Data Privacy: Configure User Accounts for Use in Data Privacy

Document created by RSA Information Design and Development on Jul 26, 2016

This topic provides the procedures for configuring user accounts that work with data obfuscation in Security Analytics.

In order for data obfuscation to work, accounts and permissions for several types of users must be configured.

  • Customize the default Administrators system role in Security Analytics to remove permissions that should be available only to the Data Privacy Officer.
  • Add two new user accounts at the system level to depict a data privacy officer and a typical analyst.
  • Add a user account at the service level with the aggregation role so that Decoders and Log Decoders can aggregate data to a Concentrator or Broker.
  • On the Reporting Engine, configure two separate service accounts: one for general-purpose reporting that does not include any sensitive data, and the other for privileged users with access to all data, including sensitive data. This procedure is described in the Configure Data Source Permissions topic in the Reporting Engine Configuration Guide.

Customize the Default Administrators User Role at the Service Level

To separate the data privacy officer and administrator functions on each Decoder and Log Decoder, you need to remove the dpo.manage permission from a clone of the Administrators role.

  1. In the Security Analytics menu, select Administration > Services, select a Decoder or Log Decoder, and click the Actions icon > View > Security.
  2. In the Services Security view, click the Roles tab, select Administrators and click the Duplicate icon.
    In the Enter Role Name dialog, enter a new role name such as Non_DPO_Administrators and click Save.
  3. Select the new role, and click the Edit icon.
    The Role Information is displayed for editing.
  4. Click the box next to dpo.manage so that it is no longer checked and click Apply.
    The permission to manage data privacy configuration is removed for the new role.
  5. In the Users tab, select each user who has the Administrators role, and change their role to the cloned role.
  6. Validate that the users with the modified Administrators role can log in with admin privileges.
  7. Validate that the users with the modified Administrators role cannot configure meta and content restrictions in the Settings tab.

Add a User Account with the Aggregation User Role at the Service Level

To ensure that Decoders and Log Decoders can aggregate data to a Concentrator or Broker:

  1. In the Security Analytics menu, select Administration > Services, select a Decoder or Log Decoder, and click the Actions icon > View > Security.
  2. In the Users tab, add a user with the Aggregation role and click Apply.

Note: The Aggregation Role topic in the Host and Services Configuration Guide provides details about the application of this user role.

Add Data Privacy Officer and Analyst Accounts on the Security Analytics Server

You need to add two new user accounts in Security Analytics at the system level to depict a privileged data privacy officer and a typical analyst. If the environment is configured using the default trusted connections, you do not need to create the new user accounts on the Security Analytics Core services (Brokers, Concentrators, and Decoders). When a user is created in the Security Analytics Server, that user can log on to the services.

Note: The role name is required to exist on both the server and the services, and the role name must be identical. If you create a new custom role on the Security Analytics Server, make sure to add it to all Security Analytics Core services as well.

  1. Create a new user account for the data privacy officer:
    1. In the Security Analytics menu, select Administration > Security. In the Users tab toolbar, click the Add icon.
      The Add User dialog is displayed.
    2. Create the new account with the following credentials.
      Username = <new user name for logon, for example, DPOadmin>
      Email = <new user's email, for example, DPOadmin@rsa.com>
      Password = <new user's password for logging on, for example, RSAprivacy1!@>
      Full Name = <new user's full name, for example, DPO Administrator>
    3. In the Roles and Attributes section, click the Roles tab, click the Add icon, and select the Data_Privacy_Officers role for the new user.
    4. Select Save.
  2. Create a new user account for the analyst with limited privileges:
    1. In the Security Analytics menu, select Administration > Security. In the Users tab toolbar, click the Add icon.
      The Add User dialog is displayed.
    2. Create the new account with the following credentials:
      Username = <new user name for logon, for example, NonprivAnalyst>
      Email = <new user's email, for example, NonprivAnalyst@rsa.com>
      Password = <new user's password for logging on, for example, RSAprivacy2!@>
      Full Name = <new user's full name, for example, Nonprivileged Analyst>
    3. In the Roles and Attributes section, click the Roles tab, click the Add icon, and select the Analysts role for the new user.
    4. Select Save.
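The two rules this page relies on (the cloned administrator role must not hold dpo.manage, and every role name must exist identically on the server and on all Core services) are easy to get wrong across many services. The following is an added example, not RSA code or an RSA API: it runs both checks over a constructed role export, where the dictionary layout and the permission names other than dpo.manage are assumptions.

```python
# Added example (not from the RSA documentation): checks two rules this page
# states against a constructed role export. The dict layout is an assumption,
# not an RSA API. Rule 1: every Security Analytics Server role must exist with
# an identical name on every Core service. Rule 2: only Data_Privacy_Officers
# and the untouched default Administrators role may hold dpo.manage.

DPO_PERMISSION = "dpo.manage"
DPO_ROLE = "Data_Privacy_Officers"
# Default Administrators keeps dpo.manage; its users are moved to the clone (step 5).
ALLOWED_DPO_HOLDERS = {DPO_ROLE, "Administrators"}

def check_role_parity(server_roles, services):
    """Return (service, server_role, case_only_match) for each role absent on a service."""
    findings = []
    for service, roles in services.items():
        for role in server_roles:
            if role in roles:
                continue
            # A case-only difference still breaks the mapping: names must be identical.
            near = [r for r in roles if r.lower() == role.lower()]
            findings.append((service, role, near[0] if near else None))
    return findings

def check_dpo_permission(services, allowed=ALLOWED_DPO_HOLDERS):
    """Return (service, role) for every role outside `allowed` that holds dpo.manage."""
    return [(service, role)
            for service, roles in services.items()
            for role, perms in roles.items()
            if DPO_PERMISSION in perms and role not in allowed]

# Constructed sample: server role names, then each service's role -> permission set.
# Permission names other than dpo.manage are placeholders, not taken from the page.
SERVER_ROLES = ["Administrators", "Non_DPO_Administrators", DPO_ROLE, "Analysts"]
SERVICES = {
    "decoder-1": {
        "Administrators": {"dpo.manage", "sys.manage"},
        "Non_DPO_Administrators": {"sys.manage"},       # clone with dpo.manage removed
        DPO_ROLE: {"dpo.manage"},
        "Analysts": {"sdk.meta"},
        "Aggregation": {"sdk.content"},                 # service-local aggregation role
    },
    "concentrator-1": {
        "Administrators": {"dpo.manage", "sys.manage"},
        "non_dpo_administrators": {"dpo.manage", "sys.manage"},  # misnamed clone, still privileged
        DPO_ROLE: {"dpo.manage"},
    },
}

if __name__ == "__main__":
    print(check_role_parity(SERVER_ROLES, SERVICES))
    print(check_dpo_permission(SERVICES))
```

On the sample data the parity check reports the misnamed clone and the missing Analysts role on concentrator-1, and the permission check reports that the misnamed clone still holds dpo.manage.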
