Last updated on July 28, 2020
VMware Secure State (VSS) provides a powerful authorization and segmentation capability that we call Projects. Using Projects, you ensure the appropriate access and control of information is available to your users while the information security team is able to centrally govern security policy and administer the service. This is particularly important for organizations with multiple teams with different initiatives and thus accounts. The application or operation teams can self-service access to understand and act on the security and compliance of their cloud resources. This document dives into the architecture and key concepts of Projects as well as walks through how to use it.
Cloud providers have been moving customers towards segmenting cloud resources at the account/subscription boundary. With this in mind, Projects allows security teams to group accounts and assign users access so they can self-serve the security insights and take the necessary actions on that information.
Prior to Projects, VMware Secure State could only be organized as one flat Organization. Now the Organization sits above Projects. Projects are an element for grouping cloud accounts and assigning access to the insights generated by VSS. Projects are created under the Organization context. Below is a figure representing an organization containing three projects. In this example, there are seven accounts in total in the Organization.
Projects can be assigned cloud account(s). A cloud account can be assigned to only one Project in an Organization. Accounts in a project can be a mix from different cloud providers. Cloud accounts not assigned to a Project are automatically assigned to the Default Project owned by the Organization context.
The Default Project is auto created when the organization tenant is provisioned. Its main purpose is for holding accounts not assigned to a named project. The main actions available are to view and move accounts. You cannot assign access or switch into the Default project via the Project switcher.
The Project switcher in the web console allows you to change the context (i.e. the Organization or specific Project). This will change what data is available to the user. This can be found on the right end of the VMware Secure State menu.
Users are invited to VSS or granted access through Identity Federation managed in VMware Cloud Services Platform. A user can be given access to the Organization or to one or more Projects. Users assigned to the Organization context inherit access to all Projects with the same role. For example, user Jane in the figure below has access to the Organization with the role Viewer. She is therefore given access to all Projects with the same role without needing to be explicitly assigned access to a project. If Jane requires elevated permissions in a Project, then she must be explicitly assigned access to that Project with the elevated role. Below, Jane also has Admin access in App1: Dev-Test.
A user with a more permissive role (e.g. Admin) in the Organization context cannot be given a less permissive role (e.g. Viewer) at a Project. If the user has one or more roles assigned, they are given permissions based on the union of the roles assigned.
To simplify role assignment, users can be added to a group. That group can be assigned a role and access to the Organization or project. In the example figure above, the Operation group has been assigned Admin for App1: Production. This group does not have access to App1: Dev-Test or the Organization.
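To make the inheritance, "cannot be lowered" and union semantics concrete, here is an added model of the rules described above (not VMware code): the permission names, the Default Project restriction and the user and group names are assumptions, with Jane and the Operation group taken from the figures.

```python
# Added model of the Project/Organization role semantics described above; not
# VMware code. Permission names, user and group names are assumptions.
ORG = "Organization"
DEFAULT_PROJECT = "Default Project"
# Assumed permission sets; the only property relied on is that they nest.
ROLE_PERMISSIONS = {
    "Viewer": {"view"},
    "Analyst": {"view", "investigate", "request_suppression"},
    "Admin": {"view", "investigate", "request_suppression", "create", "edit"},
}


class AccessModel:
    def __init__(self):
        self.assignments = {}  # (principal, scope) -> role; scope is ORG or a Project
        self.groups = {}       # group name -> set of member users

    def assign(self, principal, scope, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        if scope == DEFAULT_PROJECT:
            raise ValueError("access cannot be assigned on the Default Project")
        org_role = self.assignments.get((principal, ORG))
        if scope != ORG and org_role is not None:
            # An Organization role cannot be lowered at a Project.
            if ROLE_PERMISSIONS[org_role] > ROLE_PERMISSIONS[role]:
                raise ValueError(f"{org_role} at Organization cannot become {role} in {scope}")
        self.assignments[(principal, scope)] = role

    def effective_permissions(self, user, project):
        """Union of every role reaching the user in this Project: its direct
        Project role, the inherited Organization role, and both via groups."""
        principals = {user} | {g for g, members in self.groups.items() if user in members}
        perms = set()
        for p in principals:
            for scope in (ORG, project):
                role = self.assignments.get((p, scope))
                if role:
                    perms |= ROLE_PERMISSIONS[role]
        return perms


def figure_example():
    """Scenario from the figures: Jane is Viewer at the Organization and Admin in
    App1: Dev-Test; the Operation group is Admin in App1: Production only."""
    m = AccessModel()
    m.assign("jane", ORG, "Viewer")
    m.assign("jane", "App1: Dev-Test", "Admin")
    m.groups["Operation"] = {"omar"}  # "omar" is a constructed group member
    m.assign("Operation", "App1: Production", "Admin")
    return m
```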
Roles are a grouping of permissions that, once assigned to a user or user group, define what actions are available to the user. There are three user roles available on VMware Secure State. Depending on whether you are in the Organization or a Project context, the roles permit different actions.
The Admin role is the power user on the service. Admins have full create and edit capability for the features available.
The Analyst role is intended for users who are primarily responsible for the investigation and disposition of security findings. Analysts have limited administration capabilities.
Viewer role is intended for the read-only user.
There are also roles in Cloud Services Platform you must be aware of. All users will be assigned either the Organization Owner or the Organization Member role. Project-only users should be assigned the Organization Member role. Users who will be responsible for user access must have the Organization Owner role.
Service Roles assigned under Identity & Access Management in VMware Cloud Services (CSP) grant the user Organization context access. If you intend the user to be a Project-only user, do NOT grant a Service Role from the CSP console: https://console.cloud.vmware.com/csp/gateway/portal/#/consumer/usermgmt/users. Project-only users will need to be given access to a project with a specific role through VMware Secure State here: https://www.securestate.vmware.com/projects.
Depending on whether the context is the Organization or a Project, capabilities vary. The Organization is typically owned by a central administrative or security team. They are responsible for onboarding accounts onto VSS, managing projects, and enforcing the organization’s security requirements. The table below lays out what is possible in the Organization versus the Project context.
Expanding on the table above:
Rules are centrally managed by the Organization and apply identically to each Project. Similarly, custom rules created by the Organization apply to all accounts.
Suppressions for a finding can be requested by a Project user or an Organization user. Only the Organization can disposition a suppression request: if a suppression is requested by a Project user, the Organization receives the request and can approve or reject it. Rule suppressions are currently applied organization-wide and thus can only be requested by the Organization.
Alerts, Integrations and Reports can be created in a specific context, either the Organization or a Project. When in the Organization context, the user can see all alerts, integrations, and reports that have been created. To see or modify one of these features, however, you must be in the context it was created in. For example, in the Organization you can create a report covering all cloud accounts, but that report is available only while in the Organization context. If a report or alert is created in a Project, you will only see or manage it when in that specific Project.
The Organization administers the onboarding of cloud accounts and the management of Projects, hence editing these features is only available in the Organization. Project Admins can see the cloud account details.
Projects are available in the base VMware Secure State platform. All cloud accounts are added to the Default Project when onboarded onto the platform. The Default Project cannot be modified. You may decide not to use Projects by simply not provisioning any: leave your cloud accounts unorganized and onboard users to the Organization. Here we will go through the Project setup process.
VMware Secure State offers two levels of access, Organization and Project. Organization users have access to both Organization and Projects.
Access for the Organization is set in the Identity & Access Management portion of CSP https://console.cloud.vmware.com/csp/gateway/portal/#/consumer/usermgmt/users.
1. To add users, under Active Users, click on ADD USERS.
2. Under Users, enter the email addresses of the users you would like to invite. Now go to step 4.
3. To add users via a group, click on Groups then ADD GROUPS.
   - Then choose Create a new group and click Continue.
   - Specify a group Name and Description.
   - Click on ADD MEMBERS and add users.
4. Now assign an Organization Role. Select Organization Member unless the user will manage access, in which case choose Organization Owner. Note: If adding Project-only users, assign the Organization Member role and skip to step 6. Project assignment happens in a subsequent step.
5. Next, click on ADD SERVICE ACCESS, choose VMware Secure State and choose a role.
6. Click ADD to send the invite.
First confirm you have the appropriate permissions to manage Projects. You must have access to the Organization with a VMware Secure State Service role of Admin, granted from the VMware Cloud Services Identity & Access Management console.
Find Projects under the Settings menu in the main navigation.
If you’re new to Projects, you will only see the “Default Project” tile. Click into the tile to see all of the cloud accounts not yet associated to a Project.
Back on the Projects page, click on ADD PROJECT to create a Project.
Name your Project and click the check mark.
Add a Description by clicking on DESCRIPTION. Describe the purpose of the Project. This is an optional field.
Add a Resource. Resources are Cloud accounts. Cloud accounts must be beyond Draft status to be added to a Project.
Add Access to assign users access. Users must have accepted their invitation before you are able to add them. If you are an Organization user, you do not need to add yourself to the Project; your permissions are inherited from the Organization.
Note: To delete a Project, you must first remove all of its resources.
Once set up, moving cloud accounts should not be a common activity. Moving accounts may impact Reports and Alerts that have been created in a named Project. That said, moving a cloud account between Projects is straightforward and can be done in a few different places.
Note: You must have Admin role in the Organization to be able to manage Projects and Cloud accounts.
From the Default Project, you can select one or more accounts to move to a Project.
From a named Project, you can choose to move one or more accounts to a different Project.
In a named Project, you can choose to simply remove one or more accounts. If removed, those accounts are moved to the Default Project.
Removing Organization access and retaining Project access.
Search for the user and expand the next to the user. Observe “(Limited)” next to the Service Role. This indicates that the user has access to a Project. The other Service Role below does not have the limited label.
To remove Organization level access, select the user, and click EDIT ROLES.
Remove the service role and click SAVE.
Existing VMware Secure State APIs do not require additional parameters. Users do not need to specify the Project when submitting requests. Here is the API getting started guide and a link to the API documentation: https://api.securestate.vmware.com/