Managing Compliance Job Permissions with EnableCompliancePropertySetInstance
The EnableCompliancePropertySetInstance parameter controls whether all roles associated with the user who initiates a compliance job are granted access to the property set instance created during the job. This setting is critical for managing access control and ensuring compliance with organizational security policies.
Parameter definitions
| Parameter name | Parameter type | Default value | Scope | Description |
|---|---|---|---|---|
| EnableCompliancePropertySetInstance | Boolean | true | Compliance configuration | When this parameter is set to true: All roles associated with the user running the compliance job will be granted the propertyInstance.* permission, allowing broader access to the created instance. When this parameter is set to false: The compliance job will fail with an access denied error if the initiating user's roles do not have explicit permissions. |
Security implications
- Enabled (true): All of the initiating user's roles gain access to the property set instance. This can be suitable for environments where broad access is acceptable or required for auditing and compliance workflows.
- Disabled (false): The compliance job will fail with an access denied error if the initiating user’s roles do not have explicit permissions. This setting is recommended for environments with strict access control requirements.
To modify the setting
As a blasadmin user, you can set the parameter value to false to disable this setting and enforce stricter access control.
blasadmin -s <deployment> set compliance EnableCompliancePropertySetInstance false