Access control lists (ACLs) for administration rules

  • Release version: Xanadu
  • Updated August 14, 2025

    You can either view or modify the administration rules based on the roles assigned to you.

    New roles for administration rules

    The following two new roles have been introduced to manage administration rules within the Security Exposure Management Workspace:

    • sn_sec_wf.read_admin_rules: Enables you to view all the administration rules.
    • sn_sec_wf.manage_admin_rules: Enables you to perform all CRUD (Create, Read, Update, Delete) operations on administration rules.

    Personas with read access to administration rules

    The following personas can read administration rules:

    • sn_vul.vulnerability_analyst
    • sn_vul_container.vulnerability_analyst
    • sn_vulc.auditor
    • sn_vulc.vulnerability_analyst

    Personas with create, update, and delete permissions

    The following personas can create, update, and delete admin rules, provided they have access to the corresponding findings table:
    Table 1. Persona accessible tables

    Persona                                 Accessible findings table
    sn_vul.app_sec_manager                  Application Vulnerable Item
    sn_vul.vulnerability_admin              Vulnerable Item
    sn_vulc.admin                           Test Result
    sn_vul_container.vulnerability_admin    Container Vulnerable Item
    sn_vul_cmn.usem_admin                   Vulnerable Item, Application Vulnerable Item, Test Result, Container Vulnerable Item
    Note:
    You can only modify the rules if you have create, update, and delete permissions and access to the corresponding findings table.
    Additional considerations for other rule types regarding create, update, and delete access:
    • Lookup and Exclusion rules: Access to create, update, or delete these rules is determined by the persona's permissions for the rule table itself, as they don’t have an associated findings table.
    • Auto-delete rules: Only users with the admin role can create, update, or delete these rules.
    • Classification rules: Personas can manage these rules if they have access to the specific table defined within the classification group.
    • Rollup Calculator rules: Personas who have access to the corresponding target table can manage these rules.
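The matrix above is easiest to verify when it is written down as a decision function. The following Python model is an added illustration, not ServiceNow code and not the platform's ACL engine: it encodes the two roles, the read personas, Table 1 and the per-rule-type notes from this page so an administrator can check a user's expected read and create/update/delete access against the documentation. The `User` structure, the rule-type labels (`"administration"`, `"lookup"`, `"exclusion"`, `"auto_delete"`, `"classification"`, `"rollup_calculator"`) and the constructed placeholder table name used for lookup rules are assumptions of the example.

```python
"""Added model of the documented access matrix for administration rules.
Illustration only: role names and Table 1 come from the page; the User
fields, rule-type labels and placeholder table names are constructed."""

from dataclasses import dataclass, field

READ_ROLE = "sn_sec_wf.read_admin_rules"
MANAGE_ROLE = "sn_sec_wf.manage_admin_rules"

# Personas the page lists with read access to administration rules.
READ_PERSONAS = frozenset({
    "sn_vul.vulnerability_analyst",
    "sn_vul_container.vulnerability_analyst",
    "sn_vulc.auditor",
    "sn_vulc.vulnerability_analyst",
})

# Table 1: persona -> findings tables the persona can access.
MANAGE_PERSONAS = {
    "sn_vul.app_sec_manager": frozenset({"Application Vulnerable Item"}),
    "sn_vul.vulnerability_admin": frozenset({"Vulnerable Item"}),
    "sn_vulc.admin": frozenset({"Test Result"}),
    "sn_vul_container.vulnerability_admin": frozenset({"Container Vulnerable Item"}),
    "sn_vul_cmn.usem_admin": frozenset({
        "Vulnerable Item", "Application Vulnerable Item",
        "Test Result", "Container Vulnerable Item",
    }),
}

# Rule types whose create/update/delete access is not tied to a findings table.
RULE_TABLE_SCOPED = {"lookup", "exclusion"}                     # decided on the rule table
TARGET_TABLE_SCOPED = {"classification", "rollup_calculator"}   # group table / target table


@dataclass
class User:
    """Constructed view of a user: granted roles plus the tables the user's
    other ACLs already allow (an assumption of this model, not a platform field)."""
    roles: set
    table_access: set = field(default_factory=set)


def has_cud_permission(user):
    """Create/update/delete permission: the manage role or any Table 1 persona."""
    return MANAGE_ROLE in user.roles or any(p in MANAGE_PERSONAS for p in user.roles)


def findings_tables_for(user):
    """Findings tables reachable through the user's Table 1 personas."""
    tables = set()
    for persona in user.roles:
        tables |= MANAGE_PERSONAS.get(persona, frozenset())
    return tables


def can_read(user):
    """Read access: the read role, a listed read persona, or CRUD via the manage role."""
    return (READ_ROLE in user.roles or MANAGE_ROLE in user.roles
            or bool(user.roles & READ_PERSONAS))


def can_modify(user, rule_type, table):
    """Create/update/delete access for one rule, following the page's notes.

    table is the findings table for "administration" rules, the rule table for
    lookup/exclusion rules, and the classification-group or rollup target table
    for the remaining types.
    """
    if rule_type == "auto_delete":
        return "admin" in user.roles             # admin role only
    if not has_cud_permission(user):
        return False
    if rule_type in RULE_TABLE_SCOPED or rule_type in TARGET_TABLE_SCOPED:
        return table in user.table_access        # no findings table involved
    # Administration rules: CUD permission AND access to the findings table.
    return table in findings_tables_for(user) or table in user.table_access


if __name__ == "__main__":
    app_sec = User(roles={"sn_vul.app_sec_manager"})
    print(can_modify(app_sec, "administration", "Application Vulnerable Item"))  # True
    print(can_modify(app_sec, "administration", "Vulnerable Item"))              # False
    print(can_read(User(roles={"sn_vulc.auditor"})))                             # True
```

Run it with a user's actual role set to see which rule types and tables the documentation says that user should be able to change; a mismatch with what the instance actually allows is the signal to review the user's roles and table ACLs.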