This topic provides information about configuring data sources for Reporting Engine using the Sources tab of the Services > View > Config view.
With the addition of the Data Privacy feature to Security Analytics 10.6 and above, access to sensitive meta in SA Core services can be restricted by configuring separate data sources for Data Privacy Officer (DPO) users and non-DPO users, and limiting access to those data sources by assigning appropriate permissions.
In the Services Config view, you can add each Core service as two separate data sources: one with a service account having privileges equivalent to a DPO and the other with a service account having privileges equivalent to any other user. Then, to limit access to those data sources based on roles, you can assign read access or no access to those data sources for individual roles. To limit access to Warehouse data sources, you can do the same.
For more information, see Configure Data Source Permissions.
Note: A user assigned to the Data_Privacy_Officers role (or an equivalent custom role) can create an alert and configure output actions for a report or alert in the Reporting module. In an environment where data privacy features of Security Analytics are enabled and one or more meta keys are configured as protected, these actions can result in the following:
- When an alert is created by a DPO user, any protected or sensitive meta involved in the alert is automatically available in Incident Management. This may inadvertently provide all the users of Incident Management module access to the sensitive meta values, regardless of their roles. One option to prevent this is to disable publishing into Incident Management from Reporting.
- When an Output Action is configured by a DPO user, sensitive meta values, reports with sensitive meta values, or both may become available to target users or destinations of that Output Action, regardless of the role assigned to the target user.
It is strongly recommended that DPO users completely avoid creating alerts or configuring output actions for a report or alert in the Reporting module. If they do so, the implications above must be carefully considered.
Security Analytics Core services (for example, Concentrator, Broker, or Archiver) support the ability to restrict meta data based on the configured user role. To make use of the data privacy feature for Reporting Engine, you can configure two separate service accounts against Core: one service account for general-purpose reporting that does not include any sensitive data, and the other for privileged users with access to all data, including sensitive data. The access to restricted meta data for the two service accounts is configured as part of the data privacy plan on each Core service.
In Reporting Engine, you can add each Core service as two separate data sources (one being the regular data source and the other a privileged data source) using the two separate service accounts. You can configure Reporting Engine to allow only users with privileged roles to access the sensitive data source. Hence, Reporting Engine can connect to a NWDB Data source in two ways:
- Using a service account with DPO role.
- Using a service account without a DPO role.
Note: You can also add two or more data sources for the same Core service.
After adding two data sources with different service accounts for the same Core service, you can configure data source permissions to manage access to these data sources. For more information, see Configure Data Source Permissions.
Note: If the content is changed to utilize the transformed meta key, the hash value of the original meta is displayed in its place when viewing reports, charts and alerts.
Add a NWDB Data Source with Different Service Accounts
To add a NWDB data source with different service accounts:
- In the Security Analytics menu, select Administration > Services.
- In the Services panel, select a Reporting Engine service.
The Services Config view of Reporting Engine is displayed.
- Select the Sources tab.
The Services Config View is displayed with the Reporting Engine Sources tab open.
The Available Services dialog is displayed. All services are listed, including those that have already been added to Reporting Engine.
- Select the required service and click OK.
The Service Information dialog for the selected service is displayed.
Note: Security Analytics prompts you to provide a username and password for the selected service. To limit access to sensitive data, DPO users must use their credentials while adding the source instead of using the admin credentials. These credentials need to be applied to the host even if using trusted connections between the Security Analytics server and Security Analytics Core hosts.
- Repeat the step for the non-DPO data source.
- Type the username and password for the required service account.
The required service is added as a data source to the Reporting Engine. Two data sources are added to Reporting Engine for the same Core device.
After adding multiple data sources with different service accounts for the same Core device, you can configure data source permissions to manage access to these data sources.