Advanced Analytics RBAC V2 Best Practices
This topic contains several best practices when applying RBAC V2 to your Netskope Advanced Analytics (NAA) reports.
Important
If you change RBAC Role Scope in the Netskope Admin UI or change user/groups in your Active Directory, it can take five hours for the changes to take effect in NAA RBAC queries.
- When view-only is selected for the admin role, ‘Data Explorer’ is disabled. To learn more, see Exploring Data in Reports.
- Under the ‘Scope’ tab: Users, User Group, and OU are supported (the ‘does not’ condition only applies to User Groups). NOTE: Transaction Events do not have ‘OU’ fields, so OU scoping does not apply to them.
- Matches and Does Not Match in the User Group section only apply to immediate members of the group; nested groups are not expanded. For example, if user1 is a member of group1, group1 is a member of group2, and group2 is a member of group3, then specifying group3 in the scope does not apply the RBAC scope to user1.
- Scope by Organization Unit works for exact matches only.
- Network locations (added for RBAC V2) are not supported.
- Instance is supported.
- The free-form query (i.e. query entries) is not supported.
- When multiple conditions are supplied (e.g. ‘Box Instance’ and User Group A), they are combined with ‘OR’: events generated from Box instances or from User Group A are displayed in the UI. This limitation also applies to Skope IT.
- Admins may want to restrict access to sensitive data for users with different roles. Data attributes available for obfuscation in NAA include the following fields:
  - user: Acting User, From User, Hostname, Matched User, Owner, Shared With, To User
  - userip: User IP
  - source: Source Country, Source Location, Source Region, Source Region/State, Source Zipcode
  - file: DLP File Name, File Path, Object Name
  - app: Application, Domain, Instance ID, Referer, Site, URL
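The three scoping rules above (immediate group members only, exact OU matching, and ‘OR’ across conditions) are easy to misjudge when you set up a role. The following Python model is an added illustration and is not Netskope's implementation: the group directory, event records and `Scope` structure are constructed for the example, and the behaviour of a scope with no conditions at all is an assumption (the page does not state it). It shows why a scope on group3 does not reach user1, why a partial OU string matches nothing, and how much wider a Box-instance-OR-group scope is than an admin might intend.

```python
"""Toy model of the RBAC V2 scope semantics described on this page (added example)."""
from dataclasses import dataclass, field

# Constructed directory: group -> immediate members (users or other groups).
DIRECTORY = {
    "group1": {"user1"},
    "group2": {"group1"},
    "group3": {"group2"},
    "groupA": {"alice", "bob"},
}

# Constructed events. Event 5 mimics a Transaction Event, which has no OU field.
EVENTS = [
    {"id": 1, "user": "user1", "app": "Slack", "instance": "slack-corp", "ou": "OU=Eng,DC=example"},
    {"id": 2, "user": "alice", "app": "Slack", "instance": "slack-corp", "ou": "OU=Sales,DC=example"},
    {"id": 3, "user": "carol", "app": "Box", "instance": "box-corp", "ou": "OU=Sales,DC=example"},
    {"id": 4, "user": "carol", "app": "Slack", "instance": "slack-corp", "ou": "OU=Sales,DC=example"},
    {"id": 5, "user": "alice", "app": "Web", "instance": None},
]


def immediate_members(group):
    """Only direct members count; nested groups are NOT expanded (per the page)."""
    return DIRECTORY.get(group, set())


def transitive_members(group, seen=None):
    """Full expansion, shown only to contrast with the immediate-only rule."""
    seen = set() if seen is None else seen
    users = set()
    for member in DIRECTORY.get(group, set()):
        if member in DIRECTORY:          # member is itself a group
            if member not in seen:
                seen.add(member)
                users |= transitive_members(member, seen)
        else:
            users.add(member)
    return users


@dataclass
class Scope:
    user_groups: set = field(default_factory=set)
    ous: set = field(default_factory=set)
    instances: set = field(default_factory=set)


def in_scope(event, scope):
    """Conditions are combined with OR: any single matching condition shows the event."""
    checks = []
    if scope.user_groups:
        checks.append(any(event.get("user") in immediate_members(g) for g in scope.user_groups))
    if scope.ous:
        # Exact string match only; an event without an OU field never matches.
        checks.append(event.get("ou") in scope.ous)
    if scope.instances:
        checks.append(event.get("instance") in scope.instances)
    # Assumption for this model: a scope with no conditions imposes no restriction.
    return any(checks) if checks else True


def visible_ids(events, scope):
    """Return the ids of the events the scoped admin would see."""
    return [e["id"] for e in events if in_scope(e, scope)]


if __name__ == "__main__":
    print("group3, immediate only:", visible_ids(EVENTS, Scope(user_groups={"group3"})))
    print("group3, if nesting were expanded:", sorted(transitive_members("group3")))
    print("partial OU string:", visible_ids(EVENTS, Scope(ous={"OU=Sales"})))
    print("exact OU string:", visible_ids(EVENTS, Scope(ous={"OU=Sales,DC=example"})))
    print("Box instance OR groupA:", visible_ids(EVENTS, Scope(user_groups={"groupA"}, instances={"box-corp"})))
```

Run it and note the last line: the Box-instance condition admits carol's Box event even though she is not in groupA, and the groupA condition admits alice's Slack and Web events even though they did not come from Box. If the intent was "groupA users on Box only", that intersection cannot be expressed with these scope conditions.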