Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000030349 - How to use query prefixes to restrict user permissions to meta in RSA Security Analytics

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support on Sep 6, 2019

Version 3Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000030349
Applies To	RSA Product Set: Security Analytics RSA Product/Service Type: Security Analytics Server, Security Analytics UI RSA Version/Condition: 10.4.x,10.5.x,10.6.x,11.x Platform: CentOS O/S Version: EL6/EL7
Issue	Assuming that meta restriction should be applied to a user; for example, restricting a checkpoint administrator to seeing only checkpoint device logs in the SA UI, whether it is in the investigation module or any other module. The use of a query prefix can help to achieve this goal. Below is an example of a configuration that would restrict a user to see only checkpoint devices in the Security Analytics UI.
Resolution	Procedure In the Security Analytics UI, select Administration > System > Security. The Security panel is displayed with the Users tab open. When adding a new user or editing an existing user, select the Attributes tab. In the Attributes tab, add the following to the SA Core Query Prefix field: device.type = 'checkpointfw1' (Optional) If you want to revert to the previous value, click Reset Form. Click Save to save the changes. Any query can be added to any user in this manner, to help restrict or focus the user's Investigations. This query will be prepended to ALL queries performed by this user until it is removed. The user will not be able to remove this Query Prefix unless they have access to the user accounts within the Security area. The SA Core Query Prefix can even be applied to administrator accounts.

Attachments

Outcomes

0 Comments