cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted
Employee+
Employee+

Coming Up: Adding Granular Permissions to the Compliance Module

The Dome9 permissions model is evolving! We’re adding additional granular permissions for the Compliance related features, allowing our customers to better define their Dome9 users and roles. The new permission model is scheduled for release on Wednesday, October 2nd.

 

Background

Dome9 allows you to define users and roles. The Dome9 permissions model includes the ability to specify the permissions to view data for specific Cloud Accounts and Organizational Units, and manage the Network Security permissions (create and manage Security Groups, as well as ability to use Dynamic Access and IAM elevations).

 

The new capabilities we’re adding would allow you to better control the permissions of the Compliance Engine, and include:

  • Add, edit or delete Rulesets 
  • Add, edit or delete notifications and integrations with external systems and control alerts actions
  • Add, edit or delete Remediations 
  • Add, edit or delete Exclusions 
  • Acknowledge alerts, add comments, assign alerts to users and change alert severity.
  • Associate/disassociate Compliance Policy

clipboard_image_0.png

How does this change affect us?

Dome9 permissions management screens - Roles screen and Users screen - would include additional permissions related to the Compliance Engine. Dome9 Super Users would be able to assign these new permissions to roles (or specific users directly). Users that do not include these permissions would not be able to perform the relevant actions (i.e. edit exclusions or acknowledge alerts).

 

These changes will affect the predefined “Auditor” role.

Currently this role can perform many types of operations; when adding the new permissions Dome9 users assigned to the predefined “Auditor” role will not be able to:

  • Create or edit rulesets.
  • Edit Notifications and Integrations with external systems.
  • Edit Compliance Policies.
  • Perform actions on alerts (edit Remediations, edit Exclusions, acknowledge alerts, add comments, assign alerts and change severity).

With that change, the predefined “Auditor” role would become an actual read-only role, and would be dedicated to auditing.

 

Note: No changes would be applied to the Super User role, it would still be able to perform any action.

 

What can I do to provide my users permissions the actions they used to perform?

When the new permissions would be introduced it would be possible to choose which compliance-related actions your uses would be able to perform.

Here are a few suggestions for the new roles you can use or generate:

  1. For auditors, that only observe and monitor, the updated “Auditor” role can be used.
  2. For users that also need to review alerts, process generated alerts and acknowledge, a new role should be created, and it should include the “Alerts Configurations and Actions” permission.
  3. Users that modify compliance content (create or modify compliance rulesets) should be assigned with the “Rulesets and Content” permission.
  4. Users that need to create notifications (send alert reports via emails, or other types of integrations such as AWS SNS, HTTP endpoints and more), as well as association of cloud accounts with compliance rulesets and notifications (“Continuous Compliance” policies) should be assigned with “Integrations and Notifications” permission.

Use a Super User to edit users and roles and assign the new permissions.

 

If you have any questions or need help, please reach out to Support here

Offir Zigelman, Dome9 Product Team Lead
0 Kudos