Home New York Security Incident Management Security Operations Vulnerability Response Understanding the Vulnerability Response application Vulnerability Response personas and granular roles

Vulnerability Response personas and granular roles

Before you can successfully remediate vulnerabilities with the Vulnerability Response application, you must assign personas and roles to your users and groups in Setup Assistant.

One of the first configuration steps required for the Vulnerability Response application is to assign roles to users and groups. Roles define what users and groups can see and do in Vulnerability Response, Performance Analytics for Vulnerability Response, and all third party integrations with Vulnerability Response.

If you have already assigned roles using Setup Assistant and you want to manage granular role assignments for all users and groups from the User Administration module, see Manage persona and granular roles for Vulnerability Response.

Note: If you are an upgrade customer, access for the users and groups you assigned with the sn_vul.vulnerability_read and sn_vul.vulnerability_write permissions prior to v10.3 has not changed. Users and groups remain assigned with these roles until you change them. However, starting with v10.3, you may prefer assigning granular roles for more control over what users can do and see in the Vulnerability Response application.

Persona roles and granular roles starting with v10.3

Key terms

Role: Roles define what users and groups can see and do in the Vulnerability Response application.
Group: A set of users who share certain roles and a common purpose.
Persona role: A pre-configured role in the application that is made up of multiple granular roles. The persona roles in Setup Assistant, Vulnerability Admin, Vulnerability Analyst, Remediation Owner, Configuration Item Manager, and Exception Manager, are designed to correspond to common job titles for managers, analysts, and service owners in an IT organization or vulnerability remediation group.
Inherited roles: A term that describes roles that users automatically acquire when they are assigned other roles. For example, any users or groups assigned with the sn_vul.remediation_owner persona role also inherit the sn_vul.read_assigned,sn_vul.write_assigned granular roles.
Access control list (ACL): Access control lists restrict access to data by requiring users to pass a set of requirements before they can interact with it.

Persona roles in Setup Assistant starting with v10.3

Starting with v10.3, you assign groups and users to persona roles in Setup Assistant.

Note: In Setup Assistant, the system admin role (admin) is required for the tasks in the first section, assigning roles and installing integrations. After you assign persona roles in Setup Assistant and install integrations, you may prefer to assign a user or group with the sn_vul.vulnerability_admin role to finish any remaining tasks in Setup Assistant and to manage the Vulnerability Response application.

The following table lists Vulnerability Response roles prior to v10.3 and compares them to the persona roles installed with the application starting with v10.3.


Prior to v10.3.	Starting with v10.3
If you assigned sn_vul.admin	You may prefer to assign sn_vul.vulnerability_admin - Vulnerability Admin to users or groups. Users with this role have complete access to the Vulnerability Response (VR) application and its records. Users with this role configure all VR applications and rules and install third party integrations.
If you assigned sn_vulnerability_write for users and groups.	You may prefer to assign sn_vul.vulnerability_analyst - Vulnerability Analyst to users and groups. Users and groups with this role view and update all records for VI remediation.
If you assigned sn_vul.remediation_owner	You may prefer to assign sn_vul.remediation_owner - Remediation Owner to users and groups. Users and groups with this role remediate vulnerabilities assigned to them or to a group they belong to. Groups or users with this role view and update the records assigned to them or to a group they belong to.
If you assigned sn_vul.admin for management of unmatched configuration items (CI)s	You may prefer to assign sn_vul.ci- CI Manager to users and groups. Users and groups with this role manage unmatched configuration items (CIs) not found in the Configuration Management Database (CMDB). Groups or users with this role update discovered items.
If you assigned sn_vul.admin for deferrals and exception approvals.	You may prefer to assign sn_vul.exception_approver - Exception Approver to users and groups. Users and groups with this role approve exceptions, deferrals, and closures of vulnerability groups and vulnerable items.
If you assigned sn_vul.vulnerability_read to provide visibility into vulnerability management.	You may prefer to assign read access to specific areas in the application by task. For example, assign sn_vul.read_all so a user can view all VR records. For read access to view vulnerability group rules, assign sn_vul.read_group_rules. Users and groups with this role do not update records.

Granular roles and persona roles

One way to think about persona roles is to consider how their descriptions may relate to job descriptions for various IT or vulnerability remediation positions in your organization. The following figure illustrates a possible job description for a remediation specialist in IT, and how the tasks associated with this job relate to the tasks of a remediation owner persona role in the Vulnerability Response application.

Jobs in company compared to personas in Vulnerability Response — Figure 1. Job descriptions and a persona role

Both the job description and the remediation owner persona role could be defined as a series of remediation tasks. In the preceding image, a job description and a persona role in green blocks sit atop the tasks that describe them. In this example, some of the typical job requirements for a specialist in a remediation group correspond directly to the tasks that make up the remediation owner persona in Vulnerability Response: Review and update records, track the remediation status of vulnerabilities, prioritize items for remediation, and apply fixes and patches with IT.

Sometimes, however, the jobs in your organization may not directly correspond to the tasks that make up one of the five persona roles in the Vulnerability Response application. For various reasons, such as protecting sensitive data, or complying with regulations, you must limit the broad access some of the persona roles provide to your users and groups. Or, conversely, you are required to provide users and groups with more access so they can perform their jobs. Using granular roles, you can easily customize roles and control the access users and groups have to Vulnerability Response, Performance Analytics for Vulnerability Response, and third party integrations.

