Role-Based Access Control (RBAC) User Guide

Role-based access control (RBAC) enables an administrator to tailor access to Chronicle features based on an employee's role in your organization.

Before you begin

RBAC reads group information from the SAML response, using the following default attribute names (matched case-insensitively):

  • group
  • idpgroup group
  • memberof

If you use a custom attribute name, it must be provided to your Chronicle first to enable you to modify your RBAC settings.

Modify RBAC settings

To navigate to the RBAC profile and settings pages, click the icon in the top-right corner to open the drop-down menu and select Settings.

Settings


Profile

The Profile page displays the information from the user's profile (user ID, group ID, roles assigned) and some additional information about their organization (customer ID, Google Cloud project number, Google Cloud project ID).

Time zone

You can change the time zone associated with your profile by clicking Edit next to Time Settings. Select the appropriate time zone and click Save. This changes the time displayed on most of the user interface to match the selected time zone.

Users & Groups

The Users & Groups page enables an administrator to configure RBAC.

  1. Click the Users & Groups link in the left navigation pane. A list of users and groups is displayed on the USERS AND GROUPS page with the columns USER/GROUP, TYPE, and ASSIGNED ROLE.

    Users and Groups


  2. Click ASSIGN NEW to open the Assign Role pop-up window. From this window you can complete the following tasks:

    • Assign a new user or users to a role.
    • Assign a new group or groups to a role.

    The available roles are:

    • Default
    • ViewerWithNoDetectAccess
    • Viewer
    • Editor
    • Administrator

    Once you have added your user or group IDs and selected the appropriate role from the ASSIGN ROLE drop-down menu, click ASSIGN.

    As you assign roles, be aware of the following:

    • When adding users or groups, make sure they exist in your identity provider (IdP). When deleting users or groups, make sure you retain at least one user or group that has the Administrator role and is in your IdP; otherwise, you'll lose administrator access.
    • User and group IdP IDs are case-sensitive.
    • You cannot change the assigned role of an existing user or group using this dialog. See the steps that follow for how to change roles and delete users and groups.
    • Chronicle manages the mapping between users and groups and roles.
    • Use caution if the user or group ID contains special characters that, depending on the text source, might use UTF-8 encoding. Once you click ASSIGN, Google recommends that you verify that the new assignment has been saved correctly.


    Assigning Roles to Users and Groups

  3. You can change the role of an existing user or group by selecting a new role from the drop-down menu corresponding to that user or group in the ASSIGNED ROLE column.


    Changing the Assigned Role for a User or Group

  4. You can change the default role assigned to new users and groups from the role drop-down menu in the top right corner.

  5. You can delete a user or a group by clicking the trash-can icon that appears on the far right side of the user or group row as you hover over it.

    If you delete users and groups that are administrators, and the only remaining administrators are not in your IdP, you will lose administrator access.


    Deleting a User or Group
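
The cautions in steps 2 and 5 (IDs must exist in the IdP, IDs are case-sensitive, special characters may be encoded differently, and at least one Administrator must remain in the IdP) can be checked before a change is made. The following Python code is an added example, not part of Chronicle or its documentation; the function `check_plan`, the finding labels, and the sample data are assumptions constructed for illustration, and the current assignments and the IdP export are supplied by hand because no Chronicle API is used.

```python
import unicodedata

# Role names as listed in the Assign Role dialog on this page.
ROLES = {"Default", "ViewerWithNoDetectAccess", "Viewer", "Editor", "Administrator"}

def _fold(ident):
    # Collapse Unicode composition and case so near-miss IDs can be detected.
    return unicodedata.normalize("NFC", ident).casefold()

def check_plan(current, idp_ids, assign=None, delete=None):
    """Return findings for a planned change (hypothetical helper).

    current -- {id: role} copied from the Users & Groups page
    idp_ids -- set of user/group IDs exported from the IdP
    assign  -- {id: role} to add with ASSIGN NEW; delete -- IDs to remove
    """
    assign, delete = dict(assign or {}), set(delete or ())
    idp_folded = {_fold(i) for i in idp_ids}
    findings = []
    for ident, role in assign.items():
        if role not in ROLES:
            findings.append(("unknown-role", ident))
        if ident in current:
            # The dialog cannot change the role of an existing entry.
            findings.append(("already-assigned", ident))
        if ident not in idp_ids:
            # IDs are case-sensitive: a folded match means a typo or encoding drift.
            near = _fold(ident) in idp_folded
            findings.append(("case-or-encoding-mismatch" if near else "not-in-idp", ident))
        if not ident.isascii():
            # Non-ASCII IDs should be re-checked in the UI after clicking ASSIGN.
            findings.append(("verify-after-save", ident))
    # State after the change: deletions applied, new (non-duplicate) entries added.
    after = {k: v for k, v in current.items() if k not in delete}
    after.update({k: v for k, v in assign.items() if k not in current})
    if not any(r == "Administrator" and k in idp_ids for k, r in after.items()):
        findings.append(("admin-lockout", None))
    return findings

# Constructed sample data (not from any real tenant).
IDP_IDS = {"soc-admins", "Tier1-Analysts", "Zo\u00eb.K@example.com"}
CURRENT = {"soc-admins": "Administrator", "legacy-admin@example.com": "Administrator",
           "Tier1-Analysts": "Viewer"}

if __name__ == "__main__":
    print(check_plan(CURRENT, IDP_IDS, delete=["soc-admins"]))
    print(check_plan(CURRENT, IDP_IDS, assign={"tier1-analysts": "Editor"}))
```

An empty result means the planned change passes all four checks; an `admin-lockout` finding means the change would leave no Administrator entry that also exists in the IdP.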

Roles and Permissions

Roles

Roles are associated with a set of product permissions. Assigning a role to a user grants the user the permissions associated with that role.

Chronicle includes the following predefined roles:

  • Administrator—Manages the role-based access control policies for your enterprise. Can also edit or view any Chronicle page.
  • Editor—Can edit Chronicle pages, including the ability to create and edit rules for the Detection Engine.
  • Viewer—Can view any Chronicle page, but cannot make any changes.
  • ViewerWithNoDetectAccess—Can view all Chronicle pages that do not include detections (principally the Rules and Reference Lists pages).

RBAC applications include the following:

  • Create and assign roles based on the job responsibilities.
  • Create and assign roles based on tenancies or organizations.
  • Assign temporary roles to analysts for investigating an issue.

Permissions

Permissions provide the authorization needed to perform a single controlled action in Chronicle, including (see the user interface for the complete list of permissions):

  • View rule
  • Modify rule
  • Edit feedback
  • Edit reference list
  • View RBAC permissions

If a user does not have permissions for an action, the associated functionality is disabled. For example, if the user has the Viewer role, they are unable to create a new rule (the NEW button is disabled in the Rules Editor), duplicate a rule (the Duplicate option is disabled), or modify an existing rule.

To view the roles and permissions available to users and groups, complete the following:

  1. Click the Roles link in the left navigation pane.

  2. Select a role from the Roles column to view the permissions granted for that role. The permissions associated with each role cannot be changed.

    Roles


The default role for newly added users and groups is Viewer. If you select one of the other roles (for example, Editor), the SET AS DEFAULT control becomes available. This enables you to make that role the default instead.