000029201 - How to configure external users with different roles using trusted connections in RSA Security Analytics 10.x

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Aug 27, 2019
Version 6Show Document
  • View in full screen mode

Article Content

Article Number000029201
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI
RSA Version/Condition: 10.4, 10.5, 10.6
Platform: CentOS
O/S Version: EL6
TasksThis article provides an example of how to configure external users with different roles in Security Analytics 10.x using trusted connections.

In this example, there are three classes of users:
  • SALogs - Users in this AD Group can only view Logs (example user is called logs)
  • SAPackets - Users in this AD Group can only view Packet related Meta (example user is called packets)
  • SAPackets - Users in this AD Group can view both Logs and Packet related Meta (example user is called logsnpackets)

There is one SA Server that is leveraging Active Directory for users and groups in this scenario.

Further configuration details:

  • One SA Server
  • One Broker which aggregates from a Packet Concentrator and a Log Concentrator
  • One Packet Concentrator
  • One Log Decoder and Collector hybrid
ResolutionFollow the steps below to configure the users.
  1. Ensure that each of your devices is set up to use Trusted Connections. This is done in the Security Analytics UI under Administration-> Services and clicking on the relevant devices. By not defining a password we are using trusted connections.
    User-added image

  2. Define Custom Roles based on the Analyst Roles. Here I copied the analyst roles and created three new roles - LogAnalyst, PacketAnalyst and LogsAndPacketsAnalyst.
    User-added image

  3. Add external groups Mapping to map External Active Directory Users to these groups
    User-added image

  4. Now create the Roles on the Relevant Devices. For example, click on View -> Security for the Packet Concentrator.
    User-added image

  5. Create the relevant Role with the same Role name as above and give the role permissions of sdk.content, sdk.meta and storedproc.execute.
    User-added image

  6. Replicate this Role to other devices in the same family. Eg Log Devices should have LogAnalyst Role replicate to them, Packet Devices should have PacketAnalystRole Replicated to them. LogsAndPacketsAnalyst role should be replicated to both Logs and Packet Devices.
    User-added image

    User-added image

  7. Log in and test the relevant user. Each user can only gain access the devices on which they have permission. Eg Packet user can access Packet Concentrator

    User-added image

    However, when the packet users try to query the Log Concentrator or any other device that does not have the Packet Analyst Role assigned they will get the error message "Failed to Retrieve Meta Keys"

    User-added image