User Guide
Managing Roles
You can manage your Roles on the User Management screen to:
- View a Role
- Search for a Specific Role
- Create a new Role
- Identify Spirion Defined Roles
Roles include these controls which determine whether users can create scans, playbooks, and custom reports:
- Granular permissions to read or manage:
  - Individual Scans
  - Playbooks
  - Reports created by other users

Roles can be edited, have their permissions adjusted, and be deleted.
When creating custom roles for subsets of users, access is built through explicit inclusion by specifying what playbooks, scans and reports should be available.
- The Read permission for a scan policy allows users to initiate a scan only. This means the policy details cannot be seen via the create/edit screen.
- The Read permission for a playbook allows users to select a playbook when defining a scan, though users with this level of access will not be able to view the playbook itself until navigating to a result’s executor view (if authorized).
Note: Users will have full control over objects they create, even if their permissions to create new items are subsequently restricted.
Note: See Defining Access Controls for more information on how to manage your Roles' access to data.
To view a Role:
1. From the left menu, click Settings.
2. Click User Management.
3. Click the Roles tab.
4. The Roles are displayed in a table by name and status.
To search for a specific Role:
1. Ensure the Roles tab is selected.
2. In the search box, type the Role name.
3. Roles matching your search criteria are displayed in the list.
4. Click the x to clear the search term.
To add a new Role:
1. Ensure you are on the User Roles tab.
2. In the top right of the screen, click Add Role.
Note: By default, all users assigned to a custom role have access to the SPIglass™ Dashboard, Data Asset Inventory (including the SDV3 dashboard, targets, and tags), Agent Management, Scans, Playbooks, and Reports. The agents, targets, tags, scans, playbooks, and reports a user can view and manage are controlled by RBAC permissions that can be set up after the role is created. Access to all tags, targets, scans, playbooks, and reports is denied by default, excluding only those the user created before being assigned to this role.
3. On the Create New Role page, complete the following:
a. Type a name in the Role Name box.
Note: User Role names must be unique.
b. Select the appropriate access for View and Manage.
Note: Custom roles do not have access to existing scans, playbooks, or reports by default. Permissions to Read or Manage these resources are handled in the subsequent step.
c. Click Review. The Verify New Role Configuration pop-up window displays.
d. Review the permissions you have granted for the new role.
e. Click Confirm to create the new role or click Cancel to discard.
f. On the Tags/Targets tab, select any relevant tag groups or targets for the role. Select either:
- All Targets
- Custom tag (which is Inherited by default)
g. From the kebab menu, select Edit Permissions.
h. In the Edit Tag Permissions pop-up window controls, select from the following:
- Partial or full visibility of matches against the Tag or Target.
- Whether users can add Targets or create nested Tags when working with manual Tag types.
- Whether Modify access is assigned to allow editing of target details.
i. Click Confirm to save the settings or Cancel to discard.
j. On the Scans tab, select which scan(s) should be accessible to the role. As stated above, Read allows scans to be executed from the kebab menu in the Scans table. Select from:
- None
- Read
- Manage
k. From the Playbooks tab, select which playbook(s) should be accessible to the role. As stated above, Read allows playbooks to be selected during the scan creation process (if authorized to create scans). Select from:
- None
- Read
- Manage
Note: The Playbook Override option controls whether a role is authorized to perform user-level remediation against the specified Target(s).
l. From the Reports tab, select which report(s) should be accessible to the role. Select from:
- None
- Read
- Manage
Note: Reports with Read access can be viewed in the console only and exporting is not allowed.
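The access rules described in this guide (deny by default, Read versus Manage, and creators keeping full control of objects they created), modelled as an added example; this is not Spirion code or a Spirion API. The role, user and resource names are constructed, and the action sets under Manage are an assumption, since the guide only spells out what Read allows.

```python
from dataclasses import dataclass, field

# What each level unlocks. READ sets follow the guide; MANAGE sets are an
# assumption, because the guide does not enumerate them.
ACTIONS = {
    "scan":     {"read": {"execute"}, "manage": {"execute", "view", "edit"}},
    "playbook": {"read": {"select"},  "manage": {"select", "view", "edit"}},
    "report":   {"read": {"view"},    "manage": {"view", "export", "edit"}},
}

@dataclass(frozen=True)
class Resource:
    kind: str      # "scan", "playbook" or "report"
    name: str
    creator: str   # user who created the object

@dataclass
class Role:
    name: str
    grants: dict = field(default_factory=dict)  # (kind, name) -> "read" | "manage"

def role_actions(role, res):
    """Actions the role itself grants; no entry (or "none") means deny."""
    level = role.grants.get((res.kind, res.name))
    return set(ACTIONS[res.kind].get(level, ()))

def allowed_actions(user, role, res):
    """Effective actions: creators keep full control of their own objects."""
    if res.creator == user:
        return set(ACTIONS[res.kind]["manage"])
    return role_actions(role, res)

def access_beyond_role(user, role, resources):
    """Names of resources where the user can do more than the role grants."""
    return sorted(r.name for r in resources
                  if allowed_actions(user, role, r) - role_actions(role, r))

# Constructed sample data; all names are hypothetical.
ROLE = Role("Regional Auditor", {("scan", "EU file shares"): "read",
                                 ("report", "Q3 findings"): "read"})
RESOURCES = [
    Resource("scan", "EU file shares", "admin"),
    Resource("report", "Q3 findings", "admin"),
    Resource("playbook", "Quarantine PCI", "admin"),
    Resource("scan", "Legacy HR scan", "jdoe"),  # created by jdoe earlier
]

if __name__ == "__main__":
    for r in RESOURCES:
        print(r.kind, r.name, sorted(allowed_actions("jdoe", ROLE, r)))
    print("beyond role:", access_beyond_role("jdoe", ROLE, RESOURCES))
```

During an access review, `access_beyond_role` is the list to check: it surfaces objects a user still controls through ownership rather than through anything the role grants.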
To edit a Role:
1. Ensure you are on the User Roles tab.
2. Locate the role you want to edit.
3. Select Edit Role from the kebab menu.
4. Select the appropriate View and Manage access for the role.
5. Click Review.
6. In the Verify Updated Role Configuration pop-up window, click Confirm to save your selections or Cancel to discard.
To delete a Role:
1. Ensure you are on the User Roles tab.
2. Locate the Role you want to delete.
3. From the kebab menu, select Delete Role.
4. In the Delete Role pop-up window, you must select a new role for users currently assigned the role to be deleted.
Note: Disabling a role prevents it from being assigned to new users but does not impede the access of currently assigned users.
5. Click Confirm to save your changes or Cancel to discard.