1122 Views 1 Reply Latest reply: May 31, 2012 8:16 AM by Caleb Corey
Sec MD Lurker 2 posts since
Apr 9, 2011

May 30, 2012 4:21 PM

scanner profile restriction

Does QualysGuard VM have the ability to restrict "SCANNER" Role to specific scanner appliances? I'm looking to create roles for admin teams to scan specific segments and/or branch offices using only the scanners available in specific network/location without them having the ability to accidentally launch scans which are not part of their location.

  • Caleb Corey Level 2 32 posts since
    Jul 27, 2010
    May 31, 2012 8:16 AM (in response to Sec MD)
    scanner profile restriction

    Hello!

     

    There are a number of ways to deal with business segmentation.  The most thorough and 'secure' way to segment your business operations is through the use of Business Units: however, implementing Business Units adds additional complexity and management overhead, so if you do not NEED that level of separation, I would recommend against implementing them.

     

    However, on the other hand, without business units, a user with a SCANNER role will be able to access only assets assigned to them: this means that any Host Assets contained in asset groups they have been assigned can be scanned, and it means that they can use the external scanners as well as any scanner appliances that are in asset groups assigned to them.  (In point of fact, a SCANNER role user cannot see any scanner appliances until they are assigned to the user in this manner - added to an asset group that has been assigned to the SCANNER user.)

     

    In your case, it should be a relatively simple task to ensure that you create asset groups for 'Location A' and 'Location B' and so on; then assign these asset groups to the users in those locations, and ensure that only host assets (and scanner appliances) in each location are assigned to the correct group.  Thus a user with access to your 'Location B' group would have access to the host assets (IPs) and scanner appliances that are in Location B.  This adds additional flexibility over using Business Units as it is possible for someone to be given access to asset groups for multiple locations (if you choose to do so).

     

    -Caleb Corey

    Qualys Technical Support Engineer
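
The asset-group scoping described in the reply above can be checked offline with a small model. This is an added example, not part of the original thread and not Qualys code or its API; the site networks, appliance names, group contents and users are all constructed, and external scanners are not modeled.

```python
import ipaddress

# Constructed sample data: site networks, appliances and the site each sits in.
SITES = {"Location A": "10.10.0.0/16", "Location B": "10.20.0.0/16"}
APPLIANCES = {"scanner-a1": "Location A", "scanner-b1": "Location B"}

# Asset groups: host ranges plus the scanner appliances placed in the group.
ASSET_GROUPS = {
    "Location A": {"ips": ["10.10.1.0/24"], "appliances": ["scanner-a1"]},
    "Location B": {"ips": ["10.20.5.0/24"], "appliances": ["scanner-b1"]},
    "Branch misc": {"ips": ["10.20.9.0/24"], "appliances": ["scanner-a1"]},
}
# SCANNER-role users and the asset groups assigned to them.
USERS = {"alice": ["Location A"], "bob": ["Location B", "Branch misc"]}


def site_of(cidr):
    """Return the site whose network contains cidr, or None if unknown."""
    net = ipaddress.ip_network(cidr)
    for site, supernet in SITES.items():
        if net.subnet_of(ipaddress.ip_network(supernet)):
            return site
    return None


def effective_access(user):
    """Hosts and appliances a SCANNER user gets through assigned groups."""
    ips, appliances = set(), set()
    for name in USERS[user]:
        ips.update(ASSET_GROUPS[name]["ips"])
        appliances.update(ASSET_GROUPS[name]["appliances"])
    return ips, appliances


def mixed_groups():
    """Asset groups whose hosts and appliances span more than one site."""
    findings = {}
    for name, group in ASSET_GROUPS.items():
        sites = {site_of(c) for c in group["ips"]}
        sites |= {APPLIANCES[a] for a in group["appliances"]}
        if len(sites) > 1:
            findings[name] = sorted(sites, key=str)
    return findings


if __name__ == "__main__":
    for user in USERS:
        print(user, effective_access(user))
    print("mixed-site groups:", mixed_groups())
```

Here the constructed "Branch misc" group pairs Location B hosts with a Location A appliance, so a user assigned that group could launch Location B scans from the Location A scanner; the check flags exactly that kind of group.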
