7.7 Device Groups and RBAC

75 minutes · Module 7

Device Groups and RBAC

By the end of this subsection, you will be able to organize devices into groups for policy targeting and scope SOC analyst access using role-based access control.

Why device groups matter

Device groups control two things simultaneously: which security policies apply to which devices, and which analysts can see and act on which devices.

Purpose	Example
Policy targeting	Full-auto AIR on servers, semi-auto on workstations
ASR exclusions	Developer machines get exclusions for build tools; standard machines do not
RBAC scoping	Tier 1 sees workstation alerts only. Tier 2 sees everything.
Prioritization	VIP device group (C-suite laptops) gets priority investigation
Automation levels	Production servers on semi-auto, test servers on full-auto

Creating effective device groups

Method	How it works	Best for
Property-based	Matches on OS, domain, name pattern, or IP range	Broad, stable categories (all servers, all Windows 11)
Tag-based	Matches on tags assigned manually or via Intune	Cross-cutting concerns (VIP, PCI-scope, developer)

Recommended group structure for a 500-seat organization:

Group name	Method	Match criteria	AIR level	Notes
Servers-Production	Property	OS = WindowsServer* AND Name starts with SRV	Semi-auto (all)	Conservative — human reviews all
Workstations-Standard	Property	OS = Windows10 OR Windows11	Semi-auto (non-temp)	Moderate automation
VIP-Devices	Tag	Tag = “VIP”	Semi-auto (all)	C-suite, finance leads — priority triage
Developer-Machines	Tag	Tag = “Developer”	Semi-auto (all)	Extra ASR exclusions for build tools
Default	—	Everything not matched above	Semi-auto (all)	Catch-all

Group evaluation order matters

Devices are evaluated against groups in the order you define. The first matching group wins. Place specific groups (VIP-Devices) before broad groups (Workstations-Standard) to ensure VIP devices get their priority policy, not the generic workstation policy.

RBAC for SOC tiers

Role	View	Actions	Configure	Use case
Security Reader	Scoped to assigned groups	None	No	Tier 1 — read-only investigation
Security Operator	Scoped to assigned groups	Isolate, scan, collect package	No	Tier 2 — active response
Security Admin	All devices	All including live response	Yes	Tier 3 / SOC lead

Scope RBAC to device groups — always

Do not give all analysts access to all devices. A compromised Tier 1 account scoped to workstations can only see workstation data. Without scoping, that same compromised account sees servers, VIP devices, and the entire infrastructure. Least privilege applies to SOC analysts too.

Operational example: policy per group

Device group	AIR level	ASR exclusions	Investigation priority
Servers-Production	Semi-auto (all)	None — maximum protection	High — servers host critical data
Workstations-Standard	Semi-auto (non-temp)	None	Normal
VIP-Devices	Semi-auto (all)	None	Highest — C-suite compromise has maximum business impact
Developer-Machines	Semi-auto (all)	Visual Studio, Docker, Node.js processes	Normal
Default	Semi-auto (all)	None	Normal

The Developer-Machines group illustrates why groups exist: developers need ASR exclusions for build tools that look like malicious behavior (compiling executables, spawning processes from scripts). Without a separate group, you either exclude these tools for everyone (weakening security) or block them for developers (breaking their workflow).

Try it yourself

Design a device group structure for a 300-seat organization with: 50 Windows servers, 200 Windows workstations, 30 macOS devices, 20 developer workstations, and 10 executive laptops. Define the groups, match criteria, and AIR automation level for each.

Recommended groups (evaluation order):

1. VIP-Executives (tag = "VIP") — Semi-auto all, highest priority. 10 devices.

2. Servers-Production (OS = WindowsServer*) — Semi-auto all, no ASR exclusions. 50 devices.

3. Developer-Workstations (tag = "Developer") — Semi-auto all, ASR exclusions for VS/Docker/Node. 20 devices.

4. macOS-Devices (OS = macOS) — Semi-auto all. 30 devices.

5. Workstations-Standard (OS = Windows10 OR Windows11) — Semi-auto non-temp. 200 devices.

6. Default — catch-all. Semi-auto all.

Order matters: VIP before Standard ensures executive laptops get priority policy, not generic workstation policy.

Check your understanding

1. A device matches both "VIP-Devices" (tag-based) and "Workstations-Standard" (property-based). Which group applies?

Whichever group appears first in the evaluation order. Place VIP-Devices before Workstations-Standard to ensure VIP devices get priority policy. The first matching group wins — order your groups from most specific to most general.

Both — policies merge

Tag-based always takes priority

Group evaluation is ordered, not merged. A device belongs to exactly one group. Design your group order deliberately — specific groups first, then broad categories, then the default catch-all last.

← 7.6 Device Isolation and Response Actions 7.8 Device Compliance and Conditional Access →