Granting or Removing User Group Permissions

Where: Navigator > Resources > Users > user group

To grant permission to edit user groups:

  1. Right-click the user group and select Edit Access Control.

  2. In the ACL Editor, choose the User Groups tab.

    The User Groups tab lists all user groups for which members of the selected group have inspect (Read) or edit (Write) permissions, and lets you add/edit group permissions.

    Tip: This is where you grant or deny members of the group you are editing permission to edit their own user groups. Depending on your own user permissions, some user groups may not be shown, and the Read/Write checkboxes may not be editable.

  3. Add or remove permissions on a user group as follows.

  4. Click OK on the User Group ACL Editor to save changes to User Group permissions.

To grant non-administrators permission to delete users:

By default, only administrators have permission to delete users in a group. To grant non-Administrator users permission to delete users within their group (Group1 in this example), first provide Write access to the group by editing access to User Groups in the ACL Editor, as described in the previous procedure for granting permission to edit user groups.

After following the instructions, verify Group1's ACL Editor in the User Groups tab. Group1 should appear on the list, as shown:

Two additional settings are required: a server property must be set, and Write access to user Reports must be granted. Deleting a user also deletes the resources that user created, including query viewers, reports, and so on, and reports created by that user cannot be deleted unless delete permission for that user’s reports is also granted. The following steps cover both settings.

  1. Read the topic on Managing and Changing Properties File Settings in the ESM Administrator’s Guide thoroughly. In the server.properties file, set the following property:

    user.allowmodification=true

  2. Restart the Manager.

  3. Log into the ArcSight Console as Administrator, and select the Users resource in the Navigator.

  4. Select the group for non-administrators (Group1 in this example) whose members will be allowed to delete users in their own group.

  5. Right-click Group1 and choose Edit Access Control to display the ACL Editor.

  6. On the ACL Editor, click the Resources tab.

  7. Select Report in the Resource drop-down menu, and click Add to display the Reports Selector popup.

  8. In the Selector popup, select all users under Reports/Shared/Personal/ and select each user belonging to Group1. Click OK. All users are shown as Resources targets.

  9. Click to set Read (R) and Write (W) permissions as desired.

  10. Click Apply or OK to save your changes.

Members of Group1, even if they are not administrators, can now log into the ArcSight Console and delete users in their own group. To delete users, refer to Deleting a User.
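
The server.properties change in step 1 widens who can delete users, so it is worth confirming which value a Manager will actually load, for example during a configuration review. The following is an added example, not part of the product documentation: it assumes the file follows standard Java .properties rules (comment lines, last duplicate key wins, backslash continuation) and that only the value true enables the behavior; the function names and sample content are constructed.

```python
import re

# Constructed sample content, not taken from a real Manager.
# some.other.setting is a placeholder key.
SAMPLE = """\
#user.allowmodification=true
user.allowmodification=false
some.other.setting=1
user.allowmodification = true
"""

# Java .properties: key ends at the first '=', ':' or whitespace run.
# Escaped separators inside keys are not handled (not needed for this key).
_SEP = re.compile(r"\s*[=:]\s*|\s+")


def effective_properties(text):
    """Return {key: value}; as in java.util.Properties, the last duplicate wins."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":      # blank or commented-out line
            continue
        # An odd number of trailing backslashes continues onto the next line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]
            continue
        parts = _SEP.split(line, maxsplit=1)
        props[parts[0]] = parts[1] if len(parts) > 1 else ""
    return props


def user_deletion_delegated(text, key="user.allowmodification"):
    """True only if the effective (last, uncommented) value is 'true'.

    Assumption: an absent key or any other value leaves the default,
    where only administrators can delete users.
    """
    value = effective_properties(text).get(key)
    return value is not None and value.strip().lower() == "true"


if __name__ == "__main__":
    print("delegated user deletion enabled:", user_deletion_delegated(SAMPLE))
```

A plain text search for the property would also match the commented-out line and the earlier false entry; parsing for the effective value avoids both misreadings.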