Create SVM 'Read-Only' user with restricted visibility
The Software Vulnerability Manager allows the creation of regular unprivileged sub-user accounts that can be limited to seeing only a selected set of hosts, using the restriction options available in the account configuration.
The following message, received from an SVM customer, illustrates the problem users often run into when they configure a read-only account with limited visibility:
"I want to add a new user that can only see the computers for his department in CSI (Software Vulnerability Manager). When I added him initially he saw the All Hosts smart group. And when I added the filter to specific clients he can't see any hosts at all.
Am I reading the limitations wrong?
Is there any way to disable the visibility of the "All hosts" group in the SVM interface? Can I see only the hosts I restricted my sub-account to? We want to create a user that has the following abilities:
1. No admin rights for the user
2. Restriction to see only the hosts or specified on the account.
3. The all hosts smart group, all software All Advisory. should not be visible"
Such a configuration is possible in the Software Vulnerability Manager, and it is well documented in the online technical user manual of the product. The following sentence explains the correct approach to configuring a sub-account with restrictions applied to individual hosts:
"Please note that Host names must be entered with the langroup(domain) in the format hostname.langroup."
For example, let's take an internal test domain named RD12.LAB.
A host named W8 would have the FQDN W8.RD12.LAB, which is what most people would assume they should enter.
Here's how you should do it instead in the SVM:
- Use the NetBIOS name of the host
- Use the NetBIOS name of the domain
- Remove the TLD extension (.com/.lab/.anything)
Account Configuration Steps:
- Use the "Restrict to Individual Hosts" option in the new account configuration.
- Therein you should type the hostname as W8.RD12.
- Enable 'Read-Only' and give this account access only to 'Results'
- This will enable it to audit the scan data of the W8.RD12 host.
Use the below screen example to adjust:
Any format other than hostname.langroup is incorrect and will produce different outcomes when you log in with the new sub-account user.
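When a department's host list arrives as a mix of short names and FQDNs, the entries can be normalized before they are typed into "Restrict to Individual Hosts". The following is an added example, not code from the SVM product or its manual; the function names are hypothetical, and it assumes the langroup is the leftmost label of the DNS domain, as in the RD12.LAB example above.

```python
# Added example (not from the SVM documentation): build entries for
# "Restrict to Individual Hosts" in the hostname.langroup format.
NETBIOS_MAX = 15  # NetBIOS computer and domain names hold at most 15 characters


def to_svm_entry(name, dns_domain):
    """Convert a short name, FQDN or existing entry to (hostname.langroup, warnings).

    Assumption: langroup is the leftmost label of the DNS domain, as in the
    article's RD12.LAB -> RD12 example. Confirm it where the NetBIOS domain
    name was set to something else.
    """
    domain = dns_domain.strip(". ").split(".")
    langroup = domain[0]
    labels = name.strip(". ").split(".")
    host, suffix = labels[0], [s.lower() for s in labels[1:]]
    if not host:
        raise ValueError("empty host name")
    # Accept only a bare host, host.langroup, or host + full DNS domain.
    allowed = ([], [langroup.lower()], [d.lower() for d in domain])
    if suffix not in allowed:
        raise ValueError(f"{name!r} does not belong to {dns_domain!r}")
    warnings = []
    if len(host) > NETBIOS_MAX:
        warnings.append("host label exceeds 15 characters; check its NetBIOS name")
    if len(langroup) > NETBIOS_MAX:
        warnings.append("domain label exceeds 15 characters; check the NetBIOS domain name")
    return f"{host}.{langroup}", warnings


def build_restriction_list(names, dns_domain):
    """Return (entries, problems); entries are de-duplicated case-insensitively."""
    entries, problems, seen = [], [], set()
    for name in names:
        try:
            entry, warnings = to_svm_entry(name, dns_domain)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        problems.extend(f"{entry}: {w}" for w in warnings)
        if entry.lower() not in seen:
            seen.add(entry.lower())
            entries.append(entry)
    return entries, problems


if __name__ == "__main__":
    # Constructed sample input: a department host list in mixed notations.
    sample = ["W8.RD12.LAB", "w8", "W10.RD12", "FILESERVER-FINANCE01.RD12.LAB", "W8.OTHER.LAB"]
    entries, problems = build_restriction_list(sample, "RD12.LAB")
    print("\n".join(entries))
    print("\n".join(problems))
```

Names that belong to a different domain are rejected rather than rewritten, so a host outside the department's domain does not end up in the account's restriction list by accident.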