Entity classification and tags can be inherited from other entities using entity relationships. Any relationship between two entities can be configured to propagate control assignments, control results, risk, tags, or criticalities. The system is designed to make circular references impossible. Entities cannot inherit what they propagate.
To specify the propagation associated with an entity relationship, navigate to Configuration > Entity Configuration > Relationships. Click on a relationship to display the Relationship Type dialog.
Control results and risks are propagated, but only within a particular program. Propagating control results or risks across programs can be performed manually. If a control profile is specified, the system uses the control profile and ignores the control assignment.
When propagating criticality, select the value to use:
- The "from" entity's criticality.
- The highest criticality between the "from" and the "to" entity.
- The lowest criticality between the "from" and the "to" entity.
If your program owner configures each entity with different criticality values and then establishes a parent-child relationship type between entities in such a way that the parent entity propagates either criticality or tags, and control results to child entities. It is recommended to first run the Update Objects job before you include entity pairs in an assessment. By doing so, you can ensure that all the child entities inherit the criticality value of the parent entity and that when you run the assessment, the control results will propagate effectively.
Adding entities and then creating a new relationship with an existing entity relationship type requires running the Update Objects job to propagate the scores effectively to the newly added entities.
A child entity inherits the security risk score if you configure the parent entity to propagate the risk score.