VN-03 · Authorized Asset Discovery
Status: Delivered (authorization and policy layer). Active scanner execution (Nmap/SNMP/WMI) and passive ingestion (DHCP/ARP/NetFlow) are deferred. Roles needed: Tenant admin (manage policy), operator/auditor (read-only)
What the client asked for
"Rogue device detection is tenant-scoped and comes from authorized tenant environment sources: agent-based discovery, active discovery such as Nmap/SNMP/WMI where explicitly authorized, and passive discovery such as DHCP/ARP/NetFlow."
The key word is authorized: discovery must be governed by an explicit, tenant-owned scope, never unbounded scanning.
What this proves
A tenant admin can define and review the authorized discovery scope (which ranges/sites/methods are allowed), and the system records and enforces that authorization. Operators and auditors can see the policy but not widen it.
How it works (at a glance)
Validate via Swagger (Try it out)
Open /api/docs, click Authorize, paste a tenant-admin token. Use the
request schema shown in Swagger for each body.
| # | Action | What you should see |
|---|---|---|
| 1 | POST /api/v1/discovery/policies (site, allowed method, scope) | 200; the policy with its authorized scope echoed back |
| 2 | GET /api/v1/discovery/policies | Your tenant's policy listed |
| 3 | POST /api/v1/discovery/authorizations referencing the policy | An authorization record bounded to the policy scope |
| 4 | GET /api/v1/discovery/status | Discovery status scoped to the authorized policy |
| 5 | Re-Authorize with an operator/auditor token, retry step 1 | 403 — read-only; they cannot create or widen scope |
Contract & tests: /api/v1/discovery/* in the OpenAPI deliverable; discovery
authorization service tests. Active scanner (Nmap/SNMP/WMI) and passive-collector
(DHCP/ARP/NetFlow) execution is Phase 2 — this proves the authorization model.
Where to look in the portal
Assetsthen the Discovery policy controlsAudit
Validation walkthrough
| # | Action | What you should see |
|---|---|---|
| 1 | Log in as tenant admin, open Assets | A discovery policy / status section is visible |
| 2 | Create or update a discovery policy (site, allowed method, scope) | The policy is saved and shown with its authorized scope |
| 3 | Open Audit | A discovery policy create/update entry exists for your tenant |
| 4 | Log in as operator and open the same view | You can read the policy and status but cannot create or widen it |
| 5 | Log in as auditor and open the same view | Read-only; no policy mutation controls are shown |
| 6 | Confirm assets that appear come from authorized sources | Agent-reported assets are present; there is no control implying unauthorized/unbounded scanning |
Pass / fail checklist
- Tenant admin can create/update a discovery policy with an explicit scope
- The policy and its authorized scope are shown in the console
- Policy changes are recorded in
Audit - Operators and auditors see the policy read-only and cannot widen scope
- No control implies unbounded or unauthorized scanning
- Discovery policy is visible only within the owning tenant
Intentionally not in Phase 1
- Execution of active scanners (Nmap, SNMP, WMI) and passive collectors (DHCP, ARP, NetFlow). Phase 1 delivers the authorization and scope model plus agent-based asset reporting; the scanner runtime is later work.
- Full network topology mapping.
Evidence to capture
- Screenshot of the discovery policy with its authorized scope.
- Screenshot of the policy-change audit entry.
- Screenshot showing operator/auditor read-only view.