Privilege Zones is available under early access and is not enabled by default.
Key concepts
Review these key concepts before you explore Privilege Zones. You can find detailed explanations for each concept in the articles throughout this section.| Concept | Description | Used in Risk Analysis |
|---|---|---|
| Zone | A group of objects representing the hierarchy of control across all domains in an environment (based on access level) | ✅ |
| Label | A flexible way to categorize objects within a zone (or across zones) for easier searching and filtering | ❌ |
| Selector | A rule that associates objects with zones and labels, based on object types, relationships (expansion), or Cypher queries | ✅ |
| Tagging | The process of associating objects with zones and labels using selectors | ✅ |
| Certification | [BHE only] An optional process to interrupt automatic inclusion of additional objects in a zone by requiring manual certification of the additional objects | ✅ |
By default, you can create up to two additional zones to match your organization’s security model. If you need to create more zones, contact your account manager.
Features
The Privilege Zones page provides the following tabs:- Zones: A group of objects that represent the hierarchy of control across all domains in an environment based on access level
- Labels: A flexible way to categorize a group of objects in a single zone (or across multiple zones) for easier searching and filtering
- Certification [BHE only]: An optional process to interrupt automatic inclusion of additional objects in a zone by requiring manual certification of the additional objects
- History: An audit log of changes made to your zones and labels over time
Early access
The Privilege Zones feature is currently available under early access and is not enabled by default. To enable Privilege Zones:1
Open the Early Access Features page
In the left menu, click Administration > Early Access Features.
2
Enable the feature
Click Disabled next to Tier Management Engine to enable the feature.