Ownership of Objects
The term "owner" is used in two different ways in Kion.
The first way refers to the Owner permission role, which is a default role that cannot be removed. You can map users and user groups to permission roles in permission schemes. The permissions granted to users with the Owner role are based on the permissions mapped to the role, which are controlled by your organization.
The second way refers to ownership of certain objects, which is designated at the time of object creation by using the Owners dropdown. The objects that use this type of ownership are:
- Cloud Rules
- IAM Policies
- Azure Role Definitions
- Azure Policy Definitions
- AWS CloudFormation Templates
- Azure ARM Templates
- AWS Service Catalog Portfolios
- AWS AMIs
- Compliance Checks
- Compliance Standards
This second method of controlling user capabilities is separate from permission roles and permission schemes, so the Owner role permissions do not apply to these objects. Likewise, the non-role ownership does not apply to objects that use the Owner role (OUs, projects, etc.).
The permissions for the non-role type of ownership are fixed and cannot be changed by your organization. With this type of ownership, only the owner of an object may edit that object. If a user without the permission needed to create an object is made an owner of one of those objects, they can make edits to the specific object they own. For example, if a user who cannot create AWS CloudFormation Templates is made the owner of AWS CloudFormation Template ABC, that user can now make edits to ABC, but still cannot create new AWS CloudFormation Templates or edit other AWS CloudFormation Templates for which they do not have ownership. Conversely, a user can have create permission granted at the global level that allows them to create new AWS CloudFormation Templates, but they won't be able to edit or delete an AWS CloudFormation Template for which they do not have ownership.
For a list of notifications for both types of owners, see Notifications.