The granular roles define the tasks

The names for the granular roles in Vulnerability Response usually describe what users can do and see in the Vulnerability Response application. For example, in the previous image, users and groups with the Remediation owner persona assigned have the sn_vul.read_assigned and sn_vul.write_assigned granular roles. These granular roles permit users or groups to view and update vulnerable items and vulnerability group records that are assigned to them. To view descriptions of specific granular roles, as a user with the system admin role, navigate to User Administration > Roles and locate the role that you want. Roles that are automatically inherited when a role is assigned are listed. Also, when a role depends on other role assignments, any required roles are also listed.

In the following image, the granular roles of both the remediation owner persona role and the vulnerability analyst persona are illustrated. Note that the remediation owner persona does not include the read_all and write_all permissions of the vulnerability analyst persona. The granular roles, read_all and write_all, are required before users and groups can read and edit all of the vulnerable item and vulnerability group records. To customize these roles, simply add or remove granular roles to expand or limit access.

Personas — Figure 2. Granular roles and the remediation owner and vulnerability analyst personas

If you want your users and groups to have more access than the persona roles permit, you can add more granular roles to users and groups. Conversely, if you want to limit access for specific users and groups at the task level, you can remove granular roles.

Note: To assign and edit granular roles in the User Administration module, the system admin role is required.

Granular roles in the User Administration module

For an example of how to manage granular roles for a user or group, see Manage persona and granular roles for Vulnerability Response.

To assign persona roles, see Assign the Vulnerability Response persona roles using Setup Assistant.

Previous topic

Next topic

Release version

Vulnerability Response personas and granular roles

Before you can successfully remediate vulnerabilities with the Vulnerability Response application, you must assign personas and roles to your users and groups in Setup Assistant.

Persona roles and granular roles starting with v10.3

Key terms

Role: Roles define what users and groups can see and do in the Vulnerability Response application.
Group: A set of users who share certain roles and a common purpose.
Persona role: A pre-configured role in the application that is made up of multiple granular roles. The persona roles in Setup Assistant, Vulnerability Admin, Vulnerability Analyst, Remediation Owner, Configuration Item Manager, and Exception Manager, are designed to correspond to common job titles for managers, analysts, and service owners in an IT organization or vulnerability remediation group.
Inherited roles: A term that describes roles that users automatically acquire when they are assigned other roles. For example, any users or groups assigned with the sn_vul.remediation_owner persona role also inherit the sn_vul.read_assigned,sn_vul.write_assigned granular roles.
Access control list (ACL): Access control lists restrict access to data by requiring users to pass a set of requirements before they can interact with it.

Persona roles in Setup Assistant starting with v10.3

Starting with v10.3, you assign groups and users to persona roles in Setup Assistant.

The following table lists Vulnerability Response roles prior to v10.3 and compares them to the persona roles installed with the application starting with v10.3.


Prior to v10.3.	Starting with v10.3
If you assigned sn_vul.admin	You may prefer to assign sn_vul.vulnerability_admin - Vulnerability Admin to users or groups. Users with this role have complete access to the Vulnerability Response (VR) application and its records. Users with this role configure all VR applications and rules and install third party integrations.
If you assigned sn_vulnerability_write for users and groups.	You may prefer to assign sn_vul.vulnerability_analyst - Vulnerability Analyst to users and groups. Users and groups with this role view and update all records for VI remediation.
If you assigned sn_vul.remediation_owner	You may prefer to assign sn_vul.remediation_owner - Remediation Owner to users and groups. Users and groups with this role remediate vulnerabilities assigned to them or to a group they belong to. Groups or users with this role view and update the records assigned to them or to a group they belong to.
If you assigned sn_vul.admin for management of unmatched configuration items (CI)s	You may prefer to assign sn_vul.ci- CI Manager to users and groups. Users and groups with this role manage unmatched configuration items (CIs) not found in the Configuration Management Database (CMDB). Groups or users with this role update discovered items.
If you assigned sn_vul.admin for deferrals and exception approvals.	You may prefer to assign sn_vul.exception_approver - Exception Approver to users and groups. Users and groups with this role approve exceptions, deferrals, and closures of vulnerability groups and vulnerable items.
If you assigned sn_vul.vulnerability_read to provide visibility into vulnerability management.	You may prefer to assign read access to specific areas in the application by task. For example, assign sn_vul.read_all so a user can view all VR records. For read access to view vulnerability group rules, assign sn_vul.read_group_rules. Users and groups with this role do not update records.

Granular roles and persona roles

The granular roles define the tasks

Note: To assign and edit granular roles in the User Administration module, the system admin role is required.

Granular roles in the User Administration module

For an example of how to manage granular roles for a user or group, see Manage persona and granular roles for Vulnerability Response.

To assign persona roles, see Assign the Vulnerability Response persona roles using Setup Assistant.

How search works:

Topics are ranked in search results by how closely they match your search terms

Vulnerability Response personas and granular roles

Vulnerability Response personas and granular roles

Persona roles and granular roles starting with v10.3

Persona roles in Setup Assistant starting with v10.3

Granular roles and persona roles

The granular roles define the tasks

Granular roles in the User Administration module

On this page

Vulnerability Response personas and granular roles

Vulnerability Response personas and granular roles

Persona roles and granular roles starting with v10.3

Persona roles in Setup Assistant starting with v10.3

Granular roles and persona roles

The granular roles define the tasks

Granular roles in the User Administration module

Log in to personalize your search results and subscribe to topics