Tag-based User Scope in FIM

The Tag-based User Scoping feature is currently available to limited customers and is in the early preview stage. Access to this feature is provided on request. For more details, contact Qualys Technical support.

Tag-based User Scoping enables you to control access by restricting a Sub-user to viewing and managing only those assets whose tags are assigned to the Sub-user. Assets that have no tags are accessible to all Sub-users regardless of assigned tags.
If an asset has multiple tags, it is accessible to any Sub-user with at least one matching tag. This ensures that Sub-users can access only relevant assets, events, profiles, incidents, reports, and other entities based on their assigned tags.

Only the user with the Manager role can assign tags to all users through the Administration module. The Manager role has unrestricted access to all assets, regardless of any tags that may be applied to the assets.

You can apply tags manually or configure rules to classify your assets automatically. For more information on tagging assets, refer to Asset Tagging in VM/VMDR Online Help.

After you assign tags to a Sub-user, the changes may take up to 4 hours to be reflected.

Scope of Tag-based Sub-users

The scope of a Sub-user can be viewed in the Administration module, including the Roles, Tags, and Scopes assigned to that Sub-user.

When this Sub-user logs into FIM, they can only see the assets that are within their scope.

A tag-based Sub-user has the following scope for each FIM entity:

Entity | Scope
Monitoring Profile | Sub-users can only view monitoring profiles that have an asset tag assigned within their scope. If no asset tag is assigned to the profile, then it will be visible to all users.
Events | Sub-users can only view events that occur on assets within their scope.
Assets | Sub-users can only access assets that are within their assigned scope.
Incidents (View) | Sub-users can only view incidents that they created or that were assigned to them for review.
Incident Events (View) | Sub-users can view all the events in an incident.
Incidents (Edit) | Sub-users can only edit incidents that they created.
Incidents (Review) | Sub-users can review incidents only if they were assigned to them.
Incidents (Delete) | Sub-users can delete incidents only if they were assigned to them.
Correlation Rule | Sub-users can view, edit, or delete correlation rules only if they created them or were assigned to review them.
Activity Logs | Sub-users can see activity logs for specific entities using the quick action button, but there is no dedicated Activity Logs tab.
Reports | Sub-users can create reports for entities within their scope. They can delete, download, or rerun failed reports that they created.
Report Rules | Sub-users can create report rules but can only view, edit, delete, or clone the rules that they created.

The asset.tagNames token is currently unavailable for alert generation.

Key Points

Consider the following key points while managing the user scope:

  • Assets without tags are accessible to all Sub-users.
  • Qualys recommends assigning at least one tag to restrict access to required Sub-users. If a Sub-user has no assigned tag, an unauthorized error is displayed when logging into FIM.
  • Incidents: While adding a reviewer, the user's scope must be equal to or greater than the creator's scope.
  • Correlation Rules
    • While adding a reviewer, the user's scope must be equal to or greater than the creator's scope.
    • Only reviewers with delete permission can delete the correlation rule.
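
The asset visibility rules above (Manager unrestricted, untagged assets visible to every Sub-user, at least one matching tag otherwise, unauthorized error for a Sub-user with no tags) can be modeled to audit a tag plan before assigning it. This is an added example, not Qualys code or a Qualys API; the user names, asset names, tags, and the dictionary layout are constructed for illustration.

```python
from dataclasses import dataclass, field

class Unauthorized(Exception):
    """Models the unauthorized error shown to a Sub-user with no assigned tag."""

@dataclass
class User:
    name: str
    role: str                                  # "Manager" or "Sub-user"
    tags: set = field(default_factory=set)

def can_access(user, asset_tags):
    """Apply the page's rules to the tag set of one asset or monitoring profile."""
    if user.role == "Manager":
        return True                            # Manager: unrestricted, tags ignored
    if not user.tags:
        raise Unauthorized(user.name)          # Sub-user without tags cannot use FIM
    if not asset_tags:
        return True                            # untagged: visible to every Sub-user
    return bool(user.tags & set(asset_tags))   # at least one matching tag

def audit(users, assets):
    """Return (untagged assets, {asset: [users who can see it]}, locked-out users)."""
    untagged = sorted(a for a, tags in assets.items() if not tags)
    locked_out, visible = [], {a: [] for a in assets}
    for u in users:
        try:
            for a, tags in assets.items():
                if can_access(u, tags):
                    visible[a].append(u.name)
        except Unauthorized:
            locked_out.append(u.name)
    return untagged, visible, locked_out

# Constructed sample data (hypothetical names and tags)
USERS = [
    User("mgr", "Manager"),
    User("alice", "Sub-user", {"PCI"}),
    User("bob", "Sub-user", {"Linux", "DMZ"}),
    User("carol", "Sub-user"),                 # no tags assigned
]
ASSETS = {
    "db-01": {"PCI", "Linux"},
    "web-02": {"DMZ"},
    "legacy-03": set(),                        # untagged: exposed to all Sub-users
}

if __name__ == "__main__":
    print(audit(USERS, ASSETS))
```

The first element of the result is the list to act on: every asset in it is visible to all Sub-users until it receives at least one tag.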

Manage User Scope

You can add or remove tags from the scope of users from the Administration module.

Add Tags to Scope

To add tags, follow these steps:

  1. In the Administration module, navigate to Users > User Management.
  2. Search for the username to which you want to add tags.
  3. Select the username and click Add Tags To Scope from the Quick Actions menu.

    The Add Tags To User Scope window is displayed.

  4. Search and select the tags you want to add.

  5. Click Save.

    The tags are added to the user's scope.

Remove Tags From Scope

To remove tags, follow these steps:

  1. In the Administration module, navigate to Users > User Management.
  2. Search for the username from which you want to remove tags.
  3. Select the username and click Remove Tags From Scope from the Quick Actions menu.

    The Remove Tags From User Scope window is displayed.

  4. Select the tags you want to remove.

  5. Click Save.

    The tags are removed from the user's scope.

Related Topics

Roles and Permissions