AssetSonar caters to the ITAM needs of various organizations ranging from small startups with few employees to large IT-intensive enterprises. As employees and departments expand, businesses must enforce group-based access control to better manage asset visibility and use by employees.
There are two ways this can be done:
- Separate AssetSonar Accounts: Create separate accounts when ITAM workflows of each department and its employees are independent. For every account, you can have different policy settings and run independent reports. This is ideal when there’s no sharing of IT Assets or employees across departments.
- Use Advanced Access Control: This feature allows you to manage departments and divisions from a single AssetSonar account. By storing data in a single account, you can run aggregate reports and apply consistent settings across all departments.
- Enabling Access Control
- Restricting access by Groups
- Restricting access by Locations
- Restricting access by Groups and Locations
- Using Arbitration within User Listings
- Staff User settings for User Listings
- When to use Custom Roles?
1. Enabling Access Control
To enable Advanced Access Control, go to Settings → Company Settings → Policy → Access Control, select ‘Advanced’, and update the settings.
As you can see, there are three ways to restrict access to users: by Groups, by Locations, and by both Groups and Locations.
2. Restricting access by Groups
This option allows members of certain User Listings to only view items belonging to Groups that they have access to. Let’s suppose there are three departments in your company, Finance, Sales, and Operations. Each department works independently, however, there is limited sharing of Assets across the departments.
To start off, you must create a User Listing from the left navigation bar. Go to More → User Listings. Here, a Default User Listing already exists and contains all item groups.
Note the following:
- Employees associated with the Default User Listing can see all items.
- If there are no members in any User Listing, no Staff User or Admin can see any items.
Let’s create a User Listing to enable employees of different departments to access relevant items. Start by creating a User Listing named Finance for employees in this department.
Click on the ‘Add User Listings’ button.
Select the item groups you want to be visible to members in the Finance user listing and click on ‘Done’ to create the User Listing.
This is how a User Listing looks like once it has been created.
Now, go to the Users tab and click on the ‘Add or Remove Users’ button to add employees in the Finance department to this user listing.
Hit ‘ Change User Listing’ once you’re done.
This is how the Finance User Listing will now look:
In this example, Charles and David can only see Assets and Inventory items in the Groups selected earlier. They do not have access to items in other groups.
David is the supervisor for the Finance User Listing. This means he’s an Administrator but only for the users and groups in his User Listing. Within the Finance User Listing, he can run reports, add Assets, print labels, and add or remove employees as needed.
In the same way, you can add User Listings for your Sales and Operations departments. As an Administrator, you can edit a member to change their role and/or User Listing.
With User Listings enabled, there are four total roles to choose from: Administrator, Agent, Supervisor, and Staff User.
Please note the following:
- A new User Listing needs to be created for each Access Control group.
- Members can belong to a maximum of one User Listing.
- Any number of Asset groups can belong to a User Listing i.e. items can be shared across many departments.
- Staff users have visibility to only those items that belong to one of the groups in their User Listing.
- Supervisors have Administrative capabilities but only for their own User Listing. They do not have access to items and members outside their User Listing.
- Administrators are not associated with any User Listing and have full access to all items and users.
- Users not associated with a User Listing can only see Assets checked out to them.
- Default User Listing contains all item groups.
3. Restricting access by Location
You can also restrict access by locations instead of groups when configuring User Listings. Enable this setting from Settings → Company Settings → Access Control. Here, select to restrict access ‘By Locations’.
You can either create a new User Listing based on locations or assign locations to an existing User Listing.
Let’s assign locations to an existing User Listing listing called ‘IT Support’. Select IT Support from the User Listings page as shown:
Next, go to the Locations tab and click ‘Add or Remove Locations’. Make your selections and update the User Listing.
After adding locations, this is what your IT Support User Listing will look like:
In the above example, all members in the IT Support user listing can access items in the locations, Baltimore and Harleysville.
4. Restricting access by Groups and Locations
In case you have multiple offices in different locations, you may want employees to only access relevant items at their location. Let’s say you want people in the Maryland office to only have access to items grouped under ‘Laptops’ in Maryland.
To enable restrictions by Groups and Locations, follow the pathway: Settings → Company Settings → Policy → Access Control → Advanced → Restrict Access → Both Groups and Locations.
After enabling the settings, you can update the Groups and Locations for your User Listings by going to More → User Listings → Groups/Locations.
In the above example, the two users in the User Listing ‘IT Support’ can see all items in the 10 groups and at the two locations mentioned.
5. Using Arbitration within User Listings
Arbitration in User Listing enables Administrators to approve all items checked in/out by a user in the specified User Listing. Go to Settings → Company Settings → Arbitration in a User Listing → Arbitration in a User Listing and select ‘Enabled’.
When Arbitration is enabled in a User Listing, all items checked out, checked in, or reserved by members of the listing will need to be approved by ?r=blog_custom-rolesthe Admin.
If Arbitration is enabled outside a User Listing, all items checked out, checked in, or reserved by members that aren’t part of any listing will have to be approved by the Admin.
6. Staff User settings for User Listings
You can authorize Staff Users to take certain actions based on the User Listing(s) that they are a part of. These actions include:
- Creating items
- Scheduling and starting maintenance on items
To configure Staff User settings specific to each User Listing, go to User Listings → User Listing Name → Settings. Select the options highlighted below and hit ‘Save Settings’.
Note: If Arbitration settings specific to the User Listing have not been enabled, default Company Arbitration settings will apply to that User Listing
7. When to use Custom Roles?
You can Advanced Access Control to restrict access by department (User Listing) and status (member role). While these standard restrictions work for most industries, the User Listings approach offers limited flexibility for customized workflows.
If you need more granular restrictions over item visibility, you can use the Custom Roles feature. Completely personalize permissions for each role and gain granular control over visibility and action permissions.
Please note that you should implement only one of the two methods. Using both Advanced Access Control and Custom Roles will lead to complicated workflows and unnecessary confusion for your administration.
Read more: Types of Members
AssetSonar is the leading ITAM tool used by IT-intensive organizations and businesses all over the globe. It gives you the freedom to customize user roles and workflows as per your needs. Sign up today for a free 15-day trial.