Tag-based User Scope in CAR

Access to the Tag-based User Scoping feature is provided on request. For more details, contact Qualys Technical Support.

The Tag-based User Scoping feature enables you to control access by restricting each user to the CAR entities that are in their scope.

If an asset has multiple tags, it is accessible to any user with at least one matching tag. This ensures that users can access only relevant scripts, schedules, jobs, asset jobs, reports, and other entities based on their scoped tags. 

Only the user with the manager role can assign tags to all users through the Administration module. The manager role has unrestricted access to all assets, regardless of any tags that may be applied to the assets.

Asset tagging provides a flexible way to organize the assets in your environment. An asset tag is a tag assigned to one or more assets; users can access those assets when the same tag is assigned in their scope. You can apply tags manually or configure rules to classify your assets automatically. For more information on tagging assets, refer to Asset Tag in the VM/VMDR online help.

After you assign or remove tags for a user, it may take up to 15 minutes for the updated scope to take effect for that user.

Scope of User

The following CAR entities are scoped for a user with tag-based user scoping enabled.

| Entity | Scope |
|---|---|
| Script | Users can view and update scripts within their scope. Users can test and run scripts on assets that are within their scope. When a user updates a script, the script’s scope is updated as per the user who is updating the script. |
| Schedule | Users can create, update, and view the schedules for scripts and tags within their scope. If no tags are assigned to a schedule, it is visible to all users. |
| Jobs | Users can view the jobs of scripts executed on assets within their scope. |
| Asset Job | Users can view and delete the asset jobs for assets within their scope. |
| Blocked Commands | Users can view, update, and remove blocked commands that are within their scope. When a user updates blocked commands, the blocked command’s scope is updated as per the user who is updating the commands. |
| Blocked Assets and Tags | Users can add, view, and remove assets from the blocked assets and tags that are within their scope. |
| Lab Assets and Tags | Users can add, view, and remove assets from lab assets and tags within their scope. |
| Activity Logs | Users can view activity logs that are within their scope. |

Key Points

  • Qualys recommends assigning at least one tag so that access is restricted to the required users. If a user has no assigned tag, an unauthorized error is displayed when the user logs in to CAR.
  • The entities created by the user with the manager role are visible to all other users.
  • When tag-based user scoping is applied to a user, existing CAR entities remain visible by default. However, once the user modifies these entities, the user scoping is enforced accordingly.
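
The scoping rules above can be modeled offline to check who ends up seeing what. The following is an added example, not Qualys code, and it calls no Qualys API. Assumptions: the non-manager role name "user" is a placeholder, untagged entities other than schedules are treated as out of scope for scoped users, and only entities created after scoping was applied are modeled.

```python
from dataclasses import dataclass

MANAGER = "manager"  # the unrestricted role named on this page

@dataclass(frozen=True)
class User:
    name: str
    role: str                      # "user" is a placeholder for any non-manager role
    tags: frozenset = frozenset()  # tags in the user's scope

@dataclass(frozen=True)
class Entity:
    name: str
    kind: str                      # "script", "schedule", "asset job", ...
    tags: frozenset = frozenset()
    created_by_manager: bool = False

def can_access(user, entity):
    """Apply the scoping rules stated on this page to one user/entity pair."""
    if user.role == MANAGER:
        return True                        # manager role is unrestricted
    if not user.tags:
        return False                       # no tag: unauthorized error at CAR login
    if entity.created_by_manager:
        return True                        # manager-created entities are visible to all
    if entity.kind == "schedule" and not entity.tags:
        return True                        # untagged schedules are visible to all
    return bool(user.tags & entity.tags)   # one matching tag is enough

def audit(users, entities):
    """List conditions an administrator should review before relying on scoping."""
    findings = [("user-without-tag", u.name)
                for u in users if u.role != MANAGER and not u.tags]
    findings += [("visible-to-all", e.name) for e in entities
                 if e.created_by_manager or (e.kind == "schedule" and not e.tags)]
    return findings

# Constructed sample data (not taken from a real subscription).
ALICE = User("alice", "user", frozenset({"linux"}))
BOB = User("bob", "user", frozenset({"windows", "db"}))
CAROL = User("carol", "user")
MGR = User("admin", MANAGER)
PATCH = Entity("patch-openssl", "script", frozenset({"linux", "db"}))
NIGHTLY = Entity("nightly", "schedule")
BASELINE = Entity("baseline", "script", created_by_manager=True)
WIN_JOB = Entity("win-job", "asset job", frozenset({"windows"}))

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, MGR):
        print(u.name, [e.name for e in (PATCH, NIGHTLY, BASELINE, WIN_JOB) if can_access(u, e)])
```

The audit output highlights the two cases that most often surprise administrators: users locked out because they have no tag, and entities that every scoped user can see regardless of tags.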

Manage User Scope

You can add or remove tags from the scope of users from the Administration module.

Add or Remove Tags from the Scope

To add tags, follow these steps:

  1. In the Administration module, navigate to Users > User Management.
  2. Select the username and click Edit from the Quick Actions menu.

  3. Click Roles And Scopes on the Edit User window. 
  4. Click Select on the Edit Scope section.
  5. Select the required tags and click Save.

    The user scope is now defined. You can view the scope in the User Management tab under the Scopes section on the right pane.

  6. To remove tags, click the icon adjacent to the tag on the Edit User window.

Related Topics

Role-Based Access Control in CAR