Managing Data Scopes
- Updated on 20 Mar 2025
Use data scopes to allow users to see only data that is relevant to them or their role. A data scope is a subset of all the data in your environment. Users assigned a specific data scope can only see the data that is available to that data scope.
Data scopes are useful, for instance, when there are different teams, departments, or geographic regions in an organization that each need access to specific assets. While you want one instance of Axonius to be installed for your organization, you want each team, department, or geographic region to only see information about their own assets, thereby creating a closed environment for each.
Each data scope has separate entities: queries, dashboards, Enforcement Sets and reports. When a data scope is first created, it is empty and does not include any of these entities. Access to each entity is defined by the permissions selected when creating them. They can also be moved from one permission level to another.
- See Creating Queries with the Query Wizard for more about creating queries.
- See Working with Dashboards for more about creating dashboards.
- See Creating Enforcement Sets for more about creating Enforcement Sets.
- See Configuring Reports for more about Reports.
There are two types of data scopes:
- Global Data Scope - Users assigned the global data scope have access to all assets in the environment. Any role can be assigned the global data scope. The global data scope is created by Axonius and is not defined by an asset scope query.
- Other Data Scopes - These are all other data scopes you create. A user assigned a data scope can only see the information contained in that data scope.
- When a user is assigned to a specific data scope, the following permissions are not available:
  - System Management
  - Activity Logs
  - Sharing data across data scopes
- When a user with User Admin permissions is assigned a data scope, that user can create and manage users within the data scope.
Defining a Data Scope
There are a number of ways to define what assets are available in a data scope.
- Define by Assets - You can define a data scope by selecting which asset types to include on the Define by Assets tab. Then, for each asset type, you can further specify the included assets by creating a query that returns the assets to be included or by selecting specific fields to include in or exclude from the data scope.
- Define by Adapter - A data scope can be defined by adapter where only asset data fetched by the selected adapter connections is included in the data scope.
- Restrict Data - You can hide adapter connection information and restrict data within a data scope by cloud account:
  - Adapter connection information - By default, information about adapter connections is visible to users who can access the data scope. You can restrict the visibility of adapter connection information here. Select the adapter connections whose information you want to block within the data scope.
  - Cloud Accounts - You can select which cloud accounts are visible to the data scope in the Cloud Compliance Center.
You can combine these methods to define a data scope. For example, you can include only Device assets in a data scope that are fetched by specific adapter connections.
Defining a Data Scope by Assets
Only assets of the selected types will be available in the data scope, in combination with any selections made on the Define by Adapters tab.
To define a data scope by assets:
In the Define by Assets tab, search for or select the asset types to include in the data scope and click Apply. The number of selected asset types is indicated next to the tab name and a collapsible section is added below for each selected asset type, in their order of selection. An All Data tag appears next to each asset type to indicate that all assets of this type are included in the data scope.
You can further specify what assets are included in the data scope by using a query and/or specifying that the data of specific fields be included or excluded.
- To select an asset scope query, expand the asset type and select Refine data by query. From the list, select the asset scope query that returns the assets you want included in the data scope. Click + to add more queries. You can add as many as needed. To remove a query, click the x to the right. When an asset scope query is used, a Partial Data tag appears to indicate that only a subset of available assets of this type are included in the data scope. See Creating an Asset Scope Query.
- To include/exclude fields, expand the asset type and select Refine data by fields. When fields are included or excluded, a Partial Data tag appears to indicate that only a subset of available assets of this type are included in the data scope. Select either Include or Exclude.
  - Include - Select all fields you want to appear in the data scope. All other field names and data are hidden.
  - Exclude - Select all the fields you do not want to appear in the data scope. The field names and all field data are hidden.
Notes:
- When specific fields are excluded from a data scope, the following modules will not be available to the data scope:
  - Data Analytics
  - Asset Investigation
- These types of fields cannot be excluded from a data scope:
  - Preferred fields
  - Adapter-specific fields related to an aggregated field (e.g. AWS hostname)
  - Fields that Axonius correlation is based upon
- Within Asset Profile, the XML and JSON format tabs will not be available.
- The related modules of Software and Vulnerabilities will not be restricted even when those fields are restricted within any asset type.
Do one of the following:
- Go to the Define by Adapters tab to further define the data scope to include assets according to the adapter connection used to fetch them. Selections in all tabs combine to define the data scope.
- Go to the Restrictions tab to manage adapter configuration information and cloud accounts.
- Click Save to create the data scope as it is currently defined combined with the selections on the Define by Assets tab.
Assign data scopes to users to give access to specific users. Users are assigned a main data scope in the process of creation.
Defining a Data Scope by Adapter
Only assets from the selected adapters and adapter connections are included in the data scope, in combination with any selections made on the Define by Assets tab.
To define a data scope by adapter connections:
- In the Define by Adapters tab, select Define data by adapter connections.
  Notes: The data scope will include only assets from the selected adapter connections. When specific asset types are selected on the Define by Assets tab, those selections combine with the assets in the Define by Assets tab.
- Select adapters and adapter connections from which you want to include assets in the data scope.
- Do one of the following:
  - Go to the Define by Assets tab to select specific asset types in the data scope. Selections in all tabs combine to define the data scope.
  - Go to the Restrictions tab to manage adapter configuration information and cloud accounts.
  - Click Save to create the data scope as it is currently defined combined with the selections on the Define by Assets tab.
Managing Adapter Connection Information
You can decide to hide or reveal adapter connection information within a data scope. When adapter connection information is available, users can view it in the adapter profile page. When hidden, this information is not visible to users in the data scope.
To hide or reveal adapter connection information:
- On the Restrictions tab, in the Adapter configuration information section, choose Select adapter connections.
- A warning message is displayed explaining that the Enforcement Center is not available when adapter connections are restricted. After reading the message, click Continue Configuration to apply the restrictions or click Cancel to go back to the Restrictions tab.
- After clicking Continue Configuration, select the adapters and adapter connections whose information you want available in the data scope. All others will not be available in the data scope. If left empty, even if Select adapter connections is selected, the user will see all adapter connection information.
Managing Cloud Accounts in the Data Scope
You can manage which cloud accounts are available to the data scope in the Cloud Compliance Center. When cloud accounts are selected, only the selected accounts are available. If left empty, the user will see assets from all cloud accounts.
To select cloud accounts:
- On the Restrictions tab, in the Cloud accounts section, choose Select cloud accounts.
- Select the adapters and cloud accounts you want available in the Cloud Compliance Center for this data scope. All others will not be available in the data scope. If left empty, even if Select cloud accounts is selected, the user will see all cloud accounts in the Cloud Compliance Center.
Creating an Asset Scope Query
An asset scope query can be used to define the assets included in a data scope. The assets returned by the query are included in the data scope. For example, they can be determined by installed OS, IP addresses, tagged assets, or any other queryable data.
- Existing saved queries cannot be used as data scope queries.
- Data Scope queries cannot use other saved queries as part of the data scope definition.
- Use the Query Wizard to create a new query according to the criteria you require.
- Click Search. All relevant assets are displayed.
- Click Save As to save this query. The Save As New Query dialog opens.
- Enable Asset scope query to save this query as an asset scope query, select a folder in which to save the query, and click Save. By default, asset scope queries are saved in the Asset Scope folder.
The Asset Scope query toggle is only visible for users with relevant permissions.
When you open the Queries page, this query appears in the Asset Scope Query folder. The results of an asset scope query define the set of data included within a data scope and on which a user can perform all Axonius activities.
Users who have Manage data scope permissions can use asset scope queries like any other saved query (for instance, when creating dashboard charts, etc.).
Creating an Asset Scope Query from the New Data Scope Drawer
You can also create a new Asset Scope query directly from the New Data Scope drawer.
To create a new Asset Scope query:
- Click Add Query; the Query Wizard opens.
- Define the query. Refer to Creating Queries with the Query Wizard for details of how to create a query.
- Select a folder in which to save the query and click Save. By default, asset scope queries are saved in the Asset Scope folder. The new query appears as an asset scope query on the Queries page.
- Click Save. The new Data Scope you created appears in the Data Scope list.
You can edit/delete the data scope as required.
If you do not choose any asset scope queries at all, then the assigned users will have access to all assets on the system.
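The empty-selection behavior described above (no asset scope query, an empty Select adapter connections list, an empty Select cloud accounts list) can be checked in a review of scope definitions. The following is an added example, not Axonius code or an Axonius API: the record layout, field names, finding labels and sample scopes are constructed assumptions that mirror the settings on this page.

```python
from dataclasses import dataclass, field

@dataclass
class AssetTypeRule:
    """One asset type chosen on the Define by Assets tab (hypothetical record)."""
    asset_type: str
    queries: list = field(default_factory=list)          # Refine data by query
    included_fields: list = field(default_factory=list)  # Refine data by fields: Include
    excluded_fields: list = field(default_factory=list)  # Refine data by fields: Exclude

    def tag(self):
        # The page shows "Partial Data" once a query or a field selection is applied.
        refined = self.queries or self.included_fields or self.excluded_fields
        return "Partial Data" if refined else "All Data"

@dataclass
class DataScope:
    """A data scope as configured in the drawer (hypothetical record)."""
    name: str
    asset_rules: list = field(default_factory=list)
    select_adapter_connections: bool = False             # Restrictions tab option
    visible_adapter_connections: list = field(default_factory=list)
    select_cloud_accounts: bool = False                  # Restrictions tab option
    visible_cloud_accounts: list = field(default_factory=list)

def audit(scope):
    """Return labels for settings that leave more visible than a reviewer may expect."""
    findings = []
    # No asset scope query at all: assigned users have access to all assets.
    if not any(rule.queries for rule in scope.asset_rules):
        findings.append("NO_ASSET_SCOPE_QUERY")
    # An asset type with no refinement carries the "All Data" tag.
    findings += [f"ALL_DATA:{r.asset_type}" for r in scope.asset_rules
                 if r.tag() == "All Data"]
    # Option selected but list left empty: everything stays visible.
    if scope.select_adapter_connections and not scope.visible_adapter_connections:
        findings.append("ADAPTER_INFO_UNRESTRICTED")
    if scope.select_cloud_accounts and not scope.visible_cloud_accounts:
        findings.append("CLOUD_ACCOUNTS_UNRESTRICTED")
    return findings

# Constructed sample scopes; every name and value here is illustrative only.
SCOPES = [
    DataScope("emea-it",
              [AssetTypeRule("Devices", queries=["EMEA devices"]), AssetTypeRule("Users")],
              select_adapter_connections=True,
              select_cloud_accounts=True, visible_cloud_accounts=["example-cloud-account"]),
    DataScope("contractors", [AssetTypeRule("Devices", excluded_fields=["example_field"])]),
]

if __name__ == "__main__":
    for s in SCOPES:
        print(s.name, audit(s))
```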
Duplicating a Data Scope
You can duplicate a data scope to create a new data scope with small changes from an existing one.
To duplicate a data scope:
- Select a data scope on the Data Scope Page. The Data Scope drawer opens.
- Click the duplicate icon; a duplicate of the data scope is created called Copy <data scope name>.
- Rename the data scope and edit as required, then select Save.
Updating the Data in a Data Scope
From the Add Data Scope menu, click Edit Data Scope Settings to define the frequency at which the data scope data is updated. These settings apply to all data scopes.
- Set the frequency, in hours, at which the asset scope query results are updated. The default value is every 6 hours.
- Select Update complete history with scope interval to include historical data in the asset scope. Otherwise, the relevant roles can see data only from the day the scope was created.
Changing Asset Scope Queries
You can edit an asset scope query. When you edit an asset scope query, the set of assets that the users associated with the data scope can access is updated accordingly.
Be careful when you change an asset scope query. This affects the scope of the assets included in dashboard charts, Reports, Enforcement Actions, etc. that the users assigned to the data scope have created.