4.2 Creating Roles

Roles allow you define what a user can manage and what data they can view. Permissions are granted to the role, and then the user is assigned to the role.

4.2.1 Creating a Role

  1. From Sentinel Main, click Users.

  2. Select a tenant from the Tenant drop-down list to assign a tenant to the role.

    Users created under this role will have access to view events from the selected tenant.

  3. Click Create in the Roles section to create a new role.

  4. Use the following information to create the role:

    Role name: Specify a unique name for the role. A role name should not exceed 40 characters.

    Description: Specify a description of the role.

    Users with this role can: Select the permissions that a role grants to users assigned to the role.

    • View all event data: Select this option to allow users to view all the data in the Sentinel system. If you select this option, you must select one or more of the following permissions:

      • Manage Correlation Engine/Rules: Allows users to manage Correlation rules and all data associated with these rules. The Correlation feature is displayed in the Sentinel Main interface only if this permission is selected.

      • Manage and View Security Intelligence Dashboards: Allows user to view, create, and manage the Security Intelligence dashboards and the data displayed in the dashboards. The Security Intelligence option is displayed in the Sentinel Main interface only if this permission is selected.

      • View Security Intelligence Dashboards: Allows user to view the Security Intelligence dashboards and the data displayed in the dashboards. The Security Intelligence option is displayed in the Sentinel Main interface only if this permission is selected.

    • View the following data: Select this option to allow users to view only selected data in the Sentinel system.

      • Only events matching the filter: Allows users to view only the events returned by the specified search query. For example, if you set the filter value to sev:5, users with this permission can view only events of severity five in a search.

        For more information about using filters, see Configuring Filters in the Sentinel User Guide.

        Select one or more of the following permissions to use when viewing the filtered data:

      • Search Data Targets: When this permission is set on a role, all members of that role can perform searches on Sentinel systems that are in a distributed location.

        For more information on distributed searching and reporting, see Section 21.0, Configuring Data Federation.

      • View asset data: Allows users to view asset data.

      • View asset vulnerability data: Allows users to view vulnerability data.

      • View data in the embedded database: Allows users to view the data in the embedded database.

      • View people browser: Allows users to view the data in the Identity Browser.

      • View system events: Allows users to view the Sentinel system events.

    • Allow users to access reports: Select this option to allow users to access and manage reports.

      • Manage reports: Allows users to create, modify, run, and delete reports.

      • Import reports: Allows users to import reports.

      • Run reports: Allows users to only run reports.

    • Allow users to manage alerts: Select this option to allow users to view and manage alerts. Select either of the following options:

      • Manage all alerts: Allows users to view and edit all the alerts and configure alert creation.

      • Manage only alerts that match the following criteria: Allows users to view and edit the alerts that match the specified criteria. This permission also allows users to configure alert creation.

    • Create and use Alert Views:Allows non-administrator users to create private alert views and view shared alert views. For more information, see Creating an Alert View in the Sentinel User Guide.

      After you select this permission, you can assign the following permissions:

      • Share Alert Views: Allows users to share their alert views as follows:

        • Non-administrator users of the default tenant can share their alert views with other users.

        • Users of a non-default tenant can share their alert views with other users of the same tenant.

      • Edit Alert Views: Assigns the Share Alert Views permission and allows users to edit shared alert views as follows:

        • Non-administrator users of the default tenant can edit shared alert views.

        • Users of a non-default tenant can edit shared alert views except public alert views.

    • Create and use Event Views: Allows non-administrator users to create private event views and view shared event views. For more information, see Viewing Events in the Sentinel User Guide.

      After you select this permission, you can assign the following permissions:

      • Share event views:Allows users to share their event views as follows:

        • Non-administrator users of the default tenant can share their event views with other users.

        • Users of a non-default tenant can share their event views with other users of the same tenant.

      • Edit Event Views: Assigns the Share Event Views permission and allows users to edit shared event views as follows:

        • Non-administrator users of the default tenant can edit shared event views.

        • Users of a non-default tenant can edit shared event views except public event views.

