Data Scope Management
- Updated on 23 Jan 2023
Use Data Scopes to control which sets of data different groups of users can access. Define the set of data with Asset Scope saved queries, group those queries into a Data Scope, assign the Data Scope to a role, and assign users to that role.
Use Data Scope Management to let groups of users see only the data that is relevant to them or that they are allowed to see. This is useful, for example, when different teams in an organization each need access to specific assets: you want a single Axonius instance for the organization, but each team should see only information about its own assets (devices or users), which creates a closed environment for each team.
Once a Data Scope is defined, users assigned to it see only the assets that meet the criteria of its Asset Scope queries. Each Data Scope has its own separate entities: queries, dashboards, enforcements and reports. A newly created Data Scope is empty and contains none of these entities. An entity created within a Data Scope can be accessed only by users who share that Data Scope (and who have the appropriate view and action permissions).
Defining a Data Scope
Make sure you have the Manage data scopes permission; it is required to create and save a Data Scope.
To set up a Data Scope:
• Create an Asset Scope query that defines the assets to which you want to grant access.
• Create a Data Scope based on the Asset Scope query.
• Create a data restricted role for this Data Scope.
• Assign users to the data restricted role.
Setting Up the Asset Scope Query
First, define the assets that belong to the Data Scope by creating an Asset Scope query. You can define an Asset Scope Devices query or an Asset Scope Users query. The query results define the Data Scope; for example, the scope can be determined by OS, IP addresses, or asset tags. Because the query is the access boundary, review it with the same care as any access-control rule: a query that matches on tags, for instance, lets anyone who can edit those tags move assets into or out of the scope.
- Use the Query Wizard to create a new device or user query according to the criteria you require.
- Click Search; all matching assets are displayed.
- Click Save As. The Save As New Query dialog opens.
- Enable Asset scope query to save the query as an Asset Scope query, select a folder to save it in, and click Save. By default, Asset Scope queries are saved in the Asset Scope folder.
The Asset scope query toggle is only visible to users with the relevant permission.
On the Queries page this query appears as an 'Asset Scope Query'. The results of an Asset Scope query define the set of data on which a user can perform all Axonius activities.
Users with the Manage data scopes permission can use Asset Scope queries like any other saved query (for instance, when creating dashboard charts).
Creating the Data Scope
Use the Data Scopes tab in System Settings to define Data Scopes.
- From System Settings, click Data Scopes.
- Click Add Data Scope; the New Data Scope drawer opens.
- Set a name for the Data Scope.
- Select an Asset Scope Device query, an Asset Scope User query, or both. Every Data Scope must include at least one of these queries.
- If needed, select additional Asset Scope queries. You can select up to 100 Asset Scope queries for one Data Scope, counting Devices and Users queries together.
- Click Save; the new Data Scope appears in the Data Scope list.
Creating an Asset Scope Query from the New Data Scope Drawer
You can also create a new Asset Scope query directly from the New Data Scope drawer.
To create a new Asset Scope query:
- Click Add Query; the Query Wizard opens.
- Define the query. Refer to Creating Queries with the Query Wizard for details of how to create a query.
- Select a folder to save the query in and click Save. By default, Asset Scope queries are saved in the Asset Scope folder. The new query appears as an Asset Scope query on the Queries page.
- Click Save in the New Data Scope drawer; the new Data Scope appears in the Data Scope list.
You can edit or delete a Data Scope as required.
A Data Scope with no Asset Scope queries does not restrict anything: the users assigned to it have access to all devices and users on the system. Before assigning a Data Scope to a role, check that the intended queries are listed on the saved Data Scope.
Duplicating Data Scopes
You can duplicate a Data Scope to create a new Data Scope that differs only slightly from an existing one.
To duplicate a Data Scope:
- On the Data Scopes page, click the Data Scope; the Data Scope drawer opens.
- Click the duplicate icon; a copy of the Data Scope is created, named Copy.
- Rename the Data Scope, edit it as required, then click Save.
Data Scope Query Updates
From the Add Data Scope menu, click Edit Data Scope Settings to define how often the Data Scope data is updated.
- Set the frequency, in hours, at which the Asset Scope query results are re-evaluated. The default is every 6 hours. Between updates the scope reflects the previous results, so an asset that newly matches (or stops matching) an Asset Scope query enters (or leaves) the scope only at the next update.
- Select Update complete history with scope interval to include historical data in the Asset Scope; otherwise, the relevant roles can see data only from the day the scope was created.
Changing Asset Scope Queries
You can edit an Asset Scope query. Doing so changes the set of assets that users associated with the Data Scope can access.
Be careful when changing an Asset Scope query: the change also alters which assets are included in the Dashboard charts, Reports, Enforcements and other items that users assigned to the Data Scope have created.
Creating a Data Restricted Role
Use the Data Scope to define data restricted roles, and assign those roles to users.
Refer to Manage Roles for full information about working with roles. You can assign a Data Scope to more than one role.
- Click Manage Roles and choose Add Role, or duplicate an existing role (either a default role or a custom role) and edit it. The role can contain any subset of the Axonius permissions described in Manage Roles.
- Enable Restrict data access. The system asks you to confirm, because a data restricted role limits System and User Management.
- Click Yes, then select the Data Scope from the drop-down box.
- Configure or edit the role as required and click Save.
The new role now appears in the list of roles, and the selected Data Scope appears in the Data Scope column on the roles page. This column is only shown when Data Scopes are enabled.
Changing Data Restrictions
You can edit a role that has data restrictions. If you change the Data Scope listed under Restrict data access, or remove the Data Scope from the role, users assigned to the role lose access to the Axonius items that belong to the previous Data Scope, and the set of entities they can work with may change. For example, Kim is assigned to a certain Data Scope and can create Dashboard charts, Enforcement actions, Reports, and so on for the assets in that scope. If Kim's role is no longer assigned to that Data Scope, Kim can no longer access any of the charts, actions or reports created while the Data Scope applied; those items remain accessible to users who are still assigned to the Data Scope.
Assigning Users to the Data Scope Role
Refer to Manage Users for full information about working with users.
- Click the Manage Users tab.
- Define new users or edit existing users, and assign them this role.
Now, when such a user logs on to the system, they see only data from the assets included in the Data Scope assigned to their role. The Data Scope governs the user's access to all system entities in Axonius, including Dashboards, Charts, Enforcements, Saved Queries and Reports. Users assigned to a Data Scope role can only access items created within that Data Scope. For example, when Kim and Jean are both assigned to the same Data Scope and share the same system permissions, each can access the Queries and Charts the other creates. If Liz and Alice are assigned to a different Data Scope, they cannot access the Queries that Kim and Jean create.
In addition, an icon is displayed next to the avatar of a user whose role is associated with a Data Scope; hovering over it shows the name of the Data Scope.
You can create any number of Data Scopes and assign users to them as required.
Working with Data Scopes
Defining Data Scopes does not change what data Axonius fetches. It only determines which portion of the data and other entities the users assigned to a scope can access.
In addition, when working with Data Scopes, note the following:
- The Axonius default predefined dashboards and queries are not displayed for Data Scopes.
- All Axonius activities can only be performed on, and only include, data assigned to that scope. This includes:
- Creating dashboards
- Creating queries
- Creating reports
- Creating Enforcement Center activities
Everything created while working in a Data Scope is available only to the users assigned to that Data Scope. Even an Admin user cannot see these items unless logged in with a role assigned to that Data Scope. To view or audit the items under a specific Data Scope, you must log in as a user whose role is associated with that Data Scope.
Working with Data Scopes and Dashboard Charts
Once a user is assigned to a Data Scope, the default Axonius Dashboard is not displayed when they use the system.
When a user creates a new chart based on a query, only queries included in the Data Scope are available. In the example shown here, only one query is available.
If you change the role of the user who created a chart or a space so that they are no longer assigned to this Data Scope, they can no longer see the chart or space they created.
Any dashboard space created under a Data Scope has two access level options:
- All: all the users sharing the Data Scope.
- By Role: all the users with the selected roles (the roles list contains only the roles connected to the Data Scope).
When a user assigned to a Data Scope adds a dashboard space, the All option is limited to the users in their Data Scope.
Working with Data Scopes and Queries
Once a user is assigned a role with a Data Scope, they do not see any of the system's pre-saved queries. All queries they create are specific to the Data Scope. Users can still create private queries, and can see them as long as they remain associated with the relevant Data Scope.
Working with Data Scopes and Reports
A user assigned to a Data Scope can only see reports created by users associated with the same Data Scope, or private reports they created themselves. Reports can only include data and items associated with the user's Data Scope.
When they include dashboard charts and queries in a report, they can only choose from the Dashboard Spaces and queries that were created within the Data Scope.
When My Dashboard is included in a report, only the charts created within the same Data Scope are included. This is noted in the report once it is generated.
When a user clicks a link in a report, they see the data according to their own Data Scope. Only a user with access to the Data Scope can see the data behind the links in the report.
Working with Data Scopes and Enforcement Sets
A user assigned to a Data Scope can only access Enforcement Sets, and their run data, that were created under the same Data Scope.
When users assigned to a Data Scope create Enforcement Sets and define a query trigger, they can only select queries associated with their Data Scope. The Enforcement Sets run only on the data defined in the Data Scope.
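The access rules described across this page (Asset Scope queries define the assets; a Data Scope groups up to 100 of them; a data restricted role binds a Data Scope; users see only the scope's assets and only the queries, charts, reports and Enforcement Sets created inside that scope, plus their own private items; an empty Data Scope grants everything; a scope change cuts a user off from what they created) are summarized below as a small reference model. This is an added example, not Axonius code: the class and field names are invented, the sample assets and users are constructed, and the rule that several Asset Scope queries combine as a union is an assumption.

```python
# Reference model of the Data Scope access rules on this page. Added example,
# not Axonius code; class and field names, and the union rule, are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Optional

Asset = dict                       # constructed stand-in for a device/user record
Predicate = Callable[[Asset], bool]
MAX_ASSET_SCOPE_QUERIES = 100      # limit stated on the page

@dataclass(frozen=True)
class AssetScopeQuery:
    name: str
    kind: str         # "device" or "user"
    match: Predicate  # the saved query's criteria (OS, IP, tags, ...)

@dataclass
class DataScope:
    name: str
    queries: list = field(default_factory=list)

    def __post_init__(self):
        if len(self.queries) > MAX_ASSET_SCOPE_QUERIES:
            raise ValueError("a Data Scope holds at most 100 Asset Scope queries")
        if any(q.kind not in ("device", "user") for q in self.queries):
            raise ValueError("Asset Scope queries must be device or user queries")

    def covers(self, asset: Asset) -> bool:
        # Stated on the page: a Data Scope with no Asset Scope queries grants
        # access to ALL devices and users, i.e. it fails open.
        if not self.queries:
            return True
        # Assumption: several Asset Scope queries combine as a union.
        return any(q.kind == asset["kind"] and q.match(asset) for q in self.queries)

@dataclass
class Role:
    name: str
    data_scope: Optional[DataScope] = None  # None: Restrict data access is off

@dataclass
class User:
    name: str
    role: Role

@dataclass
class Entity:
    """A saved query, chart, dashboard space, report or Enforcement Set."""
    name: str
    created_in: Optional[DataScope]   # creator's Data Scope at creation time
    private_to: Optional[str] = None  # owner name for a private query/report

def _same_scope(a: Optional[DataScope], b: Optional[DataScope]) -> bool:
    if a is None or b is None:
        return a is b
    return a.name == b.name

def visible_assets(user: User, assets: list) -> list:
    """Assets the user can see; an unrestricted role sees everything."""
    scope = user.role.data_scope
    return list(assets) if scope is None else [a for a in assets if scope.covers(a)]

def can_access(user: User, entity: Entity) -> bool:
    """Private items: creator only. All items: same Data Scope as the creator's,
    so a scope-less admin does not see scoped items and scoped users do not see
    the global predefined dashboards and queries (created_in=None)."""
    if entity.private_to is not None and entity.private_to != user.name:
        return False
    return _same_scope(entity.created_in, user.role.data_scope)

def build_demo() -> dict:
    """Constructed sample data mirroring the Kim/Jean/Liz example on the page."""
    assets = [
        {"id": "dev-1", "kind": "device", "os": "Windows", "tags": ["team-a"]},
        {"id": "dev-2", "kind": "device", "os": "Linux", "tags": ["team-b"]},
        {"id": "usr-1", "kind": "user", "tags": ["team-a"]},
    ]
    team_a = DataScope("Team A", [
        AssetScopeQuery("Team A devices", "device", lambda a: "team-a" in a["tags"]),
        AssetScopeQuery("Team A users", "user", lambda a: "team-a" in a["tags"]),
    ])
    linux = DataScope("Linux", [
        AssetScopeQuery("Linux devices", "device", lambda a: a.get("os") == "Linux"),
    ])
    return {
        "assets": assets, "team_a": team_a, "linux": linux,
        "kim": User("Kim", Role("Team A analyst", team_a)),
        "jean": User("Jean", Role("Team A analyst", team_a)),
        "liz": User("Liz", Role("Linux analyst", linux)),
        "admin": User("Admin", Role("Admin")),                   # no Data Scope
        "shared": Entity("Team A Windows hosts", created_in=team_a),
        "private": Entity("Kim's draft", created_in=team_a, private_to="Kim"),
        "predefined": Entity("Default dashboard", created_in=None),
    }

if __name__ == "__main__":
    d = build_demo()
    print([a["id"] for a in visible_assets(d["kim"], d["assets"])])  # ['dev-1', 'usr-1']
    print(can_access(d["admin"], d["shared"]))                        # False
    print(DataScope("Empty").covers(d["assets"][1]))                   # True: fails open
```

Two behaviours worth checking against your own deployment are the ones the model makes explicit: `DataScope("Empty").covers(...)` returning True for every asset is the fail-open case from the Creating the Data Scope section, and reassigning `kim.role` to a role bound to a different Data Scope makes `can_access(kim, shared)` False even though Kim created that item.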