- 26 Sep 2023
- 7 Minutes to read
Managing Data Scopes
- Updated on 26 Sep 2023
- 7 Minutes to read
Use Data Scopes to enable groups of users to see only data that is relevant to them or that they are allowed to see. A Data Scope is a subset of all the data in your environment defined by an Asset Scope query. Users assigned a specific Data Scope can only see the data from that Data Scope.
Data Scopes are useful, for instance, when there are different teams, departments, or geographic regions in an organization that each need access to specific assets. While you want one instance of Axonius to be installed for your organization, you want each team,department, or geographic region to only see information about their own assets, thereby creating a closed environment for each.
Each Data Scope has separate entities: queries, dashboards, Enforcement Sets and reports. When a Data Scope is first created, it is empty and does not include any of these entities. Access to each entity is defined by the permissions selected when creating them. They can also be moved from one permission level to another.
- See Creating Queries with the Query Wizard for more about creating queries.
- See Working with Dashboards for more about creating dashboards.
- See Creating Enforcement Sets for more about creating Enforcement Sets.
- See Configuring Reports for more about Reports.
There are two types of Data Scopes:
- Global Data Scope - Users assigned the Global Data Scope have access to all assets in the environment. Any role can be assigned the Global Data Scope. The Global Data Scope is created by Axonius and is not defined by an Asset Scope query.
- Other Data Scopes - These are all other Data Scopes you create. A user assigned a Data Scope can only see the information contained in that Data Scope.
Defining a Data Scope
Make sure you have the Manage data scopes permission to create and save the Data Scope.
To set up a Data Scope you need to do the following:
• Create an Asset Scope query which will define the assets to which you want to enable access.
• Create a Data Scope based on the Asset Scope query.
• Create a data restricted role for this Data Scope
• Assigning Users to the Data Restricted Role
Setting Up the Asset Scope Query
First you need to define the assets which are part of the Data Scope. Define the assets by creating an Asset Scope query. The results of the query define the Data Scope; for example, they can be determined by installed OS, IP addresses, or tagged assets.
- Use the Query Wizard to create a new query according to the criteria you require.
Click Search, all relevant assets are displayed.
Click Save As to save this query.
The Save As New Query dialog opens.
- Enable Asset scope query to save this query as an Asset Scope query, select a folder to save the query and click Save. By default Asset scope queries are saved in the Asset Scope folder.
The Asset Scope query toggle is only visible for users with relevant permissions.
When you open the Queries page, this query appears in the Asset Scope Query folder. The results of an Asset Scope query define the set of data included within a Data Scope and on which a user can perform all Axonius activities.
Users who have Manage Data Scope permissions can use asset scope queries like any other saved query (for instance, when creating dashboard charts, etc.).
Creating a Data Scope
You can define Data Scopes from the System Settings.
- From the top right corner of any page, click . The System Settings page opens.
- In the Categories/Subcategories pane of the System Settings page, expand User and Role Management, and select Data Scopes.
Click Add Data Scope; the New Data Scope drawer opens.
In Data Scope Name, enter a name for the Data Scope.
In Description, enter an optional description of the data included in the Data Scope.
Under Data Scopes, expand an asset type and select an Asset Scope query, or create new one, for one or more of the listed asset types. A Data Scope must include at least one Asset Scope query.
The next to the asset type name indicates that an Asset Scope query is selected for that asset type.
If needed, click + to select additional Asset Scope queries. Continue to add queries as required. You can add up to 100 Asset Scope queries in order to create a Data Scope. This includes queries from all asset types.
To exclude data associated with specific fields from this Data Scope for any asset type, select the fields you want to exclude in the Excluded Fields list for each asset type. The field name will still appear in tables and lists, as well as in the Query Wizard, but the data will not be visible. When a field whose data is excluded is selected, for example, when configuring a dashboard chart or in the Query Wizard, an error message is displayed saying that additional permissions are required.Notes:
When data from specific fields is hidden in a Data Scope, the following modules will not be available to the Data Scope:
- Data Analytics
- Asset Investigation
- Asset Graph
- Enforcement Center
Within Asset Profile, the XML and JSON format tabs will not be available.
The related modules of Software and Vulnerabilities will not be restricted even when those fields are restricted within any asset type.
To exclude the data of specific cloud accounts from the Data Scope, under Exclude Cloud Accounts from Scope, select the cloud provider and account you want to exclude. Data from the selected accounts will not be available to this Data Scope. Click + to select additional cloud accounts. Multiple accounts from the same provider can be selected. You can exclude as many cloud accounts as required.
You can set the Data Scope to only display settings information about specific Adapter connections in the Adapter Connections and Adapter Fetch History pages. Users of the Data Scope will only be able to see setting information about the Adapter Connections selected here. To set the Adapter Connections about which they will be able to see information, in Adapter Connections select Set specific adapter connections and select connections from the list.Notes:
- Setting specific Adapter connections does not restrict the data visible in the Data Scope. Data may be accessible from another connection.
- When Set specific adapter connections is selected, the Enforcement Center is disabled.
- When Set specific adapter connections is not selected, the Data Scope will still have access to information about all adapter connections.
- When Set specific adapter connections is selected:
- Select at least one adapter connection.
- If no adapter connection is selected, the Data Scope will not have access to any information about any connections.
- Selecting an adapter (includes all connections to that adapter) only adds existing connections. You must add any connections added later.
Click Save, the new Data Scope you created appears in the Data Scope list.
Creating an Asset Scope Query from the New Data Scope Drawer
You can also create a new Asset Scope query directly from the New Data Scope drawer.
To create a new Asset Scope query
- Click Add Query; the Query Wizard opens.
- Define the query. Refer to Creating Queries with the Query Wizard for details of how to create a query.
- Select a folder to save the query and click Save. By default Asset Scope queries are saved in the Asset Scope folder.
The new query appears as an Asset Scope query on the Queries page.
4. Click Save, the new Data Scope you created appears in the Data Scope list.
You can edit/delete the Data Scope as required.
If you do not choose any Asset Scope queries at all, then the assigned users will have access to all assets on the system.
Duplicating a Data Scope
You can duplicate a Data Scope to create a new Data Scope with small changes from an existing one
To duplicate a Data Scope
Click on the Data Scope on the Data Scope Page, the Data Scope drawer opens.
Click the duplicate icon; a duplicate of the Data Scope is created called Copy <data scope name>.
Rename the Data Scope and edit as required, then select Save.
Data Scope Query Updates
From the Add Data Scope menu, click Edit Data Scope Settings to define the frequency at which the Data Scope data is updated.
- Set the frequency in hours in which the Asset Scope Query results are updated. The default value is every 6 hours.
- Select Update complete history with scope interval to include historical data in the Asset scope, otherwise the relevant roles can see data only from the day the scope was created.
Changing Asset Scope Queries
You can edit an Asset Scope query. When you edit an Asset Scope query, then this changes the set of assets that the users associated with the Data Scope can access.
Be careful when you change an Asset Scope query. This affects the scope of the assets included in Dashboard charts, Reports, Enforcements, etc. that the users assigned to the Data Scope have created.