This article contains information on creating and managing Data Access Sets (DAS) for Role-Based Access Control (RBAC), including methods to enable default DAS, create custom DAS, and considerations for modifying DAS associated with Signal policies.
Before implementing Role-Based Access Controls (RBAC), identify the roles your organization needs based on your users, their tasks, and the data they will access.
Implementing RBAC involves three steps. While these steps can be completed in any order, we recommend following this sequence:
- Create your Data Access Set.
- Create your users.
- Create your roles.
Creating your Data Access Sets (DAS)
A Data Access Set limits data visibility by defining what users in a Role can see. It acts like a folder with rules that filter content, so that only the specified data is available to Signal policies, events, and Searches. A Data Access Set can include entire content platforms, Microsoft Entra ID (formerly Azure Active Directory) groups, or be narrowed to specific sources such as a single Slack channel.
Method 1 - Enable Default Data Access Set
- Navigate to System Settings > Account Configuration.
- Scroll to Access Control Settings.
- Click the slider to Enable Default Data Access set.
- Aware’s Default Data Access Set includes every integrated data source in your tenant and is kept up to date as integrations are added. When enabled, it gives roles in your Aware environment a ready-made Data Access Set without preventing you from creating custom Data Access Sets.
If you plan to grant access to only a few users, this option may suit you: it is a simple way to set up Data Access Sets without using the full creation workflow. Because the Default Data Access Set always spans all integrated sources, any role bound to it can see data from every current and future integration; use a custom Data Access Set wherever a role should be scoped more narrowly. Once enabled, the Default Data Access Set cannot be disabled.
Method 2 - Creating a Data Access Set directly
- Navigate to System Settings > Roles.
- Select New Data Access Set from the Actions dropdown menu.
- Enter a Data Access Set name.
- Name must be unique
- Maximum of 100 characters
- Special characters are allowed with no restrictions
- Not case sensitive
- Enter a Data Access Set description.
- Maximum of 255 characters
- Special characters are allowed with no restrictions
- Select one or more collaborative content platforms whose data you want accessible in the data set.
- For each selected content platform, click Choose Platforms or Choose what is included to further filter the data going into the data set. You can filter by sources, such as General, Public, or Private channels in Slack.
If you do not click Choose Platforms or Choose what is included, all sources within the selected collaborative content platforms, except for platform groups, are automatically included in the data set.
- You can also filter by platform group within a content platform by searching for its name.
- Click Choose Groups in the Choose Platform Groups (Optional) section.
- Type the name of the group in the Find groups by name search field.
- Select Add for the group that you want to add to the Data Access Set listed in Selected Groups.
- You can add additional platform groups by searching by name and selecting the appropriate group.
- Click Save Group when all platform groups have been selected.
- The selected platform groups will be listed in the Included Microsoft Entra ID Groups section of the New Data Access Set screen.
- You can also select specific Microsoft Entra ID Groups to add to the Data Access Set. Adding a Microsoft Entra ID Group will limit the scope of data available to use in Aware applications for associated Roles.
- To select a group, click Choose groups in the Choose Microsoft Entra ID Groups (Optional) section.
- Type the name of the group in the Find groups by name search field. As you type characters, groups that match the characters will be listed.
- Select Add for the group you wish to add to the Data Access Set. The group is listed in Selected Groups.
- You can add additional Microsoft Entra ID groups by typing their name in the Find groups by name search field and selecting Add for each group that you want to add to the Data Access Set.
- When all Microsoft Entra ID groups have been selected, click Add Groups. The selected Microsoft Entra ID groups will be listed in the Included Microsoft Entra ID Groups section of the New Data Access Set screen.
- Click Save Data Access Set.
Method 3 - Creating a Data Access Set while creating a Role
You can also create a Data Access Set while you are creating a Role.
- Navigate to System Settings > Roles > +New Role.
- Enter Role Name.
- Must be unique
- Maximum of 100 characters
- Not case sensitive
- Special characters are allowed with no restrictions
- Required field
- Enter Role Description.
- Maximum of 255 characters
- Special characters are allowed with no restrictions
- Not case sensitive
- Does not need to be unique
- Optional field, but very helpful in determining which roles to assign to users
- Click Permissions.
- Select which Signal or Search & Discover permissions you want to assign to the role.
For Signal, the following permissions are available:
- Signal Admin: Allows complete Data Access as well as access to all Policies and Rules in Signal.
- Manage Policies: Enables the creation, editing, and deletion of Signal policies. This also grants Manage Rules and View Policies and Rules permissions. Policy creators can invite other Creators and Event Managers, view user permissions, modify roles (e.g., upgrade Event Managers to Creators), and manage the list of Creators and Event Managers for their policies.
- Manage Rules: Allows creating, editing, and deleting rules associated with authorized Signal policies. Selecting this also sets the View Policies and Rules permission.
- Manage Events: Enables actions like tombstoning, deleting, and exporting on events linked to authorized Signal policies. This selection also grants permissions to view Policies and Rules and Events. Event Managers can manage events for invited policies but cannot create or view policies they aren't invited to, nor can they send invites.
- View Policies and Rules: Allows viewing of Signal policies and their associated rules. This permission can be set independently.
- View Events: Allows viewing of events associated with authorized Signal policies. Selecting this also sets the View Policies and Rules permission.
For Search & Discover, the following permissions are available:
- Search and Discover Admin: Allows complete Data Access as well as access to all searches.
- Manage Searches: As a Search Manager, you automatically have the Manage Searches and View Searches permissions. This allows you to create new searches for authorized Data Access Sets and to view or rerun accessible searches, but you cannot mark or export results. An Aware Admin can grant you the Manage Search Results permission or promote you to Search Admin, Search Result Manager, or Search Viewer.
- Manage Search Results: As a Search Result Manager, you automatically have the Manage Search Results and View Searches permissions. This lets you view, mark, and export results for authorized searches, but you cannot create, update, or rerun searches. An Aware Admin can grant you the Manage Searches permission or assign you as a Search Admin, Search Manager, or Search Viewer.
- View Searches: As a Search Viewer, you have the View Searches permission by default. By itself, this allows you to view the searches you are authorized to access, along with their results, but you cannot create a new search, rerun prior searches, or mark or export results of prior searches. An Aware Admin can add the Manage Search Results and/or Manage Searches permission, or make you a Search Admin, Search Manager, or Search Result Manager.
- Select Data Access.
- Click Add Data Access Set.
- Click New Data Access Set.
- Enter a Data Access Set Name.
- Name must be unique
- Maximum of 100 characters
- Special characters are allowed with no restrictions on characters
- Not case sensitive
- Enter a Data Access Set description.
- Maximum of 255 characters
- Special characters are allowed with no restrictions on characters
- Select one or more collaborative content platforms whose data you want accessible in the data set.
- Click Choose Platforms or Choose what is included to filter data for each selected content platform. You can filter by sources like General, Public, or Private channels in Slack.
If you do not select Choose Platforms or Choose what is included, then all sources within the selected collaborative content platforms, except for platform groups, are automatically included as filters for the data from those platforms.
- You can also filter by platform group within a content platform by searching for its name.
- Click Choose groups in the Choose Platform Groups (Optional) section.
- Type the name of the group in the Find groups by name search field.
- Select Add for the group that you want to add to the Data Access Set. The group is listed in Selected Groups.
- You can add additional platform groups by searching by name and selecting the appropriate group.
- When all platform groups have been selected, click Save Groups.
- The selected platform groups will be listed in the Included Microsoft Entra ID Groups section of the New Data Access Set screen.
- You can also select specific Microsoft Entra ID Groups to add to the Data Access Set.
- To select a group, click Choose groups in the Choose Microsoft Entra ID Groups (Optional) section.
- Type the name of the group in the Find groups by name search field. As you type characters, groups that match the characters will be listed.
- Select Add for the group that you wish to add to the Data Access Set. The group is listed in Selected Groups.
- You can add additional Microsoft Entra ID groups by typing their name in the Find groups by name search field and selecting Add for each group that you want to add to the Data Access Set.
- When all Microsoft Entra ID groups have been selected, click Add Groups. The selected Microsoft Entra ID groups will be listed in the Included Microsoft Entra ID Groups section of the New Data Access Set screen.
- Click Save Data Access Set.
Changing a Data Access Set
The following are important considerations when modifying a Data Access Set linked to a Signal Policy.
- Changing a Data Access Set potentially changes who has access to the policy and what permissions they hold on it (for example, one user may be in two different roles that have Signal permissions: one allows only event viewing, while the other also allows exporting events).
- Before updating the Data Access Set on a policy, inventory the users, roles, and permissions associated with both the current and the future Data Access Set.
- When the Data Access Set of an existing Signal Policy is changed, historical events remain unchanged. If that is not acceptable, create a new policy instead.
- Changing a Data Access Set can also affect rule audience scope: a rule is impacted when its audience definition conflicts with the new Data Access Set definition.
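To make the inventory step concrete, here is an added example (not Aware's own code or API) that models the permission implications listed under Permissions above and reports, for each user, how their effective permissions on a policy change when the policy's Data Access Set is swapped. The role, user and Data Access Set names are constructed for illustration. The model assumes that a user's permissions on a policy are the union of the permissions of every role they hold that is bound to the policy's Data Access Set, and it ignores the per-policy Creator and Event Manager invitations the page describes.

```python
"""Model of Data Access Set (DAS) changes on a Signal policy.

ASSUMPTION (illustrative, not Aware's implementation): a role carries a
permission set and exactly one DAS; a policy is bound to one DAS; a user's
effective permissions on the policy are the union of the closed permission
sets of every role they hold whose DAS matches the policy's DAS.
"""
from dataclasses import dataclass

# Implication rules as stated on the page for Signal permissions.
SIGNAL_IMPLIES = {
    "Signal Admin": {"Manage Policies", "Manage Rules", "Manage Events",
                     "View Policies and Rules", "View Events"},
    "Manage Policies": {"Manage Rules", "View Policies and Rules"},
    "Manage Rules": {"View Policies and Rules"},
    "Manage Events": {"View Policies and Rules", "View Events"},
    "View Events": {"View Policies and Rules"},
    "View Policies and Rules": set(),
}


def close(perms):
    """Transitive closure: e.g. Manage Policies also grants Manage Rules,
    which in turn grants View Policies and Rules."""
    result = set(perms)
    frontier = list(perms)
    while frontier:
        perm = frontier.pop()
        for implied in SIGNAL_IMPLIES.get(perm, ()):
            if implied not in result:
                result.add(implied)
                frontier.append(implied)
    return result


@dataclass(frozen=True)
class Role:
    name: str
    das: str                    # the Data Access Set bound to this role
    permissions: frozenset      # permissions as selected in the UI


# Constructed sample roles and memberships (names are hypothetical).
ROLES = {
    "Slack Event Viewers": Role("Slack Event Viewers", "DAS-Slack",
                                frozenset({"View Events"})),
    "Slack Event Managers": Role("Slack Event Managers", "DAS-Slack",
                                 frozenset({"Manage Events"})),
    "Teams Policy Creators": Role("Teams Policy Creators", "DAS-Teams",
                                  frozenset({"Manage Policies"})),
}
MEMBERS = {
    "alice": ["Slack Event Viewers", "Teams Policy Creators"],
    "bob": ["Slack Event Managers"],
    # carol is the page's case: one view-only role plus one that can export.
    "carol": ["Slack Event Viewers", "Slack Event Managers"],
}


def effective_permissions(user, policy_das, roles=ROLES, members=MEMBERS):
    """Union of closed permissions over the user's roles bound to policy_das."""
    perms = set()
    for role_name in members.get(user, ()):
        role = roles[role_name]
        if role.das == policy_das:
            perms |= close(role.permissions)
    return perms


def das_change_impact(old_das, new_das, roles=ROLES, members=MEMBERS):
    """The inventory step: for each user, compare permissions on a policy
    before and after its DAS is swapped. Returns {user: (before, after)}
    for every user whose access changes."""
    report = {}
    for user in sorted(members):
        before = effective_permissions(user, old_das, roles, members)
        after = effective_permissions(user, new_das, roles, members)
        if before != after:
            report[user] = (frozenset(before), frozenset(after))
    return report


if __name__ == "__main__":
    for user, (before, after) in das_change_impact("DAS-Slack", "DAS-Teams").items():
        print(f"{user}: {sorted(before)} -> {sorted(after)}")
```

Run it before the change with the real role and membership export: every user that appears in the report either loses access to the policy (empty "after" set) or gains permissions they did not previously hold, which is exactly what the inventory is meant to surface.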