Configuration Compliance - Read Roles

Kevin Lillis
Tera Expert

Similar to our Vulnerability Response implementation, we want our teams that fix misconfigurations to only see the misconfigurations assigned to their Assignment Group. I assumed (incorrectly) that adding the sn_vulc.remediation_owner role would allow them to do that (as this is what happens in VR for sn_vul.remediation_owner).

After further examination, the sn_vulc.remediation_owner role is pretty bare. It is missing the role that is important in VR's sn_vul.remediation_owner: the 'read_assigned' role (sn_vul.read_assigned). However, there is no equivalent for Config Compliance; that is, there is no sn_vulc.read_assigned role.


So how do we ensure remediators see only the misconfigurations that are assigned to their team?


Thanks for your help.


Greg Stone
Tera Contributor

In a related question, we have an "analyst" role which gives read-only access to certain folks in our sister teams. We uncovered some issues the other day whereby they were lacking visibility into certain data items. Has anyone else had a similar experience? I would expect the read-only "sn_vulc.read" role to cover all data elements in CC, regardless of assignment.