10.1 Overview

You can create different user roles and assign them different permissions depending on their role. Each role can contain any number of users. Users belonging to the same role inherit the permissions of that role. You can set multiple permissions for a role.

Figure 10-1 Users and Roles configuration page

This section has the following information:

10.1.1 Default Roles

The Novell Sentinel Log Manager has the following roles by default:

Administrator: A user in this role has administrative rights in the Sentinel Log Manager system. You cannot delete the default admin user, but you can delete other users added to the Administrator role. Administrative rights include the ability to perform user administration, data collection, data storage, rules and report management, search operations, and license management.

You cannot modify or delete the Administrator role.

Compliance Auditor: A user in this role can view events that are tagged with at least one of the regulation-related tags, such as PCI, SOX, HIPAA, NERC, FISMA, GLBA, NISPOM, JSOX, and ISO/IEC_27002:2005, view system events, view the Sentinel Log Manager configuration data, and search remote targets.

Database Administrator: A user in this role has access to events coming from database event sources. The type of the event source (DB) is determined by the collector parsing the data from the event source. A user with this role can view data that matches filter rv32:"DB" and search remote targets.

Network Administrator: A user in this role can administer network infrastructure devices, such as routers, switches, VPN, etc. A user in this role has access to events coming from devices in the category NETD or VPN (as determined by the Collector parsing the data) or from event sources with the Network tag. Set the Network tag on network infrastructure related event sources to allow users in this role to view the events. A user with this role can view data that matches filter rv32:"NETD" OR rv32:"VPN" OR rv145:"Network" and search remote targets.

Network Security Administrator: A user in this role can administer network security infrastructure devices, such as firewalls, IDSs, and web proxies. A user in this role has access to events coming from devices in the category AV, FW, or IDS (as determined by the Collector parsing the data) or from event sources with the NetworkSecurity tag. Set the NetworkSecurity tag on network infrastructure related event sources to allow users in this role to view the events. A user with this role can view data that matches filter rv32:"AV" OR rv32:"FW" OR rv32:"IDS" OR rv145:"NetworkSecurity" and search remote targets.

Report Administrator: A user in this role can run reports, view, rename, and delete report results, add and delete report templates and report results, run reports on the configuration database, export all reports, and save search results as reports. A Report Administrator can also tag report templates and report results. The Report Administrator can search report templates and report results based on these tags.

Sentinel Log Manager System Monitor: A user in this role can monitor the Sentinel Log Manager system for errors or outages. A user in this role has access only to events coming from Sentinel Log Manager systems. A user in this role can also access data coming from event sources that the Sentinel Log Manager is dependent on. For example, you can tag the operating systems on which the Sentinel Log Managers and Collector Managers are running with a SentinelLogManager event source tag so that the users in this role can monitor problems with those operating systems. A user with this role can view data that matches filter rv145:"SentinelLogManager", view system events, and search remote targets.

Unix Administrator: A user in this role has access to events from operating system event sources that are not Windows machines. The type of the event source is determined by verifying the Collector parsing the data and also by verifying whether a Windows tag is present. A user in this role can view data that matches filter (rv32:"OS" NOT (("Microsoft?Active?Directory*" NOT msg:"Microsoft?Active?Directory*") OR ("Microsoft?Windows*" NOT msg:"Microsoft?Windows*"))) NOT rv145:"Windows" and search remote targets.

User: A user with this role has the ability to run reports, view, rename, and delete report results.

Windows Administrator: A user with this role can administer Windows machines. A user in this role has access to data generated by Windows event sources. The type of the event source is determined by verifying the Collector parsing the data. If data from a Windows event source is not being processed by the Active Directory or Windows collector, add the Windows tag to the event source to indicate that Windows data is being collected from it. This enables the Windows Administrator to access the data. A user in this role can view data that matches filter (rv32:"OS" AND (("Microsoft?Active?Directory*" NOT msg:"Microsoft?Active?Directory*") OR ("Microsoft?Windows*" NOT msg:"Microsoft?Windows*"))) OR rv145:"Windows" and search remote targets.
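
The following added example (not part of the Novell documentation or product code) evaluates the OR-only default role filters listed above against constructed events, showing which roles can view each event and how adding the Network tag changes visibility. It assumes rv32 carries the Collector-assigned category and rv145 the event source tags, with exact-match terms; the event dictionaries and the OTHER category are constructed for illustration.

```python
import re

# Filters copied from the default role descriptions above (OR-only filters).
ROLE_FILTERS = {
    "Database Administrator": 'rv32:"DB"',
    "Network Administrator": 'rv32:"NETD" OR rv32:"VPN" OR rv145:"Network"',
    "Network Security Administrator":
        'rv32:"AV" OR rv32:"FW" OR rv32:"IDS" OR rv145:"NetworkSecurity"',
    "Sentinel Log Manager System Monitor": 'rv145:"SentinelLogManager"',
}

TERM = re.compile(r'(\w+):"([^"]*)"')

def parse_or_filter(query):
    """Split an OR-only filter into (field, value) terms; reject anything else."""
    terms = []
    for part in (p.strip() for p in query.split(" OR ")):
        m = TERM.fullmatch(part)
        if not m:
            raise ValueError(f"unsupported filter term: {part!r}")
        terms.append((m.group(1), m.group(2)))
    return terms

def event_matches(event, terms):
    """True if any term matches. Assumption: rv32 is a single category string
    and rv145 holds the event source's tags (modelled here as a set)."""
    for field, value in terms:
        actual = event.get(field)
        if isinstance(actual, (set, list, tuple)):
            if value in actual:
                return True
        elif actual == value:
            return True
    return False

def roles_that_can_view(event):
    """Names of the filtered default roles whose filter admits this event."""
    return sorted(role for role, query in ROLE_FILTERS.items()
                  if event_matches(event, parse_or_filter(query)))

# Constructed sample events (not real Sentinel Log Manager output).
EVENTS = {
    "router": {"rv32": "NETD", "rv145": set()},
    "firewall": {"rv32": "FW", "rv145": set()},
    "untagged_lb": {"rv32": "OTHER", "rv145": set()},
    "tagged_lb": {"rv32": "OTHER", "rv145": {"Network"}},
    "slm_host": {"rv32": "OS", "rv145": {"SentinelLogManager"}},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:12} -> {roles_that_can_view(ev) or 'no filtered role'}")
```

The untagged_lb and tagged_lb events differ only in the Network tag, which is what makes the second one visible to the Network Administrator role.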

10.1.2 Filtering Data

You can either allow a user to view all the events or view only the selected events:

  • To allow a user to view all the events, select the View all Data radio button.

  • To allow users to view only selected data, select the View the following Data radio button, then select one or more of the following options:

    • To allow a user to view events that match a filter, specify the Lucene search query in the text box. You can click the Tips link to understand how to construct a valid Lucene search query. For example, if you set the filter value to sev:5, the user can view only events of severity five in a search.

    • To allow a user to view the Sentinel Log Manager configuration data, select View Sentinel Log Manager configuration data.

    • To allow a user to view system events, select View System Events.

10.1.3 Setting Permissions

You can assign the following permissions to the role:

  • Manage Reports: When this permission is set on a role, all members of that role can run reports, view, rename and delete report results, add and delete report templates and results. For more information on reports, see Section 6.0, Reporting.

  • Manage Tags: When this permission is set on a role, all members of that role can create, delete and modify tags, and associate tags to different event sources. For more information on tags, see Section 8.0, Configuring Tags.

  • Search Remote Targets: When this permission is set on a role, all members of that role can perform searches on event sources that are in a distributed location. For more information on distributed searching and reporting, see Section 7.0, Searching and Reporting Events in a Distributed Environment.

  • Proxy for Authorized Search Initiators: When this permission is set on a role, the members of this role can accept searches from remote targets.