As part of the Elements Vulnerability Management (EVM) End-of-Life (EOL), EVM views were replaced with XM views and EVM subscriptions were migrated to Exposure Management for Business.
Following this change, the historical Vulnerability (Management) / VM Admin role no longer provides access to vulnerability findings lists UI. Access now requires the Exposure Management (Full Editing) role.Single scan results, as well as VM API endpoints returning vulnerabilities lists are not affected.
As a result, many ex-EVM administrators lost visibility to data they previously managed, causing customer confusion, partner escalations, and increased support load.
The Exposure Management (Full editing) role now grants access to all Exposure Management features, recommendations and findings, including vulnerability findings.
What have we done to address these limitations?
WithSecure performed a careful review of user rights, and we have granted the needed roles to existing users, where we can be sure that there is no impact on data security.
To streamline the transition from EVM to XM, we have granted:
- Exposure Management (Full editing) rights to all users with Vulnerabilities (Management) role, who already had the Elements IAM role. This was a one-time action.
- Exposure Management (Full editing) rights to Vulnerabilities (Management) users in organizations which do not have Identity Security onboarded. This was a one-time action.
Users who have had their roles updated will receive an automated email from WithSecure Elements advising them of this change.
What happens to the remaining users?
For the users where we could not grant the rights without risking an unwanted elevation of privileges, we will be contacting them by email to advise the next steps. These users will need to contact the person(s) within their organization who hold the Elements Identity and Access Management role, and request the XM Admin role.
For a full explanation of the User roles, please refer to the original announcement.