A legal assessor might be a lawyer or a specially trained person who cares about licenses which apply to applications that include OSS and/or other 3rd party software.

Responsibilites, tasks and role

As a legal assessor I am responisble for supporting and advising the product owner and the development staff in a way that applications are made available with minimal risk. This may comprise license analysis (meaning to derive the permissions, obligations, restrictions and risks of unknown licenses brought in the organization by integrating e.g. new OSS packages) and about the entire license obligations which have to be fulfilled by a certain application in the context of the specific "delivery models" of the application.

Epic

As a legal assessor I always want to get informed whenever a yet unknown license is brought into the organization. In order to achieve my tasks I need a system where all known and analysed licenses are stored together with their associated permissions, restrictions, obligations and risks. I must be able to add the unknown licenses with its analysed characteristics and to make the analysis result available to the entire organziation. Further I need to have the possibility to assign a certain risk level to the licenses based on the organizational policy. In order to support the product owner to make the application available at minimal risk I need to know the delivery models the application will be made available under and I need an overview of all applicable licenses of the application with respect to the integrated 3rd party software (no matter whether it is OSS or commercial software) and "how" they are brought into the application like "these packages are stand alone executables", "these packages are linked dynamically", "this docker container is realizing the xyz". I need to have the ability to immediately inform the product owner when a certain license or component cannot be accepted so that they have enough time to look for alternatives. Whenever there are new aspects in license interpretation I want to update the information in the system accordingly and inform the organization about such updates, this also inculdes the ability to change the state of packages from "ok" to "denied" or "deprecated".