Security Exposure Management Workspace personas and granular roles

  • Final version: Australia
  • Updated 12 March 2026
  • 6-minute read

    Before you can successfully remediate vulnerabilities with the Security Exposure Management Workspace plugin, you must assign personas and roles to your users and groups in Setup Assistant.

    One of the first configuration steps required for the Security Exposure Management Workspace plugin is to assign roles to users and groups. Roles define what users and groups can see and do in Security Exposure Management Workspace, Performance Analytics for Vulnerability Response, and all third party integrations with Security Exposure Management Workspace.

    You assign persona roles to existing users and groups in Setup Assistant. See Assign the Vulnerability Response persona roles using Setup Assistant.

    Note:

    If you are an upgrade customer, you can continue using your existing roles for the Vulnerability Response application. Access for users and groups that were assigned the sn_vul.vulnerability_read and sn_vul.vulnerability_write permissions, or the remediation owner role, prior to v10.3 has not changed.

    However, for more control over what users and groups can do and see in the Security Exposure Management Workspace plugin at the task level, you may prefer using granular roles. For more information, see Manage persona and granular roles for Vulnerability Response.

    If you have already assigned roles using Setup Assistant and you want to manage granular role assignments for all users and groups from the User Administration module, see Manage persona and granular roles for Vulnerability Response for more information.

    Getting started with persona roles and granular roles

    Key terms

    Role
    Roles define what users and groups can see and do in the Security Exposure Management Workspace plugin.
    Group
    A set of users who share certain roles and a common purpose.
    Persona role
    A pre-configured role in the application that is made up of multiple granular roles. The persona roles in Setup Assistant (Vulnerability Admin, Vulnerability Analyst, Remediation Owner, Configuration Item Manager, and Exception Manager) are designed to correspond to common job titles for managers, analysts, and service owners in an IT organization or vulnerability remediation group.
    Inherited roles
    Roles that users automatically acquire when they are assigned other roles. For example, any users or groups assigned the sn_vul.remediation_owner persona role also inherit the sn_vul.read_assigned and sn_vul.write_assigned granular roles.
    Access control list (ACL)
    Access control lists restrict access to data by requiring users to pass a set of requirements before they can interact with it.

    Starting from Vulnerability Response v16.5, to protect reports from being exposed, set all report_view ACLs to active=true. These ACLs ensure that the protected data is only available to authorized users.

    You assign groups and users to persona roles in Setup Assistant.
    Note:
    In Setup Assistant, the system admin role (admin) is required for the tasks in the first section (assigning roles and installing integrations). After you assign persona roles in Setup Assistant and install integrations, you may prefer to assign a user or group the sn_vul.vulnerability_admin role to finish any remaining tasks in Setup Assistant and to manage the Vulnerability Response application.

    The following table lists Vulnerability Response persona roles installed with the application.

    Persona roles for Vulnerability Response

    sn_vul.vulnerability_admin (Vulnerability Admin)
    Assign to users or groups. Users with this role have complete access to the Vulnerability Response (VR) application and its records. Users with this role configure all VR applications and rules and install third-party integrations.
    sn_vul.vulnerability_analyst (Vulnerability Analyst)
    Assign to users and groups. Users and groups with this role view and update all records for vulnerable item (VI) remediation.
    sn_vul.remediation_owner (Remediation Owner)
    Assign to users and groups. Users and groups with this role remediate vulnerabilities assigned to them or to a group they belong to, and view and update only the records assigned to them or to a group they belong to.
    sn_vul.ci_manager
    Assign to users and groups. Users and groups with this role manage reclassification of unmatched configuration items (CIs) that are not found in the Configuration Management Database (CMDB).
    Read-only granular roles
    Assign read access to specific areas in the application by task. For example, assign sn_vul.read_all so a user can view all VR records. For read access to remediation task rules, assign sn_vul.read_group_rules. Users and groups with these roles do not update records.

    Granular roles and persona roles

    One way to think about persona roles is to consider how their descriptions may relate to job descriptions for various IT or vulnerability remediation positions in your organization. The following figure illustrates a possible job description for a remediation specialist in IT, and how the tasks associated with this job relate to the tasks of a remediation owner persona role in the Vulnerability Response application.

    Figure 1. Job descriptions and a persona role
    Jobs in company compared to personas in Vulnerability Response.

    Both the job description and the remediation owner persona role could be defined as a series of remediation tasks. In the preceding image, a job description and a persona role in green blocks sit atop the tasks that describe them. In this example, some of the typical job requirements for a specialist in a remediation group correspond directly to the tasks that make up the remediation owner persona in Vulnerability Response: Review and update records, track the remediation status of vulnerabilities, prioritize items for remediation, and apply fixes and patches with IT.

    Sometimes, however, the jobs in your organization may not directly correspond to the tasks that make up one of the five persona roles in the Vulnerability Response application. For various reasons, such as protecting sensitive data or complying with regulations, you may need to limit the broad access some of the persona roles give your users and groups. Or, conversely, you may be required to give users and groups more access so they can perform their jobs. Using granular roles, you can customize roles and control the access users and groups have to Vulnerability Response, Performance Analytics for Vulnerability Response, and third-party integrations.

    The granular roles define the tasks

    The names of the granular roles in Vulnerability Response usually describe what users can do and see in the Vulnerability Response application. For example, in the previous image, users and groups assigned the Remediation Owner persona have the sn_vul.read_assigned and sn_vul.write_assigned granular roles. These granular roles permit users or groups to view and update the vulnerable item and remediation task records that are assigned to them. To view descriptions of specific granular roles, as a user with the system admin role, navigate to User Administration > Roles and locate the role that you want. Roles that are automatically inherited when that role is assigned are listed, and when a role depends on other role assignments, the required roles are also listed.

    In the following image, the granular roles of both the remediation owner persona role and the vulnerability analyst persona are illustrated. Note that the remediation owner persona does not include the read_all and write_all permissions of the vulnerability analyst persona. The granular roles, read_all and write_all, are required before users and groups can read and edit all of the vulnerable item and remediation task records. To customize these roles, simply add or remove granular roles to expand or limit access.

    Figure 2. Granular roles and the remediation owner and vulnerability analyst personas
    The granular roles you can add or remove for the remediation owner and vulnerability analyst personas. For example, the read all and write all roles for the vulnerability analyst.

    If you want your users and groups to have more access than the persona roles permit, you can add more granular roles to users and groups. Conversely, if you want to limit access for specific users and groups at the task level, you can remove granular roles.
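    To make the inheritance and scoping described above concrete, the following JavaScript model is added here as an illustration; it is not ServiceNow code and it does not reproduce the platform's ACL evaluation. It uses only the two persona-to-granular mappings stated on this page (Remediation Owner to read_assigned/write_assigned, Vulnerability Analyst to read_all/write_all); the group names, user ids and records are constructed sample data.

```javascript
// Constructed model of how persona roles expand into granular roles and how the
// *_all and *_assigned granular roles scope access. Only the two persona-to-granular
// mappings the page states are used; group names, user ids and records are made up.
const INHERITS = {
  "sn_vul.remediation_owner": ["sn_vul.read_assigned", "sn_vul.write_assigned"],
  "sn_vul.vulnerability_analyst": ["sn_vul.read_all", "sn_vul.write_all"],
};
// Expand assigned roles into the full set, following inheritance transitively.
// The visited set keeps the walk finite even if a custom role map has a cycle.
function expandRoles(assigned, inherits = INHERITS) {
  const out = new Set();
  const stack = [...assigned];
  while (stack.length) {
    const role = stack.pop();
    if (out.has(role)) continue;
    out.add(role);
    for (const child of inherits[role] || []) stack.push(child);
  }
  return out;
}

// Effective roles of a user: roles assigned directly plus the roles of every
// group the user belongs to, all expanded through inheritance.
function effectiveRoles(user, groups, inherits = INHERITS) {
  const direct = [...user.roles];
  for (const g of user.groups) direct.push(...(groups[g] || []));
  return expandRoles(direct, inherits);
}

// op is "read" or "write". *_all covers every record; *_assigned covers only
// records assigned to the user or to one of the user's groups (model only).
function canAccess(user, groups, record, op) {
  const roles = effectiveRoles(user, groups);
  if (roles.has(`sn_vul.${op}_all`)) return true;
  if (!roles.has(`sn_vul.${op}_assigned`)) return false;
  return record.assignedTo === user.id || user.groups.includes(record.assignmentGroup);
}

// Constructed sample data: a remediation group, an analyst group, and a user
// given only sn_vul.read_assigned (a granular role without the persona).
const GROUPS = {
  "linux-remediation": ["sn_vul.remediation_owner"],
  "vuln-analysts": ["sn_vul.vulnerability_analyst"],
};
const owner = { id: "u1", groups: ["linux-remediation"], roles: [] };
const analyst = { id: "u2", groups: ["vuln-analysts"], roles: [] };
const readOnlyOwner = { id: "u3", groups: [], roles: ["sn_vul.read_assigned"] };
const viMine = { assignedTo: "u1", assignmentGroup: "" };
const viGroup = { assignedTo: "", assignmentGroup: "linux-remediation" };
const viOther = { assignedTo: "u9", assignmentGroup: "windows-remediation" };
```

    Running canAccess over these principals shows the owner writing its own and its group's items but not another group's, the analyst reaching every record through read_all/write_all, and the read_assigned-only user limited to viewing its own items.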

    Note:
    To assign and edit granular roles in the User Administration module, the system admin role is required.

    Granular roles in the User Administration module

    For an example of how to manage granular roles for a user or group, see Manage persona and granular roles for Vulnerability Response.

    To assign persona roles, see Assign the Vulnerability Response persona roles using Setup Assistant.