
How to use query prefixes to restrict user permissions to meta in RSA Security Analytics

Issue

Suppose a meta restriction needs to be applied to a user; for example, a Check Point administrator should see only Check Point device logs in the Security Analytics UI, in the Investigation module and in every other module.

A query prefix on the user account achieves this: the prefix is combined with every query the user runs, so results are narrowed to the meta the prefix selects.

Below is an example configuration that restricts a user to seeing only Check Point device logs in the Security Analytics UI.

Resolution

Procedure

  1. In the Security Analytics UI, select Administration > System > Security.
  2. The Security panel is displayed with the Users tab open.
  3. When adding a new user or editing an existing user, select the Attributes tab.
  4. In the Attributes tab, add the following to the SA Core Query Prefix field: 
device.type = 'checkpointfw1'
  5. (Optional) If you want to revert to the previous value, click Reset Form.
  6. Click Save to save the changes.
Any query can be added to any user in this manner to restrict or focus that user's investigations. The prefix is prepended to ALL queries performed by the user until it is removed, so a query the user enters, such as ip.src = '10.1.1.5', is effectively evaluated only against meta that also satisfies device.type = 'checkpointfw1'. To confirm the restriction is in place, log in as the user and run a query that would normally return other device types; only checkpointfw1 results should be returned.

The user cannot remove the Query Prefix unless they have access to the user accounts within the Security area, so the restriction is only as strong as the control over who can edit accounts there. The SA Core Query Prefix can also be applied to administrator accounts.
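The following is an added illustration, not RSA Security Analytics code, of what a per-user query prefix does to a user's queries. The NetWitness query grammar and the exact way the product merges the prefix with a user's own query are not documented on this page; the example assumes a small subset of the syntax (key = 'value', &&, ||, parentheses), assumes the prefix is ANDed with the user's query, and uses constructed sample meta records in place of a Concentrator. It also shows why the user's query must be grouped when it is combined with the prefix: a naive string concatenation lets a || in the user's query widen the results beyond the prefix.

```python
"""Per-user query prefix narrowing every query to one device type.

Added example, not product code. Assumptions: prefix is ANDed with the
user's query; grammar limited to key = 'value', &&, ||, parentheses.
"""
import re

# Constructed sample meta records standing in for a Concentrator's meta DB.
META = [
    {"device.type": "checkpointfw1", "ip.src": "10.1.1.5", "action": "drop"},
    {"device.type": "checkpointfw1", "ip.src": "10.1.1.9", "action": "accept"},
    {"device.type": "winevent_nic", "ip.src": "10.1.1.5", "action": "logon"},
    {"device.type": "ciscoasa", "ip.src": "10.2.2.2", "action": "deny"},
]

# The prefix from the procedure above, as it would be stored on the account.
PREFIX = "device.type = 'checkpointfw1'"

# One token per match: parenthesis, && , ||, or a key = 'value' comparison.
TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||[A-Za-z_.]+\s*=\s*'[^']*')")


def tokenize(query):
    query = query.strip()
    pos, tokens = 0, []
    while pos < len(query):
        m = TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"bad query near {query[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse(tokens):
    """Recursive-descent parser: || binds loosest, && tighter, () tightest."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def expr():  # or-level
        node = term()
        while peek() == "||":
            take()
            node = ("or", node, term())
        return node

    def term():  # and-level
        node = atom()
        while peek() == "&&":
            take()
            node = ("and", node, atom())
        return node

    def atom():
        tok = take()
        if tok == "(":
            node = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        key, value = tok.split("=", 1)
        return ("eq", key.strip(), value.strip().strip("'"))

    node = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens")
    return node


def matches(node, record):
    op = node[0]
    if op == "eq":
        return record.get(node[1]) == node[2]
    if op == "and":
        return matches(node[1], record) and matches(node[2], record)
    return matches(node[1], record) or matches(node[2], record)


def with_prefix(prefix, user_query, group=True):
    """Prepend the prefix to the user's query. With group=True the user's
    query is parenthesized so a '||' inside it cannot escape the prefix."""
    if not prefix:
        return user_query
    if not user_query:
        return prefix
    return f"{prefix} && ({user_query})" if group else f"{prefix} && {user_query}"


def run_query(prefix, user_query, group=True):
    """Return the sample records the combined query selects."""
    combined = with_prefix(prefix, user_query, group)
    if not combined.strip():
        return list(META)
    tree = parse(tokenize(combined))
    return [r for r in META if matches(tree, r)]


if __name__ == "__main__":
    for rec in run_query(PREFIX, "ip.src = '10.1.1.5' || action = 'deny'"):
        print(rec)
```

With the prefix set, a user query of ip.src = '10.1.1.5' || action = 'deny' returns only the Check Point record for 10.1.1.5; the same query without a prefix, or with the prefix concatenated without grouping, also returns the Cisco ASA deny record.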

Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Server, Security Analytics UI
RSA Version/Condition: 10.4.x,10.5.x,10.6.x,11.x
Platform: CentOS
O/S Version: EL6/EL7