Why Two Different Users May See Different Asset/Vulnerability Counts

Let’s assume a scenario where our user Ashley is assigned a custom user role called “Linux Platform Team”. Within this user role, Ashley is granted 78 risk meters, which are populated by 24 different connectors. These connectors all run on different schedules, bringing new data for all of the assets in the 78 risk meters on a highly dynamic basis.

Now let’s say Ashley is working on remediating some vulnerabilities with the customer’s administrator, who we’ll call Nick. Nick is assigned the admin role in Cisco Vulnerability Management, so he can see all assets and vulnerabilities in all risk meters.

Ashley and Nick hop on a screen share to identify certain vulnerabilities that need fixing. Ashley immediately notices that the number of assets and vulnerabilities that she sees when she logs into Cisco Vulnerability Managementdiffers from the counts that Nick can see in his account. Sounds like a bug or RBAC configuration error, right? Not exactly. The explanation comes down to the use of custom user roles.

System roles (Admin, Write/Normal, Read-Only) will see their asset and vulnerability counts change throughout a day as different connectors report new data.

However, users with custom roles (e.g. Ashley) are restricted only to view assets that belong to certain risk meters. These users will not see the same dynamic updates in available asset counts due to how these assets are filtered by the role-based access control rules in place for a given role.

Essentially, a nightly batch job checks for any new assets that should be visible to a role and designates them as visible for those user roles (this same process also removes any assets that were previously visible to a custom user role have been removed from Cisco Vulnerability Management or no longer fit the risk meter search criteria). Once this nightly job has run, there should be an agreement in asset count between an Admin and custom role user but as soon as a subsequent connector run brings in a new asset that belongs to a risk meter assigned to a custom role, this asset would not be visible to a custom role user until the nightly job run to bring them into alignment.

Additionally, while this nightly job is scheduled to start daily on 8:00 UTC, the exact time when it updates assets related to Ashley's role (or any user with a custom role) can vary, depending to the amount and size of jobs it must process, so there isn't a specific time that one could check daily to see the alignment in asset counts.

Illustrative Example

Here is a (heavily-simplified) example of how assets are assigned to custom roles upon import into Cisco Vulnerability Management, which will hopefully illustrate this process better:

(Note: timestamps here are hypothetical for the sake of this example)

Users: Nick (admin), Ashley (custom role “Linux Platform Team”)

Risk Meter: "All Linux Servers"

6 AM: The nightly batch is run to align any new asset additions/removal to this risk meter -- Ashley and Nick both see 33,000 assets in this risk meter, and these counts should remain in alignment until new assets are added or removed to this risk meter by new connector runs, leading to...

2 PM: A connector run is completed, which imports 10 new assets now belonging to the “All Linux Servers” risk meter -- Nick sees 33,010 assets but Ashley still sees 33,000 assets, since the nightly job has yet to run

6 AM (next day): The nightly batch is run to align any new asset additions/removal to this risk meter -- Nick and Ashley will now both see 33,010 assets in the “All Linux Servers” risk meter*.

*caveat: As there could be connector runs already in progress during the nightly job that assigns new assets visible to custom roles, the asset counts as seen by Nick and Ashley would differ with Nick seeing the new assets from the in-progress run but Ashley would have to wait until the next nightly job).

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.