Establishing role-based permissions for SCAP
To import Security Content Automation Protocol (SCAP) content, create and run SCAP Compliance Jobs, and view results, administrators must be assigned a role that includes the necessary permissions.
To facilitate division of responsibilities, you can assign all required permissions to one role or divide them between several roles. See Managing access for more details.
The following permissions control SCAP activities:
| Define permissions for | Controls the ability to |
|---|---|
| ScapContentFile.* | Import SCAP benchmarks and access the CPE and OVAL files after import. |
| XccdfBenchmark.* | Access the XccdfBenchmark file after import. (This permission set is a subset of the ScapContentFile.* permissions.) |
| SCAPComplianceJob.* | Create, Edit, Modify Targets, Modify Schedules, Modify Properties, and Execute Job permissions for SCAP Compliance Jobs. |
| Server.Read, Server.Audit | Create SCAP Jobs against servers. |
| DepotFolder.* | Import objects into the Depot and access objects after import. |
Sample Permission Sets
A role with the following permissions has full SCAP abilities:
DepotFolder.*
DepotGroup.*
ExecutionTask.*
JobFolder.*
JobGroup.*
SCAPComplianceJob.*
SCAPContentFile.*
Server.Read
Server.Audit
ServerGroup.*
XCCDFBenchmark.*
A role with the following permissions can import and view SCAP benchmarks but not delete them, and it does not have the ability to create SCAP Compliance Jobs:
DepotGroup.*
XccdfBenchmark.Read
XccdfBenchmark.Create
ScapContentFile.Create
ScapContentFile.Read
A role with the following permissions can create SCAP Compliance Jobs:
DepotGroup.Read
XccdfBenchmark.*
SCAPContentFile.*
Server.Read
Server.Audit
ServerGroup.*
JobFolder.*
ScapComplianceJob.*
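As an added example that is not part of this page or the product it documents, the following Python audits a role's permission list against the two capabilities described above (importing and viewing benchmarks, creating SCAP Compliance Jobs), using the page's sample permission sets as input. Case-insensitive matching of permission names and the `.Delete` action name are assumptions.

```python
# Permissions each SCAP capability needs, taken from the page's table and
# sample sets. A requirement "Object.Action" is met by that exact permission
# or by "Object.*"; a requirement "Object.*" is met only by the wildcard.
CAPABILITIES = {
    "import and view SCAP benchmarks": [
        "ScapContentFile.Create", "ScapContentFile.Read",
        "XccdfBenchmark.Create", "XccdfBenchmark.Read",
    ],
    "create SCAP Compliance Jobs": [
        "SCAPComplianceJob.Create", "JobFolder.*", "Server.Read", "Server.Audit",
    ],
}
# Content objects whose wildcard also implies deletion; the page keeps the
# import-only role off these wildcards. The ".Delete" action name is assumed.
CONTENT_OBJECTS = ("scapcontentfile", "xccdfbenchmark")

def _split(perm):
    # The page spells one object both ScapContentFile and SCAPContentFile, so
    # names are compared case-insensitively here (an assumption).
    obj, _, action = perm.lower().partition(".")
    return obj, action

def grants(role_perms, requirement):
    """True if some permission in the role satisfies `requirement`."""
    req_obj, req_action = _split(requirement)
    for obj, action in map(_split, role_perms):
        if obj == req_obj and (action == "*" or (action == req_action and action != "*")):
            return True
    return False

def capabilities(role_perms):
    """Names of the SCAP capabilities the role fully satisfies."""
    return {name for name, reqs in CAPABILITIES.items()
            if all(grants(role_perms, r) for r in reqs)}

def missing(role_perms, capability):
    """Requirements of `capability` that the role does not meet."""
    return [r for r in CAPABILITIES[capability] if not grants(role_perms, r)]

def can_delete_content(role_perms):
    """Least-privilege flag: wildcard or Delete on imported SCAP content."""
    return any(obj in CONTENT_OBJECTS and action in ("*", "delete")
               for obj, action in map(_split, role_perms))

# The page's import-only and job-creator sample roles.
IMPORT_ONLY_ROLE = ["DepotGroup.*", "XccdfBenchmark.Read", "XccdfBenchmark.Create",
                    "ScapContentFile.Create", "ScapContentFile.Read"]
JOB_CREATOR_ROLE = ["DepotGroup.Read", "XccdfBenchmark.*", "SCAPContentFile.*",
                    "Server.Read", "Server.Audit", "ServerGroup.*", "JobFolder.*",
                    "ScapComplianceJob.*"]
```

Running `capabilities()` and `can_delete_content()` over a role export shows which of the page's SCAP capabilities it has and whether it carries delete rights the import-only profile deliberately omits.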