Managing Roles

 

Overview

You can manage your roles on the User Management screen:

  • View a Role

  • Search for a Specific Role

  • Create a new Role

  • Identify Spirion Defined Roles

Granular Permissions

Roles include granular permissions to determine whether users can read, create or manage:

  • Individual Scans

  • Playbooks

  • Reports created by other users

  • Note: Roles can have their permissions adjusted, edited, and be deleted.

Default User Roles

Available Native User Roles

Below is a list of native user roles and their permissions.

Note that by default all users assigned to a custom role have access to the SPIglass™ Dashboard, Data Asset Inventory (including the SDV3 dashboard, targets, and tags), Agent Management, scans, playbooks, and reports.

  • The agents, targets, scans, playbooks, and reports a user can view and manage are controlled by Role-based Access Control (RBAC) permissions that can be setup after the role is created.

  • Access to all tags, targets, scans, and reports are denied by default, excluding only those the user created before being assigned to the role.

Native User Roles

  • Activity Monitor Admin

    • View permissions:

      • Agent Policies/Installation - User can view agent policies and agent configuration installations

      • Sensitive Data Watchers - User can view Sensitive Data Watchers

    • Manage permissions:

      • Agent Policies/Installation - User can manage agent policies and agent configuration installations

      • Sensitive Data Watchers - User can manage Sensitive Data Watchers

  • Activity Monitor User

    • View permissions:

      • Sensitive Data Watchers - User can view Sensitive Data Watchers

    • Manage permissions:

      • None

  • Admin

  • Compliance Admin

    • View-Only permissions:

      • Sensitive Data Finder - User can view Sensitive Data Finders

      • Sensitive Data Finder (Erasure Checklist)

    • Manage permissions:

      • Sensitive Data Finder - User can manage Sensitive Data Finders

      • Sensitive Data Finder (Erasure Checklist)

  • Compliance User

    • View-Only permissions:

      • Sensitive Data Finder - User can view Sensitive Data Finders

      • Sensitive Data Finder (Erasure Checklist)

    • Manage permissions:

      • None

  • Data Privacy Admin

    • View permissions:

      • Agent Policies/Installation - User can view agent policies and agent configuration installations

      • Script Repository - User can view the custom script repository

      • Scan Results - User can view sensitive data and discovery scan results

    • Manage permissions:

      • Create Tags and Targets - User can create tags and targets

        • RBAC permissions are used to control the playbooks a user in this role can view, modify, or delete. By default, users are permitted to view and manage any tag or target they create.

      • Create Scans - User can create sensitive data and discovery scans

        • RBAC permissions are used to control the playbooks a user in this role can view, modify, or delete. By default, users are permitted to view and manage any scan they create.

      • Create Playbooks - User can create playbooks. Creating playbooks requires read-only access to the custom script repository. The Manage option grants this access when the user role is created.

        • RBAC permissions are used to control the playbooks a user in this role can view, modify, or delete. By default, users are permitted to view and manage any playbook they create.

      • Create Custom Reports - User can create custom reports

        • RBAC permissions are used to control the playbooks a user in this role can view, modify, or delete. By default, users are permitted to view and manage any report they create.

      • Scan Results - User can manage sensitive data and discovery scan results

  • Data Privacy User

    • View permissions:

      • Agent Policies/Installation - User can view agent policies and agent configuration installations

      • Scan Results - User can view sensitive data and discovery scan results

      • Script Repository - User can view the custom script repository

    • Manage permissions:

      • None

  • General User

    • View permissions:

      • Scan Results - User can view sensitive data and discovery scan results

 

Custom Roles

When creating custom roles for subsets of users:

  • Access is built through explicit inclusion by specifying what playbooks, scans and reports should be available.

Read Permission

  • Scan Policy: the Read permission for a Scan Policy enables users to only initiate a scan.

    • This means the policy details cannot be seen via the create/edit screen.