    • Visualization: Visualization allows users in the role to view/hide/edit various options in the visual analytics page:

      • Discover: Discover option enables users to search and explore their data in the Sentinel.

        Select one of the followings permissions that enable users to manage Discover:

        • View: Enables users to view the visual analytics Discover options.

        • Hide: Enables users to hide the visual analytics Discover options.

        • Edit: Enables users to edit the visual analytics Discover options.

      • Dashboard: A Dashboard is a collection of panels that helps user to analyze their data by adding a variety of panels such as visualizations, maps, markdown, and more.

        Select one of the followings permissions that enable users to manage Dashboard:

        • View: Enables users to view the visual analytics Dashboard.

        • Hide: Enables users to hide the visual analytics Dashboard.

        • Edit: Enables users to edit the visual analytics Dashboard.

      • Management: Management is the option to manage all things including index patterns, advanced settings and more.

        Select one of the followings permissions that enable users to manage Management:

        • View: Enables users to view the visual analytics Management options.

        • Hide: Enables users to hide the visual analytics Management options.

        • Edit: Enables users to edit the visual analytics Management options.

      • DevTools: DevTools contains tools that helps user to interact with their data by executing the commands.

        Select one of the followings permissions that enable users to manage DevTools:

        • View: Enables users to view the visual analytics DevTools options.

        • Hide: Enables users to hide the visual analytics DevTools options.

    • Incidents: Select one of the followings permissions that enable users to manage incidents:

      • View incidents assigned to user: Allows a user to view any incident that is assigned to them.

      • View or create incidents an add events to incidents: Allows users to create incidents and add events to the incidents.

      • Create, modify and execute actions on assigned incidents: Allows users to create, modify, and execute actions on incidents that are assigned to them.

      • Manage all aspects of incidents: create, modify and delete: Allows users to manage all incidents.

    • Sharing: Allows users in the role to share filters, and reports with other users.

      This permission is not available for tenants.

    • Edit Home Dashboard: Assigns the Share Home dashboard permission and allows users to edit shared dashboards as follows:

      • Non-administrator users of the default tenant can edit shared dashboards.

      • Users of a non-default tenant can edit shared dashboards except public dashboards.

    • Share Home Dashboard: Allows users to share their dashboards as follows:

      • Non-administrator users of the default tenant can share their dashboards with other users.

      • Users of a non-default tenant can share their dashboards with other users of the same tenant.

    • Miscellaneous: Assign miscellaneous permissions as necessary:

      • Edit knowledge base: Allows users to view and edit the knowledge base in the Alert Details page.

      • Manage Tags: When this permission is set on a role, all members of this role can create, delete, and modify tags, and associate tags to different event sources. For more information about tags, see Configuring Tags in the Sentinel User Guide.

      • Manage roles and users: Allows non-administrator users to administer specific roles and users. For example, in a multitenancy environment, the MSSP administrator can delegate the responsibility of administering a tenant's roles and users to the tenant, thus reducing the load on the MSSP administrator.

      • Proxy for Authorized Data Requestors: When this permission is set on a role, the members of this role can accept searches from remote data sources. For more information, see Section 21.0, Configuring Data Federation.

      • Send events and attachments: Allows users to send events and attachments from Change Guardian and Secure Configuration Manager to Sentinel.

      • Share search filters: When this permission is set on a role, all members of this role can share search filters that they have created. For more information about sharing filters, see Configuring Filters in the Sentinel User Guide.

      • Solution Designer access: When this permission is set on a role, all members of this role can access Solution Designer. For more information, see Solution Designer.

      • View and execute event actions: When this permission is set on a role, all members of this role can view events and execute actions on the selected events. For more information, see Manually Performing Actions on Events in the Sentinel User Guide.

      • View detailed internal system state data: When this permission is set on a role, all members of this role can view detailed internal system state data by using a JMX client.

      • View knowledge base: Allows users to view the knowledge base in the Alert Details page.

  5. Click Save.

To create users for this role, see Creating Users.