How can non-SecOps groups see SIT when only assigned to the group?

Bill_Ymr_61 · ‎08-18-2022

We have just recently started using SecOps, and have run into an issue. When a Security Incident Task (SIT) is created within a Security Incident (SIR), if it is only assigned to the group that does not have any SecOps roles (sn_si.*), then they do not see the SIT in their groups outstanding work (Service Desk ==> My Groups Work).

Currently, within a SIR there are times when we need to have a non-SecOps group do something on a device (workstation, server, etc...). The Security Analyst will click on "Add Response Task" to create a SIT.

***If the SIT is assigned directly to an individual, that individual is able to see the SIT in their outstanding work (Service Desk ==> My Work).

***If the SIT is assigned to just the group (which is standard policy in our organization), no members of that group are able to see the SIT in their group's outstanding work. Even if they know the SIT number, if they search for it, it does not show up.

Because we are a global organization, it is next to impossible to know who is able to work on the SIT; this is why our policy is to assign it to a group.

How can we make the SIT visible to the Assignment Group when assigned to only the group? We would like to avoid any ACL work if possible, but at this point will take almost any suggestion.

Chris McDevitt · ‎08-18-2022

Hi,

Try making a new Read ACL for the SIT table:

And you should probably try and limit the groups to certain roles.

View solution in original post

Chris McDevitt · ‎08-18-2022

Hi,

Try making a new Read ACL for the SIT table:

And you should probably try and limit the groups to certain roles.

Bill_Ymr_61 · ‎08-18-2022

Thank you for the quick reply, Chris. I had actually already used that solution, but my management has asked me to find a way to do it without creating/modifying an ACL.

I think that their thinking is that we cannot possibly be the first customer with this type of ask, and that there has to be an easier way to accomplish it.

Chris McDevitt · ‎08-19-2022

Ummm.... so.... no.... The current ACL set prevents this from happening.

You can not "workaround" an ACL. ACLs are the "law" of the system, which is strictly enforced.

I'm curious... why does management not want a new ACL? ACLs are part of the configuration, NOT customization of a module.

qcj3 · ‎08-31-2022

Chris, I thought that you can use sn_si.external to allow this activity. Am I missing something?