Manage User Scope

Cortex Xpanse Expander User Guide

Product
Cortex XPANSE
Version
2
Creation date
2024-03-28
Last date published
2024-04-17
Category
User Guide
Solution
Cloud
Abstract

Use tags and business units to restrict user access to data in Expander.

Cortex Xpanse provides support for Scope-Based Access Control (SBAC), which enables you to control user access to data within Expander using tags and business units as a scoping mechanism. SBAC works in conjunction with role-based access control (RBAC). Whereas RBAC controls access to components or screens in Expander, SBAC controls the data displayed on those screens.

How SBAC works in Expander

At a high level, SBAC in Expander works as follows:

  1. Assets are tagged and assigned to business units (BUs). For information about how tagging and BU assignments work, see Asset Tagging and Manage Business Units.

  2. Tags and BUs are automatically propagated to the services, alerts, and incidents associated with the assets.

  3. Scope-based access is configured for users and user groups based on the tags and BUs.

  4. When a user accesses Expander, the content displayed on the Incidents, Alerts, Dashboards, and Inventory screens is filtered according to the assigned tags and BUs. Users who do not have scope assigned to them will have access to all the data.

Things to consider before configuring SBAC in Expander

SBAC applies only if it is explicitly configured for a user or user group. By default, users have access to all data in Expander. Once a user has been scoped, that user will be able to see only the assets, services, alerts, and incidents that have at least one tag the user is permitted to see.

In the case of incidents, a user can see any incident that contains a tag the user is permitted to see, even if some of the alerts associated with that incident are not permitted on their own. The user will be prohibited from pivoting to the alert details page of an alert that is not permitted, and from performing actions on alerts that are outside of their scope. Incidents that do not have any tag the user is permitted to see will be completely hidden.

Note

The only way to provide access to all the data in Expander is to not assign scope. If you assign scope and choose Select All, the user will still be restricted from seeing some widgets and new data for newly added business units or tags.

Note

Users with the Instance Administrator role or a custom role that gives the same permissions as Instance Administrator cannot be restricted using scope-based access control.
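The visibility rules above (tag propagation from assets to alerts and incidents, "at least one permitted tag", unrestricted access for unscoped users, incidents visible on any matching tag while out-of-scope alerts cannot be opened, and Select All being a snapshot rather than unrestricted access) are easy to misread. The following Python model is an added illustration written for this guide, not Cortex Xpanse product code. The class and function names (Asset, Alert, Incident, UserScope, visible_alerts, can_open_alert) and the sample data are constructed, and business units are represented as tags with a "BU:" prefix purely as a modelling assumption.

```python
"""Model of Expander-style scope-based access control (SBAC).

Added illustration, not Cortex Xpanse code. It encodes the rules the guide
states: tags propagate from assets to alerts and incidents; an object is
visible when it carries at least one permitted tag; a user with no scope
sees everything; an incident is visible when any of its tags is permitted,
but an alert outside scope can neither be opened nor acted on; "Select All"
freezes the tags that existed when the scope was saved. All names here are
assumptions chosen for the example; "BU:" tags stand in for business units.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    tags: FrozenSet[str]  # asset tags and business-unit tags, held as one set


@dataclass(frozen=True)
class Alert:
    alert_id: str
    asset: Asset

    @property
    def tags(self) -> FrozenSet[str]:
        # Tags propagate automatically from the asset to its alerts
        return self.asset.tags


@dataclass(frozen=True)
class Incident:
    incident_id: str
    alerts: tuple

    @property
    def tags(self) -> FrozenSet[str]:
        # An incident carries the union of the tags of all its alerts
        return frozenset().union(*(a.tags for a in self.alerts))


@dataclass(frozen=True)
class UserScope:
    """permitted=None means no scope assigned, i.e. unrestricted access."""
    permitted: Optional[FrozenSet[str]]

    @staticmethod
    def unscoped() -> "UserScope":
        return UserScope(None)

    @staticmethod
    def select_all(all_tags_now) -> "UserScope":
        # "Select All" is a snapshot of the tags that exist at save time;
        # tags or BUs created later are NOT included, unlike an unscoped user
        return UserScope(frozenset(all_tags_now))

    def permits(self, tags: FrozenSet[str]) -> bool:
        if self.permitted is None:
            return True
        return bool(tags & self.permitted)  # at least one permitted tag


def visible_alerts(scope: UserScope, alerts):
    return [a for a in alerts if scope.permits(a.tags)]


def visible_incidents(scope: UserScope, incidents):
    return [i for i in incidents if scope.permits(i.tags)]


def can_open_alert(scope: UserScope, alert: Alert) -> bool:
    """Pivoting to, or acting on, an alert requires that alert itself in scope."""
    return scope.permits(alert.tags)


# Constructed sample data (not real assets)
WEB = Asset("www.example.test", frozenset({"BU:Retail", "env:prod"}))
LAB = Asset("lab.example.test", frozenset({"BU:Research"}))
NEW = Asset("new.example.test", frozenset({"BU:Acquired"}))  # BU added after scoping

A1 = Alert("alert-1", WEB)
A2 = Alert("alert-2", LAB)
A3 = Alert("alert-3", NEW)
INC = Incident("inc-1", (A1, A2))   # one incident spanning two business units
INC_NEW = Incident("inc-2", (A3,))

RETAIL = UserScope(frozenset({"BU:Retail"}))
SNAPSHOT = UserScope.select_all({"BU:Retail", "BU:Research", "env:prod"})
ADMIN = UserScope.unscoped()


def demo() -> dict:
    return {
        "retail_alerts": [a.alert_id for a in visible_alerts(RETAIL, [A1, A2, A3])],
        "retail_incidents": [i.incident_id for i in visible_incidents(RETAIL, [INC, INC_NEW])],
        "retail_can_open_alert2": can_open_alert(RETAIL, A2),
        "select_all_sees_new_bu": can_open_alert(SNAPSHOT, A3),
        "unscoped_sees_new_bu": can_open_alert(ADMIN, A3),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the model shows the two points that most often surprise administrators: the Retail user sees incident inc-1 because one of its alerts is tagged BU:Retail, yet cannot open alert-2 inside it, and the Select All user is blind to the later-created BU:Acquired data while the unscoped user sees it.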

Configure Scope-Based Access for Users

The steps below explain how to configure scope-based access for a user by assigning tags and BUs in the user profile. Once you have assigned tags, the user will be able to see any asset, service, alert, or incident that has one or more of the tags. For more information about asset and business unit tags, see Asset Tagging.

  1. Navigate to Settings > Configurations > Access Management > Users.

  2. Select one or more users in the list view, right-click, and select Update User.

  3. Select the Scope tab.

  4. Select the Tag Family and Tags that will be in scope (permitted) for this user or users.

  5. Save the settings.

Configure Scope-Based Access for User Groups

The steps below explain how to configure scope-based access for a user group. Once you have assigned tags to a user group, users in that group will be able to see any asset, service, alert, or incident that has one or more of the tags. For more information about asset and business unit tags, see Asset Tagging.

  1. Navigate to Settings > Configurations > Access Management > User Groups.

  2. Select one or more groups in the list view, right-click, and select Edit Group.

  3. In the Scope section, select the Tag Family and Tags that will be in scope (permitted) for this user group.

  4. Save the settings.