Aller au contenu

Asset Groups vs Manual Tags

Boost supports two ways to categorize assets: Asset Groups and Manual Tags. While they can look similar in the UI (both appear as labels), they serve different purposes and should be used differently to keep your asset inventory consistent and easy to manage.

When to Use Asset Groups

Use Asset Groups to represent organizational structure — who owns or manages something.

Asset Groups are best for team-aligned categorization, such as:

  • Team ownership (e.g., AppSec, Platform, Payments)
  • Organizational units (e.g., Engineering, Infrastructure, Data)
  • Operational responsibility (e.g., SRE, DevOps, Security Operations)

In other words, Groups answer: “Which team is responsible for this asset?”

Recommended usage:

  • Assign groups at the Organization level when ownership applies broadly.
  • Assign groups at the Repository/Asset level only when ownership is specific or different from the parent.

When to Use Manual Tags

Use Manual Tags to describe asset attributes — what the asset is, what it contains, or how it should be treated.

Manual Tags are best for asset-level metadata such as:

  • Repository / system classification (e.g., critical, legacy, high-risk)
  • Environment (e.g., non-prod, staging, sandbox)
  • Data classification (e.g., pii, financial, customer-data)
  • Operational context (e.g., outsourced, third-party, externally-managed)
  • Technology or system type (e.g., payment-gateway, etl, mobile-backend)

Manual Tags answer: “What is this asset, and what attributes matter for security and reporting?”

Recommended usage:

  • Use tags consistently across dashboards and findings filters to support reporting and prioritization.
  • Apply multiple tags to a single asset when needed (e.g., critical + pii + outsourced).

Quick Comparison

  • Asset Groups → Ownership and org structure (teams)
  • Manual Tags → Asset characteristics (attributes)

To keep categorization clean:

  • Use Groups to model your internal org/team structure (stable over time).
  • Use Manual Tags to model security and operational attributes (can evolve as systems change).
  • Avoid using Manual Tags for team names (e.g., don’t tag repos payments-team — use a Group instead).
  • Avoid using Groups for classifications like pii or critical—use Manual Tags for those.

Example

A repository could be categorized like this:

  • Group: Payments Team
  • Manual Tags: critical, pii, production

This makes it easy to answer both:

  • “Who owns it?” → Payments Team
  • “How should we prioritize it?” → critical + pii + production