How to Manage User Roles

How to view, search, and create user roles as well as how to identify Spirion-defined user roles.

Overview

You can manage your roles on the User Management screen (Settings > User Management):

  • View a Role
  • Search for a Specific Role
  • Create a new Role
  • Identify Spirion-Defined Roles

Granular Permissions

Roles include granular permissions to determine whether users can read, create or manage:

  • Individual Scans
  • Playbooks
  • Reports created by other users
  • Note: All Role permissions can be modified (including deletion). This does not apply to the Admin role.

Default User Roles

Example User Roles from drop-down menu

Below is a list of native user roles and their permissions.

Note that by default all users assigned to a custom role have access to the SPIglass™ Dashboard, Data Asset Inventory (including the SDV3 dashboard, targets, and tags), Agent Management, scans, playbooks, and reports.

  • The agents, targets, scans, playbooks, and reports a user can view and manage are controlled by Role-based Access Control (RBAC) permissions that can be set up after the role is created.
  • Access to all tags, targets, scans, and reports is denied by default, excluding only those the user created before being assigned to the role.

Native User Roles

You can assign users to the roles below. Users inherit the permissions provided by the role they are assigned.

Note: As an administrator you can create a custom role if the following default roles and their inherent permissions do not meet your needs.

  • Activity Monitor Admin
    • View permissions:
      • Agent Policies/Installation - User can view agent policies and agent configuration installations
      • Sensitive Data Watchers* - User can view Sensitive Data Watchers
      • * requires User Guide feature (requires separate license)
    • Manage permissions:
      • Agent Policies/Installation - User can manage agent policies and agent configuration installations
      • Sensitive Data Watchers* - User can manage Sensitive Data Watchers
      • * requires User Guide feature (requires separate license)
  • Activity Monitor User
    • View permissions:
      • Sensitive Data Watchers* - User can view Sensitive Data Watchers
      • * requires User Guide feature (requires separate license)
    • Manage permissions:
      • None
  • Admin
    • No restrictions
    • Admin users have full control
    • Admin role permissions cannot be changed
    • Only Admin users have permission to view and use the Global Ignore Lists section on Scans Settings page (under Settings>Application Settings).
  • Compliance Admin
    • View-Only permissions:
      • Sensitive Data Finder* - User can view Sensitive Data Finders
      • Sensitive Data Finder* (Erasure Checklist)
      • * requires Sensitive Data Finder feature (requires separate license)
    • Manage permissions:
      • Sensitive Data Finder* - User can manage Sensitive Data Finders
      • Sensitive Data Finder* (Erasure Checklist)
      • * requires User Guide feature (requires separate license)
  • Compliance User
    • View-Only permissions:
      • Sensitive Data Finder* - User can view Sensitive Data Finders
      • Sensitive Data Finder* (Erasure Checklist)
      • * requires User Guide feature (requires separate license)
    • Manage permissions:
      • None
  • Data Privacy Admin
    • View permissions:
      • Agent Policies/Installation - User can view agent policies and agent configuration installations
      • Script Repository - User can view the custom script repository
      • Scan Results - User can view sensitive data and discovery scan results
    • Manage permissions:
      • Create Tags and Targets - User can create tags and targets
        • Role-based Access Control (RBAC) permissions are used to control the tags and targets a user in this role can view, modify, or delete. By default, users are permitted to view and manage any tag or target they create.
      • Create Scans - User can create sensitive data and discovery scans
        • Role-based Access Control (RBAC) permissions are used to control the scans a user in this role can view, modify, or delete. By default, users are permitted to view and manage any scan they create.
      • Create Playbooks - User can create playbooks. Creating playbooks requires read-only access to the custom script repository. The Manage option grants this access when the user role is created.
        • Role-based Access Control (RBAC) permissions are used to control the playbooks a user in this role can view, modify, or delete. By default, users are permitted to view and manage any playbook they create.
      • Create Custom Reports - User can create custom reports
        • Role-based Access Control (RBAC) permissions are used to control the reports a user in this role can view, modify, or delete. By default, users are permitted to view and manage any report they create.
      • Scan Results - User can manage sensitive data and discovery scan results
  • Data Privacy User
    • View permissions:
      • Agent Policies/Installation - User can view agent policies and agent configuration installations
      • Scan Results - User can view sensitive data and discovery scan results
      • Script Repository - User can view the custom script repository
    • Manage permissions:
      • None
  • General User
    • View permissions:
      • Scan Results - User can view sensitive data and discovery scan results

Available User Role Permissions

When you create or edit a role in Spirion Sensitive Data Platform, the screen below appears and lists the permissions available to assign to your user role.

  • Permissions can be assigned as either or both:
    • View (Read) - Check the View box for a permission to enable read access.
    • Manage (Write/Create/Delete) - Check the Manage box for a permission to enable write, create, and delete actions. Checking the Manage box for a permission automatically enables the correlated View box (Read access).

Custom Roles

When creating custom roles for subsets of users:

  • Access is built through explicit inclusion by specifying what playbooks, scans and reports should be available.

Read Permission

  • Scan Policy: the Read permission for a Scan Policy enables users to only initiate a scan.
    • This means the policy details cannot be seen via the create/edit screen.
  • Playbook: the Read permission for a Playbook enables users to select a playbook when defining a scan.
    • Users with this level of access are not able to view the playbook itself until navigating to a result’s executor view (if authorized).
    • Note: Users have full control over objects they create, even if their permissions to create new items are subsequently restricted.
    • Note: See Defining Access Controls for more information on how to manage your Roles' access to data.
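The following is an added example, not Spirion code: a small Python model of the access decisions this article describes (View and/or Manage per permission, Manage implying View, Admin unrestricted, default deny unless an object is explicitly included for the role, and full control over objects the user created). Role names, object ids and users are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed model of the role semantics described above (not Spirion code).
# Rules modelled: a permission is granted as View and/or Manage; checking Manage
# automatically enables View; Admin has no restrictions; objects are denied by
# default unless explicitly included; users keep full control over what they created.

@dataclass
class Role:
    name: str
    view: set[str] = field(default_factory=set)      # permission kinds with View checked
    manage: set[str] = field(default_factory=set)    # permission kinds with Manage checked
    included: set[str] = field(default_factory=set)  # object ids explicitly made available
    is_admin: bool = False

    def can_view(self, kind: str) -> bool:
        # Manage implies View, mirroring the auto-enabled View box.
        return self.is_admin or kind in self.view or kind in self.manage

    def can_manage(self, kind: str) -> bool:
        return self.is_admin or kind in self.manage


@dataclass(frozen=True)
class DataObject:
    obj_id: str
    kind: str         # "scans", "playbooks", "reports", "tags", "targets"
    created_by: str


def authorized(role: Role, user: str, obj: DataObject, action: str) -> bool:
    """Decide whether `user` (assigned `role`) may `action` ("view"/"manage") `obj`."""
    if role.is_admin:
        return True                      # Admin: no restrictions
    if obj.created_by == user:
        return True                      # full control over objects the user created
    if obj.obj_id not in role.included:
        return False                     # default deny: no explicit inclusion
    return role.can_manage(obj.kind) if action == "manage" else role.can_view(obj.kind)


# Constructed sample data: a custom role with Manage on scans, View on reports,
# and two objects explicitly included for that role.
ADMIN = Role("Admin", is_admin=True)
ANALYST = Role("Scan Analyst", manage={"scans"}, view={"reports"},
               included={"scan-42", "report-7"})
SCAN_42 = DataObject("scan-42", "scans", created_by="bob")
SCAN_99 = DataObject("scan-99", "scans", created_by="alice")   # not included
REPORT_7 = DataObject("report-7", "reports", created_by="carol")
```

Walking the sample data through `authorized` shows that an included scan is manageable through the Manage box alone, a non-included scan is reachable only by its creator, and View on reports never grants Manage.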

How to View a Role

Use the following steps to view a user role:

  1. From the left menu, click Settings.

  2. Click User Management.

  3. Select the USER ROLES tab.

  4. Roles are displayed in a table by Role Name and Role Status (enabled or disabled).

How to Search for a Role

Use the following steps to search for a specific Role:

  1. From the left side navigation menu select Settings > User Management.
  2. The User Management page appears.
  3. Select the USER ROLES tab.
  4. In the search box, type the Role name.
  5. Roles matching your search criteria are displayed in the list.
  6. Click x to clear the search term.
