Controlling the Access Scope
Updated in 2025
When your technical team supports multiple departments or multiple external customer organizations, you may need to restrict their access scope to only the objects that belong to those departments or organizations.
If membership in organizations is not enough, or you need to restrict access to objects further, use data segmentation. Workspaces allow you to restrict access to certain areas and objects in Alloy Navigator across multiple organizations. For example, you can create a "Top Managers" workspace and place sensitive data there that must be available only to top managers, regardless of the organizations they belong to.
Security roles with a restricted access scope apply only to objects (such as Computers, Purchase Orders, Tickets) that belong to certain workspaces and/or organizations, based on the values of the Workspace and Organization fields of those objects.
The table below shows how different combinations of an object's Workspace and Organization values and a role's access scope restrictions determine whether the role can grant the permission to view the object.
OBJECT: Workspace field | OBJECT: Organization field | ROLE ACCESS SCOPE: Workspaces | ROLE ACCESS SCOPE: Organizations | Does the role apply to the object? | Description |
---|---|---|---|---|---|
IT | Acme, Inc. | | Unrestricted access | Yes | The role applies to the object because the Workspace value of the object is on the list of workspaces in the access scope, and the access scope is not restricted by organizations (Unrestricted access). |
HR | Acme, Inc. | All workspaces | | Yes | The role applies to the object because the Organization value of the object is on the list of organizations in the access scope, and the access scope is not restricted by workspaces (All workspaces). |
HR | Acme, Inc.\ Human Resources | | | No | The role does not apply to the object because the value of the Organization object field (Acme, Inc.\ Although the role allows access for Acme, Inc., which is a parent organization of Human Resources, it does not automatically allow access for sub-organizations, such as Human Resources. To allow access for sub-organizations, an access scope must explicitly include them, even if the parent organization is already included. |
Facilities | Acme, Inc. | | | No | The role does not apply to the object because the object's Workspace (Facilities) is not on the list of Workspaces of the role's access scope. |
Exceptions
A role with a restricted access scope applies (grants permissions to view) only to objects whose Workspace and/or Organization values match the workspaces and organizations for which the role allows access. To be matched against the access scope, objects must have the Workspace or Organization field.
Workspaces
Access scope by workspace applies only to objects that have the Workspace field. This covers most Alloy Navigator objects, except for Stock Rooms, PO Items, and Discovered Installations.
- Stock Rooms have neither Organization nor Workspace fields. When a role grants permissions to view Stock Rooms, it grants access to all Stock Rooms, regardless of the role's access scope.
- PO Items and Discovered Installations do not have the Workspace field. These child objects inherit the Workspace value of their parent objects, which are Purchase Orders and Computers, respectively. For example, when a role grants permissions to view a Purchase Order, all its PO Items can be viewed as well.
Organizations
Organization-related restrictions apply only to organization-related objects, i.e. objects that have the Organization field. These objects are:
- Assets
- Brands
- Computers
- Configurations
- Consumables
- Documents
- Hardware
- Networks
- Organizations
- Persons
- Purchase Orders (with their Purchase Order Items)
- Projects
- Software Licenses
- Tickets (Change Requests, Incidents, Problems, Service Requests, Work Orders)
- Tracked Software
In order to restrict access to other objects, such as Approval Requests or Contracts, use workspaces.
NOTE: The term “organization” uniquely identifies a company’s organizational unit which can be defined, for example, as a company, division, department, branch, team, group, etc.
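The matching rules above, modelled as an added example (not Alloy Navigator code or its API), including a check for object kinds that a restricted role reaches without any scope match. The names `Obj`, `Scope`, `role_applies` and `unscoped_kinds` are hypothetical, the sample objects are constructed, and it assumes a restriction is skipped when the object has no field to match, as the Stock Rooms exception describes.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Obj:
    kind: str
    workspace: Optional[str] = None      # None: object has no Workspace field
    organization: Optional[str] = None   # None: object has no Organization field
    parent: Optional["Obj"] = None       # e.g. the Purchase Order of a PO Item

@dataclass(frozen=True)
class Scope:
    workspaces: Optional[FrozenSet[str]] = None     # None: "All workspaces"
    organizations: Optional[FrozenSet[str]] = None  # None: "Unrestricted access"

def effective_workspace(obj):
    # Child objects without a Workspace field inherit the parent's value.
    if obj.workspace is None and obj.parent is not None:
        return effective_workspace(obj.parent)
    return obj.workspace

def role_applies(scope, obj):
    ws = effective_workspace(obj)
    # Assumption: a restriction is evaluated only if the object has the field.
    if scope.workspaces is not None and ws is not None and ws not in scope.workspaces:
        return False
    # Exact match only: a listed parent organization does not cover sub-organizations.
    if (scope.organizations is not None and obj.organization is not None
            and obj.organization not in scope.organizations):
        return False
    return True

def unscoped_kinds(scope, objects):
    """Kinds a restricted role reaches with no scope check at all (review these)."""
    if scope.workspaces is None and scope.organizations is None:
        return []
    return sorted({o.kind for o in objects
                   if effective_workspace(o) is None and o.organization is None})

# Constructed sample data based on the table and exceptions above.
ACME = "Acme, Inc."
ACME_HR = "Acme, Inc.\\Human Resources"
PO = Obj("Purchase Order", "Procurement", ACME)
SAMPLE = [Obj("Computer", "IT", ACME), Obj("Ticket", "HR", ACME_HR),
          Obj("Stock Room"), PO, Obj("PO Item", parent=PO)]
```

Running `unscoped_kinds` over an inventory of object kinds shows which permissions (here, Stock Rooms) should be left out of a role that is meant to be confined to one department or customer.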