Advanced Analytics RBAC V2 Best Practices

This topic contains several best practices when applying RBAC V2 to your Netskope Advanced Analytics (NAA) reports.

• When view-only is selected for the admin role, ‘Data Explorer’ is disabled. To learn more: Exploring Data in Reports
• Under the ‘Scope’ tab: Users, User Group, and OU are supported (the ‘does not’ condition only applies to User Groups). NOTE: Transaction Events does not have ‘OU’ fields and will not support OU in this case.
• Support for Matches and Does Not Match in the User group section only works for immediate members of the group. For example, if user1 is a member of group1, group1 is a member of group2, and group2 is member of group3 then specifying group3 in scope does not apply RBAC scope to user1.
• Scope by Organization Unit works for exact matches only.
• Network locations (added for RBAC V2) is not supported.
• Instance is supported.
• The free form query (i.e. query entries) is not supported.
• When multiple conditions are supplied (i.e. ‘Box Instance’ and User group A), ‘OR’ conditions is used; events generated from Box instances or from User Group A are displayed on the UI. This limitation also applies to Skope IT.
• Admins may want to restrict access to sensitive data for users with different roles. Data attributes available for obfuscation in NAA include the following fields:
  • user: Acting User, From User, Hostname, Matched User, Owner, Shared With, To User   
  • userip = User IP   
  • source = Source Country, Source Location, Source Region, Source Region/State, Source Zipcode
  • file = DLP File Name, File Path, Object Name   
  • app = Application, Domain, Instance ID, Referer, Site, URL