000031908 - Unable to investigate on a core appliance because of security role conflicts in RSA Security Analytics 10.4

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000031908
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Core Appliance, Security Analytics UI
RSA Version/Condition: 10.4.x
Platform: CentOS
O/S Version: EL5, EL6
 
IssueWhen adding a new Users and Roles in the Security Analytics UI, the user/role is not automatically replicated in each appliance.  Therefore, when trying to Investigate on a Concentrator with a user that only exists on the SA Server, an error will be reported.
See the example error below that was reported when a test user and group were added only to the Security Analytics UI and then that user attempted to perform an investigation against a core appliance.

2015-01-13 17:16:06,353 [XXXX] WARN com.rsa.netwitness.carlos.clients.nextgen.nw.NwClientPipeBase - 127.0.0.1:56003 received error: User test trusted login does not contain any matching groups group_test and cannot be authenticated

CauseThis issue is by design and is not a defect. Security Analytics 10.4 uses a trusted connections model for most UI -> Core connectivity.
This means that the UI is authoritative for users and you don't need to create them on core services, except for aggregation and Reporting Engine data source accounts.
However, the role must still be defined in both the UI and Core, and this does not happen automatically.
One only has to define a custom role once on a service and you should mostly be able to forget about it. 
There are plans in a future release to move to a fully-centralized model with no dependencies on service security.
ResolutionTo resolve the issue, manually create the user on each appliance against which the user will be investigating.
Reference the two pages below from the Security Analytics 10.4 User Guide for assistance in doing this.

You can refer to the below guides for Role and Users Management:

Attachments

    Outcomes