FortiSIEM provides performance, availability, and environmental alerts, as well as change and security monitoring for network devices, servers and applications. It is difficult for one admin to monitor across the entire spectrum of available information. In addition, devices may be in widely distributed geographical and administratively disjointed locations. Role-based access control provides a way to partition the FortiSIEM administrative responsibilities across multiple admins.
A role defines two aspects of a user's interaction with the FortiSIEM platform:
- Which user interface elements a user can see, and what the user may do with them (the permission levels are the UI Access settings described in the procedure below). For example, the built-in Executive role can see only the dashboard, while the Server Admin role cannot see network devices. Role permissions can be defined down to the attribute level: for example, a Tier1 Network Admin role can see network devices but not their configurations.
- What data the user can see. For example, consider a Windows Admin role and a Unix Admin role. Both can run the same reports, but the Windows admin sees only logs from Windows devices. This definition can also be fine-grained: one Windows admin sub-role can be defined to see only Windows performance metrics, while another Windows admin sub-role sees only Windows authentication logs. The roles in the following table are the default, system-defined roles.
| Role | Description |
|---|---|
| DB Admin | Full access to the database server part of the GUI and full access to logs from those devices. |
| Executive | View access to the Business Service dashboard and personalized My Dashboard tabs; reports can be populated by logs from any device. |
| Full Admin | Full access to the GUI and full access to the data. Only this role can define roles, create users and map users to roles. |
| Help Desk | Access to the Admin, CMDB, and Dashboard tabs, with view and run permissions for the Analytics and Incidents tabs. |
| Network Admin | Full access to the network device part of the GUI and full access to logs from network devices. |
| Read Only Admin | View access to all tabs and permission to run reports. |
| Security Admin | Full access to the security aspects of all devices. |
| Server Admin | Full access to the server part of the GUI and full access to logs from those devices. |
| Storage Admin | Full access to the storage device part of the GUI and full access to logs from those devices. |
| System Admin | Full access to the server/workstation/storage part of the GUI and full access to logs from those devices. |
| Unix Server Admin | Full access to the Unix server part of the GUI and full access to logs from those devices. |
| Windows Server Admin | Full access to the Windows server part of the GUI and full access to logs from those devices. |
The following sections describe how to create and modify custom roles and their privileges.
You can create a new role from scratch, or start from an existing role by selecting it and clicking the Clone button.
- Go to ADMIN > Settings > Role > Role Management.
- Click New.
- Enter a Role Name and Description.
- Enter the Data Conditions for this role.
This restricts the event/log data available to the user. The condition is appended to every query submitted by a user with this role, so it narrows the results regardless of the query the user writes. It applies to Real-Time and Historical searches as well as to Report and Dashboard data.
- Enter the CMDB Report Conditions for this role. Choose a type from the drop-down list.
This restricts which CMDB reports (devices, users, monitors, rules, reports, tasks, identities, incidents, audit) are available to users with this role.
- Select the appropriate Approver capabilities:
  - Select De-Obfuscation if this role can approve De-Obfuscation requests.
  - Select Report Schedule if this role can approve Report Schedule Activation requests.
  - Select Rule Activation/Deactivation if this role can approve Rule Activation/Deactivation requests.
- Select the appropriate Activation capabilities:
  - Select Report Schedule if this role needs approval for Report Schedule Activation.
  - Select Rule Activation/Deactivation if this role needs approval for Rule Activation/Deactivation.
- Select the Data Obfuscation options for this role:
  - System Event/CMDB Attributes to anonymize IP, User, Email, or Host Name in the events.
  - Custom Event Attributes to anonymize custom event attributes. Search, or click + to include multiple attributes.
Note: If Data Obfuscation is turned on for a FortiSIEM user:
  - Raw events are completely obfuscated: the user cannot see any part of the raw message.
  - The user cannot search on obfuscated event attributes.
  - The CSV Export feature is disabled.
  - If an integer event attribute is obfuscated, the GUI may not show that field at all. Normally, integer fields are not obfuscated.
- Select the UI Access conditions for this role.
This defines the user interface elements that users with this role can access. By default, each child node in the tree inherits the permission of its immediate parent; you can override the inherited value by explicitly editing the permission of the child node. The available settings are in the All Nodes drop-down list:
  - Full - No access restrictions.
  - Edit - The role can make changes to the UI element.
  - Run - The role can execute processes for the UI element.
  - View - The role can only view the UI element.
  - Hide - The UI element is hidden from the role.
- Click Save.
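The following Python model, added here as an illustration and not FortiSIEM's own code, shows the three mechanisms the procedure above configures: a Data Condition that is AND-ed onto every query a role's users submit (so a conflicting user condition matches nothing rather than widening scope), Data Obfuscation that pseudonymizes selected attributes and refuses searches on them, and UI Access resolution where a node inherits the nearest explicitly set ancestor's permission. The event fields, node paths, condition representation and the keyed-hash pseudonym scheme are assumptions chosen for the example; the sample events are constructed.

```python
"""Role scoping model (added illustration, not FortiSIEM code)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample events, not real FortiSIEM logs.
EVENTS = [
    {"eventType": "Win-Security-4624", "reptDevType": "Windows", "user": "alice", "srcIp": "10.1.1.5"},
    {"eventType": "Win-PerfMon-CPU", "reptDevType": "Windows", "user": "svc-perf", "srcIp": "10.1.1.6"},
    {"eventType": "Unix-Login-Success", "reptDevType": "Unix", "user": "bob", "srcIp": "10.2.0.9"},
]

# Hypothetical secret used to pseudonymize obfuscated attributes consistently.
OBFUSCATION_KEY = b"example-key-not-for-production"


@dataclass
class Role:
    name: str
    # Data Conditions: (attribute, value) pairs appended to every query of this role's users.
    data_conditions: list = field(default_factory=list)
    # UI Access: "parent/child" path -> permission; unlisted nodes inherit their nearest ancestor.
    ui_access: dict = field(default_factory=dict)
    # Data Obfuscation: attributes whose values are anonymized before display.
    obfuscated: frozenset = frozenset()

    def scope_query(self, user_query):
        """Append the role's Data Conditions to the user's query (AND semantics).
        A user condition that conflicts with the role's condition matches nothing."""
        return list(user_query) + list(self.data_conditions)

    def search(self, user_query, events=EVENTS):
        """Run a scoped search. Obfuscated attributes cannot be searched on, and
        their values are replaced by a keyed pseudonym in the returned events."""
        for attr, _ in user_query:
            if attr in self.obfuscated:
                raise PermissionError(f"{attr} is obfuscated for role {self.name}")
        scoped = self.scope_query(user_query)
        hits = [e for e in events if all(e.get(a) == v for a, v in scoped)]
        return [self._obfuscate(e) for e in hits]

    def _obfuscate(self, event):
        out = dict(event)
        for attr in self.obfuscated:
            # Integer fields are normally left alone; string fields get a stable pseudonym.
            if attr in out and not isinstance(out[attr], int):
                digest = hmac.new(OBFUSCATION_KEY, str(out[attr]).encode(), hashlib.sha256).hexdigest()
                out[attr] = "anon-" + digest[:12]
        return out

    def effective_permission(self, node):
        """Resolve a UI node's permission: the nearest explicitly set ancestor wins,
        falling back to the 'All Nodes' default (Hide if nothing is set)."""
        parts = node.split("/")
        for depth in range(len(parts), 0, -1):
            candidate = "/".join(parts[:depth])
            if candidate in self.ui_access:
                return self.ui_access[candidate]
        return self.ui_access.get("All Nodes", "Hide")


# A Windows Server Admin sub-role that may only see Windows performance metrics.
WIN_PERF_ADMIN = Role(
    name="Windows Perf Admin",
    data_conditions=[("reptDevType", "Windows"), ("eventType", "Win-PerfMon-CPU")],
    ui_access={"All Nodes": "View", "ANALYTICS": "Run", "ADMIN": "Hide"},
    obfuscated=frozenset({"user", "srcIp"}),
)

if __name__ == "__main__":
    print(WIN_PERF_ADMIN.search([]))
    print(WIN_PERF_ADMIN.search([("reptDevType", "Unix")]))
    print(WIN_PERF_ADMIN.effective_permission("ANALYTICS/Reports"))
```

Running the script shows one perf event with pseudonymized user and srcIp, an empty result for the Unix query (the role condition cannot be overridden by the user's query), and Run for the Reports node inherited from ANALYTICS.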
Hiding Network Segments
If a Network Segment is marked as hidden for a user role, users with that role will not be able to see any of the devices whose IP addresses fall within that network segment, even if the CMDB folder(s) containing those devices have not been hidden.
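The segment check as an added example (not FortiSIEM code): a device whose access IP falls inside a hidden segment is dropped from the role's view even though its CMDB folder is visible. The device records, the `accessIp`/`folder` field names and the use of CIDR strings for segments are assumptions for the illustration; the inventory is constructed.

```python
"""Hidden Network Segment visibility check (added illustration, not FortiSIEM code)."""
import ipaddress

# Constructed CMDB inventory.
DEVICES = [
    {"name": "dc01", "accessIp": "10.10.1.10", "folder": "Windows"},
    {"name": "web01", "accessIp": "10.20.5.3", "folder": "Unix"},
    {"name": "sw-core", "accessIp": "10.30.0.1", "folder": "Network Device"},
]


def hidden_reason(device, hidden_segments, hidden_folders=()):
    """Return why a device is hidden from a role, or None if it is visible.
    The segment check runs regardless of whether the folder is hidden."""
    if device["folder"] in hidden_folders:
        return f"folder {device['folder']} is hidden"
    ip = ipaddress.ip_address(device["accessIp"])
    for seg in hidden_segments:
        if ip in ipaddress.ip_network(seg, strict=False):
            return f"{ip} is inside hidden segment {seg}"
    return None


def visible_devices(devices, hidden_segments, hidden_folders=()):
    """Devices the role may see after applying folder and segment hiding."""
    return [d for d in devices if hidden_reason(d, hidden_segments, hidden_folders) is None]


if __name__ == "__main__":
    # The Unix folder is visible, but web01 sits in the hidden 10.20.0.0/16 segment.
    for d in DEVICES:
        print(d["name"], hidden_reason(d, ["10.20.0.0/16"]))
```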
Complete these steps to modify a cloned or user-defined role (a system-defined role cannot be modified directly; clone it first):
- Select the role from the table.
- Click the required option:
  - Edit to modify any role setting.
  - Delete to remove the role.
  - Clone to duplicate the role.
- Click Save.
To see the AD groups that the user is a member of, go to CMDB > Users > Member Of.
The User Roles are explicitly shown in CMDB > Users > Access Control.