Controls Default Tag

When creating controls, it is possible to assign to the controls a set of tags. The main tag fields are:

  • type
  • scope
  • family
  • custom1 to custom9

All the fields can store String values, the content is let open. The owner of the control can decide which tags to use and which values to write.

What are these tags for?

The values stored in these tags have no impact for calculating the controls results. Content on this fields are not parsed nor interpreted, they are not checked for consistency or to avoid collision.

However, these tags can become very useful to clearly identify a set or group of controls. For example, it can be useful to classify the controls into two groups: risk and quality. This will make it easy to query the results controls filtering by the value of the tags. It will be easy to answer to the question: "What are the controls that represent a risk ?".

What values are already used?

Some of the Brainwave facets deliver their own rules and controls. When these facets deliver views, pages or reports to display the results of the controls , it is common to use control tags in order to search, filter and classify.

If the value of the tags for the delivered controls is modified, then the views and pages associated may stop working correctly.

Some of the facets that use control tags: bw_ad_controls, bw_ad_schema, bw_controlsdashboard, bw_controls_browser, bw_groupsandaccounts_analytics.

Tag Field
Values already used


Entities keywords

account, group, identity, organisation, application, permission, repository, control, right, rights, manager, owner, owners


AD keywords

securitygroup, localadmin, gporights, gpo, AD


Categories keywords

risk, quality, privileged


Other keywords

onallaccounts, perroganisation, perrepository, perapplication, WAB, AWS, SoD

In which Add-Ons are these tags used?

Here you will find a non-exhaustive list of the main add-ons or facets that include controls and the tags that are used in their latest versions.


This facet is used mainly by the AD Booster and some other facets like bw_groupsandaccounts_analytics. It includes around a dozen of controls designed to find problems in Active Directory. The controls use the following tags:

  • family:AD
  • scope: quality, risk
  • type: securitygroup, account, group
  • custom1: onallaccounts


This facet is only used by the AD Booster. It extends bw_ad_controls by introducing advanced controls on Active Directory. The following tags are used:

  • family: AD
  • scope: privileged, quality, risk, localadmin, gporights
  • type: account, securitygroup, group


This facet include some controls and some pages to display the results? The following tags are used:

  • type: control
  • scope: repository, application, per organization


This add-on provides ready-to-use mashup dashboards. It includes some controls that use the following tags:

  • family: WAB


This add-on provides support for Amazon AWS services.The following tags are used:

  • family: AWS


This add-ons generates SoD controls based on an SoD matrix received as input. The tags used for the controls are to be defined for each project. However, the most commonly used tags:

  • family: SoD

Best Practices

If you want to tag your controls in order to filter them:

  • Avoid using the keywords mentioned above. Creating new controls with those tags might impact the functionalities of some existing facets
  • Think of making your tags unique, for example by adding a prefix like xx_risk
  • Combine multiple tags. For example family=AD AND scope=risk