Scope-Based Access Control
Scope-based access control (SBAC) lets administrators restrict user access to a defined
subset of devices, sites, and data within Device Security.
Use scope-based access control (SBAC) to define which devices and associated resources
(for example, alerts and vulnerabilities) a user can access within Device Security. Unlike
role-based access control (RBAC), which defines what actions a user can perform within
Device Security, SBAC defines which devices those actions can be taken on. For
Device Security in Strata Cloud Manager, SBAC scopes follow the sites structure
within Device Security. Users are granted access to all sites by default.
To use SBAC, your organization must use Device Security managed through
Strata Cloud Manager. Only superuser administrators can create, edit, and
delete scope objects and assign them to users.
Use SBAC when your organization needs to segment administrative visibility
by geography, business unit, or operational boundary. Common scenarios include
large enterprises where regional or country-level teams manage separate network
segments, healthcare or manufacturing environments where different plant or
campus administrators need isolated views of their facilities, and managed service
provider environments where analysts must be limited to the devices and
sites belonging to specific customers. You can also use SBAC
when your organization must comply with data governance requirements, such as
restricting access to data generated in a particular country or region, or when
privacy regulations require that personnel in one location cannot access
personally identifiable information tied to users or devices in another.
Enforce scope-based access control in Device Security through
.
From there, superuser administrators create named Device Security scopes, where each
scope object defines a set of sites using the organization tree built within
Device Security. You define a scope by
selecting groups, sites, or both. Granting access to a group includes all sites within
that group, and granting access to a site includes all devices assigned to that site.
Administrators then assign one or more scopes to a user from the Identity & Access
Management interface in Strata Cloud Manager. Once a scope is assigned, Device Security
enforces it automatically: the user sees only the devices, alerts, vulnerabilities,
risk factors, and data associated with the devices in their scope. As such, users can
only view and act on devices within their assigned scopes, and those devices are defined
by the sites configured within their assigned scopes.
When a user has multiple scopes assigned,
Device Security applies the union of those scopes, so the user sees the
combined set of devices defined across all their assigned scopes. When a user
has no scope assigned, they retain access to all data in the tenant based on
their RBAC role, which preserves backward compatibility for existing deployments.
An important distinction applies to unscoped tenants versus tenants with empty scopes.
A tenant that has no scopes configured is treated as unscoped, and all users retain
full, tenant-wide access based on their RBAC role. A tenant with empty scopes means
that the tenant contains scopes, but the scopes have no assigned sites.
A user assigned to a scope object with no site selection sees no device data at all.
This distinction ensures that misconfigured or partially configured scopes
preserve a least-privilege outcome rather than inadvertently granting broad access.
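The resolution rules above (group selection expands to every site in the group, site selection expands to every device at the site, multiple scopes are unioned, an unscoped tenant or a user with no scope falls back to full RBAC-governed access, and a scope with no site selection yields no device data) can be modelled as a small function. The following is an added example written for this page, not code from Device Security or Strata Cloud Manager; the organization tree, device IDs, and alert records are constructed, and the function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed organization tree (hypothetical data, not from any real tenant):
# group -> site -> set of device IDs.
ORG_TREE = {
    "EMEA": {"paris-plant": {"dev-1", "dev-2"}, "berlin-office": {"dev-3"}},
    "APAC": {"tokyo-campus": {"dev-4"}, "sydney-dc": {"dev-5", "dev-6"}},
    "AMER": {"austin-hq": {"dev-7"}},
}

# Constructed alert records; each is tied to one device.
ALERTS = [
    {"id": "a-100", "device": "dev-2", "severity": "high"},
    {"id": "a-101", "device": "dev-4", "severity": "medium"},
    {"id": "a-102", "device": "dev-7", "severity": "low"},
]


@dataclass(frozen=True)
class Scope:
    """A named scope object: a selection of groups and/or sites."""
    name: str
    groups: frozenset = frozenset()
    sites: frozenset = frozenset()


def scope_sites(scope, org_tree):
    """Expand a scope to the sites it covers: every site under each selected
    group, plus any individually selected sites. Unknown names raise KeyError
    so a typo in a scope definition fails loudly instead of silently widening
    or narrowing access."""
    all_sites = {s for sites in org_tree.values() for s in sites}
    covered = set()
    for group in scope.groups:
        covered.update(org_tree[group].keys())  # KeyError on unknown group
    for site in scope.sites:
        if site not in all_sites:
            raise KeyError(site)
        covered.add(site)
    return covered


def all_devices(org_tree):
    return {d for sites in org_tree.values() for devs in sites.values() for d in devs}


def devices_for_sites(site_names, org_tree):
    devices = set()
    for sites in org_tree.values():
        for name, devs in sites.items():
            if name in site_names:
                devices |= devs
    return devices


def visible_devices(user_scopes, tenant_scopes, org_tree):
    """Resolve the devices a user may see.

    - Tenant has no scopes at all: unscoped tenant, full access (RBAC alone).
    - User has no scope assigned: full access (backward compatibility).
    - Otherwise: union of devices across all assigned scopes. A scope with no
      site selection contributes nothing, so a user holding only such scopes
      sees no devices.
    """
    if not tenant_scopes or not user_scopes:
        return all_devices(org_tree)
    sites = set()
    for scope in user_scopes:
        sites |= scope_sites(scope, org_tree)
    return devices_for_sites(sites, org_tree)


def visible_alerts(user_scopes, tenant_scopes, org_tree, alerts):
    """Associated resources (alerts here) are filtered by the devices in scope."""
    devices = visible_devices(user_scopes, tenant_scopes, org_tree)
    return [a for a in alerts if a["device"] in devices]


if __name__ == "__main__":
    emea = Scope("EMEA ops", groups=frozenset({"EMEA"}))
    tokyo = Scope("Tokyo site", sites=frozenset({"tokyo-campus"}))
    empty = Scope("Misconfigured")  # no group or site selection
    tenant = [emea, tokyo, empty]
    print(sorted(visible_devices([emea, tokyo], tenant, ORG_TREE)))
    print(visible_devices([empty], tenant, ORG_TREE))
    print([a["id"] for a in visible_alerts([emea, tokyo], tenant, ORG_TREE, ALERTS)])
```

The two fallback branches in `visible_devices` are deliberately the only paths that return the full device set: a scope object that exists but selects nothing never reaches them, which is the least-privilege behaviour the text describes for empty scopes.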
Currently, SBAC enforcement is not supported on all Device Security pages.
Due to information architecture and the sites structure, the following pages
display data for the full tenant, regardless of a user's assigned scope: