Administration Guide

Controlling the Access Scope

Updated in 2021.1

When your technical team supports multiple departments or multiple external customer organizations, you may need to restrict their access scope to only the objects that belong to those departments or organizations.

If membership in organizations is not enough, or you need to restrict access to objects further, use data segmentation. Data segments allow you to restrict access to certain areas and objects in Alloy Navigator across multiple organizations. For example, you can create a "Top Managers" data segment and place sensitive data there that must be available only to top managers, regardless of the organizations they belong to.

Security roles with a restricted access scope apply only to objects (such as Computers, Purchase Orders, Tickets) that belong to certain data segments and/or organizations, based on the values of the Data Segment and Organization fields of those objects.

The examples below show how different combinations of an object's Data Segment and Organization values and different access scope restrictions determine whether the role grants the permission to view the object.

Example 1
  Object: Data Segment = IT; Organization = Acme, Inc.
  Role access scope: Data Segments = IT, HR; Organizations = Unrestricted access
  Does the role apply to the object? Yes

  The role applies to the object because the Data Segment value of the object is on the list of data segments in the access scope, and the access scope is not restricted by organizations (Unrestricted access).

Example 2
  Object: Data Segment = HR; Organization = Acme, Inc.
  Role access scope: Data Segments = All segments; Organizations = Acme, Inc., Alloy Software
  Does the role apply to the object? Yes

  The role applies to the object because the Organization value of the object is on the list of organizations in the access scope, and the access scope is not restricted by data segments (All segments).

Example 3
  Object: Data Segment = HR; Organization = Acme, Inc.\Human Resources
  Role access scope: Data Segments = IT, HR; Organizations = Acme, Inc.
  Does the role apply to the object? No

  The role does not apply to the object because the value of the object's Organization field (Acme, Inc.\Human Resources) is not on the Organizations list of the role's access scope.

  Although the role allows access for Acme, Inc., which is the parent organization of Human Resources, it does not automatically allow access for sub-organizations, such as Human Resources.

  To allow access for sub-organizations, an access scope must explicitly include them, even if the parent organization is already included.

Example 4
  Object: Data Segment = Facilities; Organization = Acme, Inc.
  Role access scope: Data Segments = IT, HR; Organizations = Acme, Inc., Alloy Software
  Does the role apply to the object? No

  The role does not apply to the object because the object's Data Segment (Facilities) is not on the list of Data Segments of the role's access scope.

Exceptions

A role with a restricted access scope applies (grants permissions to view) only to objects whose Data Segment and/or Organization values match the segments and organizations the role allows access to. To be matched against the access scope, an object must have the Data Segment or Organization field.

Data Segments

Access scope restrictions by data segments apply only to objects that have the Data Segment field. Most Alloy Navigator objects have this field, except for Stock Rooms, PO Items, and Discovered Installations.

  • Stock Rooms have neither Organization nor Data Segment fields. When a role grants permissions to view Stock Rooms, it grants access to all Stock Rooms, regardless of the role's access scope.

  • PO Items and Discovered Installations do not have the Data Segment field. These child objects inherit the Data Segment value of their parent objects, which are Purchase Orders and Computers, respectively. For example, when a role grants permissions to view a Purchase Order, all its PO Items can be viewed as well.

Organizations

Organization-related restrictions apply only to organization-related objects, i.e. objects that have the Organization field. These objects are:

  • Assets
  • Computers
  • Configurations
  • Consumables
  • Documents
  • Hardware
  • Networks
  • Organizations
  • Persons
  • Purchase Orders (with their Purchase Order Items)
  • Software Licenses
  • Tickets (Change Requests, Incidents, Problems, Service Requests, Work Orders)
  • Tracked Software

In order to restrict access to other objects, such as Approval Requests or Contracts, use data segmentation.
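The matching rules described on this page (the four examples above, the exact-match rule for sub-organizations, and the exceptions for Stock Rooms, PO Items and Discovered Installations) can be written down as a small evaluation function. The following is an added illustration, not Alloy Navigator code: the class names, the field names, the "kind" strings and the way an organization path is written (parent\child) are assumptions made for the example.

```python
"""Added example, not part of Alloy Navigator: evaluates whether a security
role with a restricted access scope applies to an object, following the rules
in this guide. Object kinds, field names and the parent link are assumptions."""

from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class AccessScope:
    """A role's access scope. None means no restriction on that dimension
    ("All segments" / "Unrestricted access")."""
    data_segments: Optional[FrozenSet[str]] = None
    organizations: Optional[FrozenSet[str]] = None


@dataclass
class Obj:
    """A record. A field set to None is treated as 'the object type has no such
    field' (assumption for this example). Organization values are written as
    a path, e.g. r'Acme, Inc.\\Human Resources' for a sub-organization."""
    kind: str
    data_segment: Optional[str] = None
    organization: Optional[str] = None
    parent: Optional["Obj"] = None  # PO Item -> Purchase Order, Discovered Installation -> Computer


# Child object types that inherit the Data Segment of their parent (names assumed).
INHERITS_SEGMENT = {"PO Item", "Discovered Installation"}


def effective_segment(obj: Obj) -> Optional[str]:
    """PO Items and Discovered Installations carry their parent's Data Segment."""
    if obj.kind in INHERITS_SEGMENT and obj.parent is not None:
        return obj.parent.data_segment
    return obj.data_segment


def role_applies(scope: AccessScope, obj: Obj) -> bool:
    """True when the role's access scope grants the permission to view obj."""
    # Data Segment check: only for objects that have (or inherit) the field.
    if scope.data_segments is not None:
        seg = effective_segment(obj)
        if seg is not None and seg not in scope.data_segments:
            return False
    # Organization check: exact match only. Listing a parent organization
    # does NOT cover its sub-organizations; they must be listed explicitly.
    if scope.organizations is not None and obj.organization is not None:
        if obj.organization not in scope.organizations:
            return False
    # Objects with neither field (Stock Rooms) are never filtered by scope.
    return True


def table_examples() -> List[bool]:
    """The four examples from this page, in order; expected [True, True, False, False]."""
    it_hr = frozenset({"IT", "HR"})
    acme_alloy = frozenset({"Acme, Inc.", "Alloy Software"})
    return [
        role_applies(AccessScope(it_hr, None), Obj("Computer", "IT", "Acme, Inc.")),
        role_applies(AccessScope(None, acme_alloy), Obj("Computer", "HR", "Acme, Inc.")),
        role_applies(AccessScope(it_hr, frozenset({"Acme, Inc."})),
                     Obj("Computer", "HR", r"Acme, Inc.\Human Resources")),
        role_applies(AccessScope(it_hr, acme_alloy), Obj("Computer", "Facilities", "Acme, Inc.")),
    ]


def exception_examples() -> List[bool]:
    """Stock Room (no fields) and a PO Item inheriting its parent's segment."""
    scope = AccessScope(frozenset({"IT"}), frozenset({"Acme, Inc."}))
    stock_room = Obj("Stock Room")
    po_hr = Obj("Purchase Order", "HR", "Acme, Inc.")
    po_it = Obj("Purchase Order", "IT", "Acme, Inc.")
    return [
        role_applies(scope, stock_room),                       # True: never restricted
        role_applies(scope, Obj("PO Item", parent=po_hr)),     # False: inherits HR
        role_applies(scope, Obj("PO Item", parent=po_it)),     # True: inherits IT
    ]


if __name__ == "__main__":
    print(table_examples(), exception_examples())
```

Note the asymmetry the page describes: a role scoped to Acme, Inc. does not see objects of Acme, Inc.\Human Resources, while a role scoped to the IT segment does see a PO Item whose parent Purchase Order is in IT. Whether an empty Data Segment value on an object that does have the field should be treated as "no field" is not stated on this page; the example assumes it is.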

NOTE: The term “organization” uniquely identifies a company’s organizational unit which can be defined, for example, as a company, division, department, branch, team, group, etc.