Skip to main content
While permissions define what a user can do, Asset Groups define where they can do it. This is a critical security feature that allows you to segment access across organizational boundaries and security contexts.

What Are Asset Groups?

An Asset Group is a scope definition that determines which assets (devices, integrations, sites, accounts) a role can access. Every role must be associated with an Asset Group.

Without Asset Groups

Broad Access. A user with devices.read could see ALL devices in the entire organization, regardless of context or sub-organization.

With Asset Groups

Scoped Access. A user with devices.read + “LATAM Asset Group” can only see devices in Latin American contexts.

Asset Group Components

Asset Groups define three levels of scope:
1

Organization Scope

Determines which organizations the role can access:
  • Current Organization Only: Access only the user’s primary organization.
  • Current + All Sub-Organizations: Access parent and all child organizations (Enterprise).
  • Specific Organizations: Access only explicitly listed entities.
2

Context Scope

Determines which security contexts within those organizations are accessible:
  • All Contexts: Unrestricted access to all environments.
  • Specific Contexts: Access only explicitly listed contexts (e.g., “production”, “LATAM”, “tier-1”).
3

Asset Rules

For fine-grained control, specify exactly which assets are accessible:
  • All Assets: Access all devices/integrations/sites in the context.
  • Specific Assets: Access only listed asset IDs (e.g., only firewalls, only specific integrations).

Common Asset Group Patterns

Org Scope: Current + All Subs | Context Scope: All | Asset Rules: All
Used for platform administrators who need unrestricted access.
Org Scope: Current Only | Context Scope: Specific (e.g., “EMEA”) | Asset Rules: All
Used for teams responsible for specific geographic regions or environments.
Org Scope: Current Only | Context Scope: All | Asset Rules: Specific Types (e.g., “Firewalls”)
Used for specialized teams that work only with specific security tools.

Creating Asset Groups

1

Navigate to Asset Groups

Go to Organization Settings → Asset Groups.
2

Define Scope

Select your Organization and Context levels as described above.
3

Define Rules (Optional)

Add specific asset-level restrictions if you need to limit access to individual devices or integration types.
4

Associate with Roles

When creating or editing a role, select the Asset Group to apply these scoping rules.
Roles without an Asset Group have unrestricted access to all assets. Always assign an appropriate Asset Group to maintain the principle of least privilege.