Creating a Workspace Agency

Workspace Agency Overview

A workspace agency can help improve security operations efficiency without requiring additional personnel. With a workspace agency, you can:

Manage multiple workspaces centrally.
View asset risks, alerts, and incidents in one place.
Enable cross-account security operations.

For details about workspace agencies, see Table 1.

**Table 1** Unified management functions supported by workspace agencies
Function	Feature	Description
Centralized security operations	Situation Overview	This area shows the security evaluation results from multiple workspaces managed by the workspace agency view. For more details, see Checking the Situation Overview.
	Large Screen	Security data from multiple workspaces can be displayed and managed on one large screen. For details, see Overall Situation Screen and Monitoring Statistics Screen.
	Security Reports	This area displays all security reports of workspaces managed by the agency view. You can view the security reports by workspace. The name of the workspace a security report belongs to is displayed next to the security report name. For more details, see Checking a Security Report.
Unified asset management	Resource Manager	This area displays all assets of workspaces managed by the agency view. Assets are managed centrally. You can identify the workspace an asset belongs to based on the Workspace Name column in the asset list. For more details, see Overview.
Unified risk prevention	Baseline Inspection	You can aggregate the baseline check results from multiple workspaces into an agency view for centralized management. For more details, see Viewing Baseline Check Results, Starting an Immediate Baseline Check, and Check Result Feedback. You can identify the workspace a check item belongs to based on the Workspace Name column in the check result list.
	Vulnerabilities	You can aggregate vulnerability information from workspaces managed by the agency view and view them centrally. For more details, see Overview. You can identify the workspace to which a vulnerability belongs based on the Workspace Name column of the vulnerability.
	Security Policies	You can aggregate security policies from multiple workspaces into an agency view for centralized management. For more details, see Adding a Security Policy and Managing Security Policies. On the Risk Prevention > Security Policies page of the workspace agency view, you can identify the workspace a security policy belongs to based on the Workspace Name column in the security policy list.
Unified threat operations	Incidents	You can aggregate incidents from multiple workspaces into an agency view for centralized management. For more details, see Viewing Incidents, Adding and Editing an Incident, and Closing and Deleting an Incident. On the Threats > Incidents page in the workspace agency view, you can identify the workspace an incident belongs to based on the Workspace Name column in the incident list.
	Alerts	You can aggregate alerts from multiple workspaces into an agency view for centralized management. For more details, see Viewing Alert Details, Converting an Alert into an Incident or Associating an Alert with an Incident, Closing and Deleting an Alert, Adding and Editing an Alert, and one-click blocking or unblocking. On the Threats > Alerts page in the workspace agency view, you can identify the workspace an alert belongs to based on the Workspace Name column in the alert list.
	Indicators	You can aggregate indicators from multiple workspaces into an agency view for centralized management. For more details, see Viewing Indicators and Adding and Editing an Indicator. On the Threats > Indicators page in the workspace agency view, you can identify the workspace an indicator belongs to based on the Workspace Name column in the indicator list.
Log Audit	Overview	You can learn about the overall log audit status in a statistical period by workspace.
	Security Data	You can view and manage data spaces by workspace.
	Cloud Service Access	You can view and manage log data by workspace. For more details, see Enabling Log Access.
Modeling Analysis	Intelligent Modeling	You can view and manage resources by workspace.
Security Orchestration	Playbooks	You can view and manage playbooks by workspace. For details, see Overview.
	Layouts	You can view and manage layouts by workspace. For more details, see Managing Layouts and Viewing a Layout Template.
	Plugins	You can view and manage plugins by workspace. For details, see Viewing Plugin Details.

Workspace Hosting Process

The process of hosting a workspace is as follows.

**Table 2** Workspace hosting process
Procedure	Description
Step 1: Create an Agency View	You need to create an agency view to manage the delegation that other users give you for workspace hosting.
Step 2: Create an Agency	You can create agencies to authorize other users to manage your workspaces in a project. In this way, asset risks, alerts, and incidents across workspaces can be centrally managed for security operations.
Step 3: Authorize an Agency	You need to grant permission to other users to manage your workspaces and they need to accept your delegation to attach your workspaces to their workspaces. After you create an agency, authorize the user you specified in the agency to manage your workspaces. Choose Workspaces > Agencies > Workspaces Managed by Me and accept workspaces that need to be managed by you centrally. The accepted workspaces will be attached to your workspaces.