  • Playbook: the Read permission for a Playbook enables users to select a playbook when defining a scan.

    • Users with this level of access are not able to view the playbook itself until navigating to a result’s executor view (if authorized).

Note: Users have full control over objects they create, even if their permissions to create new items are subsequently restricted.

Note: See Defining Access Controls for more information on how to manage your Roles' access to data.

View a Role

To view a Role:

  1. From the left menu, click Settings.

  2. Click User Management.

  3. Click the Roles tab.

  4. Roles are displayed in a table by Role Name and Role Status (enabled or disabled).

Search for a Role

To search for a specific Role:

  1. Ensure the Roles tab is selected.

  2. In the search box, type the Role name.

  3. Roles matching your search criteria are displayed in the list.

  4. Click x to clear the search term.

Add a New Role

To add a new Role:

  1. Ensure you are on the User Roles tab.

  2. In the top right of the screen, click Add Role.

    3. Note: By default all users assigned to a custom role have access to the SPIglass™ Dashboard, Data Asset Inventory (including the SDV3 dashboard, targets, and tags), Agent Management, Scans, Playbooks, and Reports.

    The agents, targets, tags, scans, playbooks, and reports a user can view and manage are controlled by RBAC permissions that can be setup after the role is created.

    Access to all tags, targets, scans, playbooks, and reports are denied by default, excluding only those the user created before being assigned to this role.

  3. On the Create New Role page, complete the following:

    Type a name in the Role Name box.

    Note: User Role names must be unique.

  4. Select the appropriate access for View and Manage.

    5. Note: Custom roles do not have access to existing scans, playbooks, or reports by default.

    Permissions to Read or Manage these resources are handled in the subsequent step.

  5. Click Review. The Verify New Role Configuration pop-up window displays.

  6. Review the permissions you have granted for the new role.

  7. Click Confirm to create the new role or click Cancel to discard.

  8. On the Tags/Targets tab, select any relevant tag groups or targets for the role.

    Select either:

    • All Targets

    • Custom tag (which is Inherited by default)

  9. From the kebab menu, select Edit Permissions.

  10. In the Edit Tag Permissions pop-up window controls, select from the following:

    • Partial or full visibility of matches against the Tag or Target.

    • Whether users can add Targets or create nested Tags when working with manual Tag types.

    • Allows Modify access to be assigned to edit target details

  11. Click Confirm to save the settings or Cancel to discard.

  12. On the SCANS tab, select which scan(s) should be accessible to the role.

    As previously stated above, Read enables scans to be executed from the kebab menu from the Scans table.

    Select from:

    • None

    • Read

    • Manage

  13. From the Playbooks tab, select which playbook(s) should be accessible to the role.

  14. As previously stated above, Read enables playbooks to be selected during the scan creation process (if authorized to create scans).

  15. Select from:

    • None

    • Read

    • Manage

      Note: The Playbook Override option controls whether a role is authorized to perform user-level remediation against the specified Target(s).

  16. From the Reports tab, select which report(s) should be accessible to the role.

    1. Select one of the following:

      • None

      • Read

      • Manage

        Note: Reports with Read access can be viewed in the console only and exporting is not allowed.

Edit a Role

To edit a Role:

  1. Ensure you are on the User Roles tab.

  2. Locate the role you want to edit.

  3. Select Edit Role from the kebab menu.

  4. Select the appropriate View and Manage access for the role.

  5. Click Review.

  6. In the Verify Updated Role Configuration pop-up window, click Confirm to save your selections or Cancel to discard.

Delete a Role

To delete a Role:

  1. Ensure you are on the User Roles tab.

  2. Locate the Role you want to delete.

  3. From the kebab menu, select Delete Role.

  4. In the Delete Role pop-up window, you must select a new role for users currently assigned the role to be deleted.

    5. Note: Disabling a role prevents it from being assigned to new users but does not impede the access of currently assigned users.

  5. Click Confirm to save your changes or Cancel to discard.