000031253 - Security Analytics 10.5.0 & Assigning Users to multiple roles with query prefixes does not work

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000031253
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics UI
RSA Version/Condition: 10.5.0 and
Platform: CentOS
O/S Version: 6
IssueWhen attempting to utilize query prefixes to limit what device types a user can see in Investigation -> Navigate window, a single device.type prefix works as expected, but when adding a second device.type prefix, no results are rendered.
Here is an example use case:
A user has a single role with the following query prefix such as: device.type = 'ciscosecureacs', this works as expected.
Next, add a second query prefex, such as device.type = 'forescoutcounteract'. When the second device.type is added, no search results are returned.
In tailing the /var/log/messages, it appears that an “AND” search operation is being performed, where as an “OR” operation would be appropriate.
CauseThis has been deemed as flawed functionality by RSA Engineering.  
ResolutionThis issue is slated to be fixed in 10.5.1 (service pack 1) for Security Analytics 10.5.
WorkaroundNo workaround exists for this issue, only 1 query prefix may be used in 10.5.0 and