This help describes changes to asset group assignment when your account is first migrated to AGMS, and which assets a sub-user will get when assigned the All group in an AGMS enabled subscription.
What happens to assigned asset groups when the subscription is first migrated to AGMS?
When the All group is assigned to a user in the Unassigned business unit
When the All group is assigned to a business unit
When the All group is assigned to a user in a business unit
When you change a user’s business unit
Personal asset groups cannot be called All
Asset groups no longer assigned to Contact users
UI changes when creating/updating asset groups
View User's Asset Groups in User Information
Sub-users (Unit Managers, Scanners, Readers, etc.) may notice a change to their assigned asset groups after AGMS is enabled for their subscription and account data is migrated. The asset groups assigned to a user post migration will depend on the following factors:
1) Your business unit (custom business unit vs. Unassigned business unit) and the asset groups assigned to the business unit.
2) Whether you were assigned the ALL group before the migration to AGMS.
- If you were assigned the ALL group only, then you will continue to have the ALL group assigned.
- If you were assigned the ALL group plus custom asset groups (e.g., AG1, AG2), then you will only have the ALL group assigned post migration.
- If you were assigned custom asset groups without the ALL group, then you will continue to have the custom asset groups assigned post migration.
Keep in mind that users with a Manager role are not assigned asset groups. Managers have all assets in the subscription automatically.
Note: AGMS migration is a one time activity. Once an account is migrated, it cannot be reverted to the older system.
Please see the tables below to know what to expect when your account is migrated.
|
Business Unit (BU) |
Asset groups |
Asset groups |
|
BU1 |
All |
All |
|
BU2 |
All, AG1, AG2 |
All |
|
BU3 |
All, AG1 |
All |
|
BU4 |
All, AG2 |
All |
|
BU5 |
AG1, AG2 |
AG1, AG2 |
|
BU6 |
AG1 |
AG1 |
|
BU7 |
AG2 |
AG2 |
|
Users eligible for asset group assignment |
Asset groups |
Asset groups |
Asset groups assigned to user post-migration |
|
Any sub-user |
All |
All |
All |
|
Any sub-user |
All |
All, AG1 |
All |
|
Any sub-user |
All |
AG1, AG2 |
AG1, AG2 |
|
Any sub-user |
All, AG1, AG2 |
All, AG1, AG2 |
All |
|
Any sub-user |
All, AG1, AG2 |
AG1 |
AG1 |
|
Any sub-user |
AG1, AG2 |
AG1, AG2 |
AG1, AG2 |
|
Any sub-user |
AG1, AG2 |
AG1 |
AG1 |
|
Any sub-user |
AG1, AG2 |
AG2 |
AG2 |
|
Users eligible for asset group assignment |
Asset groups |
Asset groups |
|
Any sub-user |
All |
All |
|
Any sub-user |
All, AG1, AG2 |
All |
|
Any sub-user |
All, AG1 |
All |
|
Any sub-user |
All, AG2 |
All |
|
Any sub-user |
AG1, AG2 |
AG1, AG2 |
|
Any sub-user |
AG1 |
AG1 |
|
Any sub-user |
AG2 |
AG2 |
The user gets all assets and all Manager created asset groups. The user will get all the assets (IPs, domains, networks, scanner appliances) in the subscription AND all the personal asset groups owned by Managers in the subscription.
For example, here’s a look at the asset groups list for the Manager Patrick Slimmer. Since Patrick is a Manager, he has access to all asset groups created by all users. Patrick created Asset Group 1, Asset Group 2, Asset Group 3 and Asset Group 4. Another Manager, Maggie, created Asset Group 5, and there are a few groups created by sub-users Chloe and Mike.
Patrick adds a new Scanner user, Pedro, and assigns this user the All group, as shown below.
Since Pedro is assigned the All group and he’s in the Unassigned business unit, he now has access to all the assets in the subscription and all the asset groups owned by Managers in the subscription – Patrick and Maggie. As new asset groups are added by Managers they will automatically appear in Pedro’s asset groups list. Pedro can also add his own asset groups.
Pedro can view and use any of the Manager created asset groups but he cannot edit or delete them since he is not the owner.
The business unit and the Unit Managers get all assets and all Manager created asset groups. The business unit will get all the assets in the subscription. Unit Managers in the business unit will get all the assets and all the Manager created asset groups. Unit Managers will also get asset groups created by other users in the same business unit.
For example, Business Unit ABC was assigned the All group. The Unit Manager for this business unit, Chloe, has all the asset groups created by Managers Patrick and Maggie. Chloe also has access to a group created by Mike who is in the same business unit. If any Manager creates new asset groups they will appear automatically on Chloe’s asset groups list.
The user gets all the assets and asset groups in the business unit. When a user within a business unit is assigned the All group, the user gets all the assets in the business unit. If the business unit was also assigned the All group then that user gets all assets in the subscription, all Manager created groups and all Unit Manager created groups for the same business unit. If the business unit or the user is assigned individual asset groups (not the All group) then they will have a limited set of assets/asset groups, as shown in the table below.
|
User in BU |
Asset groups |
Asset groups |
What the user gets |
|
Unit Manager |
All |
Unit Manager gets All by default |
All assets in the subscription All Manager created asset groups All groups created by Unit Managers in the same business unit All groups created by sub-users in the same business unit |
|
Unit Manager |
AG1, AG2 |
Unit Manager gets All by default |
Asset groups AG1 and AG2 and the assets included in AG1 and AG2 All groups created by Unit Managers in the same business unit All groups created by sub-users in the same business unit |
|
Sub-user |
All |
All |
All assets in the subscription All Manager created asset groups All groups created by Unit Managers in the same business unit |
|
Sub-user |
All |
AG1, AG2 |
Asset groups AG1 and AG2 and the assets included in AG1 and AG2 |
|
Sub-user |
AG1, AG2 |
All |
Asset groups AG1 and AG2 and the assets included in AG1, AG2 All groups created by Unit Managers in the same business unit |
|
Sub-user |
AG1, AG2 |
AG1 |
Asset group AG1 and the assets included in AG1 |
If a user's Business Unit is changed, you must also remove the old Business Unit from the user's scope in the Administration Module to remove access to assets via dashboards. Due to existing customer use cases and workflows, the old Business Unit will not be automatically removed. Qualys has plans to migrate completely to unifying Roles and Scopes into the Administration Module in the future, which will remove this requirement.
Users can no longer create their own asset groups with the title All (uppercase, lowercase or mixed case). This title is reserved by the service and this restriction is put in place to avoid confusion with the service provided All group. If you had a personal asset group with the title All (or ALL, all, aLl, etc) then you will need to change the asset group title.
Users with the Contact user role are no longer assigned asset groups. This is true if the user is part of a business unit or not. When you create a new Contact user no asset groups are listed on the Asset Groups tab, as shown below. If an existing Contact user was assigned asset groups prior to AGMS being enabled, those asset groups will be removed from the user’s account. Add your Contact user to a distribution group to send the user scan email notifications.
