Configure Scope-Based Access Control
Create scopes and assign them to users to restrict Device Security access to a defined subset of sites and devices.
Where Can I Use This?
  • Device Security (Managed by Strata Cloud Manager)
  • (Legacy) IoT Security (Standalone portal)
What Do I Need?
One of the following subscriptions:
  • Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical)
  • Device Security X subscription
Configure scope-based access control (SBAC) for Device Security in Identity & Access Management (IAM) in Strata Cloud Manager, not within Device Security itself. The workflow has two parts: creating a scope that defines a set of sites, and then assigning that scope to users. Scope assignments take effect after a user logs out and then logs back in.
Before you configure SBAC, verify the following:
  • You manage your Device Security solution in Strata Cloud Manager.
  • You have the Superuser role in Strata Cloud Manager. Only superuser administrators can create, edit, and delete scopes and assign them to users.
  • You've fully configured your organization's sites and site groups in Device Security. Scopes depend on sites from this organization tree, so having sites reflect the levels of visibility users need for their roles ensures that scopes grant proper access.
  1. In Strata Cloud Manager, select System Settings > Identity & Access Management > Scopes.
    The Scopes tab lists all scope objects defined for your tenant service group (TSG).
  2. Click Add Scope or select an existing scope to clone or edit.
    If you want to start from an existing scope, you can select Actions (gear icon) next to the scope, and then choose whether to edit, clone, or delete the scope.
  3. Enter a name and optional description for the scope, then Save.
    Scope names must be unique within the TSG. We recommend using a name that identifies the geography, business unit, or team the scope is intended for.
  4. In the Device Security section, select the access level for the scope.
    Device Security supports the following access level options:
    • All — The scope includes every site in the tenant, including sites added in the future. Use this option to give a user broad access.
    • None — The scope contains no sites. A user assigned to this scope sees no device data. This differs from a tenant with no scopes configured, which grants all users full tenant access.
    • Manual Selection — When you select Manual Selection, a Sites dropdown appears where you can select individual sites, site groups, or both. Selecting a site group includes all sites currently within that group, and any new sites added to the group in the future are automatically included. The row can only be expanded to select sites after Manual Selection has been checked.
  5. (Manual Selection only) From the drop-down, select the sites or site groups to include in the scope.
    Selecting a site group includes all children within that site group.
    The site count shown next to each site group reflects only its direct child sites and does not include sites nested within subgroups. Before assigning the scope to a user, verify your selection against the organization tree in Device Security to confirm all intended sites are included.
  6. Save the scope.
  7. Select System Settings > Identity & Access Management > Access Management and refresh the page before proceeding.
    You must refresh the Access Management page after creating a scope before the new scope appears in the scope assignment menu.
  8. Select your tenant, select the users you want to assign the scope to, and click Assign Roles.
    If you want to assign the scope to a single user, you can find the user in the table, and click Edit (pencil icon) next to the user's name to bring up View Identity for that user. Select Assign Roles.
  9. Set the Apps & Services to Device Security and set the Scope to the scope that you configured for these users.
    You can assign more than one scope to a user. When a user has multiple scopes, Device Security shows the user the combined set of devices from sites across every scope they are assigned to.
    A user with no scope assigned retains access to all tenant data.
  10. Ask the user to log out of Strata Cloud Manager and log back in.
    Scope assignments do not take effect during an active session. The user must fully log out and log back in for Device Security to enforce the new scope.
  11. (Optional) Edit a scope by returning to System Settings > Identity & Access Management > Scopes and clicking the name of the scope you want to edit.
    You can edit scopes that are currently assigned to users. The changes in permission may take up to an hour to take effect.
  12. (Optional) Delete a scope by returning to System Settings > Identity & Access Management > Scopes, selecting the scope you want to delete, and clicking Delete Scope.
    You cannot delete a scope that is currently assigned to one or more users. To delete a scope, first remove it from every user it is assigned to.
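As an added example that is not part of this page or of Strata Cloud Manager, the following Python models the scope semantics described above (All, None and Manual Selection, nested site groups, the union across multiple scopes, and no scope meaning full tenant access) so an administrator can check the effective site list before assigning a scope. The organization tree, site names and function names are hypothetical.

```python
# Constructed model of the scope rules this page describes; not the Strata
# Cloud Manager API. The organization tree below is hypothetical sample data.

ORG_TREE = {                      # site group -> direct children (groups or sites)
    "Global": ["EMEA", "AMER"],
    "EMEA": ["London", "Berlin-Group"],
    "Berlin-Group": ["Berlin-Plant", "Berlin-Clinic"],
    "AMER": ["Austin", "Toronto"],
}
ROOT = "Global"                   # top of the organization tree

def is_group(node):
    return node in ORG_TREE

def expand(selection):
    """Resolve sites and site groups to leaf sites, descending through
    nested subgroups (a group selection includes every descendant)."""
    sites = set()
    for node in selection:
        sites |= expand(ORG_TREE[node]) if is_group(node) else {node}
    return sites

def direct_site_count(group):
    """What the Sites dropdown shows next to a group: direct child sites
    only, so it understates what selecting the group really grants."""
    return sum(1 for child in ORG_TREE[group] if not is_group(child))

def scope_sites(scope):
    """Leaf sites granted by one scope, given as (access_level, selection)."""
    access, selection = scope
    if access == "All":
        return expand([ROOT])
    if access == "None":
        return set()
    if access == "Manual Selection":
        return expand(selection)
    raise ValueError(f"unknown access level: {access}")

def effective_sites(assigned_scopes):
    """Sites a user sees: no scope assigned keeps full tenant access;
    otherwise the union of every assigned scope."""
    if not assigned_scopes:
        return expand([ROOT])
    return set().union(*(scope_sites(s) for s in assigned_scopes))

def audit(assigned_scopes, intended):
    """Compare what the assignment grants with what the admin intended."""
    actual = effective_sites(assigned_scopes)
    return {"excess": actual - set(intended), "missing": set(intended) - actual}
```

Because `expand` reads the tree on every call, a site appended to a group after the scope was defined shows up in that scope's result, which matches the automatic inclusion of future sites described in step 4.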