|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Security Analytics UI
RSA Version/Condition: 10.4
O/S Version: EL6
|Tasks||This article provides an example of how to configure external users with different roles in Security Analytics 10.4 using trusted connections.|
In this example, there are three classes of users:
There is one SA Server that is leveraging Active Directory for users and groups in this scenario.
Further configuration details:
|Resolution||Follow the steps below to configure the users.|
1) Ensure that each of your devices is set up to use Trusted Connections. This is done in the Security Analytics UI under Administration-> Services and clicking on the relevant devices. By not defining a password we are using trusted connections.
2) Define Custom Roles based on the Analyst Roles. Here I copied the analyst roles and created three new roles - LogAnalyst, PacketAnalyst and LogsAndPacketsAnalyst.
3) Add external groups Mapping to map External Active Directory Users to these groups
4) Now create the Roles on the Relevant Devices. For example, click on View -> Security for the Packet Concentrator.
5) Create the relevant Role with the same Role name as above and give the role permissions of sdk.content, sdk.meta and storedproc.execute.
6) Replicate this Role to other devices in the same family. Eg Log Devices should have LogAnalyst Role replicate to them, Packet Devices should have PacketAnalystRole Replicated to them. LogsAndPacketsAnalyst role should be replicated to both Logs and Packet Devices.
7) Log in and test the relevant user. Each user can only gain access the devices on which they have permission. Eg
Packet user can access Packet Concentrator
However, when the packet users tries to query the Log Concentrator or any other device that does not have the Packet Analyst Role assigned they will get the error message "Failed to Retrieve Meta Keys"