Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI
RSA Version/Condition: 10.4, 10.5, 10.6
O/S Version: EL6
Tasks
This article provides an example of how to configure external users with different roles in Security Analytics 10.x using trusted connections.
In this example, there are three classes of users:
- SALogs - Users in this AD Group can only view Logs (example user is called logs)
- SAPackets - Users in this AD Group can only view Packet related Meta (example user is called packets)
- SAPackets - Users in this AD Group can view both Logs and Packet related Meta (example user is called logsnpackets)
There is one SA Server that is leveraging Active Directory for users and groups in this scenario.
Further configuration details:
- One SA Server
- One Broker which aggregates from a Packet Concentrator and a Log Concentrator
- One Packet Concentrator
- One Log Decoder and Collector hybrid
Resolution
Follow the steps below to configure the users.
- Ensure that each of your devices is set up to use Trusted Connections. This is done in the Security Analytics UI under Administration -> Services by clicking on the relevant devices. Leaving the password undefined means trusted connections are used.
- Define custom roles based on the Analyst roles. Here I copied the analyst roles and created three new roles: LogAnalyst, PacketAnalyst and LogsAndPacketsAnalyst.
- Add an external group mapping to map external Active Directory users to these groups.
- Now create the roles on the relevant devices. For example, click on View -> Security for the Packet Concentrator.
- Create the relevant role with the same role name as above and give the role the permissions sdk.content, sdk.meta and storedproc.execute.
- Replicate this role to the other devices in the same family. For example, Log devices should have the LogAnalyst role replicated to them, and Packet devices should have the PacketAnalyst role replicated to them. The LogsAndPacketsAnalyst role should be replicated to both Log and Packet devices.
- Log in and test the relevant user. Each user can only gain access to the devices on which they have permission. For example, the packet user can access the Packet Concentrator.
However, when the packet users try to query the Log Concentrator or any other device that does not have the PacketAnalyst role assigned, they will get the error message "Failed to Retrieve Meta Keys".
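The role layout described above can be checked before the login test. The following is an added example, not RSA code: it audits a hand-written inventory of per-device roles against the article's role names and permissions. The inventory shape, the function names, and the exact-name matching rule are assumptions made for illustration.

```python
# Added example: constructed inventory, not an export from a real deployment.
REQUIRED = {"sdk.content", "sdk.meta", "storedproc.execute"}  # permissions named in the article

# Roles each device family should carry after replication.
EXPECTED = {
    "log": {"LogAnalyst", "LogsAndPacketsAnalyst"},
    "packet": {"PacketAnalyst", "LogsAndPacketsAnalyst"},
}

# Hypothetical shape: device -> (family, {role name: granted permissions}).
DEVICES = {
    "Packet Concentrator": ("packet", {
        "PacketAnalyst": set(REQUIRED),
        "LogsAndPacketsAnalyst": {"sdk.content", "sdk.meta"},  # one permission short
    }),
    "Log Concentrator": ("log", {
        "LogAnalyst": set(REQUIRED),
        "LogsAndPacketsAnalyst": set(REQUIRED),
    }),
    "Log Decoder": ("log", {"LogAnalyst": set(REQUIRED)}),  # role not replicated
}

def audit(devices):
    """Return sorted (device, role, problem) for absent or under-permissioned roles."""
    findings = []
    for name, (family, roles) in devices.items():
        for role in EXPECTED[family]:
            if role not in roles:  # assumption: names must match exactly
                findings.append((name, role, "role missing"))
            elif REQUIRED - roles[role]:
                gap = ", ".join(sorted(REQUIRED - roles[role]))
                findings.append((name, role, "missing " + gap))
    return sorted(findings)

def unexpected_roles(devices):
    """Return (device, role) pairs for roles the device's family should not carry."""
    return sorted((name, role) for name, (family, roles) in devices.items()
                  for role in roles.keys() - EXPECTED[family])

def queryable(role, devices):
    """Devices where `role` exists with every required permission (simplified model)."""
    return sorted(name for name, (_, roles) in devices.items()
                  if REQUIRED <= roles.get(role, set()))

if __name__ == "__main__":
    for finding in audit(DEVICES):
        print("FIX:", *finding)
    for user_role in ("LogAnalyst", "PacketAnalyst", "LogsAndPacketsAnalyst"):
        print(user_role, "->", queryable(user_role, DEVICES))
```

A non-empty result from `unexpected_roles` points at a role replicated to the wrong device family, which would give that group more access than the design intends.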