Tag-based User Scope in CAR

The Tag-based User Scoping feature restricts a user from viewing and interacting with only those assets and tags that are in their scope. A manager user can now control on which assets the users are allowed to execute and schedule scripts.

A user's scope can be defined by adding or removing the required tags. This feature ensures that sensitive assets or data are accessible only to authorized users.

By default, the manager user has access to all assets and tags.

Asset tagging provides a flexible way to organize the assets in your environment. An asset tag is a tag assigned to one or more assets and allows users to access those assets by assigning the same tag in their scope. You can apply tags manually or configure rules to classify your assets automatically. For more information on tagging assets, refer to Asset Tag of VM/VMDR Online help.

Access to the Tag-based User Scoping feature is provided on request. For more details, contact Qualys Technical Support.

Tag Hierarchy in Tag-based Scope

If you have assigned a parent tag to a user, then the user has access to assets from the parent tag and all its child tags. If a user is assigned only a child tag, then the user can execute or schedule scripts on assets with only the child tag.

Example:
A manager has access to 1000k assets. Out of these, the manager assigns the Windows tag to 50k assets and then assigns the Windows tag to a user. In this case, the user can execute or schedule scripts only on those 50k tagged assets.

Scripts or Schedules Created by User

Users can schedule and execute scripts on assets only within their permitted scope, even if the schedule is later modified by a manager user.

Example:
If a user has access to the Windows and Linux tags and creates a schedule using the Windows tag, the script will run only on assets with the Windows tag.

Later, if a manager updates the schedule and adds the macOS tag (which the user doesn’t have access to), the schedule will show both Windows and macOS tags. But when the script runs, it will still only run on assets with the Windows tag, since that’s the only one the user is allowed to use.

Scope of User

The following CAR functionalities are impacted for a user with tag-based scoping enabled:

Functionality	Scope
Test Script	Users can test scripts on assets that are within their scope.
Run Script	Users can run scripts on assets that are within their scope.
Create Schedule	Users can create schedules for script execution on assets that are within their scope.
View Schedule	Users can view the schedules that they created.
Re-run Job	Users can re-run a job on assets that are within their scope.
Generate a report from the jobs tab	The report generated by users from the Jobs tab includes the assets that are within their scope.
View Asset Job	Users can view the asset jobs for assets within their scope.
Re-run Asset Job	Users can re-run a job on a particular asset that is within their scope.
Delete Asset Job	Users can delete asset jobs for assets within their scope.
Block Asset	Users can add, view, and delete assets from the block assets list that are within their scope.
Block Tags	Users can add, view, and delete asset tags from the block tags list that are within their scope.
Lab Asset	Users can add, view, and delete assets from the lab assets list that are within their scope.
Lab Tags	Users can add, view, and delete asset tags from the lab tags list that are within their scope.

Manage User Scope

You can add or remove tags from the scope of users from the Administration module.

Add or Remove Tags from the Scope

To add tags, follow these steps: