Vulnerability Response with Domain Separation

Rita Gon_alves2
Tera Contributor

Hello all,

I'm working with a client that has domain separation in their instance. They're going to start using the Vulnerability Response application, and their CIs are already domain separated, so I believe it makes sense to have the vulnerable items in the same domain as the associated CI. However, they have users that need access to some vulnerabilities regardless of the domain. I'm assuming the best way to do this is to give these users visibility over all domains (or the TOP domain) and then manage the access with ACLs. I think this comes with the issue that, if the user has multiple groups and roles, these will be propagated across domains, so they could have access to many other modules that are not being restricted with ACLs, correct?

Do you see another way to do this? We've considered having a dedicated domain for the vulnerable items (instead of placing them in the CI's domain), but then it could be the case that a user can access the vulnerable item and not the associated CI.

If someone has dealt with this, your experience would be much appreciated.

Thank you

1 REPLY

Tony Chatfield1
Kilo Patron

Hi, I would not change user domains, as this will impact visibility of all data.
If records need to be visible to all users, I would update the configuration so that these specific records are created in the global domain (no domain), as these will then be visible to all with no further customization required.