner" policy relies on an attribute of User type to be defined. Then, that attribute has to contain the ID of the owner to be assigned. When the policy runs, RAM will take the value of that attribute and set it as the owner of the asset. My questions are: My questions are: 1. Can that User type attribute contain the ID of a group? 2. If 'yes' to my question #1, how can I extend that out-of-the-box policy to make that attribute contain the ID of a group? 3. If 'yes' to my question #1, how can I extend that out-of-the-box policy to resolve the group to its members? Or, is it necessary to do this resolution? e.g. Can RAM resolve it at the time it enforces access control? Using my example above with PersonA, PersonB, PersonC. Let's say they all belong to "DeptX". Can I set the value of that attribute in the Modify Asset Owner policy to "DeptX" and when PersonB logs on and attempts to do something with the asset, RAM will be able to figure out PersonB belongs to DeptX and DeptX has been assigned as the asset owner, and therefore PersonB should be granted the rights of an asset owner? If what I said above is not easy to do, I would appreciate some guidance on how to satisfy my stated requirement above. Ultimately, I don't want to "hardcode" individuals as owners of assets (for obvious reasons that individuals move around, may leave, etc.). I want to use groups to represent owners of assets and I need RAM to be able to (or allow me to extend it so that it can) resolve those groups to individuals at the time when access control decisions are made/enforced. Thanks |
2 answers
Hi Janette Wong,
in RAM, the ownership of a asset means user can download,delete,publish,read,search and update this asset.So I think you can fulfill what you want in another way. In administration you can create a user group in a specified community, in your situation, you can put the people in dept in it, and you can create a roles that has the right to do what a owner can do.giving that roles to the user group, then every asset in that community created by a user group member can be owned by the user group. Thanks. |
Would like to better understand you you meant by:
Make the "department" of the submitter the "owner" of the asset that is submitted. Is the "ownership" requirement comes to provide update permission (to the department) for that asset, or is it the ownership setting itself that is important (for contact information, notifications etc.)? Can you programatically determine a submiter's department membership? e.g., can you go to a registry (like LDAP) to get the list of uids that the department members? That will help, as your custom policy can always be in sync with the department membership (vs. duplicating all of the department as groups in RAM). If it is indeed the ownership that you would like to set, you create a policy with something like this: ........ |
Your answer
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.