Working With Assets and Asset Groups | Isora GRC Knowledge Base

📖

Assets are objects in inventory that can be included in the asset enrichment portion of a unit assessment. An asset can be anything, but they typically represent ip-based resources on your network, like computing devices (servers, desktops, laptops, phones or tablets) or infrastructure elements (routers, switches etc). Any type of device that has security implications might be included in an assessment

What Are Asset Groups?

Assets are organized into Asset Groups (AGs) for ease of management. As a superuser, you can see all asset groups. Other types of users see asset groups that they individually own or those that belong to units in which they have certain roles. An asset group has exactly one owning unit, and it may have one or more owning people as well. The following table outlines capabilities for Asset Groups^1.

	Create New AG	View AG & Contents	Update AG Settings	Add/Remove AG Owner	Assign AG to Another Unit	Delete AG (& Contents)^2
Superuser	Yes	Yes - all	Yes - all	Yes -anybody	Yes - any unit	Yes - all
Unit Head	No	Yes - my unit’s	No	No	No	No
Assessment Manager (AM)	Yes - my unit’s	Yes - my unit’s	Yes - my unit’s	Yes - anybody	Yes - for units where I’m AM or ITS	Yes - my unit’s
IT Staff (ITS)	Yes - my unit’s	Yes - my unit’s	Yes - my unit’s	Yes - anybody	Yes - for units where I’m AM or ITS	Yes - my unit’s
Auditor	No	Yes - my unit’s	No	No	No	No
AG Owner (individual)	No	Yes - my AG	Yes - my AG	No	No	No
Anyone Else	No	No	No	No	No	No

^1Asset Permissions are currently under development. This table documents the intended permissions; current behavior may vary depending on the level of Isora GRC you have installed.

^2Deleting an Asset Group also deletes all assets in the group.

💡

Asset Groups are also referred to as Sheets.

Asset groups have notification settings that determine which asset delegates, if any, get notified when the group gets pulled into an active assessment- more on that later.

Who Can Work With Assets?

Asset group ownership is the means for conveying permissions to the assets in the group. There are two types of asset group ownership- ownership by means of having a role in the owning Unit, and individual ownership of the asset group. There are also asset delegates- these are people or units who are listed on the asset itself as Owners, IT Staff or Users. The name of the Owner asset delegate type is a bit misleading. Being a delegate on an asset does not confer inventory management capabilities for the asset. All asset delegates have the same capabilities; however, the different types of asset delegates can be individually notified based on the asset group notification settings.

📖

Asset Delegates are people or units that are able to enrich an asset during the assessment process. This includes assigning a data classification, data categories (if applicable), and possibly some other fields on the asset. In addition to capturing the classification and categories for the assessment itself, relevant fields on the asset object itself will also be updated when the enrichment activity is performed.

The following table outlines the capabilities for assets.

	Create Asset	View Assets	Update Assets (in inventory)	Delete Assets	Enrich Asset (in an assessment)
Superuser	Yes - any AG	Yes - all	Yes - all	Yes - all	Yes - all
Unit Head	Yes - on my unit’s AG	Yes - on my unit’s AG	Yes - on my unit’s AG	No	Yes - on my unit’s AG
Assessment Manager	Yes - on my unit’s AG	Yes - on my unit’s AG	Yes - on my unit’s AG	Yes - on my unit’s AG	Yes - on my unit’s AG
IT Staff	Yes - on my unit’s AG	Yes - on my unit’s AG	Yes - on my unit’s AG	Yes - on my unit’s AG	Yes - on my unit’s AG
AG Owner (individual)	Yes - on my AG	Yes - on my AG	Yes - on my AG	Yes - on my AG	Yes - on my AG
Asset Delegate (unit- all roles)	No	No	No	No	Yes
Asset Delegate (individual)	No	No	No	No	Yes
Anyone Else	No	No	No	No	No

Working With Asset Groups

On the Inventory→ Assets page, you see a list of Asset Groups that you have access to. If you have the ability to create a new one, you can use the + sign to do so. You can also sort asset groups by column, or filter based on owning unit or individual or filter for empty ones.

Clicking an individual asset group opens it in the sidebar.

Clicking the notification settings allows you to determine which asset delegates (if any) will be notified when assets in the group are pulled into an active assessment. If none of the assets in the group have delegates listed, then the settings have no effect.

Working With Assets

In order to view or update an asset in inventory, you will need to be able to access the parent asset group where the asset resides. From the asset group details view, you can select the asset and either move it (to a different asset group that you also have access to) or delete it.

Clicking on the asset itself opens up its details page where you can view (and perhaps edit) all of the individual fields.

Asset delegate fields are now split up based on units and people. You can use these fields to allow more people to participate in the asset enrichment portion of a unit assessment that includes this asset. These are also the people who may be notified based on the notification settings of the parent asset group for this asset.