Data-level access management

  • Updated

In addition to controlling content, features, and platform configuration permissions, Panaseer can also restrict access to data available within the platform.

This is to ensure users only have access to data that is relevant to their function. Admin users can control who sees data, enabling sensitive data to be targeted to the appropriate audience.

Data access restriction is enabled by configuring roles to be used by specific groups of users.

Key benefits of data access control

Data access permissions provide a number of key benefits:

  • Custom data restrictions: Set policies to restrict access to all data, data by entity type, or specific data rows.
  • Enhanced permissions management: Use Panaseer’s existing filtering to create precise permissions.
  • Dashboard access control: Easily identify the permissions required to view specific dashboards.
  • Advanced access control models: PBAC and ABAC provide more granular control compared to RBAC.
  • Streamlined management: Reduce complexity, maintenance, and costs while increasing the flexibility of access control across the platform.

Managing data access permissions

The following assumes some knowledge of groups, roles, and users in Panaseer. To learn about these see Groups, Roles, and Users.

Data access control is configured in the same way as other element types within Panaseer.

To change data permissions first create a role or use an existing role and edit the Create, Read, Update, Delete (CRUD) permissions in the Data section under Content permissions.

 

Access management - Permissions

Locating the data permissions settings 

These instructions assume you already have users, groups, and roles setup within your platform.

Data access control and security areas

Data access is controlled by security area. A security area is essentially a dataset (stored in a table) that pertains to a particular domain of your cybersecurity landscape. For example, Vulnerability or Application Security.

Data from a security area is used in corresponding metrics.

The use of security areas means that you can logically restrict permissions to certain types of data (and therefore metrics) depending on the role being used.

Security Areas are listed in the metric catalog.

Navigate to Metrics > Browse the catalog, and you will see the list of security areas in the filters.

security areas filters

Security areas as shown in the metric catalog filters.

Similarly, when editing data access within a role, you are presented with a list of matching security areas.

As with any Panaseer element, a security area may have subtypes of data than you can assign permissions to.

For example, the screenshot below shows the types of items that fall under the Inventory dataset.

inventory types

Types of item within the Inventory table.

Changing data permissions for a role

You can edit data permissions for a role in the same way as other elements.

You will need the required permissions to be able to edit role permissions.

To edit data permissions:

  1. Navigate to Settings > Access Management and select Roles.
     
  2. Choose a role from the list of titles by clicking on its row. In this example, we’re selecting Full Data Access (Read-only).

    role options

    This takes you to the configuration page for the role.
     
  3. One the role page in the Permissions tab, locate the entry for Content Permissions > Data.
    In our example role, you can see that only Read access has been granted to Data.

    content permissions options
     
  4. Click the Edit Permissions button to begin editing.
     
  5. Expand the Data entry by clicking on the Data row, then click on the All Platform Data row and then the Security Area row.

    content permissions security area
     
  6. You’ll see the Create, Read, Update, Delete checkboxes according to your access management permissions. Simply check or uncheck the required boxes to change the permissions.

    Inventory has subtypes, and you can either use the global Inventory level permission or drill down to the subtypes for more granular permissions.

  7. When you’ve done editing click Confirm and Save to apply the changes.
    You’ll see pop-up with details of your changes. Click Submit to accept the changes.

Restricting data within security areas

You can go further with permissions by limiting the data that is available to security area permissions according to a filter. For example, you could limit the data to a particular county or business unit.

To filter the data:

  1. In the role’s Permissions tab, click twice to expand the Data entry to Security Area and click Add data permissions.

    content permissions
     
  2. This opens a dialog with a list of available columns. Click a column name to add a filter.

    adding data permissions menu
  3. You can filter using the tab headings in the main panel on the right. There are different filter types according to the datatype.

    For example, the Business Unit column lets you select from existing values using Browse values or use Add Values to specify filter values in a CSV to upload. You can then check filter values in Show selected.
     
  4. To apply the filter, click OK.

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.