Managing Roles

 

Overview

You can manage your roles on the User Management screen:

  • View a Role

  • Search for a Specific Role

  • Create a new Role

  • Identify Spirion Defined Roles

Granular Permissions

Roles include these controls which determine whether users can create scans, playbooks, and custom reports:

  • Granular permissions to read or manage:

    • Individual Scans

    • Playbooks

    • Reports created by other users

  • Roles can have their permissions adjusted or edited, and roles can be deleted.

Custom Roles

When creating custom roles for subsets of users:

  • Access is built through explicit inclusion by specifying what playbooks, scans and reports should be available.

Read Permission

  • Scan Policy: the Read permission for a Scan Policy enables users only to initiate a scan.

    • This means the policy details cannot be seen via the create/edit screen.

  • Playbook: the Read permission for a Playbook enables users to select a playbook when defining a scan.

    • Users with this level of access are not able to view the playbook itself until navigating to a result’s executor view (if authorized).

Note: Users have full control over objects they create, even if their permissions to create new items are subsequently restricted.

Note: See Defining Access Controls for more information on how to manage your Roles' access to data.


View a Role

To view a Role:

1. From the left menu, click Settings.

2. Click User Management.

3. Click the Roles tab.

4. Roles are displayed in a table by Role Name and Role Status (enabled or disabled).

Search for a Role

To search for a specific Role:

1. Ensure the Roles tab is selected.

2. In the search box, type the Role name.

3. Roles matching your search criteria are displayed in the list.

4. Click x to clear the search term.

Add a New Role

To add a new Role:

1. Ensure you are on the User Roles tab.

2. In the top right of the screen, click Add Role.

Note: By default, all users assigned to a custom role have access to the SPIglass™ Dashboard, Data Asset Inventory (including the SDV3 dashboard, targets, and tags), Agent Management, Scans, Playbooks, and Reports.

The agents, targets, tags, scans, playbooks, and reports a user can view and manage are controlled by RBAC permissions that can be set up after the role is created.

Access to all tags, targets, scans, playbooks, and reports is denied by default, excluding only those the user created before being assigned to this role.

3. On the Create New Role page, complete the following:

4. Type a name in the Role Name box.

Note: User Role names must be unique.

5. Select the appropriate access for View and Manage.

Note: Custom roles do not have access to existing scans, playbooks, or reports by default. Permissions to Read or Manage these resources are handled in the subsequent step.

6. Click Review. The Verify New Role Configuration pop-up window displays.

7. Review the permissions you have granted for the new role.

8. Click Confirm to create the new role or click Cancel to discard.

9. On the Tags/Targets tab, select any relevant tag groups or targets for the role.

  Select either:

  • All Targets

  • Custom tag (which is Inherited by default)

10. From the kebab menu, select Edit Permissions.

11. In the Edit Tag Permissions pop-up window controls, select from the following:

  • Partial or full visibility of matches against the Tag or Target.

  • Whether users can add Targets or create nested Tags when working with manual Tag types.

  • Whether Modify access is assigned to edit target details.

12. Click Confirm to save the settings or Cancel to discard.

13. On the Scans tab, select which scan(s) should be accessible to the role.

  As stated above, Read enables scans to be executed from the kebab menu in the Scans table.

  Select from:

  • None

  • Read

  • Manage

14. From the Playbooks tab, select which playbook(s) should be accessible to the role. As stated above, Read enables playbooks to be selected during the scan creation process (if authorized to create scans).

15. Select from:

  • None

  • Read

  • Manage

Note: The Playbook Override option controls whether a role is authorized to perform user-level remediation against the specified Target(s).

16. From the Reports tab, select which report(s) should be accessible to the role.

17. Select from:

  • None

  • Read

  • Manage

Note: Reports with Read access can be viewed in the console only and exporting is not allowed.
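
The access rules described on this page (deny by default, explicit None/Read/Manage grants, and creators keeping control of their own objects) can be modelled to review what a user in a custom role can actually do. This is an added example, not Spirion code or a Spirion API: the action names, the contents of Manage, and the sample role and objects are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Action names are hypothetical labels for the behaviours this page describes.
READ = {"scan": {"run"}, "playbook": {"select"}, "report": {"view"}}
# Assumption: Manage adds these on top of Read; the page does not enumerate them.
MANAGE_EXTRA = {"scan": {"view_details", "edit", "delete"},
                "playbook": {"view_details", "edit", "delete"},
                "report": {"export", "edit", "delete"}}

@dataclass(frozen=True)
class Resource:
    rtype: str   # "scan", "playbook" or "report"
    name: str
    owner: str   # user who created the object

@dataclass
class Role:
    name: str
    # (rtype, resource name) -> "read" | "manage"; anything absent is None (denied)
    grants: dict = field(default_factory=dict)

def allowed_actions(user, role, res):
    full = READ[res.rtype] | MANAGE_EXTRA[res.rtype]
    if res.owner == user:          # creators keep full control of their objects
        return set(full)
    level = role.grants.get((res.rtype, res.name), "none")  # deny by default
    if level == "manage":
        return set(full)
    if level == "read":
        return set(READ[res.rtype])
    return set()

def retained_by_ownership(user, role, resources):
    """Objects the user still controls only because they created them."""
    return sorted(r.name for r in resources
                  if r.owner == user and (r.rtype, r.name) not in role.grants)

# Constructed sample data, not taken from any real console.
ROLE = Role("Helpdesk", {("scan", "Weekly PII"): "read",
                         ("report", "Q1 Findings"): "read"})
WEEKLY = Resource("scan", "Weekly PII", "alice")
QUARANTINE = Resource("playbook", "Quarantine", "alice")
Q1 = Resource("report", "Q1 Findings", "alice")
BOB_SCAN = Resource("scan", "Bob Ad Hoc", "bob")
ALL = [WEEKLY, QUARANTINE, Q1, BOB_SCAN]

if __name__ == "__main__":
    for r in ALL:
        print(r.rtype, r.name, sorted(allowed_actions("bob", ROLE, r)))
    print("retained:", retained_by_ownership("bob", ROLE, ALL))
```

The `retained_by_ownership` list is the part to check when moving a user into a more restricted role: those objects stay fully controllable by the user regardless of the role's grants.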

Edit a Role

To edit a Role:

1. Ensure you are on the User Roles tab.

2. Locate the role you want to edit.

3. Select Edit Role from the kebab menu.

4. Select the appropriate View and Manage access for the role.

5. Click Review.

6. In the Verify Updated Role Configuration pop-up window, click Confirm to save your selections or Cancel to discard.

Delete a Role

To delete a Role:

1. Ensure you are on the User Roles tab.

2. Locate the Role you want to delete.

3. From the kebab menu, select Delete Role.

4. In the Delete Role pop-up window, you must select a new role for users currently assigned the role to be deleted.

Note: Disabling a role prevents it from being assigned to new users but does not impede the access of currently assigned users.

5. Click Confirm to save your changes or Cancel to discard.