Before you get started with security controls, you must define who can manage them. The Exposure Management Administrator role, along with the Tenant Administrator role, possesses full Create, Read, Update, and Delete (CRUD) permissions to manually add Controls and Effectiveness Rules.
Crucially, these two roles can also manage ownership and change a security control from public to private. Other roles (e.g., Vulnerability Management, Data Security Administrator, Identity Security Administrator) are permitted to create effectiveness rules only in their respective domains.
| Role | Permissions | Recommended Governance Model |
|---|---|---|
| Exposure Management Administrator | Can CRUD all controls and rules and change ownership/privacy | Centralized Model. Assign this role to 2-3 Senior Analysts. This small group learns the feature, defines the initial controls, and establishes best practices. |
| Tenant Administrator | Same as above | Used for initial setup and assignment of the Exposure Management Administrator role. |
| Vulnerability Management (and other domain-specific admins) | Can update effectiveness in their domains | Federated Model. After best practices are set, "deputize" these domain admins. This scales the feature, allowing endpoint teams to manage controls, while implementing strong central guidance on naming conventions and taxonomy. |
| Read Only All | Can view all Security and Compensating Controls objects, rules, etc. | Assign to general SOC analysts, auditors, and stakeholders (like Asset Owners) who need visibility but not edit rights. |
Tip
Start with a centralized model. This helps a core team master the new object models, states, and taxonomies to prevent confusion and ensure high-quality control creation.
Note
Ensure that you have clear visibility into the controls that are created and implemented by periodically reviewing the Audit Logs as part of your change management process. Audit logs track the following actions:
- Create/Update/Delete Security Controls
- Create/Update/Delete Effectiveness Rules
- Update an Effectiveness Value in findings or issues