Tag-based User Scope in CAR
The Tag-based User Scoping feature restricts a user to viewing and interacting with only those assets and tags that are in their scope. A manager user can now control the assets on which users are allowed to execute and schedule scripts.
A user's scope can be defined by adding or removing the required tags. This feature ensures that sensitive assets or data are accessible only to authorized users.
By default, the manager user has access to all assets and tags.
Asset tagging provides a flexible way to organize the assets in your environment. An asset tag is a tag assigned to one or more assets and allows users to access those assets by assigning the same tag in their scope. You can apply tags manually or configure rules to classify your assets automatically. For more information on tagging assets, refer to Asset Tag of VM/VMDR Online help.
Access to the Tag-based User Scoping feature is provided on request. For more details, contact Qualys Technical Support.
Tag Hierarchy in Tag-based Scope
If you have assigned a parent tag to a user, then the user has access to assets from the parent tag and all its child tags. If a user is assigned only a child tag, then the user can execute or schedule scripts only on assets with the child tag.
Example:
A manager has access to 1000k assets. Out of these, the manager assigns the Windows tag to 50k assets and then assigns the Windows tag to a user. In this case, the user can execute or schedule scripts only on those 50k tagged assets.
Scripts or Schedules Created by User
Users can schedule and execute scripts on assets only within their permitted scope, even if the schedule is later modified by a manager user.
Example:
If a user has access to the Windows and Linux tags and creates a schedule using the Windows tag, the script will run only on assets with the Windows tag.
Later, if a manager updates the schedule and adds the macOS tag (which the user doesn’t have access to), the schedule will show both Windows and macOS tags. But when the script runs, it will still only run on assets with the Windows tag, since that’s the only one the user is allowed to use.
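The tag-hierarchy and schedule rules above, modelled in Python as an added example (not Qualys code or the CAR API). The tag names, hierarchy, asset inventory and function names are constructed for illustration, and the model assumes scope is enforced per tag, as the macOS example describes.

```python
# Model of the scoping rules described above (not Qualys code).
# Assumption: a schedule acts only on tags that are both on the schedule
# and inside the owner's scope, with parent tags covering their children.

# parent tag -> direct child tags (constructed hierarchy)
CHILDREN = {
    "Windows": ["Windows Server", "Windows Workstation"],
    "Linux": ["RHEL"],
}

# asset -> tags assigned to it (constructed inventory)
ASSETS = {
    "win-srv-01": {"Windows Server"},
    "win-ws-07": {"Windows Workstation"},
    "rhel-03": {"RHEL"},
    "mac-11": {"macOS"},
    "mac-lab-02": {"macOS", "Linux"},
}


def expand(tags):
    """Return the given tags plus every descendant tag."""
    seen, stack = set(), list(tags)
    while stack:
        tag = stack.pop()
        if tag not in seen:
            seen.add(tag)
            stack.extend(CHILDREN.get(tag, []))
    return seen


def effective_tags(schedule_tags, owner_scope):
    """Tags a schedule may act on: its own tags limited to the owner's scope."""
    return expand(schedule_tags) & expand(owner_scope)


def targets(schedule_tags, owner_scope):
    """Assets the script runs on for a schedule owned by a scoped user."""
    allowed = effective_tags(schedule_tags, owner_scope)
    return sorted(a for a, tags in ASSETS.items() if tags & allowed)


def out_of_scope_tags(schedule_tags, owner_scope):
    """Tags displayed on the schedule but outside the owner's scope."""
    return sorted(set(schedule_tags) - expand(owner_scope))
```

A non-empty result from `out_of_scope_tags` marks a schedule whose displayed tags overstate where the script actually runs, which is worth checking when reviewing schedules edited by a manager.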
Scope of User
The following CAR functionalities are impacted for a user with tag-based scoping enabled:
Functionality | Scope |
---|---|
Test Script | Users can test scripts on assets that are within their scope. |
Run Script | Users can run scripts on assets that are within their scope. |
Create Schedule | Users can create schedules for script execution on assets that are within their scope. |
View Schedule | Users can view the schedules that they created. |
Re-run Job | Users can re-run a job on assets that are within their scope. |
Generate a report from the jobs tab | The report generated by users from the Jobs tab includes the assets that are within their scope. |
View Asset Job | Users can view the asset jobs for assets within their scope. |
Re-run Asset Job | Users can re-run a job on a particular asset that is within their scope. |
Delete Asset Job | Users can delete asset jobs for assets within their scope. |
Block Asset | Users can add, view, and delete assets from the block assets list that are within their scope. |
Block Tags | Users can add, view, and delete asset tags from the block tags list that are within their scope. |
Lab Asset | Users can add, view, and delete assets from the lab assets list that are within their scope. |
Lab Tags | Users can add, view, and delete asset tags from the lab tags list that are within their scope. |
Manage User Scope
You can add or remove tags from the scope of users from the Administration module.
Add or Remove Tags from the Scope
To add tags, follow these steps:
- In the Administration module, navigate to Users > User Management.
- Select the username and click Edit from the Quick Actions menu.
- Click Roles And Scopes on the Edit User window.
- Click Select on the Edit Scope section.
- Select the required tags and click Save.
The user scope is now defined. You can view the scope in the User Management tab under the Scopes section on the right pane.
To remove tags, click the icon adjacent to the tag on the Edit User window.
Related Topics
Role-Based Access Control in CAR