Defining a Data Scope

When adding assets to a data scope, the configuration of asset subsets is inherited from the main asset type.

To define a data scope:

  1. From the Data Scopes page, click + Add Data Scope.
  2. Define which assets are included in the data scope according to the following methods.

There are a number of ways to define what assets are available in a data scope.

  • Define by Assets - You can define a data scope by selecting which asset types to include. Then, for each asset type, you can refine the included assets by creating a query that returns the assets to include, or by selecting specific fields to include or exclude from the data scope.
    • You can also apply a data scope profile to use a saved configuration of included or excluded fields.
  • Define by Adapter - The list of assets included in the data scope is defined by the selected adapter connections. Only those assets are included. However, the data for these assets can come from any adapter connection.
  • Restrict Data - You can hide adapter connection information and restrict data within a data scope by cloud account:
    • Adapter connection information - By default, information about adapter connections is visible to users who can access the data scope. You can restrict the visibility of adapter connections here. Select the adapter connections whose information you want to block within the data scope.
    • Cloud Accounts - You can select which cloud accounts are visible to the data scope in the Cloud Compliance Center.

You can combine these methods to define a data scope. For example, you can include only Device assets in a data scope that are fetched by specific adapter connections.

Note:

Dashboards and queries with an access permission of Private are only available to the user who created them and only within the assigned data scope where they were created.

Defining a Data Scope by Assets

Only assets of the selected types will be available in the data scope, in combination with any selections made on the Define by Adapters tab.

To define a data scope by assets:

  1. In the Define by Assets tab, search for or select the asset types to include in the data scope and click Apply. The number of selected asset types is indicated next to the tab name and a collapsible section is added below for each selected asset type, in their order of selection. An All Data tag appears next to each asset type to indicate that all assets of this type are included in the data scope.

  2. You can further specify what assets are included in the data scope by using a query and/or specifying that the data of specific fields be included or excluded.

    1. To select an asset scope query, expand the asset type and select Refine data by query. From the list, select the asset scope query that returns the assets you want included in the data scope. Click + to add more queries. Adding queries functions as an AND, so results from all selected queries are included in the data scope. You can add as many as needed. To remove a query, click the x to the right. When an asset scope query is used, a Partial Data tag appears to indicate that only a subset of available assets of this type are included in the data scope. See Creating an Asset Scope Query.
    2. To include/exclude fields, expand the asset type and select Refine data by fields. When fields are included or excluded, a Partial Data tag appears to indicate that only a subset of available assets of this type are included in the data scope.

Using Data Scope Profiles

Instead of defining included and excluded fields for every data scope individually, you can apply a data scope profile. When a profile is applied, the Refine data by fields option is disabled and the field configurations from the profile are shown greyed out.

The Partial Data tag appears next to the asset type name.

To use profiles, they must first be enabled for all data scopes. See Data Scope Settings. When data scope profiles are enabled, the "Data scope profile" section is added to the top of the data scope configuration drawer (including for existing data scopes). There you need to enable profiles for the individual data scope. See Applying a Profile to a Data Scope.

Select either Include or Exclude.

  • Include - Select all fields you want to appear in the data scope. All other field names and data are hidden.
  • Exclude - Select all the fields you do not want to appear in the data scope. The field names and all field data are hidden.

Notes:

  • When specific fields are excluded from a data scope, the following modules will not be available to the data scope:

    • Data Analytics

    • Asset Investigation

  • These types of fields cannot be excluded from a data scope:

    • Preferred fields

    • Adapter-specific fields related to an aggregated field (e.g. AWS hostname)

    • Fields that Axonius correlation is based upon

  • Within Asset Profile, the XML and JSON format tabs will not be available.

  • The related modules of Software and Aggregated Security Findings will not be restricted even when those fields are restricted within any asset type.

  3. Do one of the following:
    1. Go to the Define by Adapters tab to further define the data scope to include assets according to the adapter connection used to fetch them. Selections in all tabs combine to define the data scope.
    2. Go to the Restrictions tab to manage adapter configuration information and cloud accounts.
    3. Click Save to create the data scope as it is currently defined combined with the selections on the Define by Assets tab.
  4. Assign data scopes to users to give access to specific users. Users are assigned a main data scope in the process of creation.

Defining a Data Scope by Adapter

Only assets from the selected adapters and adapter connections are included in the data scope, in combination with any selections made on the Define by Assets tab.

To define a data scope by adapter connections:

  1. In the Define by Adapters tab, select Define data by adapter connections.

Notes

  • The data scope will include only assets from the selected adapter connections. When specific asset types are selected on the Define by Assets tab, those selections combine with the assets in the Define by Assets tab.
  • Up to 50 adapter connections can be selected when defining a data scope by adapter.
    1. Select how to specify what adapter connections are included in the data scope:
      • Include only - Select the adapter connections whose assets you want included in the data scope. Only assets and asset data from these adapter connections are included in the data scope.
      • Include all but - Select the adapter connections whose assets you do not want included in the data scope. All assets and data from all other adapter connections will be included in the data scope.
      • Exclude - Select the adapter connection whose assets you do not want included in the data scope. All assets and data from all other adapter connections will be included in the data scope.

  1. Click the adapters list, then select adapters and/or adapter connections.

  1. To hide all data from specific adapters, select Hide data by adapter and select from the list the adapters that you do NOT want to appear in the data scope. All data fetched via the selected adapters will not be included in the data scope. Note that some data may be fetched by more than one adapter and may appear in the data scope from that other source.


  2. Optionally, do one of the following:

    1. Go to the Restrictions tab to manage adapter configuration information and cloud accounts.
    2. Go to the Define by Assets tab to select specific asset types in the data scope. Selections in all tabs combine to define the data scope.
  3. Click Save to create the data scope as it is currently defined combined with the selections on the Define by Assets tab.

Managing Adapter Connection Information

You can decide to hide or reveal adapter connection information within a data scope. When adapter connection information is available, users can view it in the adapter profile page. When hidden, this information is not visible to users in the data scope.

To hide or reveal adapter connection information:

  1. On the Restrictions tab, in the Adapter configuration information section, choose Select adapter connections.
  2. Select the adapters and adapter connections whose information you want available in the data scope. All others will not be available in the data scope. If left empty, even if Select adapter connections is selected, the user will see all adapter connection information.

Managing Cloud Accounts in the Data Scope

You can manage which cloud accounts are available to the data scope in the Cloud Compliance Center. When cloud accounts are selected, only the selected accounts are available. When left empty, all cloud accounts are available.

To select cloud accounts:

  1. On the Restrictions tab, in the Cloud accounts section, choose Select cloud accounts.
  2. Select the adapters and cloud accounts you want available in the Cloud Compliance Center for this data scope. All others will not be available in the data scope. If left empty, even if Select cloud accounts is selected, the user will see all cloud accounts in the Cloud Compliance Center.
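
Two behaviours described above decide what a scoped user can still see: Hide data by adapter (data may still appear from another adapter) and an empty selection on the Restrictions tab (everything stays visible). The following is an added example that models both in simplified Python; it is not Axonius code and uses no Axonius API or export format. The records and all names (`visible_fields`, `still_exposed`, `effective_selection`, `adapter_a`, `adapter_b`) are constructed for illustration.

```python
# Simplified model of two data scope behaviours described on this page.
# Constructed data and hypothetical names; not Axonius code, API or export format.

# Constructed asset: each field maps the adapter that fetched it to the value.
ASSET = {
    "hostname": {"adapter_a": "web-01", "adapter_b": "web-01"},
    "public_ip": {"adapter_a": "203.0.113.10"},
    "agent_version": {"adapter_b": "7.1"},
}


def visible_fields(asset, hidden_adapters):
    """Hide data by adapter: drop values fetched via hidden adapters.

    A field survives if at least one non-hidden adapter also reports it.
    """
    hidden = set(hidden_adapters)
    result = {}
    for field, by_adapter in asset.items():
        kept = {a: v for a, v in by_adapter.items() if a not in hidden}
        if kept:
            result[field] = kept
    return result


def still_exposed(asset, hidden_adapters):
    """Fields reported by a hidden adapter that remain visible via another one."""
    hidden = set(hidden_adapters)
    visible = visible_fields(asset, hidden)
    return sorted(
        field for field, by_adapter in asset.items()
        if hidden & set(by_adapter) and field in visible
    )


def effective_selection(option_selected, selected, all_items):
    """Restrictions tab rule: an empty selection leaves every item visible,
    even when "Select adapter connections" / "Select cloud accounts" is chosen."""
    if not option_selected or not selected:
        return sorted(all_items)
    return sorted(set(selected) & set(all_items))


if __name__ == "__main__":
    print(visible_fields(ASSET, ["adapter_a"]))
    print(still_exposed(ASSET, ["adapter_a"]))
    print(effective_selection(True, [], ["acct-1", "acct-2"]))
```

A non-empty result from `still_exposed` means the hidden adapter's own values are gone but those fields are still populated from another source, so review them before relying on Hide data by adapter to withhold that information.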