Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Server, Security Analytics UI
RSA Version/Condition: 10.4.x,10.5.x,10.6.x,11.x
O/S Version: EL6/EL7
Issue
Suppose a meta restriction should be applied to a user; for example, restricting a checkpoint administrator to seeing only checkpoint device logs in the SA UI, whether in the Investigation module or any other module.
The use of a query prefix can help to achieve this goal.
Below is an example of a configuration that restricts a user to seeing only checkpoint devices in the Security Analytics UI.
- In the Security Analytics UI, select Administration > System > Security.
- The Security panel is displayed with the Users tab open.
- When adding a new user or editing an existing user, select the Attributes tab.
- In the Attributes tab, add the following to the SA Core Query Prefix field:
device.type = 'checkpointfw1'
Any query can be added to any user in this manner, to help restrict or focus the user's Investigations. This query will be prepended to ALL queries performed by this user until it is removed. The user will not be able to remove this Query Prefix unless they have access to the user accounts within the Security area. The SA Core Query Prefix can even be applied to administrator accounts.
- (Optional) If you want to revert to the previous value, click Reset Form.
- Click Save to save the changes.