RBAC roles in Xprotect
Xprotect features can be accessed using one of the following Role-based access control (RBAC) roles: Instance Admin, Policy Manager, Asset Manager, and Instance Observer. You must add users with one of these roles from the Users page on the ColorTokens Spectrum portal.
RBAC roles
Instance Admin
The Instance Admin role is a full-access role that grants privileges to all the features on the Xprotect UI. Instance Admins are the administrators for their Xprotect instances.
Policy Manager
Policy Manager is a role that grants full access to most of the policy-related features available on the Xprotect UI. For example, Policy Managers can perform all actions listed on the Policies and Alerts pages but have read-only access to the Hosts and Files pages. See RBAC role privileges for more details about the privileges for Policy Managers.
Asset Manager
Asset Manager is a role with scoped and read-only access to the features available on the Xprotect UI. Asset Managers can only manage the hosts in their scope; the scope is defined by assigning Scope tags to the user with this role when adding the user to Spectrum. See RBAC role privileges for more details about the privileges for Asset Managers.
You can also add Asset Manager accounts without assigning any Scopes. In this case, the Asset Manager can only access untagged hosts in the instance.
Instance Observer
The Instance Observer role is a read-only access role in Xprotect. Users with this role can see all the pages and objects in the instance but cannot perform any intrusive actions on those pages.
RBAC role privileges
In Xprotect, the following types of privileges are available for RBAC roles. Privileges listed here are associated with using the features available in the left navigation panel.
Privilege | Description
Full access | All features listed in a menu in the left-navigation panel can be viewed, configured, and edited
Read-only access | All features listed in a menu in the left-navigation panel can only be viewed
Scoped access | All features listed in a menu in the left-navigation panel are scoped (restricted) to the Scope tags assigned to the role. Data for the Dashboard, Alerts, Files, and Reports menus is therefore restricted to the hosts with the Scope tags.
See the following table for the privileges assigned to the RBAC roles in Xprotect.
Menu | Instance Admin | Policy Manager | Asset Manager | Instance Observer
Dashboard | Full access | Read-only access | Scoped access | Read-only access
Alerts | Full access | Full access | Scoped access | Read-only access
Hosts | Full access | Read-only access | Scoped access | Read-only access
Policies | Full access | Full access | Read-only access | Read-only access
Commands | Full access | Read-only access | Scoped access | Read-only access
Users | Full access | Read-only access | Read-only access | Read-only access
Files | Full access | Read-only access | Scoped access | Read-only access
Reports | Full access | Full access | Scoped access | Read-only access
Settings | Full access | Read-only access | Read-only access | Read-only access
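To make the privilege matrix and the Scoped access rule concrete, the following is an added Python example written for this page; it is not ColorTokens' code or API. It transcribes the role table above into a lookup and applies the scope rule for Asset Managers, including the case described earlier where an Asset Manager is added without Scopes and therefore sees only untagged hosts. The Host and User representations, the sample inventory, and the rule that a host is in scope when it carries at least one of the user's Scope tags are assumptions for illustration.

```python
"""Toy model of the Xprotect RBAC matrix and Scoped access (added example, not ColorTokens code)."""
from dataclasses import dataclass

# Privilege levels named on the page.
FULL = "Full access"
READ_ONLY = "Read-only access"
SCOPED = "Scoped access"

MENUS = ("Dashboard", "Alerts", "Hosts", "Policies", "Commands",
         "Users", "Files", "Reports", "Settings")

# Transcription of the role/privilege table above.
PRIVILEGES = {
    "Instance Admin": {m: FULL for m in MENUS},
    "Policy Manager": {
        "Dashboard": READ_ONLY, "Alerts": FULL, "Hosts": READ_ONLY,
        "Policies": FULL, "Commands": READ_ONLY, "Users": READ_ONLY,
        "Files": READ_ONLY, "Reports": FULL, "Settings": READ_ONLY,
    },
    "Asset Manager": {
        "Dashboard": SCOPED, "Alerts": SCOPED, "Hosts": SCOPED,
        "Policies": READ_ONLY, "Commands": SCOPED, "Users": READ_ONLY,
        "Files": SCOPED, "Reports": SCOPED, "Settings": READ_ONLY,
    },
    "Instance Observer": {m: READ_ONLY for m in MENUS},
}


@dataclass(frozen=True)
class Host:
    name: str
    tags: frozenset  # Scope tags carried by the host (hypothetical representation)


@dataclass(frozen=True)
class User:
    name: str
    role: str
    scope_tags: frozenset = frozenset()  # empty for an Asset Manager added without Scopes


def privilege(user: User, menu: str) -> str:
    """Privilege level the user's role has on a left-navigation menu."""
    return PRIVILEGES[user.role][menu]


def can_modify(user: User, menu: str) -> bool:
    """True when the role may change objects in this menu.

    Scoped access allows changes only inside the user's scope; the per-host
    check is done in can_manage_host.
    """
    return privilege(user, menu) in (FULL, SCOPED)


def in_scope(user: User, host: Host) -> bool:
    """Scope rule from the page: an Asset Manager with no Scope tags sees only
    untagged hosts; otherwise a host is in scope when it carries at least one
    of the user's tags (assumption: any-match semantics)."""
    if not user.scope_tags:
        return not host.tags
    return bool(host.tags & user.scope_tags)


def visible_hosts(user: User, hosts) -> list:
    """Hosts the user can see in the Hosts menu: everything for Full and
    Read-only roles, only in-scope hosts for Scoped access."""
    if privilege(user, "Hosts") != SCOPED:
        return list(hosts)
    return [h for h in hosts if in_scope(user, h)]


def can_manage_host(user: User, host: Host) -> bool:
    """Combine both checks: the menu must allow changes and, for Scoped
    access, the host must lie inside the user's scope."""
    if not can_modify(user, "Hosts"):
        return False
    return privilege(user, "Hosts") == FULL or in_scope(user, host)


# Constructed sample inventory for the demo (not real hosts).
SAMPLE_HOSTS = [
    Host("web-01", frozenset({"prod", "web"})),
    Host("db-01", frozenset({"prod", "db"})),
    Host("lab-01", frozenset()),
]


def demo() -> dict:
    """Return the host names each sample user can see, keyed by user name."""
    users = [
        User("alice", "Instance Admin"),
        User("bob", "Asset Manager", frozenset({"web"})),
        User("carol", "Asset Manager"),          # no Scopes: untagged hosts only
        User("dave", "Instance Observer"),
    ]
    return {u.name: [h.name for h in visible_hosts(u, SAMPLE_HOSTS)] for u in users}


if __name__ == "__main__":
    for name, names in demo().items():
        print(f"{name}: {names}")
```

Running the block prints one line per sample user; the Asset Manager with no Scopes (carol) sees only the untagged lab host, while the scoped Asset Manager (bob) sees only the host carrying the web tag. Keeping the privilege lookup and the scope filter as separate functions mirrors the two-step decision the page describes: the role decides what the menu allows, and the Scope tags decide which hosts that permission applies to.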