4.5 Configuring Users and Roles

You can create user roles in Change Guardian and assign them permissions. Assigning roles helps you control users' access to functionality, their access to data based on fields in the incoming events, or both. Each role can contain any number of users. Users belonging to the same role inherit the permissions of that role. You can set multiple permissions for a role.

The following sections provide information about configuring users and roles:

4.5.1 Overview

Change Guardian has the following roles by default:

Administrator: A user in this role has administrative rights in Change Guardian. Administrative rights include the ability to perform user administration, data collection, data storage, search operations, rules, report, dashboard, and license management.

You cannot modify or delete the administrator role.

Change Guardian Administrator: A user in this role can view all event data including raw data.

Event Dispatcher: A user in this role can send only events and attachments to the Change Guardian server.

Operator: A user in this role can manage alerts, share alert and event views, run reports, view reports, rename reports, and delete report results.

PCI Compliance Auditor: A user in this role has access to view events that are tagged with at least one of the regulation tags such as PCI, SOX, HIPAA, NERC, FISMA, GLBA, NISPOM, JSOX, and ISO/IEC_27002:2005. A user in this role can also view system events, view the Change Guardian configuration data, and search data targets.

User: A user in this role can manage dashboards, run reports, view reports, rename reports, and delete report results.

4.5.2 Creating Roles

Roles allow you to define what a user can manage and what data they can view. You can grant permissions to the role and then assign the user to the role.

To create a role, log in to the Administration Console and click Users > Users and Roles. Under Roles, click Create. Review the following additional permissions that you can assign to the new role:

  • Edit knowledge base: Allows users to view and edit the knowledge base in the Alert Details page

  • Manage Tags: Allows all members to create, delete, and modify tags, and associate tags to different event sources

  • Manage roles and users: Allows non-administrative users to administer specific roles and users

  • Proxy for Authorized Data Requestors: Allows users to accept searches from remote data sources

  • Send events and attachments: Allows users to send events and attachments to the server

    NOTE: You can manually assign this permission to a user who needs to forward events to the server.

  • View and execute event actions: Allows members to view events and execute actions on the selected events

  • View detailed internal system state data: Allows members to view detailed internal system state data by using a JMX client

  • View knowledge base: Allows users to view the knowledge base in the Alert Details page

To create users, see Creating Users.

4.5.3 Understanding Password Complexity

Change Guardian provides a set of password validation rules that help you maintain a complex password for all local user passwords. You can select the desired validation rules as applicable for your environment.

You can configure the password validation rules in the /etc/opt/novell/sentinel/config/passwordrules.properties file. The validation rules apply only to local user passwords, not to LDAP user passwords. For existing users, the validation rules apply only after the users update their password.

By default, all the validation rules are disabled (commented out with #). To enable validation rules, uncomment the rules, specify the values for the rules, and save the file.

The following table describes the password complexity validation rules:

Table 4-1 Password Complexity Rules

MINIMUM_PASSWORD_LENGTH: Specifies the minimum number of characters required in a password.

MAXIMUM_PASSWORD_LENGTH: Specifies the maximum number of characters allowed in a password.

UNIQUE_CHARACTER_LENGTH: Specifies the minimum number of unique characters required in a password.

  For example, if the UNIQUE_CHARACTER_LENGTH value is 6 and a user specifies the password as "aaaabbccc", the password fails validation because it contains only 3 unique characters (a, b, and c).

LOWER_CASE_CHARACTERS_COUNT: Specifies the minimum number of lowercase characters required in a password.

UPPER_CASE_CHARACTERS_COUNT: Specifies the minimum number of uppercase characters required in a password.

ALPHABET_CHARACTERS_COUNT: Specifies the minimum number of alphabetic characters required in a password.

NUMERIC_CHARACTERS_COUNT: Specifies the minimum number of numeric characters required in a password.

NON_ALPHA_NUMERIC_CHARACTERS_COUNT: Specifies the minimum number of non-alphanumeric (special) characters required in a password. The rule counts only the following non-alphanumeric characters:

  ` ~ ! @ # $ % ^ & * ( ) - _ = + [ { ] } \  | ; : ' " < , > . / ?

RESTRICTED_WORDS_IN_PASSWORD: Specifies the words that are not allowed in a password. The restricted words are case-insensitive. You can specify multiple words, separated by commas.

  For example, RESTRICTED_WORDS_IN_PASSWORD= admin, password, test
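The following Python is an added example, not Change Guardian's own validator: it reads a constructed passwordrules.properties fragment, honours only the uncommented rules, and checks candidate passwords using the rule semantics from Table 4-1. The KEY=value line syntax follows the RESTRICTED_WORDS_IN_PASSWORD example above; treating restricted words as case-insensitive substrings is an assumption.

```python
# Constructed sample of a passwordrules.properties fragment (not from a real
# install): disabled rules stay commented with '#', enabled ones carry a value.
SAMPLE_RULES = """\
MINIMUM_PASSWORD_LENGTH=8
#MAXIMUM_PASSWORD_LENGTH=64
UNIQUE_CHARACTER_LENGTH=6
UPPER_CASE_CHARACTERS_COUNT=1
NUMERIC_CHARACTERS_COUNT=1
NON_ALPHA_NUMERIC_CHARACTERS_COUNT=1
RESTRICTED_WORDS_IN_PASSWORD= admin, password, test
"""

# The only characters NON_ALPHA_NUMERIC_CHARACTERS_COUNT counts (Table 4-1).
SPECIALS = set("`~!@#$%^&*()-_=+[{]}\\|;:'\"<,>./?")


def parse_rules(text):
    """Return {RULE_NAME: value} for uncommented, non-empty KEY=value lines only."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        rules[key.strip()] = value.strip()
    return rules


def validate(password, rules):
    """Return the names of the enabled rules the password violates ([] = pass)."""
    counts = {  # password property each minimum-count rule is compared against
        "MINIMUM_PASSWORD_LENGTH": len(password),
        "UNIQUE_CHARACTER_LENGTH": len(set(password)),
        "LOWER_CASE_CHARACTERS_COUNT": sum(c.islower() for c in password),
        "UPPER_CASE_CHARACTERS_COUNT": sum(c.isupper() for c in password),
        "ALPHABET_CHARACTERS_COUNT": sum(c.isalpha() for c in password),
        "NUMERIC_CHARACTERS_COUNT": sum(c.isdigit() for c in password),
        "NON_ALPHA_NUMERIC_CHARACTERS_COUNT": sum(c in SPECIALS for c in password),
    }
    failed = []
    for rule, value in rules.items():
        if rule == "MAXIMUM_PASSWORD_LENGTH" and len(password) > int(value):
            failed.append(rule)
        elif rule == "RESTRICTED_WORDS_IN_PASSWORD":
            # Comma-separated words, matched case-insensitively (assumed: as substrings).
            words = [w.strip().lower() for w in value.split(",") if w.strip()]
            if any(w in password.lower() for w in words):
                failed.append(rule)
        elif rule in counts and counts[rule] < int(value):
            failed.append(rule)
    return failed
```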

4.5.4 Creating Users

When you add a user in Change Guardian, it creates an application user. You can assign roles when you create the user.

To create a user, log in to the Administration Console and click Users > Users and Roles. You can use special characters in the user name. However, the user name must not exceed 30 characters.

If you want the server to authenticate the user against the internal database, select the default authentication method Local. However, if you want the server to authenticate the user against an LDAP directory, select Directory. Directory is enabled only if you have configured the Change Guardian server for LDAP authentication. For more information, see Configuring LDAP for Authentication.

NOTE: For a local user password, ensure that the password adheres to the password complexity validation rules. For more information, see Understanding Password Complexity.