Asset Groups permissions

Abstract

Configure Asset Group permissions (under Inventory).

Asset Groups enable organizations to manage asset groups, such as creating logical groupings of assets, applying policies and rules to asset groups, scoping user access to specific asset groups (SBAC), and supporting automation exclusions by asset group.

Caution

SBAC: Asset Groups form the foundation of Scope-Based Access Control (SBAC). Granting a user View/Edit access to Asset Groups allows them to modify the groups that dictate data access boundaries for other users in the tenant.

The following features are affected:

  • Asset Groups: InventoryAssetsGroups. For more information, see Asset Groups.

  • User Groups: When defining or editing a user group, you can scope an asset by defining the access group. For more information, see Scope user access to applications (Application SBAC).

  • Automations Exclusion Center: When selecting Edit Policy, you can add an Asset Group to exclude the relevant asset class. For more information, see Manage automation exclusion policies.

Permissions

Description

Roles Example

None

No access to the Asset Group Menu, and limited ability to view groups in SBAC and Select groups in Automation Exclusion.

SOC Tier 1 Analyst: Asset group management is not part of the daily operations.

View

Read-only access to the View Assets Group list, details, members, search and filter groups, and only view groups in SBAC.

  • SOC Tier 2 Analyst: Reference asset groups during investigations

  • SOC Tier 3 Analyst: Understand asset groupings for analysis.

  • Threat Hunter: Reference asset groups for scoped hunting.

View/Edit

All View capabilities, plus create, edit, delete, add assets to a group in SBAC, and select groups in automation exclusion

Security Engineer: Configure and maintain asset groups