Tag-based User Scoping

Tag-based user scoping (TBUS) allows customers to scope a user’s asset access via asset tags rather than IP-based methods, such as Asset Groups or Business Units.

This feature allows greater flexibility in scoping a user’s asset access and addresses specific use cases, such as roaming agents with unpredictable IP addresses. Currently, this model covers asset access for Reporting and Asset Search. In a future release, it will also cover asset access for Scanning.

When enabled, tag-based user scoping is supported in VM/VMDR, PC and SCA. 

Some things to consider

- A Manager assigns a set of tags to each user to define the user’s scope. This can include all types of tags, including Business Unit Tags, Asset Group Tags, Static Tags, Dynamic Tags, and Agent Activation Key Tags. The user’s final scope is the union of all of the assigned tags.

- Dynamic Tags must be managed carefully, as an improperly scoped tag could enable a user to see assets beyond their intended scope. We recommend using a combination of Asset Group Tags, Business Unit Tags, and Agent Activation Key Tags.

- There is no automatic propagation like with Asset Groups. Asset access is managed entirely through tags, and any IP scopes that the user should have access to view must be added as an IP Range Tag to that user’s scope. (Note that Asset Group Tags and Business Unit Tags are IP Range Tags and can be used for this purpose.)

- The existing Asset Group model and the new Asset Tag model are both available and they work independently of each other. Both can be used to define a user’s scope. If a user is assigned assets via Asset Groups and also via Asset Tags then both options will be available to the user when taking actions like generating reports. 

Tag-based user scoping must be enabled

Contact your Technical Account Manager to request tag-based user scoping for your subscription. The following option is currently available.

Include all assets from tags in all operations, except scan launch

For Scanning, any IP being scanned must be in the license container (for VM/PC) and the user’s All group. This means the IP must be available to the user via Asset Groups or Business Unit assignment. If the IP is not available to the user launching the scan, then it will be ignored. 

For Reporting, the user can report on any asset tag in their scope even if the tag resolves to an IP address that’s not in their All group. In other words, the user can generate the report using any asset tag (or tags) added to the user’s scope in the Administration utility.

How to assign asset tags to users

Asset tags can be assigned to a user by a Manager from the Administration utility. Choose Administration from the module picker. On the User Management tab, identify the user you’re interested in and choose Add Tags to Scope from the Quick Actions menu. Select new tags you want to assign to the user, and click Save.

Add Tags to User Scope

Optionally, if you want to view the tags already assigned to a user before adding tags, then choose Edit from the Quick Actions menu. Go to the Roles And Scopes tab and you’ll see assigned tags under Edit scope. Here you can add/remove tags to define the user’s scope. 

Edit User to add or remove tags

You’ll see these options in the Edit Scope section:

Select – Select tags to assign to the user.

Create – Create a new tag and assign it to the user.

Remove All – Remove all tags already assigned to the user. 

Do I also need to assign asset groups to users?

Only if the user will also need to perform scanning. In a future release, when tag-based user scoping is supported for scanning, the user will only need to have asset tags assigned and asset group assignment will not be needed. 

Keep in mind that Managers have access to all assets in the subscription, Auditors have access to all assets in PC, and Unit Managers have access to all assets in their assigned business unit.

How to generate reports on asset tags

The steps you take to generate the report are the same whether you have tag-based user scoping enabled or not. You’ll go to Reports, and choose the type of report you want to generate from the New menu. Then select the asset tags you want to include in the report source. 

The asset tags are resolved to IP addresses at the time of report generation. If tag-based user scoping is enabled, all resolved IP addresses that match the user’s tag-based scope will be included in the report. If tag-based user scoping is not enabled, only the resolved IP addresses that match the user’s assigned asset groups/business unit will be included in the report. 

Example 1

Let’s say a user has the following assets assigned:

AG1 with 10.10.10.10-10.10.10.15 – assigned asset group

Tag1 with 10.10.10.10-10.10.10.15 – assigned tag in user scope

Tag2 with 10.10.10.20-10.10.10.30 – assigned tag in user scope

The user scope determined with the above assignment: the Asset Group scope is 10.10.10.10-10.10.10.15 (via AG1), and the tag-based scope is the union of Tag1 and Tag2, that is 10.10.10.10-10.10.10.15 and 10.10.10.20-10.10.10.30.

If tag-based user scoping is not enabled and the user runs a report on Tag2, the report will not resolve to any assigned IP addresses. The error “Empty report targets/assets resolved from the tags” will appear and the report cannot be generated. The user can successfully report on Tag1 since the IPs will resolve to IPs that have also been assigned to the user via AG1. 

If tag-based user scoping is enabled and the user runs a report on Tag2, then the report will run and the IPs 10.10.10.20-10.10.10.30 will be included in the report even though these IPs have not been assigned to the user via AG1. The user can also report on Tag1 and AG1 since these are also in the user’s asset scope. 

Example 2

In this example, the user is assigned AG1 and Tag2. The user does NOT have Tag1 assigned to their user scope. 

AG1 with 10.10.10.10-10.10.10.15 – assigned asset group

Tag1 with 10.10.10.10-10.10.10.15 – NOT assigned to user

Tag2 with 10.10.10.15-10.10.10.30 – assigned tag in user scope

The user scope determined with the above assignment: the Asset Group scope is 10.10.10.10-10.10.10.15 (via AG1), and the tag-based scope is 10.10.10.15-10.10.10.30 (via Tag2 only).

If tag-based user scoping is enabled and the user runs a report on Tag1, the report will not be generated even though the user is assigned the same set of assets through asset group AG1. The report doesn’t run because the user selected a tag for the report target that is not in their user scope. The user can run the report by specifying the asset group AG1 for the report target. The user can also report on Tag2 without issue since this tag is in the user’s scope.  
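To make the two examples concrete, the following is an added model of the report-target rules described on this page; it is not Qualys code. The `User` class, the `resolve_report` and `ip_range` helpers, and the assumption that an assigned Asset Group is always a valid target under both models are illustrative choices, not a Qualys API.

```python
# Added model of this page's report-target rules; not Qualys code.
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address

EMPTY_TARGETS = "Empty report targets/assets resolved from the tags"  # error text from the page


def ip_range(start: str, end: str) -> set[int]:
    """Expand an inclusive range like 10.10.10.10-10.10.10.15 into a set of IPv4 integers."""
    return set(range(int(IPv4Address(start)), int(IPv4Address(end)) + 1))


@dataclass
class User:
    asset_groups: dict[str, set[int]]  # Asset Groups assigned to the user (name -> IPs)
    scope_tags: dict[str, set[int]]    # tags added to the user's scope (name -> IPs)


def resolve_report(user: User, target: str, all_tags: dict[str, set[int]],
                   tbus_enabled: bool) -> tuple[str, object]:
    """Return ("ok", ips) or ("error", reason) for a report on an Asset Group or tag target."""
    if target in user.asset_groups:
        # Assumption: an assigned Asset Group is a valid target under both models.
        return "ok", set(user.asset_groups[target])
    if target not in all_tags:
        return "error", f"unknown target {target}"
    resolved = all_tags[target]  # tags resolve to IPs at report generation time
    if tbus_enabled:
        # The tag itself must be in the user's scope (Example 2), and its IPs are
        # kept where they match the union of the user's assigned tags.
        if target not in user.scope_tags:
            return "error", f"{target} is not in the user's tag-based scope"
        kept = resolved & set().union(*user.scope_tags.values())
    else:
        # Without TBUS only IPs also reachable via Asset Groups / Business Unit survive.
        kept = resolved & set().union(*user.asset_groups.values())
    if not kept:
        return "error", EMPTY_TARGETS
    return "ok", kept


# Constructed from Example 1 and Example 2 above.
AG1 = ip_range("10.10.10.10", "10.10.10.15")
TAGS_EX1 = {"Tag1": ip_range("10.10.10.10", "10.10.10.15"),
            "Tag2": ip_range("10.10.10.20", "10.10.10.30")}
TAGS_EX2 = {"Tag1": ip_range("10.10.10.10", "10.10.10.15"),
            "Tag2": ip_range("10.10.10.15", "10.10.10.30")}
USER_EX1 = User({"AG1": AG1}, dict(TAGS_EX1))              # AG1, Tag1 and Tag2 assigned
USER_EX2 = User({"AG1": AG1}, {"Tag2": TAGS_EX2["Tag2"]})  # AG1 and Tag2 only
```

Running `resolve_report(USER_EX1, "Tag2", TAGS_EX1, False)` reproduces the empty-targets error from Example 1, while the same call with `tbus_enabled=True` returns the 10.10.10.20-10.10.10.30 range.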

A few notes on reporting

- Tag-based user scoping is not yet supported for STIG Based Reports or the Compliance Posture Information API (/api/2.0/fo/compliance/posture/info/). The report/API output will not show posture information for assets that match the user’s tag-based scope. 

- When you run an Interactive Report or Scorecard Report (from PC/SCA) on asset tags, the report displays a union of the assets that match the user’s tag-based scope and the assets that match the user’s assigned asset groups/business unit. 

- If your subscription has both PC and SCA enabled and a sub-user runs an Interactive Report or Scorecard Report (from PC/SCA) on asset tags, the report displays assets from both PC and from SCA.