Ownerless global objects: Roles with a clean focus

In the current version (GOS 4, GVM 9) there are several pre-configured objects such as Scan Configurations, Port Lists, Report Format Plugins and Scanners.
These are visible and usable for everyone with access permission to the respective group.

We changed this by turning all global pre-configured objects into ownerless global objects. This makes them subject to the regular permission management.

Practical advantage illustrated by an example: A role dedicated to running policy scans only.

Step 1: Clone the role “User” and remove any permissions for creating a Scan Config, Scanner, Report Format or Port List.

Step 2: If your Policy Scan Configs were not part of the role “User”, add permission for them to the new role.

Step 3: Reduce the permissions inherited from the role “User” to just the Policy Scan Configs.

Apply similar restrictions to Port Lists, Report Format Plugins and Scanners. Note the filter string I applied to quickly get to the relevant permissions.

Your dedicated role for policy scanning is established!

The role created above cannot create new objects on its own. But if you grant it permission
for further Policy Scan Configs, these can be used. Take care to allow only read access,
otherwise the role can turn a Policy Scan Configuration into something completely different.
To prevent this in general, you could also remove the “modify_config” permission from that role.

This feature will be published with GOS 5, GVM-10.

Internal feature code: FS-171117-4531.

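Steps 1 to 3 and the “modify_config” advice above, as an added example that is not part of the original post or Greenbone's own code: a Python sketch that takes the cloned role's permission list and plans the deletions and object-bound read grants as GMP `delete_permission` / `create_permission` commands. The function name, the input layout and all IDs are constructed for illustration, and the sketch assumes a permission with an empty resource applies to every object of its type.

```python
import xml.etree.ElementTree as ET

TYPES = ("config", "scanner", "report_format", "port_list")
CREATE = {f"create_{t}" for t in TYPES}       # removed in Step 1
GLOBAL_READ = {f"get_{t}s" for t in TYPES}    # narrowed in Step 3

def plan(role_id, perms, allowed, drop_modify=True):
    """perms: dicts with id, name, resource ('' = not bound to one object).
    allowed: {resource type: [UUIDs of objects the role may still read]}.
    Returns GMP command strings: deletions first, then scoped read grants."""
    drop = CREATE | GLOBAL_READ | ({"modify_config"} if drop_modify else set())
    cmds = []
    for p in perms:
        # Only unbound permissions are removed; object-bound ones stay.
        if p["name"] in drop and not p["resource"]:
            cmds.append(ET.Element("delete_permission", permission_id=p["id"]))
    have = {(p["name"], p["resource"]) for p in perms}
    for rtype, ids in allowed.items():
        for rid in ids:
            if (f"get_{rtype}s", rid) in have:
                continue  # Step 2 was already done for this object
            c = ET.Element("create_permission")
            ET.SubElement(c, "name").text = f"get_{rtype}s"  # read access only
            subject = ET.SubElement(c, "subject", id=role_id)
            ET.SubElement(subject, "type").text = "role"
            resource = ET.SubElement(c, "resource", id=rid)
            ET.SubElement(resource, "type").text = rtype
            cmds.append(c)
    return [ET.tostring(c, encoding="unicode") for c in cmds]

# Constructed sample: permissions of a cloned "User" role (IDs are placeholders).
SAMPLE_PERMS = [
    {"id": "p1", "name": "create_config", "resource": ""},
    {"id": "p2", "name": "get_configs", "resource": ""},
    {"id": "p3", "name": "modify_config", "resource": ""},
    {"id": "p4", "name": "get_tasks", "resource": ""},
    {"id": "p5", "name": "get_configs", "resource": "c1"},
]

if __name__ == "__main__":
    for cmd in plan("r1", SAMPLE_PERMS, {"config": ["c1", "c2"]}):
        print(cmd)
```

Review the generated commands before sending them over an authenticated GMP session; the same call with `scanner`, `report_format` or `port_list` keys in `allowed` covers the other object types.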