Role Settings

FortiSIEM provides performance, availability, and environmental alerts, as well as change and security monitoring for network devices, servers and applications. It is difficult for one admin to monitor across the entire spectrum of available information. In addition, devices may be in widely distributed geographical and administratively disjointed locations. Role-based access control provides a way to partition the FortiSIEM administrative responsibilities across multiple admins.

A role defines two aspects of a user's interaction with the FortiSIEM platform:

  • Which user interface elements the user can see, and whether the user has Read, Write or Execute permission on each of them. For example, the built-in Executive role sees only the dashboards, while the Server Admin role cannot see network devices. Permissions can be defined down to the attribute level: a Tier1 Network Admin role can, for example, see network devices but not their configurations.
  • Which data the user can see. For example, a Windows Admin role and a Unix Admin role can both run the same reports, but the Windows admin sees only logs from Windows devices. This can also be fine-grained: one Windows admin sub-role can be limited to Windows performance metrics while another sees only Windows authentication logs.

The roles in the following table are the built-in default roles.
Role: Permissions

DB Admin: Full access to the database server part of the GUI and full access to logs from those devices.
Executive: View access to the Business Service dashboard and personalized My Dashboard tabs; the reports shown there can still be populated by logs from any device.
Full Admin: Full access to the GUI and full access to the data. Only this role can define roles, create users and map users to roles.
Help Desk: Access to the Admin, CMDB, and Dashboard tabs, with view and run permissions for the Analytics and Incidents tabs.
Network Admin: Full access to the network device part of the GUI and full access to logs from network devices.
Read Only Admin: View access to all tabs and permission to run reports.
Security Admin: Full access to the security aspects of all devices.
Server Admin: Full access to the server part of the GUI and full access to logs from those devices.
Storage Admin: Full access to the storage device part of the GUI and full access to logs from those devices.
System Admin: Full access to the server/workstation/storage part of the GUI and full access to logs from those devices.
Unix Server Admin: Full access to the Unix server part of the GUI and full access to logs from those devices.
Windows Server Admin: Full access to the Windows server part of the GUI and full access to logs from those devices.

The following sections describe how to create and modify custom roles and their privileges:

Adding a New Role

You can create a new role from scratch, or base it on an existing role by selecting that role and clicking the Clone button.

  1. Go to ADMIN > Settings > Role > Role Management.
  2. Click New.
  3. Enter a Role Name and Description.
  4. Enter the Data Conditions for this role.

    This restricts the event/log data available to the user. The condition is added to every query submitted by users with this role, so it applies to Real-Time and Historical searches as well as to Report and Dashboard data.
  5. Enter the CMDB Report Conditions for this role. Choose a type from the drop-down list.
    This restricts the CMDB reports (devices, users, monitors, rules, reports, tasks, identities, incidents, audit) that are available to users with this role.
  6. Select the appropriate Approver capability:
    • Select De-Obfuscation if this role can approve De-Obfuscation requests.
    • Select Report Schedule if this role can approve Report Schedule Activation requests.

    • Select Rule Activation/Deactivation if this role can approve Rule Activation/Deactivation requests.
    • Select Remediation if this role can approve Remediation requests. FortiSIEM recommends creating at least two user accounts with the Remediation approver role. See Adding Users for more information on creating a user account.
  7. Select the appropriate Activation capability:
    • Select Report Schedule if this role does NOT require approval for Report Schedule Activation.
    • Select Rule Activation/Deactivation if this role does NOT require approval for Rule Activation/Deactivation.
    • Select Remediation if this role does NOT require approval for Remediation Activation.
  8. Select the Data Obfuscation options for this role:
    • System Event/CMDB Attributes to anonymize IP, User and Email, or Host Name in events.
    • Custom Event Attributes to anonymize custom event attributes. Search or click + to include multiple attributes. To create a custom event attribute, see Adding an Event Attribute.

    Note: If Data Obfuscation is turned on for a FortiSIEM user:

    • Only the value of the attribute marked for data obfuscation is obfuscated. For example, if IP is marked for data obfuscation, the IP address is obfuscated. In earlier versions of FortiSIEM, raw events were completely obfuscated.

    • The CSV Export feature is disabled.

    Note: If Remediation is turned on, the requester and approver users must each have a valid email address configured in the Email field under Contacts, so that they can receive requests and approval notifications.

  9. Select the UI Access conditions for this role.
    This defines the user interface elements that users with this role can access. By default, each child node in the tree inherits the permission of its immediate parent; you can override that default by explicitly editing the permission of the child node. The options for these settings are in the All Nodes drop-down list:
    • Full - No access restrictions.
    • Edit - The role can make changes to the UI element.
    • Run - The role can execute processes for the UI element.
    • View - The role can only view the UI element.
    • Hide - The UI element is hidden from the role.
  10. Click Save.

Hiding Network Segments

If a Network Segment is marked as hidden for a role, users with that role cannot see any device whose IP address falls within that segment, even if the CMDB folder(s) containing those devices are not hidden.
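The three constraints described above (a Data Condition that is added to every query, a UI Access tree with inherited and overridden permissions, and hidden network segments that override CMDB folder visibility) are easiest to reason about in code. The following is an added example written for this page, not FortiSIEM's own implementation: the event attribute names, the tree node paths, the sample events and the assumed ordering of the access levels are all constructed for illustration.

```python
"""Illustrative model of the three role constraints described above.
This is example code written for this page, not FortiSIEM's implementation;
the event attribute names, tree node paths and sample data are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, str]
Predicate = Callable[[Event], bool]

# Constructed sample events (not real FortiSIEM logs).
EVENTS: List[Event] = [
    {"eventType": "Win-Security-4624", "reptDevIpAddr": "10.1.1.5", "user": "alice"},
    {"eventType": "Win-Security-4625", "reptDevIpAddr": "10.1.1.5", "user": "mallory"},
    {"eventType": "Unix-SSH-Login", "reptDevIpAddr": "10.2.2.7", "user": "bob"},
    {"eventType": "Cisco-IOS-Login", "reptDevIpAddr": "10.3.3.1", "user": "carol"},
]

# UI Access levels, weakest to strongest. The ordering Hide < View < Run < Edit < Full
# is an assumption taken from the order in which the page lists them.
LEVELS = ["Hide", "View", "Run", "Edit", "Full"]


@dataclass
class Role:
    name: str
    data_condition: Predicate          # Data Conditions: added to every query
    ui_access: Dict[str, str]          # UI Access: explicit level per tree node
    hidden_segments: List[str] = field(default_factory=list)  # CIDRs hidden from this role


def run_query(role: Role, user_query: Predicate, events: List[Event]) -> List[Event]:
    """The role's data condition is conjoined with the user's query at the
    outer level, so a query that tries to widen scope with OR still returns
    only events the role is allowed to see."""
    return [e for e in events if role.data_condition(e) and user_query(e)]


def effective_access(role: Role, node: str) -> str:
    """Resolve the level for a node path such as 'All Nodes/CMDB/Devices':
    walk up the tree to the nearest ancestor with an explicit setting."""
    parts = node.split("/")
    while parts:
        key = "/".join(parts)
        if key in role.ui_access:
            return role.ui_access[key]
        parts.pop()
    raise KeyError(f"{role.name}: root 'All Nodes' has no explicit level")


def allows(role: Role, node: str, action: str) -> bool:
    """True if the role's effective level on the node is at least `action`."""
    return LEVELS.index(effective_access(role, node)) >= LEVELS.index(action)


def device_visible(role: Role, device_ip: str, folder_hidden: bool) -> bool:
    """A device whose IP falls in a hidden network segment is invisible even
    when the CMDB folder that contains it is not hidden."""
    ip = ipaddress.ip_address(device_ip)
    if any(ip in ipaddress.ip_network(seg) for seg in role.hidden_segments):
        return False
    return not folder_hidden


# A Windows Server Admin style role: Windows logs only, the network device part
# of the CMDB hidden (overriding the Full set on the root), one segment hidden.
WINDOWS_ADMIN = Role(
    name="Windows Server Admin",
    data_condition=lambda e: e["eventType"].startswith("Win-"),
    ui_access={"All Nodes": "Full", "All Nodes/CMDB/Network Devices": "Hide"},
    hidden_segments=["10.3.3.0/24"],
)


def widened_query(e: Event) -> bool:
    """A user query that tries to pull in Unix logs alongside Windows logs."""
    return e["eventType"].startswith(("Win-", "Unix-"))


if __name__ == "__main__":
    print([e["eventType"] for e in run_query(WINDOWS_ADMIN, widened_query, EVENTS)])
    print(effective_access(WINDOWS_ADMIN, "All Nodes/CMDB/Network Devices/Routers"))
    print(allows(WINDOWS_ADMIN, "All Nodes/ANALYTICS", "Run"))
    print(device_visible(WINDOWS_ADMIN, "10.3.3.1", folder_hidden=False))
```

The point worth checking in any RBAC layer of this kind is the first function: the role condition must be conjoined with the user's query as a whole, not spliced into the user's filter text, otherwise a query containing an OR can escape the partition. The hidden-segment check is deliberately evaluated before the folder check, matching the rule that a hidden segment wins even when the folder is visible.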

Modifying a Role

Complete these steps to modify a cloned or user-defined role. (A system-defined role cannot be modified directly; clone it first and edit the clone.)

  1. Select the role from the table.
  2. Click the required option:
    1. Edit to modify any role setting.
    2. Delete to remove a role.
    3. Clone to duplicate a role.
  3. Click Save.

Example Role Setup

Setting Up an Incident Remediation Workflow Example

You need at least one user who acts as an incident remediation approver, and one requester user who requires approval for incident remediation. This example assumes that incident remediation is already configured.

Take the following steps as an admin:

  1. Create a role for an incident remediation approver by following the steps in Adding a New Role, and in step 6 selecting Remediation under Approver so that the role can approve incident remediation requests. This example calls the role Approver.

  2. Create a user with the Approver role by following the steps in Adding Users, making sure that step 3m is configured correctly and that a valid email address is provided in step 3n.
    Note: A requester can select multiple approvers when making a request. For real-world deployments, Fortinet recommends creating at least two approvers, in case one of them is unavailable.

  3. Create a requester user by following the steps in Adding Users, and ensure the following:

    • A non-admin role is assigned in step 3kii.
      Note: By default, a non-admin role requires approval for incident remediation. To create or edit a non-admin role whose users do NOT need approval for incident remediation, select Remediation under Activation in step 7 of Adding a New Role.

    • A valid email address is provided in step 3n.

  4. Log out of FortiSIEM, and log in as the requester user.

  5. Navigate to INCIDENTS > List by Time and select an incident.

  6. Click on Actions, and select Remediate Incident.

  7. From the Remediation drop-down list, select a remediation script and select Run. A Create New Request window will appear with the message "No permission to run Remediation. Send a permission request."

  8. From the Approver drop-down list, select the user with the Approver role that you created.
    Note: The user may select multiple approvers in the request, not just one.

  9. In the Justification field, enter any comments and click Submit. The request appears as "pending" under TASKS.

  10. Log out of FortiSIEM, and log in as the user with the Approver role. As the Approver user, you will see a message stating "You have pending requests. Please check Task > Approval."

  11. Navigate to TASKS and select Approval in the left panel.

  12. Select the Request ID of the request, and review it. You have the choice to "Approve" or "Reject" the request in the drop-down list, next to the Status column. In this situation, select "Approve".
    Note: See Approving a de-anonymization request for more information, including how FortiSIEM handles requests when multiple approvers are involved.

  13. An Approve Request window appears, prompting for the expiry timeframe. To make the approval valid for two days, select For, enter "2" for Days, and click OK. The Status column is updated with this information.

  14. Log out of FortiSIEM, and log in as the requester user.

  15. The requester user should have received an email from the user with the Approver role, with the subject "Remediation Request is approved".

  16. Navigate to TASKS. In the left panel, select Request. In the Status column, you will see that the request has been approved.

  17. Navigate to INCIDENTS > List by Time and select the incident that was approved for remediation.

  18. Click on Actions, and select Remediate Incident.

  19. From the Remediation drop-down list, select a remediation script and select Run. The remediation script now runs, as long as the approval is still within the expiry timeframe set in step 13.
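The decision behind steps 7 and 19 (request refused, then allowed after an approval that carries an expiry) comes down to a small gate: a role with the Activation capability runs without asking, everyone else needs an approved, unexpired request from an approver who holds the Approver capability, and both parties must have an email address. The following is an added example written for this page, not FortiSIEM's own implementation; the class names, the request fields, the fixed timestamp T0 and the sample users are assumptions.

```python
"""Illustrative model of the remediation approval gate walked through above.
Example code written for this page, not FortiSIEM's own implementation; the
class names, the Request fields and the fixed timestamps are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

T0 = datetime(2024, 1, 1, 9, 0)   # constructed "now" for the walkthrough
DAY = timedelta(days=1)


@dataclass
class Role:
    name: str
    approves_remediation: bool = False    # Approver > Remediation (step 6)
    activates_remediation: bool = False   # Activation > Remediation (step 7)


@dataclass
class User:
    name: str
    role: Role
    email: Optional[str] = None           # Email field in Contacts


@dataclass
class Request:
    request_id: int
    requester: User
    approvers: List[User]                 # a requester may pick several
    incident_id: int
    justification: str
    status: str = "pending"
    expires_at: Optional[datetime] = None


class RemediationGate:
    """Tracks remediation requests and decides whether a user may run a script."""

    def __init__(self) -> None:
        self.requests: Dict[int, Request] = {}
        self._next_id = 1

    def submit(self, requester: User, approvers: List[User], incident_id: int,
               justification: str) -> Request:
        if not requester.email or any(not a.email for a in approvers):
            raise ValueError("requester and approvers need a valid email in Contacts")
        if not approvers or not all(a.role.approves_remediation for a in approvers):
            raise ValueError("every selected approver must hold the Remediation approver capability")
        req = Request(self._next_id, requester, list(approvers), incident_id, justification)
        self.requests[req.request_id] = req
        self._next_id += 1
        return req

    def approve(self, approver: User, request_id: int, days: int, now: datetime) -> Request:
        """Approve 'For N Days': the approval is only usable until it expires."""
        req = self.requests[request_id]
        if approver not in req.approvers:
            raise PermissionError(f"{approver.name} is not an approver on request {request_id}")
        req.status = "approved"
        req.expires_at = now + days * DAY
        return req

    def reject(self, approver: User, request_id: int) -> Request:
        req = self.requests[request_id]
        if approver not in req.approvers:
            raise PermissionError(f"{approver.name} is not an approver on request {request_id}")
        req.status = "rejected"
        req.expires_at = None
        return req

    def can_run(self, user: User, incident_id: int, now: datetime) -> bool:
        """Roles with the Activation capability never need a request; everyone
        else needs an approved, unexpired request for this incident."""
        if user.role.activates_remediation:
            return True
        return any(
            r.requester == user and r.incident_id == incident_id
            and r.status == "approved" and r.expires_at is not None and now < r.expires_at
            for r in self.requests.values()
        )


if __name__ == "__main__":
    approver = User("approver1", Role("Approver", approves_remediation=True), "approver1@example.com")
    analyst = User("tier1", Role("Tier1 Analyst"), "tier1@example.com")
    gate = RemediationGate()
    req = gate.submit(analyst, [approver], incident_id=42, justification="contain host")
    print(gate.can_run(analyst, 42, T0))                  # False: still pending
    gate.approve(approver, req.request_id, days=2, now=T0)
    print(gate.can_run(analyst, 42, T0 + 1 * DAY))        # True: inside the window
    print(gate.can_run(analyst, 42, T0 + 3 * DAY))        # False: expired
```

Two details matter operationally: the approval is scoped to one incident, so an approval obtained for one incident does not let the requester remediate another, and the expiry is checked at run time rather than at approval time, which is why a script that was runnable on day one is refused again on day three.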

Viewing User Roles for AD Group Mappings

To see the AD groups that the user is a member of, go to CMDB > Users > Member Of.

The User Roles are explicitly shown in CMDB > Users > Access Control.