000030349 - How to use query prefixes to restrict user permissions to meta in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Sep 6, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000030349
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Server, Security Analytics UI
RSA Version/Condition: 10.4.x,10.5.x,10.6.x,11.x
Platform: CentOS
O/S Version: EL6/EL7
IssueAssuming that meta restriction should be applied to a user; for example, restricting a checkpoint administrator to seeing only checkpoint device logs in the SA UI, whether it is in the investigation module or any other module.

The use of a query prefix can help to achieve this goal.

Below is an example of a configuration that would restrict a user to see only checkpoint devices in the Security Analytics UI.


  1. In the Security Analytics UI, select Administration > System > Security.
  2. The Security panel is displayed with the Users tab open.
  3. When adding a new user or editing an existing user, select the Attributes tab.
  4. In the Attributes tab, add the following to the SA Core Query Prefix field: 

device.type = 'checkpointfw1'

  1. (Optional) If you want to revert to the previous value, click Reset Form.
  2. Click Save to save the changes.
Any query can be added to any user in this manner, to help restrict or focus the user's Investigations. This query will be prepended to ALL queries performed by this user until it is removed. The user will not be able to remove this Query Prefix unless they have access to the user accounts within the Security area. The SA Core Query Prefix can even be applied to administrator accounts.