---
title: Managing ownership
aliases: ["managing-asset-ownership"]
---
<!-- licenses: platform -->

runZero is able to help users track ((ownership)) with the ability to configure different types of owners and assign owners to runZero assets and vulnerability records. Ownership coverage can also be tracked as a [goal](docs/goal-tracking.md).

<iframe src="https://demo.arcade.software/V7pjRI8KY5VVr5dbbriG?embed" loading="lazy" allowfullscreen title="Managing ownership demo"></iframe>

## Ownership types

Superusers can manage the available types of ownership on the [**Account** > **Ownership types**](https://console.runzero.com/account/ownership-types) page. Custom ownership types can be configured to meet your needs. Some common ownership types may include **Security owner**, **IT owner**, or **Compliance owner**.

The ownership type requires configuring three fields:
* **Name**: the name of the ownership type.
* **Reference**: whether the ownership type should be correlated with the user inventory, group inventory, or neither.
* **Visibility**: whether the ownership type is visible through the asset inventory and asset details pages.

The default `Asset Owner` ownership type, when visible, will be automatically populated with ownership-related data that runZero can glean from your configured integrations. The name of this ownership type can be changed by a superuser.

The list of ownership types can be prioritized by dragging the types into the preferred order. This will dictate the order in which the types are displayed in the inventory and asset details pages. Only types marked `visible` will be displayed.

## Default asset owner

Integrations populate the default asset ownership type. This is a prioritized mapping showing which traits from each integration would update that value. If an asset has more than one of these attributes, the first match in this table would populate.

| Integration Source | Device/Object Type | Attribute Name | Reference Type |
| :--- | :--- | :--- | :--- |
| **Google Workspace** | Mobile | `owner` | User |
| **LDAP** | Computer | `managedBy` | User |
| **LDAP** | Computer | `manager` | User |
| **Google Workspace** | ChromeOS | `orgUnitPath` | Group |
| **Defender 365** | Device | `rbacGroupName` | Group |
| **SentinelOne** | Device | `groupName` | Group |
| **Google Workspace** | ChromeOS | `recentUsers.names` | User |
| **Google Workspace** | Mobile | `email.names` | User |
| **Google Workspace** | Endpoint | `email.names` | User |
| **Miradore** | Device | `user.name` | User |
| **Intune** | Device | `userDisplayName` | User |
| **CrowdStrike** | Falcon Device | `email` | User |
| **Google Workspace** | ChromeOS | `annotatedUser` | User |
| **Google Workspace** | ChromeOS | `recentUsers` | User |
| **Google Workspace** | Mobile | `email` | User |
| **Google Workspace** | Endpoint | `email` | User |
| **Miradore** | Device | `user.email` | User |
| **Intune** | Device | `emailAddress` | User |
| **Intune** | Device | `userPrincipalName` | User |
| **SentinelOne** | Device | `lastLoggedInUserName`| User |

## Assigning owners to assets and vulnerabilities

Once created, custom owners can be assigned via the inventory or through an alert rule.

Superusers, administrators, and users can add or modify owner values, and can remove owners from assets or vulnerability records. Annotators can only add owner values, but cannot modify or remove owners.

### Ownership in the inventory

Follow these steps to assign owners through the asset or vulnerability inventory:
1. Select all the assets or vulnerability records you wish to update, applying a query filter if needed.
2. Click the _Manage asset ownership_ or _Manage vulnerability ownership_ button to open the ownership popup.
    **Note**: Ownership values applied to an asset will be inherited by unowned vulnerability records on that asset. Vulnerability records with owners defined will not inherit the ownership value assigned to the asset.
3. Click _Add ownership type_ and choose which type(s) of owner you wish to apply to the selected assets or vulnerability records.
4. Add the owner value to the field.
5. Click _Save_ to apply your changes.

### Applying owners with rules

To automatically apply ownership values to assets after a scan, [create an alert rule](https://console.runzero.com/alerts/rule/create) by going to **Alerts > Rules** and clicking the _Create rule_ button:
1. Select an inventory query you wish to use, such as the `asset-query-results` rule type, then click _Configure rule_.
2. Configure any desired settings.
3. Set the **Action** to _Modify asset_.
4. Specify a value for the _Set [ownership type]_ field for the ownership type(s) you wish to apply.
    **Note**: Ownership values applied to an asset will be inherited by unowned vulnerability records on that asset. Vulnerability records with owners defined will not inherit the ownership value assigned to the asset.
5. Save the rule.

This rule will now add the specified owner type and value to all assets that match the rule when a scan completes.