Spirion (Identity Finder) - Understanding Tags in the Console
A brief overview of Tags in the Spirion Console, including best practices.
Important: With the new Spirion 12 management console, the naming convention for Top Tags changed to match the UDDS-based names used in other tools. Most new tags will be in Spirion 12, but if you need to create a new tag on Spirion 11, please follow the old convention for consistency.
The Spirion Console organizes endpoints into what are called "tags". A tag represents a logical grouping of endpoints, like a university department. There are a few different types of tags, and they are described below:
- Simple - A Simple tag is the most basic type of tag. Simple tags can contain endpoints as well as nested tags, much like a folder on your computer can contain sub folders.
- IP Range - An IP Range tag can be used to group endpoints belonging to a range of IP addresses. IP Range tags generate their contents automatically and cannot contain nested tags. IP Range tags are called also Dynamic Tags because the contents are generated and updated automatically. The use of Dynamic Tags is strongly discouraged due to bugs on Spirion 11 and the lack of testing on Spirion 12 at the time of this writing.
Departmental IT administrators interested in using the campus Spirion Console will be set up with a Simple tag for their department, as well as Windows and Mac Spirion installers that place endpoints in that tag automatically. While this setup will work fine for most administrators, it is possible to organize endpoints further with additional tags, as described below.
Before creating additional tags in the Console, it is important to consider tag naming conventions and tag visibility, and differences in Spirion 12 from the old convention used on Spirion 11.
In addition to a departmental Simple tag and customized installers, IT administrators using the campus Spirion Console will be given a "Role" for their department. Roles are used to separate user privileges, effectively blocking one department from viewing or administering another department's endpoints.
However, while you may only be able to see one or a few tags in your endpoint list, in reality there are dozens, if not hundreds, of tags. Administrators at the Office of Cybersecurity work with the complete list. Because of this, it is very important to name your tags, policies and reports in a standard style that reflects the department using them.
Cybersecurity strongly recommends new tags be created as nested tags of the Simple tag that was assigned to your department. If your new tags are created as nested tags of your Cybersecurity assigned Simple tag, naming convention does not matter. Because those tags will only be visible after expanding your Simple tag, it is clear who they belong to, regardless of their names.
If you prefer to have your additional tags at the "top level", Cybersecurity asks that you do so sparingly and follow the standard convention for the version of Spirion you are working with. Most new tags will be on Spirion 12.
- Spirion 12 Top Tags match the UDDS-based department name used in Amp, for example A54-SchoolOfNursing. If the department needed to create an additional Top Tag, it would append a descriptive word to the end, for instance A54-SchoolOfNursing-Macs. (Ideally, they would simply create a nested tag, Macs, inside the A54-SchoolOfNursing tag.)
- Spirion 11 simply used a form of the department name as a Top Tag name, and the format varied somewhat. If a new Spirion 11 Top Tag is necessary, it can be in any form as long as the department name is clear. Nursing-Macs or SchoolOfNursingMacs would both be acceptable.
Spirion 11 will be gone within a few months, so any tags created there are temporary. They will not port over to Spirion 12 automatically because of differences in naming conventions and nesting.
Creating a tag in the Spirion Console is very easy. From the Status tab:
- Create a nested tag - Click on the name of the "parent" tag in your Endpoint List. From the ribbon, click on the "Tag" drop down button and choose "Create Nested Tag". Enter the name of the new tag and choose "Simple" from the resulting window.
- Create a "top level" tag - From the ribbon, click on the "Tag" drop down button and choose "Create Tag". Enter the name of the new tag and choose "Simple" from the resulting window. Please remember to give your tag a descriptive name.
To delete a tag, click on the tag you wish to delete and click "Remove Tag" from the Tag drop down button in the Ribbon. Alternative, right-click the tag name and choose "Tag > Remove Tag".
To move an endpoint to a different tag, click on the endpoint you wish to move and click "Move to Tag" from the Endpoint drop down button in the Ribbon. Alternatively, right-click the endpoint name and choose "Endpoint > Move to Tag". NOTE: You cannot move an endpoint out of a dynamic tag, as their contents are generated automatically.