User access can be controlled at several levels to limit what users can see and do.

Role Level

Within an account, access to data (and functionality) can be controlled by user roles. There are three user roles:

Administrator

Administrators Can

  • See all data
  • Scan any node and run any policy
  • Add, remove or edit any nodes
  • Add, remove, or change access for any user
  • Schedule jobs
  • Change appliance settings (Enterprise only)

Member

Members Can

  • Only see data for node groups they are members of
  • Scan and run policies only for nodes in groups they are members of

Members Cannot

  • Access node data for nodes in groups they are not members of
  • Scan or run policies for nodes in groups they are not members of
  • Schedule jobs
  • Manage user access
  • Change appliance settings (Enterprise)

Analyst

Analysts Can

  • See all data

Analysts Cannot

  • Scan nodes or run policies
  • Schedule jobs
  • Manage user access
  • Change appliance settings (Enterprise)

Account Level

For Enterprise users (appliance), increased separation of access can be attained by splitting nodes between accounts. When additional accounts are added to an appliance, only users who are explicitly granted access to the new account will have access to nodes and data within that account. Full role-based access is also applicable within additional accounts.

Appliance Level

For complete separation of both access and data, nodes can be split between appliances. In these instances, not only is user access completely segmented, but data storage is also separated.
