Entity scoping is not Role-Based Access Control (RBAC).
Some may disagree with this, but it sets the stage for the distinction I want to start with: RBAC differs from access control lists (ACLs) used in traditional discretionary access-control systems, in that RBAC systems assign permissions to specific operations with meaning in the organization, rather than to low-level data objects.
With this in mind, we are going to talk about Entity Scoping, which is aimed precisely at setting security around low-level data objects. The basic premise here is that RBAC gives you access to a set of functionality, and Entity Scoping determines which objects you can perform those actions against. When used together, these two tools provide a powerful yet highly configurable security posture.
Results of Scoping
Entity Scoping is accomplished through the use of entity filters. These can be used to limit what objects an individual or group has access to. An easy example is that you only want Tier I Analysts to be able to see basic workstation machines, so you use entity filters to remove any server-class machines from their views.
In this example we can see that they have access to server entity types, so we are going to create a new filter, and remove their access to entities with those properties.
Once we access the Entity Filters settings, we can create a new entity filter. In this scenario, we will create a filter for the Device entity type.
Now we are going to set a new filter and assign it to Users. This will apply the filter to all users that access Remote Support. Beware, though: entity filters currently stack, which matters if you have a scenario where you want some people to see something and others not. If we set this filter on Users, then all users will lose access to any device that does not have ‘Server’ in the device’s operating system name.
Now that we’ve configured a filter, when we reload the Devices list, we can only see devices that match our settings.
We can do the same thing with all of the available entity types. In the example below, we configure a new entity filter for the User objects, and this one filters the list down to only users that contain ‘test’ in the UserName.
Once we save the filter and refresh our page, we are only able to see User entities that contain ‘test’ in the UserName, as in the example below.
Utilizing these filters will allow you to apply granular access control to entities within Remote Support, and when you apply Role-Based Access Controls on top of the Entity Filters you have a very strong but flexible security configuration.
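The sketch below is an added example, not code from Remote Support. It models the two layers described above, with a role check deciding whether an operation is allowed and entity filters deciding which objects it applies to, and it shows the stacking pitfall. The group names, permission strings, device names and the assumption that stacked filters must all match (AND) are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    os_name: str

@dataclass(frozen=True)
class EntityFilter:
    group: str      # group the filter is assigned to
    prop: str       # entity property the filter tests
    contains: str   # case-insensitive substring that must be present

    def allows(self, entity) -> bool:
        return self.contains.lower() in getattr(entity, self.prop).lower()

# Constructed sample data (hypothetical roles, permissions and devices).
ROLE_PERMISSIONS = {
    "Tier I Analyst": {"devices.view"},
    "Administrator": {"devices.view", "devices.restart"},
}
DEVICES = [
    Device("WS-001", "Windows 10 Enterprise"),
    Device("WS-002", "Windows 11 Enterprise"),
    Device("SRV-001", "Windows Server 2019"),
]
TIER1_FILTER = EntityFilter("Tier I Analysts", "os_name", "Windows 10")
USERS_FILTER = EntityFilter("Users", "os_name", "Server")

def visible(groups, roles, permission, entities, filters):
    """Names of the entities the user may perform `permission` on."""
    # RBAC layer: at least one role must grant the operation.
    if not any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles):
        return []
    # Scoping layer: assumed AND stacking of every filter on the user's groups.
    applicable = [f for f in filters if f.group in groups]
    return [e.name for e in entities if all(f.allows(e) for f in applicable)]

def blocking_filters(groups, entity, filters):
    """Filters responsible for hiding `entity` from a member of `groups`."""
    return [f for f in filters if f.group in groups and not f.allows(entity)]

if __name__ == "__main__":
    alice = ({"Users", "Tier I Analysts"}, {"Tier I Analyst"})
    print(visible(*alice, "devices.view", DEVICES, [TIER1_FILTER]))
    print(visible(*alice, "devices.view", DEVICES, [TIER1_FILTER, USERS_FILTER]))
```

With only the Tier I filter the analyst sees one workstation; once the Users-wide filter is stacked on top, the analyst sees nothing, and blocking_filters names the filter that caused it.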