Role Settings

FortiSIEM provides performance, availability, and environmental alerts, as well as change and security monitoring for network devices, servers and applications. It is difficult for one admin to monitor across the entire spectrum of available information. In addition, devices may be in widely distributed geographical and administratively disjointed locations. Role-based access control provides a way to partition the FortiSIEM administrative responsibilities across multiple admins.

A role defines two aspects of a user's interaction with the FortiSIEM platform:

  • Which user interface elements a user can see, and which Read/Write/Execute permissions the user has on them. For example, the built-in Executive role can see only the dashboard, while the Server Admin role cannot see network devices. Permissions can be defined down to the attribute level: a Tier 1 Network Admin role can be allowed to see network devices but not their configurations.
  • Which data the user can see. For example, a Windows Admin role and a Unix Admin role can both run the same reports, but a Windows admin sees only logs from Windows devices. This can also be fine-grained: one Windows admin sub-role can be defined to see Windows performance metrics, while another Windows admin sub-role can see Windows authentication logs.

To perform any action in FortiSIEM, a user must be assigned a role with the required permissions. The roles listed in this table are the default (system defined) roles.

Role                    Permissions
DB Admin                Full access to the database server part of the GUI and full access to logs from those devices.
Executive               View access to the Business Service dashboard and personalized My Dashboard tabs; reports can be populated by logs from any device.
Full Admin              Full access to the GUI and full access to the data. Only this role can define roles, create users, and map users to roles.
Help Desk               Access to the Admin, CMDB, and Dashboard tabs, with view and run permissions for the Analytics and Incidents tabs.
Network Admin           Full access to the network device part of the GUI and full access to logs from network devices.
Read Only Admin         View access to all tabs and permission to run reports.
Security Admin          Full access to the security aspects of all devices.
Server Admin            Full access to the server part of the GUI and full access to logs from those devices.
Storage Admin           Full access to the storage device part of the GUI and full access to logs from those devices.
System Admin            Full access to the server/workstation/storage part of the GUI and full access to logs from those devices.
Unix Server Admin       Full access to the Unix server part of the GUI and full access to logs from those devices.
Windows Server Admin    Full access to the Windows server part of the GUI and full access to logs from those devices.

The following section describes the procedures to create custom roles and permissions:

Adding a new role

You can create a new role from scratch, or start from an existing role by selecting it and clicking the Clone button.

  1. Go to ADMIN > Settings > Role.
  2. Click New.
  3. Enter a Role Name and Description.
  4. Enter the Data Conditions for this role.

    This restricts the event/log data available to users with this role. The condition is appended to every query submitted by a user with this role, so a user cannot widen the result set beyond what the condition allows. This applies to both Real-Time and Historical searches, as well as to Report and Dashboard data.
  5. Enter the CMDB Report Conditions for this role. Choose a device from the drop-down list.

    This restricts the reports for devices, users, and monitors that are available to users with this role.
  6. Select the Data Obfuscation options for this role:
    • System Event/CMDB Attributes to anonymize IP, User, and Email or Host Name in the events.
    • Custom Event Attributes to anonymize custom event attributes. Search, or click + to include multiple attributes.

    Note: If Data Obfuscation is turned on for a FortiSIEM user:

    • Raw events are completely obfuscated; the user cannot see any part of the raw message.
    • The user cannot search on obfuscated event attributes.
    • The CSV Export feature is disabled.
    • If an integer event attribute is obfuscated, the GUI may not show the obfuscated fields at all. Normally, integer fields are not obfuscated.

  7. Select the UI Access conditions for this role.
    This defines the user interface elements that users with this role can access. By default, each child node in the tree inherits the permission of its immediate parent; you can override that inherited permission by explicitly editing the child node. The options, available from the All Nodes drop-down list, are:
    • Full - No access restrictions.
    • Edit - The role can make changes to the UI element.
    • Run - The role can execute processes for the UI element.
    • View - The role can only view the UI element.
    • Hide - The UI element is hidden from the role.
  8. Click Save.

Hiding Network Segments

If a Network Segment is marked as hidden for a user role, users with that role will not be able to see any of the devices whose IP addresses fall within that network segment, even if the CMDB folder(s) containing those devices have not been hidden.
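The following is an added illustrative model, not FortiSIEM code, of how the settings from the role-creation procedure above and the hidden network segment rule combine for one user: the Data Condition is ANDed onto every query, UI Access is resolved by walking up the tree to the nearest explicitly set node, a device in a hidden segment is invisible even when its CMDB folder is not, and obfuscated attributes become one-way tokens that cannot be searched by their original value. The event fields, tree paths, role contents and sample data are all constructed assumptions.

```python
"""Illustrative model of FortiSIEM-style role evaluation (added example; not
FortiSIEM's own code; field names, tree paths and data shapes are assumptions)."""
from dataclasses import dataclass, field
from hashlib import sha256
from ipaddress import ip_address, ip_network
from typing import Callable


@dataclass
class Role:
    name: str
    # Data Conditions: a predicate ANDed onto every query this role's users run.
    data_condition: Callable[[dict], bool] = lambda e: True
    # UI Access: explicit settings keyed by tree path ("" is the All Nodes default).
    ui_access: dict = field(default_factory=dict)
    # CMDB visibility: hidden folders and hidden network segments (CIDR strings).
    hidden_folders: frozenset = frozenset()
    hidden_segments: tuple = ()
    # Data Obfuscation: event attributes to anonymize.
    obfuscate: frozenset = frozenset()


def effective_access(role: Role, path: str) -> str:
    """A node inherits the nearest explicitly set ancestor; the root defaults to Full."""
    parts = path.split("/")
    while parts:
        key = "/".join(parts)
        if key in role.ui_access:
            return role.ui_access[key]
        parts.pop()
    return role.ui_access.get("", "Full")


def run_query(role: Role, events: list, user_query: Callable[[dict], bool]) -> list:
    """The role's Data Condition is appended to (ANDed with) the user's own filter,
    so the user can never widen the result set beyond what the role allows."""
    return [e for e in events if user_query(e) and role.data_condition(e)]


def device_visible(role: Role, device: dict) -> bool:
    """A device in a hidden segment is invisible even if its CMDB folder is not hidden."""
    if device["folder"] in role.hidden_folders:
        return False
    ip = ip_address(device["ip"])
    return not any(ip in ip_network(seg) for seg in role.hidden_segments)


def obfuscate_event(role: Role, event: dict, salt: bytes = b"deployment-secret") -> dict:
    """Replace anonymized attributes with a keyed one-way token and drop the raw message.
    Equal values map to equal tokens, but nothing can be searched by the original value,
    which is why search on obfuscated attributes is unavailable."""
    out = {}
    for k, v in event.items():
        if k == "rawMsg":
            out[k] = "<obfuscated>"
        elif k in role.obfuscate:
            out[k] = "anon-" + sha256(salt + str(v).encode()).hexdigest()[:12]
        else:
            out[k] = v
    return out


# Constructed sample data (not real FortiSIEM events or CMDB entries).
EVENTS = [
    {"eventType": "Win-Security-4624", "deviceType": "Windows", "user": "alice",
     "srcIp": "10.1.2.3", "rawMsg": "An account was successfully logged on"},
    {"eventType": "Win-Security-4625", "deviceType": "Windows", "user": "bob",
     "srcIp": "10.1.2.9", "rawMsg": "An account failed to log on"},
    {"eventType": "Unix-SSH-Login", "deviceType": "Unix", "user": "alice",
     "srcIp": "10.1.2.3", "rawMsg": "Accepted publickey for alice"},
]
DEVICES = [
    {"name": "dc01", "ip": "10.1.2.10", "folder": "Windows"},
    {"name": "fw01", "ip": "192.168.50.1", "folder": "Network"},
]

# A hypothetical Windows Server Admin role built with the settings from the procedure.
WINDOWS_ADMIN = Role(
    name="Windows Server Admin",
    data_condition=lambda e: e["deviceType"] == "Windows",
    ui_access={"": "Full", "ADMIN": "Hide", "ANALYTICS": "View", "ANALYTICS/Reports": "Run"},
    hidden_segments=("192.168.50.0/24",),
    obfuscate=frozenset({"user", "srcIp"}),
)


def auth_failures(e: dict) -> bool:
    """The user's own search: failed logons plus all SSH logins."""
    return e["eventType"].endswith("4625") or "SSH" in e["eventType"]


def demo() -> dict:
    return {
        # Only the Windows failure survives; the Unix SSH login is removed by the role.
        "query": [e["eventType"] for e in run_query(WINDOWS_ADMIN, EVENTS, auth_failures)],
        # Explicit child setting (Run) overrides the inherited ANALYTICS setting (View).
        "access": {p: effective_access(WINDOWS_ADMIN, p)
                   for p in ("ADMIN/Settings", "ANALYTICS/Reports", "ANALYTICS/Search", "CMDB")},
        # fw01 sits in a hidden segment, so it is invisible although folder Network is not hidden.
        "visible": [d["name"] for d in DEVICES if device_visible(WINDOWS_ADMIN, d)],
        "obfuscated": obfuscate_event(WINDOWS_ADMIN, EVENTS[0]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The point to check against a real role is the order of precedence: the Data Condition is applied on top of whatever the user types, the most specific explicitly edited UI node wins over inherited settings, and segment hiding is evaluated by IP address independently of CMDB folder hiding.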

Modifying a role

Complete these steps to modify a cloned or user defined role (you cannot directly modify a system defined role):

  1. Select the role from the table.
  2. Click the required option:
    1. Edit to modify any role setting.
    2. Delete to remove a role.
    3. Clone to duplicate a role.
  3. Click Save.

Viewing User Roles for AD Group Mappings

To see the AD groups that the user is a member of, go to CMDB > Users > Member Of.

The User Roles are explicitly shown in CMDB > Users > Access Control.