Vanta integration: allow scoping by team #19312

Closed

spokanemac opened this issue May 28, 2024 · 15 comments
Labels
#g-digital-experience https://fleetdm.com/handbook/digital-experience #soc2

Comments

@spokanemac
Contributor

Goal

User story
As an Admin using Fleet and Vanta,
I want to scope Vanta to exclude specific teams within Fleet
so that I can ignore test VMs that reside on compliant laptops.


How?

  • TODO add a Team resource type

Context

(attached screenshot: 20240528_113019_Integrations - Vanta)

@spokanemac spokanemac added #g-digital-experience https://fleetdm.com/handbook/digital-experience #soc2 labels May 28, 2024
@spokanemac
Contributor Author

@eashaw For additional background, we're running into this issue, for example: fleetdm/confidential#5866. These VMs reside on laptops that are in compliance.

cc: @JoStableford

@mike-j-thomas
Member

@spokanemac, we need to look into this. I don't think this can be done on the Vanta side. Additional configuration would have to be done on fleetdm.com. We need to know the IDs of the teams to be excluded. Putting in "Not yet" for now. We'll see if we can fit it into the next sprint.

@JoStableford
Contributor

Hey @mike-j-thomas, I believe it would be a feature request to Vanta to add "teams" as a method of scoping resources. Currently the method of scoping looks to be based on users or computer type, but looking at other integrations via Vanta it seems highly likely that adding teams as a method would be a viable option (and something a Fleet customer using Vanta for compliance would need to manage their compliance without having to manually exclude).
I know @eashaw originally worked on the Vanta integration, so would likely know best if that's the case, but BizOps/IT is happy to put through the request with Vanta directly.

@mike-j-thomas
Member

@eashaw will look into it 👍

@JoStableford
Contributor

@Sampfluger88 @eashaw Just a check up as part of our Vanta security and compliance routine. Can we get an estimate on when this FR will be prioritized?

@JoStableford
Contributor

@Sampfluger88 Prompting again on the need to address the Fleet <> Vanta configuration to enable scoping of resources by team (e.g. excluding the "compliance exceptions" team from scoping into Vanta).

@Sampfluger88
Member

@eashaw can you give me an estimate on this so we can prioritize this for SOC 2?

@eashaw
Contributor

eashaw commented Aug 1, 2024

@Sampfluger88

If we wanted to do this for only our Vanta integration: 2 points
This would involve:

  • Creating a modified version of the Vanta sync script that only runs for our integration and excludes hosts using hardcoded team IDs.
  • Updating the Vanta sync script to not run for our integration

If we wanted to do this for all Vanta integration users: 8 points
This would involve:

  • Updating the /connect-vanta page to let users provide a list of team IDs that they want to exclude from the integration
  • Updating the /connect-vanta page to be behind a login wall to allow users to change the details of their Vanta integration as they add/remove teams
  • Adjusting the login/signup flow to not send users who sign up/in to connect their Vanta accounts into the start questionnaire
  • Updating the website's database tables to associate Vanta connection records with user accounts.
  • Updating the Vanta sync script to exclude hosts on the provided list of team IDs
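Added example, not Fleet's send-data-to-vanta script or any code from this thread: one way the "exclude hosts on the provided list of team IDs" step above could be implemented, with the exclusion list validated before use so a malformed entry cannot silently exclude nothing or everything. It assumes Fleet's hosts API returns objects with `id`, `hostname` and `team_id` (null for hosts on no team); the host data and team ID 7 below are constructed.

```javascript
// Added example (not Fleet's send-data-to-vanta script): filter a Fleet host
// list by excluded team IDs before it is reported to Vanta.
// Assumed shape: Fleet's hosts API returns objects with `id`, `hostname` and
// `team_id` (null for hosts not assigned to any team).

// Parse a config- or user-supplied exclusion list such as "12, 15" into a Set
// of positive integers. Anything else is rejected loudly rather than ignored,
// so a typo cannot quietly change which hosts Vanta sees.
function parseExcludedTeamIds(raw) {
  if (raw === undefined || raw === null || String(raw).trim() === '') {
    return new Set();
  }
  const ids = new Set();
  for (const part of String(raw).split(',')) {
    const trimmed = part.trim();
    if (!/^[1-9][0-9]*$/.test(trimmed)) {
      throw new Error(`Invalid team ID in exclusion list: "${trimmed}"`);
    }
    ids.add(Number(trimmed));
  }
  return ids;
}

// Return the hosts that should be sent to Vanta plus the IDs that were held
// back, so the sync run can log exactly what it skipped. Hosts with no team
// (team_id === null) never match an exclusion and are always reported.
function selectHostsForVanta(hosts, excludedTeamIds) {
  const kept = [];
  const excluded = [];
  for (const host of hosts) {
    if (host.team_id !== null && excludedTeamIds.has(host.team_id)) {
      excluded.push(host.id);
    } else {
      kept.push(host);
    }
  }
  return { kept, excluded };
}

// Constructed sample hosts (not real Fleet data); team 7 stands in for a
// "Compliance exclusions" team holding test VMs.
const SAMPLE_HOSTS = [
  { id: 1, hostname: 'laptop-a', team_id: 3 },
  { id: 2, hostname: 'test-vm-1', team_id: 7 },
  { id: 3, hostname: 'laptop-b', team_id: null },
];

function demo() {
  return selectHostsForVanta(SAMPLE_HOSTS, parseExcludedTeamIds('7'));
}
```

Logging the `excluded` IDs on each run gives an audit trail for why a host stopped appearing in Vanta, which matters when the team membership itself is the compliance control.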

@mikermcneil
Member

cc @hollidayn

@mike-j-thomas
Member

mike-j-thomas commented Oct 8, 2024

@Sampfluger88, where are we up to with this? Do you think we should start with updating our Vanta integration (2-point option)? (Note: the work for the 2-point option wouldn't be able to carry over to the larger 8-point option.)

@Sampfluger88
Member

Let's discuss today, can I crash the last half of your 1:1 @mike-j-thomas and @eashaw?

@mike-j-thomas
Member

@Sampfluger88 sure thing 👍

eashaw added a commit that referenced this issue Nov 5, 2024
Related to: #19312

Changes:
- Updated the send-data-to-vanta script to exclude hosts on a specific
team when it runs for Fleet's Vanta integration.

---------

Co-authored-by: Ian Littman <[email protected]>
@Sampfluger88
Member

@eashaw should these devices still be failing if they're in the "Compliance exclusions" team?


@eashaw
Contributor

eashaw commented Nov 5, 2024

@Sampfluger88 Yes, I think so. We're not reporting the status of devices on that team to Vanta as of the 12 PM (Central) run of the Vanta integration script. We may need to remove those devices from Vanta.

@fleet-release
Contributor

Integrate Vanta's scope,
Excluding teams to cope,
Test VMs find hope.
