1 Reply Latest reply on May 31, 2012 8:16 AM by Caleb Corey

    scanner profile restriction

    Sec MD Lurker

      Does QualysGuard VM have the ability to restrict "SCANNER" Role to specific scanner appliances? I'm looking to create roles for admin teams to scan specific segments and/or branch offices using only the scanners available in specific network/location without them having the ability to accidentally launch scans which are not part of their location.

        • scanner profile restriction
          Caleb Corey Level 2

          Hello!

           

          There are a number of ways to deal with business segmentation. The most thorough and 'secure' way to segment your business operations is through the use of Business Units; however, implementing Business Units adds additional complexity and management overhead, so if you do not NEED that level of separation, I would recommend against implementing them.

           

          However, on the other hand, without business units, a user with a SCANNER role will be able to access only assets assigned to them: this means that any Host Assets contained in asset groups they have been assigned can be scanned, and it means that they can use the external scanners as well as any scanner appliances that are in asset groups assigned to them. (In point of fact, a SCANNER role user cannot see any scanner appliances until they are assigned to the user in this manner - added to an asset group that has been assigned to the SCANNER user.)

           

          In your case, it should be a relatively simple task to ensure that you create asset groups for 'Location A' and 'Location B' and so on; then assign these asset groups to the users in those locations, and ensure that only host assets (and scanner appliances) in each location are assigned to the correct group. Thus a user with access to your 'Location B' group would have access to the host assets (IPs) and scanner appliances that are in Location B. This adds additional flexibility over using Business Units as it is possible for someone to be given access to asset groups for multiple locations (if you choose to do so).

           

          -Caleb Corey

          Qualys Technical Support Engineer
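
An added example, not part of the original reply and not Qualys code: a small audit of the per-location asset group layout described above, flagging host ranges or scanner appliances placed in the wrong location's group and listing SCANNER users whose assigned groups reach appliances in more than one site. The data model, names and addresses are constructed for illustration, and no Qualys API is called.

```python
import ipaddress

# Constructed sample data (not a Qualys export): site ranges, where each
# appliance physically sits, asset groups, and each SCANNER user's groups.
SITES = {"A": "10.1.0.0/16", "B": "10.2.0.0/16"}
APPLIANCE_SITE = {"scanner-a1": "A", "scanner-b1": "B"}
ASSET_GROUPS = {
    "Location A": {"site": "A", "ips": ["10.1.5.0/24"],
                   "appliances": ["scanner-a1"]},
    "Location B": {"site": "B", "ips": ["10.2.8.0/24", "10.1.9.10/32"],
                   "appliances": ["scanner-b1", "scanner-a1"]},
}
USER_GROUPS = {"alice": ["Location A"], "bob": ["Location B"]}


def audit_groups(groups, sites, appliance_site):
    """Return sorted (group, kind, item) for entries outside the group's site."""
    findings = []
    for name, group in groups.items():
        site_net = ipaddress.ip_network(sites[group["site"]])
        for ip in group["ips"]:
            if not ipaddress.ip_network(ip).subnet_of(site_net):
                findings.append((name, "host-range", ip))
        for appliance in group["appliances"]:
            if appliance_site.get(appliance) != group["site"]:
                findings.append((name, "appliance", appliance))
    return sorted(findings)


def effective_appliances(user, user_groups, groups):
    """Appliances a SCANNER user can use: the union over assigned groups."""
    return sorted({a for g in user_groups.get(user, [])
                   for a in groups[g]["appliances"]})


def cross_site_users(user_groups, groups, appliance_site):
    """Users whose usable appliances span sites (review: may be intended)."""
    result = {}
    for user in user_groups:
        reach = {appliance_site.get(a, "unknown")
                 for a in effective_appliances(user, user_groups, groups)}
        if len(reach) > 1:
            result[user] = sorted(reach)
    return result


if __name__ == "__main__":
    for finding in audit_groups(ASSET_GROUPS, SITES, APPLIANCE_SITE):
        print("misplaced:", finding)
    print(cross_site_users(USER_GROUPS, ASSET_GROUPS, APPLIANCE_SITE))
```

A user listed by `cross_site_users` is not necessarily a mistake, since access to several locations can be granted on purpose; the `audit_groups` findings are the entries that break the one-location-per-group layout.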