Limitations and Constraints

The specifications of the workspace agency views and the number of workspaces are as follows:
- Constraints on workspace agency views: Only one workspace agency view can be created in a region for an account.
- Constraints on managed workspaces:
  - Single-region scenario: A maximum of 100 workspaces can be managed by a workspace agency view.
  - Cross-region scenario: A maximum of 10 workspaces can be managed by a workspace agency view.
  - If you want to use one agency view to manage workspaces in excessive of the limit, apply for capacity expansion.
- Restrictions: A maximum of 10 agencies can be created by an account.

If you select Organization for Initiated By while creating an agency, there are some limitations you need to know:
- If you select all accounts under all organizations for the agency, the agency will work for workspaces of new accounts of an organization.
- If you select all accounts of a specific organization for the agency, it takes a while for workspaces of new accounts of the organization to be synchronized to the agency.

Step 1: Create an Agency View

Log in to the management console.
Click in the upper part of the page and choose Security > SecMaster.
In the navigation pane on the left, choose Workspaces > Agencies.
On the Agency Views tab, click Create Agency View. The Create Agency View slide-out panel is displayed.

Configure parameters required for creating the agency view.

**Table 3** Parameters for creating an agency view
Parameter	Description
Agency View Name	Name of the agency view. Configuration constraints: Only letters (A to Z and a to z), numbers (0 to 9), and the following special characters are allowed: -_() A maximum of 64 characters are allowed.
Workspace Name	The workspace you want to associate with the agency view. The workspace you associate is the main workspace.
(Optional) Description	Description of the agency view. Enter a maximum of 512 characters.

Click OK.

The created agency view will be displayed on the Agency Views tab.

Step 2: Create an Agency

In the navigation pane on the left, choose Workspaces > Agencies.
On the Agencies page, click Create Agency in the upper right corner of the page.

On the Create Agency slide-out is displayed, configure agency parameters.

**Table 4** Parameters for creating an agency
Parameter		Description
Initiated By		Agency creator. Current Tenant Organization: If you use an administrator account of an organization or an agency account to log in to SecMaster, you can select a workspace under the organization for workspace hosting. The Organizations service is an account management service that enables you to consolidate multiple accounts into an organization so that you can centrally manage these accounts. For details about organizations, see the Organization User Guide.
Agency Created By	Workspace	A workspace to be managed by this agency.
Agency Accepted By	Account	Account name of the user who delegates the management permission to this agency. You can also enter the current account as the agency account, or obtain the account name as follows: You have logged in to the management console. Move the cursor to the username in the upper right corner and select My Credentials from the drop-down list. The API Credentials page is displayed by default. On the API Credentials page, obtain the Account Name.
Agency Accepted By	Agency View	An existing agency view.
Agency Details	Agency Name	Name of the agency. Configuration constraints: Only letters (A to Z and a to z), numbers (0 to 9), and the following special characters are allowed: -_() A maximum of 64 characters are allowed.
	Agency Duration	Select an agency duration. Only Permanent is supported.
	Agency Policy	Select an agency policy. An agency policy defines the operation permissions a user has for managed workspaces. You can select multiple agency policies at a time. You can query the meaning of a policy in IAM. To view the meaning, perform the following steps: You have logged in to the management console. In the service list, choose Management & Deployment > Identity and Access Management. In the navigation pane on the left, choose Permissions > Policies/Roles. On the Policies page, enter the policy name in the search box. View the meaning and scope of the policy.
	Description	Description of the agency. Enter a maximum of 512 characters.

Click OK.

Step 3: Authorize an Agency

In the navigation pane on the left, choose Workspaces > Agencies.
On the Agencies page, click the Workspaces Managed by Me tab. In the row containing the workspace you want to manage, click Accept in the Operation column.

If the system displays a message indicating that you are not authorized when you try to accept an agency, get authorization by referring to Authorizing SecMaster first.
In the displayed dialog box, click OK.

Follow-up Operations

Choose Workspaces > Management, click the name of the created agency view. You can view details about workspaces managed in the agency view.

Related Operations

Editing an agency view
1. Locate the row that contains the agency view, and click Edit in the Operation column.
2. On the Edit Agency View slide-out panel, modify the parameters and click OK.
Deleting an agency view
You can delete an agency view if you need to delete the agency workspace and agency information.
1. Locate the row that contains the agency view, and click Delete in the Operation column.
2. In the displayed dialog box, click OK.