Allowing Remediation Owner users to create their own custom VUL Remediation Tasks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-28-2023 11:09 AM
Hey everybody.
We are investigating the best way to allow a user with the Remediation Owner role to be able to create a custom Remediation Task without just opening everything up and giving everybody the write_all role. Based on the ACLs and UI Button conditions, it seems that is what is required for the "New" button to be available out on the Remediation Task list view.
Does anybody out there do this kind of thing, and if so what was the choice of actions and direction taken to implement?
Thanks, in advance, for all input and dialog.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-28-2023 11:28 AM
I would create a menu item to take them to Remediation task assigned to their group. From there, they should have option to create new remediation task. I would also make necessary change to allow create a new task and default the assignment group to the assignment group they belong to.
Please mark this response as correct or helpful if it assisted you with your question.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-28-2023 01:59 PM
Thanks SanjivMeher - but I am not following here in that I am asking because a Remediation Owner does NOT have an option to create a new remediation task from the linked list view of "Assigned to My Groups". The ACL for Create on the sn_vul_vulnerability table is tied to the sn_vul_write_all role. Remediation Owner does not have the write_all role in their set of assigned/inherited.
My whole point of asking this was to find out how others might do it or what added roles/ACLs is a better best practice to minimize ongoing technical debt when upgrades happen. Or for that matter if there is any reasons to not do this because it does then provide too much "write" capability for too many users if done.
Not sure tying the create capabilities to the assignment group makes much sense, as we have possibly hundreds of assignment groups that "COULD" be the one a user might be in that wants/needs to be able to create their own custom VUL (Remediation Task).
In your suggestion to "make necessary change" - what is that? A new Role, a new ACL, add to the existing ACL, etc.? What method of access changes are required to minimize customization technical debt, maximize ability to let users do some extra efforts, but also minimize their ability to change any and all data (as remediation owners should not be on par with analysts or managers) ...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-28-2023 02:10 PM
By "make necessary change", I meant to add new ACL to provide user option to create a Remediation Task Rules. But as you said, you might need to limit to number of users, who should have access to create.
So if you dont want to make changes to ACL or provide additional roles, I would create a Record Producer, which provide another way for users to create a Remediation task, without providing additional access to the end users. This record producer form can be create to take inputs from user and create tasks for them.
In the record produce
Please mark this response as correct or helpful if it assisted you with your question.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-28-2023 04:58 PM
Thanks, much! I am not sure it is a case that I don't want to do it, I am looking for that sanity check that it is a right way to do it. I'll look into record producer to see what that looks like and see if it gets things done with the balance of access and minimal technical debt as a way to approach. We were looking for options to then make our decision of how to continue on ...
I really appreciate the quick responses from you Sanjiv
