Tips and Tricks: Data Segmentation

One of the newer, more powerful features added to RF Code’s Asset Manager 2.1 is User Data Security and Segmentation, which gives Asset Manager Administrators the ability to strictly control access by asset type, asset attribute, and asset location.

Deployment challenges:

• Asset Manager is deployed as a hosted application serving multiple internal or external customers, so it is mission-critical that customer data and Users are segmented
• Different asset types, such as office assets and data center assets, are managed by different Groups and need to be segmented
• Asset Manager is deployed enterprise-wide, but there is a need to segment asset visibility by site or location (i.e. Users at one site should not have visibility to asset data at other sites)
• Sensitive asset attributes, such as accounting data, should only be visible to a select Group of Users

For some Asset Manager deployments, data segmentation would be a cumbersome process without this essential feature. With this new feature, admins can restrict non-administrator user roles (Manager, Editor, Reporter, and Viewer) to a subset of the Asset Manager asset population and corresponding data such as asset views, reports, maps, and alerts.

Solution:

• User Data Security and Segmentation allows admins to segment User populations into distinct Groups
• Administrators can then associate asset types with these Groups
• Administrators can also associate specific locations with Groups
• Finally, Administrators can hide particular asset attributes from Groups

Let’s go through an example of how this would be accomplished. Suppose that we want to create a Group called “Austin Data Center Managers” and we want to restrict the visibility of the data center assets that are in the Austin location to members of this Group. We also want to hide the Purchase Value attribute since management considers this confidential company data.

• First, there is a new setting available for all Attributes and Calculated Attributes in the schema editor called “Restrictable.” If an attribute or calculated attribute is marked as “Restrictable” then it can be selected and used as part of the Group’s definition. The same is true for Locations in the “Locations and Rules” task of the Admin console. By selecting the top of the Location tree and marking it as restrictable as shown below, the Admin can make all Locations hidden until a Group is explicitly granted access to them.


• Next, there is a new task in the Admin console called “Groups” where admins can control access to asset types, attributes, and locations.
    • To create a new Group, fill in the name and optional description as shown in the figure below.
    • The “Unrestricted Access to Assets and User Console Objects” checkbox determines whether the Group will have visibility to all assets. Since we want to restrict asset access for the Austin Data Center Managers Group, we’ll leave this box unchecked.
    • Next, the “Everyone Group Access” checkbox determines whether this Group belongs to the Everyone Group. The purpose of the Everyone Group is to provide a single common Group for all users (i.e. a default access level).
    • Next, select the “Allowed Location and Custom Types” radio button. Then click on the ellipsis (…) to select the location of the data center – in this case, we choose the “RFC Data Center” located in Austin.
    • Next, select the “All Restrictable Attributes” radio button. Selecting this option means that any attributes that have been marked Restrictable will NOT be viewable by this Group. To override this and grant access to a Restrictable attribute, select the “Allowed Restrictable Attributes” button and then click on the ellipsis (…) to choose the Restrictable attributes that the Group should be allowed to view.


    • Finally, when users are defined in the Users task under the Security tab in the Admin console, there will be an option to add them to a Group. Note that a User can be a member of multiple Groups. In this case, we will add the user “channa” to the Austin Data Center Managers Group. As a result, when this User logs into Asset Manager, he will only be able to access the RFC Data Center location.


When one of these Users logs into Asset Manager and looks at the Location tree, the Locations that they do not have access to will be shown as “hidden”.


Next, access to system objects such as assets, views, reports, maps, alerts, alert thresholds, and graphs is controlled by a new subtask in the User Console called “Access Control”.


Access Control is only available to Administrators, Managers and Editors. To enable the Austin Data Center Managers Group to access objects at the RFC Data Center location, select the assets, click “Add Groups”, and select the Austin Data Center Managers Group.


In a similar fashion, access must also be granted to the Group for views, maps, graphs, alerts, reports, etc.
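The steps above combine four independent controls (Restrictable locations, Group location grants, Restrictable attributes with an allow-list override, and object-level “Add Groups” grants), and a User may hold several memberships at once. The following Python model, added here as an illustration and not RF Code’s own code, encodes those rules as the article describes them so an admin can reason about what a given set of memberships exposes; the location tree, the Accounting Group, the asset tags and the assumption that an unrestricted Group also sees every attribute are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed location tree; a Restrictable location is hidden until a Group is granted it or an ancestor.
LOCATION_PARENT = {"All": None, "Austin": "All", "RFC Data Center": "Austin",
                   "Dallas": "All", "Dallas Office": "Dallas"}
RESTRICTABLE_ATTRS = {"Purchase Value"}   # attributes marked "Restrictable" in the schema editor

@dataclass(frozen=True)
class Group:
    name: str
    unrestricted: bool = False                  # "Unrestricted Access to Assets and User Console Objects"
    allowed_locations: frozenset = frozenset()  # "Allowed Location and Custom Types"
    allowed_attrs: frozenset = frozenset()      # "Allowed Restrictable Attributes"; empty = all hidden

@dataclass
class Asset:
    tag: str
    location: str
    attrs: dict
    groups: set = field(default_factory=set)    # Groups granted via Access Control > "Add Groups"
def ancestors(loc):
    while loc is not None:
        yield loc
        loc = LOCATION_PARENT[loc]
def location_visible(user_groups, loc):
    return any(g.unrestricted or not g.allowed_locations.isdisjoint(ancestors(loc))
               for g in user_groups)
def visible_asset(user_groups, asset):
    """Attributes the user may see on this asset, or None if the asset is hidden from them."""
    if not location_visible(user_groups, asset.location):
        return None                              # the location itself shows as "hidden"
    if not any(g.unrestricted or g.name in asset.groups for g in user_groups):
        return None                              # no object-level grant for any of the user's Groups
    allowed = set().union(*(g.allowed_attrs for g in user_groups))   # union across memberships
    full = any(g.unrestricted for g in user_groups)  # assumption: unrestricted Groups see every attribute
    return {k: v for k, v in asset.attrs.items()
            if k not in RESTRICTABLE_ATTRS or full or k in allowed}

# Constructed sample: the article's Group plus an Accounting Group allowed to see Purchase Value.
AUSTIN_DCM = Group("Austin Data Center Managers", allowed_locations=frozenset({"RFC Data Center"}))
ACCOUNTING = Group("Accounting", allowed_locations=frozenset({"All"}),
                   allowed_attrs=frozenset({"Purchase Value"}))
ASSETS = [
    Asset("SRV-01", "RFC Data Center", {"Model": "R740", "Purchase Value": 12000}, {AUSTIN_DCM.name}),
    Asset("SRV-02", "RFC Data Center", {"Model": "R640", "Purchase Value": 9000}),  # not yet granted
    Asset("PRN-07", "Dallas Office", {"Model": "LJ4000", "Purchase Value": 400}, {AUSTIN_DCM.name}),
]

def visible_for(user_groups):
    return {a.tag: visible_asset(user_groups, a) for a in ASSETS}
```

Running `visible_for([AUSTIN_DCM, ACCOUNTING])` shows the point worth checking before granting a second membership: the Accounting Group’s location grant makes the Dallas printer visible, and the Austin Group’s object-level grant on it then takes effect, so a user in both Groups sees an asset that neither membership alone would expose.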


User Data Security and Segmentation can be a complex topic, but with some planning it can pay dividends for an Enterprise deployment or hosted instance of Asset Manager where keeping a tight rein on asset access is critical to success.