4.5 Configuring Users and Roles

You can create different user roles and assign them different permissions. Role assignment helps you control users' access to functionality, their access to data based on fields in the incoming events, or both. Each role can contain any number of users. Users belonging to the same role inherit the permissions of that role. You can set multiple permissions for a role.

The following sections provide information about configuring users and roles.

4.5.1 Overview

Change Guardian has the following roles by default:

Administrator: A user in this role has administrative rights in the Change Guardian system. You cannot delete users in this role. Administrative rights include the ability to perform user administration, data collection, data storage, search operations, rules, report, dashboard, and license management.

You cannot modify or delete the administrator role.

Change Guardian Administrator: A user in this role can view all event data, including raw data.

Event Dispatcher: A user in this role can send only events and attachments to the server.

Operator: A user in this role can manage alerts, view Security Intelligence Dashboards, share alert and event views, run reports, view and rename reports, and delete report results.

PCI Compliance Auditor: A user in this role has access to view events that are tagged with at least one of the regulation tags such as PCI, SOX, HIPAA, NERC, FISMA, GLBA, NISPOM, JSOX, and ISO/IEC_27002:2005, and can view system events, view the Change Guardian configuration data, and search data targets.

User: A user in this role can manage dashboards, run reports, view and rename reports, and delete report results.

4.5.2 Creating Roles

Roles allow you to define what a user can manage and what data they can view. Permissions are granted to the role, and then the user is assigned to the role.

Creating a Role

  1. From Administration Console, click Users in the toolbar.

  2. Select a tenant from the Tenants list to assign a tenant to the role.

    Users created under this role will have access to view events from the selected tenant.

  3. Click Create in the Roles section to create a new role.

  4. Use the following information to create the role:

    Role name: Specify a unique name for the role. A role name should not exceed 40 characters.

    Description: Specify a description of the role.

    Users with this role can: Select the permissions that a role grants to users assigned to the role.

    • View all event data: Select this option to allow users to view all the data in the Change Guardian system. If you select this option, you must select one or more of the following permissions:

    • View the following data: Select this option to allow users to view only selected data in the Change Guardian system.

      • Only events matching the criteria: Allows users to view only the events returned by the specified search query. For example, if you set the filter value to sev:5, users with this permission can view only events of severity five in a search.

      • Search Data Targets: When this permission is set on a role, all members of that role can perform searches on Change Guardian systems that are in a distributed location.

      • View asset data: Allows users to view asset data.

      • View asset vulnerability data: Allows users to view vulnerability data.

      • View data in the embedded database: Allows users to view the data in the embedded database.

      • View people browser: Allows users to view the data in the Identity Browser.

      • View system events: Allows users to view the Change Guardian system events.

    • Allow users to access reports: Select this option to allow users to access and manage reports.

      • Manage reports: Allows users to create, modify, run, and delete reports.

      • Run reports: Allows users to only run reports.

    • Allow users to manage alerts: Select this option to allow users to view and manage alerts. Select either of the following options:

      • Manage all alerts: Allows the users to view and edit all the alerts and configure alert creation.

      • Manage only alerts that match the following criteria: Allows the users to view and edit the alerts that match the specified criteria. This permission also allows the role to configure alert creation.

    • Sharing: Allows users in the role to share real-time views, filters, and reports with other users.

    • Miscellaneous: Assign miscellaneous permissions as necessary:

      • Edit knowledge base: Allows users to view and edit the knowledge base in the Alert Details page.

      • Manage Tags: When this permission is set on a role, all members of this role can create, delete, and modify tags, and associate tags to different event sources.

      • Manage roles and users: Allows non-administrator users to administer specific roles and users.

      • Send Events and Attachments: Allows users to send events and attachments to the server.

        NOTE: You must manually assign this permission to a user who needs to forward events to the server.

      • Proxy for Authorized Data Requestors: When this permission is set on a role, the members of this role can accept searches from remote data sources.

      • View and execute event actions: When this permission is set on a role, all members of this role can view events and execute actions on the selected events.

      • View detailed internal system state data: When this permission is set on a role, all members of this role can view detailed internal system state data by using a JMX client.

      • View knowledge base: Allows users to view the knowledge base in the Alert Details page.

  5. Click Save.

To create users for this role, see Creating Users.

4.5.3 Understanding Password Complexity

A complex password improves security by preventing password guessing attacks. Change Guardian provides a set of password validation rules that help you maintain a complex password for all local user passwords. You can select the desired validation rules as applicable for your environment.

You can configure the password validation rules in the /etc/opt/novell/sentinel/config/passwordrules.properties file. The validation rules apply only to the local user passwords and not LDAP user passwords. For existing users, validation rules apply only after the users update their password.

By default, all the validation rules are disabled and commented with #. To enable validation rules, uncomment the rules, specify the values for the rules, and save the file.

The following table describes the password complexity validation rules:

Table 4-1 Password Complexity Rules

MINIMUM_PASSWORD_LENGTH: Specifies the minimum number of characters required in a password.

MAXIMUM_PASSWORD_LENGTH: Specifies the maximum number of characters allowed in a password.

UNIQUE_CHARACTER_LENGTH: Specifies the minimum number of unique characters required in a password.

For example, if the UNIQUE_CHARACTER_LENGTH value is 6 and a user specifies the password as "aaaabbccc", Change Guardian does not validate the password because it contains only 3 unique characters: a, b, and c.

LOWER_CASE_CHARACTERS_COUNT: Specifies the minimum number of lowercase characters required in a password.

UPPER_CASE_CHARACTERS_COUNT: Specifies the minimum number of uppercase characters required in a password.

ALPHABET_CHARACTERS_COUNT: Specifies the minimum number of alphabetic characters required in a password.

NUMERIC_CHARACTERS_COUNT: Specifies the minimum number of numeric characters required in a password.

NON_ALPHA_NUMERIC_CHARACTERS_COUNT: Specifies the minimum number of non-alphanumeric or special characters required in a password. The rule considers only the following non-alphanumeric characters:

` ~ ! @ # $ % ^ & * ( ) - _ = + [ { ] } \ | ; : ' " < , > . / ?

RESTRICTED_WORDS_IN_PASSWORD: Specifies the words that are not allowed in a password. The restricted words are case-insensitive. You can specify multiple words separated by a comma.

For example, RESTRICTED_WORDS_IN_PASSWORD= admin,password,test
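The following checker applies the validation rules above to a candidate password; it is an added example, not Change Guardian's own code. It assumes passwordrules.properties uses Java-style KEY=value lines with disabled rules commented out with #, as described, and the sample file it parses is constructed here.

```python
# Added example, not Change Guardian's own code: applies the Table 4-1 rules to a
# candidate password, reading KEY=value lines and treating "#" lines as disabled.
# The only non-alphanumeric characters the rule counts, as listed in Table 4-1.
SPECIAL_CHARS = set("`~!@#$%^&*()-_=+[{]}\\|;:'\"<,>./?")

def parse_rules(text):
    """Return the enabled rules as a dict; commented-out (#) lines are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        rules[key.strip()] = value.strip()
    return rules

def validate_password(password, rules):
    """Return the names of the rules the password violates (empty list = accepted)."""
    counts = {  # each minimum-count rule paired with the matching count in the password
        "MINIMUM_PASSWORD_LENGTH": len(password),
        "UNIQUE_CHARACTER_LENGTH": len(set(password)),
        "LOWER_CASE_CHARACTERS_COUNT": sum(c.islower() for c in password),
        "UPPER_CASE_CHARACTERS_COUNT": sum(c.isupper() for c in password),
        "ALPHABET_CHARACTERS_COUNT": sum(c.isalpha() for c in password),
        "NUMERIC_CHARACTERS_COUNT": sum(c.isdigit() for c in password),
        "NON_ALPHA_NUMERIC_CHARACTERS_COUNT": sum(c in SPECIAL_CHARS for c in password),
    }
    failed = [rule for rule, count in counts.items()
              if rule in rules and count < int(rules[rule])]
    if "MAXIMUM_PASSWORD_LENGTH" in rules and len(password) > int(rules["MAXIMUM_PASSWORD_LENGTH"]):
        failed.append("MAXIMUM_PASSWORD_LENGTH")
    # Restricted words are comma-separated and matched case-insensitively.
    words = [w.strip().lower() for w in rules.get("RESTRICTED_WORDS_IN_PASSWORD", "").split(",")]
    if any(w and w in password.lower() for w in words):
        failed.append("RESTRICTED_WORDS_IN_PASSWORD")
    return failed

# Constructed sample of the properties file; MAXIMUM_PASSWORD_LENGTH is left disabled.
SAMPLE_RULES = """\
MINIMUM_PASSWORD_LENGTH=8
#MAXIMUM_PASSWORD_LENGTH=64
UNIQUE_CHARACTER_LENGTH=6
LOWER_CASE_CHARACTERS_COUNT=1
UPPER_CASE_CHARACTERS_COUNT=1
NUMERIC_CHARACTERS_COUNT=1
NON_ALPHA_NUMERIC_CHARACTERS_COUNT=1
RESTRICTED_WORDS_IN_PASSWORD= admin,password,test
"""
```

With the sample rules, validate_password("aaaabbccc", parse_rules(SAMPLE_RULES)) reports UNIQUE_CHARACTER_LENGTH among the failures, matching the example in the table.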

4.5.4 Creating Users

Adding a user in the Change Guardian system creates an application user who can then log in to Change Guardian. You also assign roles when you create the user.

  1. From Administration Console, click Users.

  2. Click Create in the Users section.

  3. Specify the name and email address of the user.

    The fields with an asterisk (*) are mandatory, and the user name must be unique.

    A user name cannot exceed 30 characters, and you can use extended characters when you create it.

  4. Select a role for the user.

  5. Select the authentication type:

    Local: Select this option for the server to authenticate the user's login against the internal database. By default, the Local option is selected.

    Directory: The Directory option is enabled only if you have configured the Change Guardian server for LDAP authentication. Select this option for the server to authenticate the user's login against an LDAP directory.

  6. (Conditional) If you specified Local for the authentication type in Step 5, specify any user name in the Username field and continue with Step 8.

  7. (Conditional) If you specified Directory for the authentication type in Step 5, specify the user name according to the settings you used when you configured LDAP, then continue with Step 10.

  8. Specify a password in the Password field.

    NOTE: For a local user password, ensure that the password adheres to the password complexity validation rules. For more information, see Understanding Password Complexity.

  9. Re-enter the password in the Verify field.

  10. The Title, Office #, Ext, Mobile #, and Fax fields are optional. The phone number fields allow any format. Make sure you enter a valid phone number so that the user can be contacted directly.

  11. Click Save.