Filtering vulnerable item based on assigned to or assignment group

saptarshiamc
Tera Contributor

The user has the sn_vul.read_all role. When the user accesses the sn_vul_vulnerable_item table, all vulnerabilities can be viewed (including those assigned to others). The requirement is to display only those vulnerable items that are assigned to the user, or to groups of which the user is a member.


Joe Kline
Kilo Guru

In our environment, we utilize the Remediation Owner role to do this very thing. Instead of read_all, the user gets the read_assigned roles and is then limited to seeing only those VIT records in which they are named in the Assigned To field, or any records where a group they are a member of is in the Assignment Group field.

Hi @Joe Kline, I have tried it with the following roles (sn_vul.write_assigned/sn_vul.read_assigned); however, with those roles the user can see vulnerable items and gets the following message: "Number of rows removed from this list by Security constraints". Have you added any other role as well?

@saptarshiamc,

In our case it was not a matter of "adding roles", but of giving each user either a "Remediation Owner" role or a "Read User" role. The intent is to have remediation teams see only what they are responsible for, as provided out of the box by the SN granular roles, with no need for custom ACLs.

Remediation Owner then provides sn_vul.read_assigned, sn_vul.read_effort, sn_vul.read_watch_topic, sn_vul.remediation_owner, sn_vul.update_assigned_to, sn_vul.update_assignment_group, sn_vul.write_assigned and a few others that may not be specifically associated with that table.


sn_vul.read_all comes along with a bunch of others in our use of the Read User role structure, used by managers and other team members who are responsible for seeing over a wide portion of the enterprise network, whereas those responsible for fixing things (system admins) really need to focus on their own small piece of the pie. Mixing read_all and read_assigned has caused some minor issues for us in what a user can and cannot see, or similar error messages that highlight that not all records are being displayed on a list view due to security constraints...

Hope this helps.
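To make the two replies above concrete, here is an added, stand-alone model of the visibility rule described for sn_vul.read_assigned versus sn_vul.read_all. It is not code from the thread or from ServiceNow and it calls no ServiceNow API; the user and VIT record shapes, the sys_ids, and the rule that read_all takes precedence over read_assigned are assumptions. It shows what a list view would return for a remediation owner, for a user assigned nothing (the "rows removed by Security constraints" case), and for a read_all user.

```javascript
// Added example, not from the thread or from ServiceNow.
// Models the read rule on sn_vul_vulnerable_item that the replies describe:
//   read_all      -> every row is readable
//   read_assigned -> only rows where assigned_to is the user, or
//                    assignment_group is one of the user's groups
// Field names mirror the table; sys_ids and precedence are assumptions.

// Constructed sample users (sys_ids made up for illustration).
const users = {
  alice: { sys_id: "u-alice", roles: ["sn_vul.read_assigned", "sn_vul.write_assigned"], groups: ["g-linux"] },
  bob:   { sys_id: "u-bob",   roles: ["sn_vul.read_assigned"], groups: [] },
  carol: { sys_id: "u-carol", roles: ["sn_vul.read_assigned"], groups: ["g-network"] },
  mgr:   { sys_id: "u-mgr",   roles: ["sn_vul.read_all"],      groups: [] },
};

// Constructed sample VIT rows with only the fields the rule inspects.
const vitRows = [
  { number: "VIT0001", assigned_to: "u-alice", assignment_group: "" },
  { number: "VIT0002", assigned_to: "",        assignment_group: "g-linux" },
  { number: "VIT0003", assigned_to: "u-bob",   assignment_group: "g-windows" },
  { number: "VIT0004", assigned_to: "",        assignment_group: "g-windows" },
];

// Row-level read decision. Assumption: read_all short-circuits, so a user
// holding both roles is treated as read_all.
function canRead(user, row) {
  if (user.roles.includes("sn_vul.read_all")) return true;
  if (user.roles.includes("sn_vul.read_assigned")) {
    if (row.assigned_to !== "" && row.assigned_to === user.sys_id) return true;
    if (row.assignment_group !== "" && user.groups.includes(row.assignment_group)) return true;
  }
  return false;
}

// Mimics a list view: rows the user may see, plus the count a list UI would
// report as removed by security constraints.
function listView(user, rows) {
  const visible = rows.filter((r) => canRead(user, r));
  return { visible, removedBySecurity: rows.length - visible.length };
}

// Convenience: just the record numbers a user can see.
function visibleNumbers(user, rows) {
  return listView(user, rows).visible.map((r) => r.number);
}

// Stand-alone run: prints each sample user's view of the table.
for (const [name, user] of Object.entries(users)) {
  const view = listView(user, vitRows);
  console.log(name, visibleNumbers(user, vitRows), "removed:", view.removedBySecurity);
}
```

Under these assumptions, carol is in a group that owns no VIT and is named on none, so every row is filtered and the list reports four rows removed by security constraints; that is the same symptom the original poster reported, and the first thing to check is whether the user's group memberships actually match the Assignment Group values on the records.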

Hi @Joe Kline, in our case the VIT is only assigned to the specific group and no remediation task has been created against it. Can you please help me understand whether a remediation task is also being created in your case?