I just wanted to discuss some issues I am seeing when trying
to create a couple of Asset roles. We effectively want to have two roles:
- An "Analyst" role that includes READ ONLY access to Assets
- An "Asset Administrator" role that has READ/WRITE access to Assets
Problem 1: Asset Administrator Role
The Cireson guide on how to create the roles “User-Guide-Asset-Mgt-Security-Roles-2015-Q1.pdf” (attached) details the process for creating a “Master Asset Management” role based on the “Incident Resolvers” role.
This process involves creating the new Master Asset Management role based on the Incident Resolvers role and selecting only the appropriate views and tasks related to the components in the Cireson Asset Management Pack (and a couple of others).
The second part of this process involves running the “Cireson.AssetManagement.Permissions.exe” tool and applying the required permissions to edit assets to the base profile we based our “Asset Administrators” role on (Incident Resolvers if we follow the documentation). Performing this step will provide write access to all Cireson Asset Management components (as well as User CI’s) to not only our custom “Asset Administrator” role but since we have to select the base Incident Resolver profile, this base profile and any other current or future roles based off of it (including our Analyst role) will effectively be given write access to the above components.
I verified this by making changes to Asset and User CI properties (as an Analyst) after running the tool.
You can edit the “Analyst” role and remove the tick boxes next to the Cireson Asset Management Tasks but this will only remove the links from the “Tasks” pane. An Analyst can still view an asset and edit any of the fields.
The only thing I can think of (since we cannot use the
permissions tool to select our custom role), is to select another “base profile”
which we do not think we will use again for anything else (unless we want to also provide them with read/write access to assets). We think we will end up
using most of the other roles so that does not appear to be a great solution
however. The ideal solution would be the ability to run the permissions tool
against only the custom role if that was somehow possible.
Problem 2: Analyst - Read Only Access to Hardware CI's on Cireson Portal
I also have a slight issue with READ ONLY Analyst role as well. Assuming we don’t make the above changes, the Analyst role has read only access to Cireson Assets out of the box.
Unfortunately the Analyst cannot see the Asset info in the Cireson Portal. On the Navigation settings screen, we can add in the Analyst group so that the required tabs are visible on the left hand screen. The Analyst can also see the “All Hardware Asset” grid view etc. Unfortunately though clicking on an Asset CI results in an “Access Denied” message as I believe only the “Asset Administrator” role (specified during the portal installation) is given access to Asset CI forms. This issue could probably be resolved by setting custom read permissions on the asset forms for our Analyst role if there is a way to do this.
I am wondering if anoyone else has defined similar roles and if so how they managed to address the issues I have described above.