This topic provides an overview of the access permissions the user may have depending on the user role to manage an alert. The Reporting module provides access control at the alert level. Only a user who has the right set of permissions can perform the tasks in the Reporting module. The access control is managed by the administrator from the Administration > Security > Roles tab.
Note: Reporting Engine Alert permissions are prefixed with 'RE' to distinguish it from Event Streaming Analysis (ESA).
When creating users and user roles, administrator must ensure that the roles created for specific tasks have access to all the permissions higher in the hierarchy of roles.
Alerts can be tied to a specific set of user roles so that when a user logs into Security Analytics, the only alerts they can access are alerts accessible by the role the user belongs. Users that belong to a user role with the ‘Read & Write’ access permission can define alerts. Further, the access can be tightened so that alerts are accessed only by those who have the ‘Read Only’ access.
At the alert level, you can set the following access permissions for the user roles in Security Analytics:
- Read & Write
- Read Only
- No Access
Access Control for an Alert
When you want to change the alert permissions, you must select an alert and set their access permissions using the Alert Permissions panel.
Before applying the Alert permissions, the default permission set for all the user roles is 'No Access' permission and the checkbox is unchecked, as shown in the figure.
If you want to change the access permission for a specific user role, you must set these at the alert level, as shown in the figure. Suppose, you want the Administrators to have access to a specific alert, you can set the permission 'Read & Write' in the Alert Permissions panel.
And, you can apply read-only permission to rules in the alerts by selecting the checkbox.
The two scenarios are explained in brief:
- Scenario 1: Permissions applied to Alert/ Rules based on the user role.
- Scenario 2: Read-only permission applied to Rules in the Alert.
|Role (Analysts)||Permissions applied to Alert/ Rules based on the user role||Permission (Read-only) applied to Rules in the Alert|
|Alert||Read & Write||Read & Write||Read & Write|
The Alert is assigned the role of a Security Analyst and permissions are set to Read & Write alerts.
For scenario 1, each of the levels has a permission set based on the user role. For scenario 2, the Read permission is set for the Rules except that the permission for the rules must not be higher than the permission for the Alerts.
Note: If the permission for the rules is higher than the permission for the Alerts, the permission is not applied. For example, if you set the permissions for the Alert as No Access and then specify the option Apply Read-only permission to Rules in the Alerts, the read-only permission is not set for the rules.
Access Control for an Alert When Multiple Alerts are Selected
When you want to change permissions of multiple alerts, you must select several alerts and set their access permissions using the Alert Permissions panel. The access permission that you choose is applied to all the selected alerts.
Login as a specific user and view the access details
When you login to the Security Analytics UI as a user having 'Read access' permission, all the alerts will be denoted with the symbol
() and when you click on the symbol the 'Read Only' callout is displayed on the Alert List panel.
When you login to the Security Analytics UI as a user not having 'Read & Write' access permission on an Alert, all the alerts will be denoted with the symbol () and the alerts appear grayed out on the Alert List panel.
The following figure shows the Alert List panel when logged in with minimal 'Read & Write' access permission.
Note: If a User (other than the super user) creates an alert there will be no access to that alert for the super user.
The following table lists the various columns in the Alert Permissions Panel: