In large enterprise deployments of QualysGuard, Business Units are often used to create autonomous user groups. Users with the Manager role start by creating the Asset Groups for use by the Business Units, typically with users in the Unit Manager role.
Often, Unit Managers then find that they are unable to edit the Asset Groups of their perimeter. See for example "Business Unit Manager cannot edit any of the Asset Groups".
This is often a side effect of how the Business Units were configured, but it is not the normal or recommended behavior for QualysGuard.
This article presents a best practice for Business Unit creation that will grant full configuration flexibility to both Managers and Unit Managers within their respective perimeters.
Consider the following configuration:
There are two business units, one for France and one for Germany. Jack Doe, who is the Manager for the subscription, has created 4 objects: 2 Asset Groups ("DE" and "FR") and two Business Units ("Business Unit FR" and "Business Unit DE").
The "Asset Group FR" becomes the Asset Group that is used to define the full perimeter for "Business Unit FR". Likewise, "Asset Group DE" defines the full perimeter for "Business Unit DE".
The Business Unit Managers Jenny Doe and Jessica Doe then follow the company's naming convention to create the Server and Workstation Asset Groups for their perimeter. They do this based on the IP addresses that were made available to them from the Manager, as defined by the Asset Groups "FR" and "DE".
Given this set-up, the Manager is free to use or change the Asset Groups of the Business Units, even if they belong to Jane or Jessica. For example, the Manager can:
- add IPs to the Asset Group "FR_servers", provided the IP was first added to the "FR" Asset Group,
- remove IPs from the Asset Group "DE_workstations",
- run a report against "FR_servers" and "DE_servers" to compare.
The Unit Managers, in turn, are free to edit their Asset Groups (adding or removing IPs) as they see fit.
If, on the other hand, the Manager Jack Doe were to have created the Asset Group "FR_servers" and then assigned it to "Business Unit FR", then the user Jane Doe would not be able to edit it, i.e. remove IPs or add IPs. All maintenance of the Assets in the Business Units would then inevitably become the responsibility of the Manager, Jack Doe.
Edit 15May2015: New illustration to show that Asset Groups are now visible from within the Business Units.
Edit 27Apr2018: Corrected inconsistencies in the illustration (thanks Russ Sanderlin of ImagineX Consulting for pointing them out).