Role-Based Access Control (RBAC) User Guide

Role-based access control (RBAC) enables an administrator to tailor access to Chronicle features based on an employee's role in your organization.

Before you begin

RBAC reads the group information from the SAML response from the following case-insensitive default attribute names:

  • group
  • idpgroup
  • memberof

If you use a custom attribute name, it must be provided to Chronicle first before you can modify your RBAC settings.

Modify RBAC settings

To navigate to the RBAC profile and settings pages, click Settings in the navigation bar.

Profile

The Profile page displays the information from the user's profile (user ID, group ID, roles assigned) and some additional information about their organization (customer ID, Google Cloud project number, Google Cloud project ID).

Customer ID

Your customer ID is located in the Organization Details section of the Profile page.

Time zone

You can change the time zone associated with your profile by clicking Edit next to Time Settings. Select the appropriate time zone and click Save. This changes the time displayed on most of the user interface to match the selected time zone.

Users & Groups

The Users & Groups page enables an administrator to configure RBAC.

  1. Click the Users & Groups link in the left navigation pane. A list of users and groups is displayed on the Users and groups page with the columns User/Group, Type, and Assigned role.

  2. Click Assign new to open the Assign role dialog. From this dialog you can complete the following tasks:

    • Assign a new user or users to a role.
    • Assign a new group or groups to a role.

    The available roles are:

    • Default
    • ViewerWithNoDetectAccess
    • Viewer
    • Editor
    • Administrator

    Once you have added your user or group IDs and selected the appropriate role from the ASSIGN ROLE drop-down menu, click ASSIGN.

    As you assign roles, be aware of the following:

    • When adding users or groups, make sure they exist in your identity provider (IdP). When deleting users or groups, make sure you retain at least one user or group that has the Administrator role and is in your IdP; otherwise, you'll lose administrator access.
    • User and group IdP IDs are case sensitive.
    • You can't change the assigned role of an existing user or group using this dialog. See the steps that follow for how to change roles and delete users and groups.
    • Chronicle manages the mapping between users and groups and roles.
    • Use caution if the user or group ID contains special characters that, depending on the text source, might use UTF-8 encoding. Once you click Assign, Google recommends that you verify that the new assignment has been saved correctly.
  3. You can change the role of an existing user or group by selecting a new role from the drop-down menu corresponding to that user or group in the Assigned role column.

  4. You can change the default role assigned to new users and groups from the role drop-down menu in the top right corner.

  5. You can delete a user or a group by clicking on the trash-can icon which appears on the far right side of the user or group row as you hold the pointer over it.

    If you delete users and groups that are administrators, and the only remaining administrators are not in your IdP, you will lose administrator access.
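The following is an added illustration of the rules described in "Before you begin" and in the assignment notes above; it is not Chronicle's own code (Chronicle manages the mapping between users, groups and roles internally). It reads group IDs from a constructed SAML AttributeStatement by matching the default attribute names case-insensitively, compares user and group IDs to role assignments case-sensitively, falls back to the Viewer default, and refuses a deletion that would leave no Administrator present in the IdP. The role precedence used when a principal matches several assignments is an assumption made for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# Default attribute names from the guide; matched case-insensitively.
GROUP_ATTRIBUTE_NAMES = {"group", "idpgroup", "memberof"}
DEFAULT_ROLE = "Viewer"  # default for newly added users and groups
# Assumed precedence (most privileged first) for the example only.
ROLE_PRIORITY = ["Administrator", "Editor", "Viewer", "ViewerWithNoDetectAccess"]

# Constructed sample assertion fragment; not a real IdP response.
SAMPLE_ASSERTION = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="MemberOf">
    <saml:AttributeValue>SOC-Analysts</saml:AttributeValue>
    <saml:AttributeValue>Chronicle-Admins</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def extract_groups(assertion_xml: str) -> List[str]:
    """Return group IDs from attributes whose Name is a default group attribute (case-insensitive)."""
    root = ET.fromstring(assertion_xml)
    groups: List[str] = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name", "").lower() in GROUP_ATTRIBUTE_NAMES:
            for value in attr.findall("saml:AttributeValue", NS):
                if value.text and value.text.strip():
                    groups.append(value.text.strip())  # IDs kept exactly as sent
    return groups


def resolve_role(user_id: str, groups: List[str], user_roles: Dict[str, str],
                 group_roles: Dict[str, str], default_role: str = DEFAULT_ROLE) -> str:
    """Pick the role for a user; IDs compare case-sensitively, so 'soc-analysts' != 'SOC-Analysts'."""
    candidates = [user_roles[user_id]] if user_id in user_roles else []
    candidates += [group_roles[g] for g in groups if g in group_roles]
    if not candidates:
        return default_role
    return min(candidates, key=ROLE_PRIORITY.index)  # assumed: most privileged wins


def can_remove(principal: str, user_roles: Dict[str, str], group_roles: Dict[str, str],
               idp_principals: Set[str]) -> bool:
    """Allow deletion only if another Administrator that still exists in the IdP remains."""
    assignments = {**user_roles, **group_roles}
    return any(r == "Administrator" and p != principal and p in idp_principals
               for p, r in assignments.items())
```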

Roles and Permissions

Roles

Roles are associated with a set of product permissions. Assigning a role to a user grants the user the permissions associated with that role.

Chronicle includes the following predefined roles:

  • Administrator—Manages the role-based access control policies for your enterprise. Can also edit or view any Chronicle page.
  • Editor—Can edit Chronicle pages, including the ability to create and edit rules for the Detection Engine.
  • Viewer—Can view any Chronicle page, but cannot make any changes.
  • ViewerWithNoDetectAccess—Can view all Chronicle pages that do not include detections (principally the Rules and Reference Lists pages).

RBAC applications include the following:

  • Create and assign roles based on job responsibilities.
  • Create and assign roles based on tenancies or organizations.
  • Assign temporary roles to analysts for investigating an issue.

Permissions

Permissions provide the authorization needed to perform a single controlled action in Chronicle. Examples include the following (see the user interface for the complete list of permissions):

  • View rule
  • Modify rule
  • Edit feedback
  • Edit reference list
  • View RBAC permissions

If a user does not have permissions for an action, the associated functionality is disabled. For example, if the user has the Viewer role, they are unable to create a new rule (the New button is disabled in the Rules Editor), duplicate a rule (the Duplicate option is disabled), or modify an existing rule.

To view the roles and permissions available to users and groups, complete the following:

  1. Click the Roles link in the left navigation pane.

  2. Select a role from the Roles column to view the permissions granted for that role. The permissions associated with each role cannot be changed.

The default role for newly added users and groups is Viewer. If you select one of the other roles (for example, Editor), the Set as default control becomes available. This enables you to make that role the default instead.