2.1 Overview

You can create different user roles and assign them different permissions. Each role can contain any number of users. Users belonging to the same role inherit the permissions of the role they belong to. You can set multiple permissions for a role.

Sentinel has the following roles by default:

Administrator: A user in this role has administrative rights in the Sentinel system. You cannot delete a user with this role. Administrative rights include the ability to perform user administration, data collection, data storage, search operations, and rules, report, dashboard, and license management.

You cannot modify or delete the administrator role.

Database Administrator: A user in this role has access to events coming from database event sources. The type of the event source (DB) is determined by the collector parsing the data from the event source. A user with this role can view data that matches filter rv32:"DB" and search remote targets.

Incident Administrator: A user in this role can manage incidents in the system and control incidents being handled by other users.

Network Administrator: A user in this role can administer network infrastructure devices, such as routers, switches, and VPNs. This role has access to events coming from devices in the category NETD or VPN (as determined by the Collector parsing the data) or from event sources with the Network tag. Set the Network tag on network infrastructure event sources to allow users in this role to view the events. A user with this role can view data that matches filter rv32:"NETD" OR rv32:"VPN" OR rv145:"Network", and can search remote targets.

Network Security Administrator: A user in this role can administer network security infrastructure devices, such as firewalls, IDSs, and Web proxies. This role has access to events coming from devices in the category AV, FW, or IDS (as determined by the Collector parsing the data) or from event sources with the NetworkSecurity tag. Set the NetworkSecurity tag on network security infrastructure event sources to allow users in this role to view the events. A user with this role can view data that matches filter rv32:"AV" OR rv32:"FW" OR rv32:"IDS" OR rv145:"NetworkSecurity", and can search remote targets.

PCI Compliance Auditor: A user in this role has access to view events that are tagged with at least one of the regulation tags such as PCI, SOX, HIPAA, NERC, FISMA, GLBA, NISPOM, JSOX, and ISO/IEC_27002:2005, and can view system events, view the Sentinel configuration data, and search remote targets.

Report Administrator: A user in this role can run reports, view, rename and delete report results, add and delete report templates and report results, run reports on configuration database, export all reports, and save search results as a report. A Report Administrator can also tag report templates and report results. The Report Administrator can search report templates and report results based on these tags.

Search Proxy User: This is a system role for proxy users. This role allows other systems to search the local system.

Security Policy Administrator: A user in this role can implement the security policies within the system for users to access anomaly detection, correlation, incident remediation, and iTRAC workflows.

System Event Monitor: A user in this role can monitor the Sentinel system for errors or outages. This role has access only to events coming from Sentinel systems. A user in this role can also access data coming from event sources that Sentinel is dependent on. For example, you can tag operating systems on which Sentinel and the Collector Managers are running with a Sentinel event source tag so that the users in this role can monitor problems with operating systems. A user with this role can view data that matches filter rv145:"Sentinel", view system events, and search remote targets.

Unix Administrator: A user in this role has access to events from operating system event sources that are not Windows machines. The type of the event source is determined by verifying the Collector parsing the data and also by verifying whether a Windows tag is present. A user in this role can view data that matches filter (rv32:"OS" NOT (("Microsoft?Active?Directory*" NOT msg:"Microsoft?Active?Directory*") OR ("Microsoft?Windows*" NOT msg:"Microsoft?Windows*"))) NOT rv145:"Windows" and search remote targets.

User: A user with this role can manage dashboards, run reports, view and rename reports, and delete report results.

Windows Administrator: A user with this role can administer Windows machines. This role has access to data generated by Windows event sources. The type of the event source is determined by verifying the Collector parsing the data. If data from a Windows event source is not being processed by the Active Directory or the Windows Collector, add the Windows tag to event sources to indicate that Windows data is being collected from the event source. This enables the Windows administrator to access the data. A user in this role can view data that matches filter (rv32:"OS" AND (("Microsoft?Active?Directory*" NOT msg:"Microsoft?Active?Directory*") OR ("Microsoft?Windows*" NOT msg:"Microsoft?Windows*"))) OR rv145:"Windows" and search remote targets.
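The visibility filters quoted for the data-scoped roles above are easier to reason about when evaluated against concrete events. The following Python model is an added example, not code from the Sentinel product or its documentation. It implements the filter expressions for the Database, Network, Network Security, System Event Monitor, Unix and Windows Administrator roles over constructed sample events, and shows that the Unix and Windows filters assign every rv32:"OS" event to exactly one of the two roles. Assumptions labelled in the code: ? matches one character and * any run (both anchored and case-insensitive), a term without a field prefix is matched against every field, and the "product" field is invented so the bare terms have a field other than msg to match.

```python
import re

# Constructed sample events (not from the page). rv32 (device category),
# rv145 (tag) and msg follow the role filters quoted above; "product" is an
# assumed extra field that the field-less terms can match against.
SAMPLE_EVENTS = [
    {"rv32": "DB",   "rv145": "",                "product": "Oracle",                             "msg": "login succeeded"},
    {"rv32": "NETD", "rv145": "",                "product": "Cisco IOS",                          "msg": "interface up"},
    {"rv32": "FW",   "rv145": "NetworkSecurity", "product": "Check Point",                        "msg": "drop tcp/445"},
    {"rv32": "OS",   "rv145": "",                "product": "Linux syslog",                       "msg": "sshd: accepted publickey"},
    {"rv32": "OS",   "rv145": "",                "product": "Microsoft Windows Security Auditing", "msg": "An account was logged on"},
    {"rv32": "OS",   "rv145": "",                "product": "Linux syslog",                       "msg": "Microsoft Windows ISO downloaded"},
    {"rv32": "OS",   "rv145": "Sentinel",        "product": "Linux syslog",                       "msg": "disk 91% full"},
    {"rv32": "OS",   "rv145": "Windows",         "product": "Custom agent",                       "msg": "service restarted"},
]


def wildcard(pattern):
    """Compile a filter term into a regex. Assumption: ? matches exactly one
    character, * matches any run, the match covers the whole field value and
    is case-insensitive."""
    body = "".join("." if c == "?" else ".*" if c == "*" else re.escape(c)
                   for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE)


def field_matches(event, field, pattern):
    """field:"pattern" form, e.g. rv32:"DB"."""
    return bool(wildcard(pattern).match(event.get(field, "")))


def any_field_matches(event, pattern):
    """A term with no field prefix; assumed to be searched in every field."""
    return any(field_matches(event, f, pattern)
               for f, v in event.items() if isinstance(v, str))


def _windows_source(e):
    """The shared sub-expression of the Unix and Windows filters:
    (("Microsoft?Active?Directory*" NOT msg:"Microsoft?Active?Directory*")
     OR ("Microsoft?Windows*" NOT msg:"Microsoft?Windows*"))
    It selects events where a Windows product name appears in some field
    other than the free-text message, so a Linux event that merely mentions
    Windows in its msg is not reclassified."""
    ad, win = "Microsoft?Active?Directory*", "Microsoft?Windows*"
    return ((any_field_matches(e, ad) and not field_matches(e, "msg", ad))
            or (any_field_matches(e, win) and not field_matches(e, "msg", win)))


ROLE_FILTERS = {
    # rv32:"DB"
    "Database Administrator": lambda e: field_matches(e, "rv32", "DB"),
    # rv32:"NETD" OR rv32:"VPN" OR rv145:"Network"
    "Network Administrator": lambda e: (field_matches(e, "rv32", "NETD")
                                        or field_matches(e, "rv32", "VPN")
                                        or field_matches(e, "rv145", "Network")),
    # rv32:"AV" OR rv32:"FW" OR rv32:"IDS" OR rv145:"NetworkSecurity"
    "Network Security Administrator": lambda e: (field_matches(e, "rv32", "AV")
                                                 or field_matches(e, "rv32", "FW")
                                                 or field_matches(e, "rv32", "IDS")
                                                 or field_matches(e, "rv145", "NetworkSecurity")),
    # rv145:"Sentinel"
    "System Event Monitor": lambda e: field_matches(e, "rv145", "Sentinel"),
    # (rv32:"OS" NOT (<windows sub-expression>)) NOT rv145:"Windows"
    "Unix Administrator": lambda e: (field_matches(e, "rv32", "OS")
                                     and not _windows_source(e)
                                     and not field_matches(e, "rv145", "Windows")),
    # (rv32:"OS" AND (<windows sub-expression>)) OR rv145:"Windows"
    "Windows Administrator": lambda e: ((field_matches(e, "rv32", "OS")
                                         and _windows_source(e))
                                        or field_matches(e, "rv145", "Windows")),
}


def roles_that_can_view(event):
    """Return the sorted list of data-scoped roles whose filter admits the event."""
    return sorted(role for role, accepts in ROLE_FILTERS.items() if accepts(event))


def os_events_split_cleanly(events):
    """Check that every rv32:"OS" event is visible to exactly one of the Unix
    and Windows Administrator roles, which is what the two filters are meant
    to guarantee."""
    for e in events:
        if field_matches(e, "rv32", "OS"):
            seen = {r for r in roles_that_can_view(e)
                    if r in ("Unix Administrator", "Windows Administrator")}
            if len(seen) != 1:
                return False
    return True


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['rv32']:4} {e['rv145']:15} {e['product']:36} -> {roles_that_can_view(e)}")
    print("OS events split cleanly:", os_events_split_cleanly(SAMPLE_EVENTS))
```

The sixth sample event is the instructive one: its msg contains "Microsoft Windows", but because the only field matching the bare term is msg, the NOT msg:"Microsoft?Windows*" clause cancels the match and the event stays with the Unix Administrator. When tagging sources by hand, the rv145 tags (Windows, Network, NetworkSecurity, Sentinel) override the Collector-derived classification, which is why the tag checks sit outside the parenthesised category tests.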