BP-2428: Environment targeted access control #236

Draft
jeff-matthews wants to merge 8 commits into release/v9.0.0 from BP-2428-etac

Conversation

@jeff-matthews
Contributor

@jeff-matthews jeff-matthews commented Mar 23, 2026

Purpose

This pull request (PR) documents the new environment targeted access control (ETAC) feature as described in BP-2428.

Staging

https://specterops-bp-2428-etac.mintlify.app/manage-bloodhound/auth/environment-targeted-access-control

@jeff-matthews jeff-matthews self-assigned this Mar 23, 2026
@mintlify

mintlify bot commented Mar 23, 2026

Preview deployment for your docs. Learn more about Mintlify Previews.

| Project | Status | Preview | Updated (UTC) |
|---|---|---|---|
| bloodhound | 🟢 Ready | View Preview | Mar 23, 2026, 3:18 PM |

@coderabbitai
Contributor

coderabbitai bot commented Mar 23, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 710cac37-6412-43c8-8f86-36de9fa19aa6

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Walkthrough

Documentation updates across six files add comprehensive information about Environment Targeted Access Control (ETAC) functionality in BloodHound Enterprise. Changes explain how ETAC restricts environment visibility while preserving baseline role permissions, and introduce a new dedicated ETAC configuration guide with navigation integration.

Changes

| Cohort / File(s) | Summary |
|---|---|
| ETAC Documentation Foundation: docs/manage-bloodhound/auth/environment-targeted-access-control.mdx, docs/docs.json, docs/manage-bloodhound/auth/overview.mdx | New comprehensive ETAC documentation page with configuration workflow, UI screenshots, and behavioral rules; navigation menu updated to include new ETAC guide; new "Configure ETAC" card added to auth overview. |
| Analysis Feature Clarifications: docs/analyze-data/accept-findings.mdx, docs/analyze-data/explore/search.mdx, docs/analyze-data/posture-page.mdx | Added informational notes clarifying that ETAC restricts environment visibility in findings acceptance, search results, graph data, and posture displays without affecting underlying permissions. |
| Role Definitions Update: docs/manage-bloodhound/auth/users-and-roles.mdx | Added note explaining ETAC constrains environment access for User and Read-only roles while baseline permissions remain unchanged. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hop! The docs now clearly state,
What ETAC can moderate—
Environments we filter tight,
Yet permissions stay just right!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically describes the main change: documentation for the new Environment Targeted Access Control (ETAC) feature across multiple pages. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@jeff-matthews jeff-matthews added the administration (Docs related to managing general tenant configuration) label Mar 23, 2026
@jeff-matthews
Contributor Author

@coderabbitai review

@coderabbitai
Contributor

coderabbitai bot commented Mar 23, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@jeff-matthews jeff-matthews added the Waiting for BH PR (Don't merge this doc update until the related BH feature is merged and released.) label Mar 23, 2026
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/manage-bloodhound/auth/environment-targeted-access-control.mdx`:
- Line 30: Update the sentence that begins "On the **Explore** page, users can
access data from assigned environments only..." to read "shows a subset of
results from authorized environments only" (add the missing article "a") so the
full line becomes: On the **Explore** page, users can access data from assigned
environments only. If a search returns results from unauthorized environments,
the graph shows a subset of results from authorized environments only, and a
message indicates that role-based access filtering is applied.
- Around line 39-41: Update the Privilege Zones copy to remove the implication
that ETAC-scoped users have unrestricted management rights: change the phrase
"see and manage zones" on the Privilege Zones page to clarify they can "view
zones" and that any management actions are limited by their baseline role
permissions and only apply to objects from environments they are authorized for
(referencing the Privilege Zones page text, the ETAC/User/Read-only mention, and
the baseline role permissions lines).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e8bc3f70-8514-4dc5-aea0-edaf1904d62d

📥 Commits

Reviewing files that changed from the base of the PR and between f29d051 and 61c1a37.

⛔ Files ignored due to path filters (2)
  • docs/images/manage/etac-controls.png is excluded by !**/*.png
  • docs/images/manage/etac-hidden-objects.png is excluded by !**/*.png
📒 Files selected for processing (7)
  • docs/analyze-data/accept-findings.mdx
  • docs/analyze-data/explore/search.mdx
  • docs/analyze-data/posture-page.mdx
  • docs/docs.json
  • docs/manage-bloodhound/auth/environment-targeted-access-control.mdx
  • docs/manage-bloodhound/auth/overview.mdx
  • docs/manage-bloodhound/auth/users-and-roles.mdx

Contributor

@rtippitt-specterops rtippitt-specterops left a comment

Dropped a couple comments in line.

@jeff-matthews jeff-matthews added next release (Should be merged as the next BH release go out) and removed Waiting for BH PR (Don't merge this doc update until the related BH feature is merged and released.) labels Mar 24, 2026
@jeff-matthews
Contributor Author

Thanks @rtippitt-specterops! I just pushed a change to address your comments.

@rtippitt-specterops
Contributor

We are removing the toast message on the PZ builder page that says "Permission Denied". Instead, we are adding the same filtering applied message to the top of the screen that is on the explore page.

@jeff-matthews jeff-matthews added v9.0.0 and removed next release (Should be merged as the next BH release go out) labels Mar 25, 2026
@jeff-matthews jeff-matthews added the next release (Should be merged as the next BH release go out) label Apr 1, 2026
@jeff-matthews jeff-matthews changed the base branch from main to release/v9.0.0 April 2, 2026 13:19

Labels

  • administration: Docs related to managing general tenant configuration
  • next release: Should be merged as the next BH release go out
  • v9.0.0

3 participants