Symantec Security Information Manager 4.5 Administrator's Guide

Transcription

1 Symantec Security Information Manager 4.5 Administrator's Guide

2 Symantec Security Information Manager 4.5 Administrator's Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 4.5 Legal Notice Copyright 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section "Commercial Computer Software - Restricted Rights" and DFARS , "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

3 Symantec Corporation Stevens Creek Blvd. Cupertino, CA

4 Technical Support Symantec Technical Support maintains support centers globally. Technical Support s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec s maintenance offerings include the following: A range of support options that give you the flexibility to select the right amount of service for any size organization A telephone and web-based support that provides rapid response and up-to-the-minute information Upgrade insurance that delivers automatic software upgrade protection Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program Advanced features, including Technical Account Management For information about Symantec s Maintenance Programs, you can visit our Web site at the following URL: Contacting Technical Support Customers with a current maintenance agreement may access Technical Support information at the following URL: Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem. When you contact Technical Support, please have the following information available: Product release level Hardware information

5 Available memory, disk space, and NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description: Error messages and log files Troubleshooting that was performed before contacting Symantec Recent software configuration changes and network changes Licensing and registration Customer service If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: Customer service information is available at the following URL: Customer Service is available to assist with the following types of issues: Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information (features, language availability, local dealers) Latest information about product updates and upgrades Information about upgrade insurance and maintenance contracts Information about the Symantec Value License Program Advice about Symantec's technical support options Nontechnical presales questions Issues that are related to CD-ROMs or manuals

6 Maintenance agreement resources Additional Enterprise services If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows: Asia-Pacific and Japan: Europe, Middle-East, and Africa: North America and Latin America: Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following: Symantec Early Warning Solutions These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur. Managed Security Services Consulting Services Educational Services These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats. Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources. Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs. To access more information about Enterprise services, please visit our Web site at the following URL: Select your country or language from the site index.

7 Contents Technical Support Section 1 Chapter 1 Section 2 Chapter 2 Product overview Introducing Symantec Security Information Manager About Symantec Security Information Manager What's new in Information Manager How Symantec Security Information Manager works About events, conclusions, and incidents Example: Information Manager automates incident management during a Blaster worm attack Incident identification Threat containment, eradication, and recovery Follow-up Where to find more information about Information Manager Accessing Help for the console Managing roles, permissions, users, and organizational units Managing roles and permissions Creating and managing roles About the administrator roles How to plan for role creation Creating a role Editing role properties Deleting a role Working with permissions About permissions Modifying permissions from the Permissions dialog box... 44

8 8 Contents Chapter 3 Chapter 4 Section 3 Chapter 5 Managing users and user groups About managing users and passwords Creating a new user Creating a user group Editing user properties Changing a user s password Specifying user business and contact information Managing role assignments and properties Managing user group assignments Specifying notification information Modifying user permissions Modifying a user group Deleting a user or user group Managing organizational units and computers About organizational units Managing organizational units Creating a new organizational unit Editing organizational unit properties About modifying organizational unit permissions Deleting an organizational unit Managing computers within organizational units Creating computers within organizational units Editing computer properties Distributing configurations to computers in an organizational unit Moving a computer to a different organizational unit Modifying computer permissions Deleting a computer from an organizational unit Managing your correlation environment Configuring the Correlation Manager About the Correlation Manager About the Correlation Manager Knowledge Base About the default rules set About the Default Processing rule Working with the Lookup Tables window Enabling and disabling rules Creating a custom rule... 91

9 Contents 9 Chapter 6 Chapter 7 Chapter 8 Chapter 9 Chapter 10 Defining a rules strategy About defining a rules strategy About creating the right rule set for your business Understanding rules components Understanding Correlation Rules About Rule conditions About Rule Types Event Criteria About the Event Count, Span, and Table Size rule settings About the Tracking Key and Conclusion Creation fields About the Correlate By and Resource fields Importing existing rules Understanding event normalization About event normalization About normalization (.norm) files Effects, Mechanisms, and Resources About Effects, Mechanisms, and Resources (EMR) About Effects values About Mechanisms values About Resources values EMR examples Working with the Assets table About the Assets table How event correlation utilizes Assets table entries Importing assets into the Assets table About vulnerability information in the Assets table About using a vulnerability scanner to populate Assets table About locked and unlocked assets in the Assets table Using the Assets table to help reduce false positives About filtering events based on the operating system About using CIA values to identify critical events About using Severity to identify events related to critical assets About using the Services tab About associating policies with assets to reduce false positives or escalate events to incidents

10 10 Contents Chapter 11 Chapter 12 Section 4 Chapter 13 Chapter 14 Chapter 15 Default Processing rule About the Default Processing rule Collector-based event filtering and aggregation About collector-based event filtering and aggregation About identifying common events for collector-based filtering or aggregation About preparing to create collector-based rules Accessing event data in the Information Manager console Creating collector-based filtering and aggregation specifications Examples of collector-based filtering and aggregation rules Filtering events generated by specific internal networks Filtering common firewall events Filtering common Symantec AntiVirus events Filtering or aggregating vulnerability assessment events Filtering Windows Event Log events Configuration options Configuring the appliance after installation About the Information Manager Web configuration interface Accessing the Security Information Manager configuration page Changing network settings Specifying date and time settings Specifying a network time protocol server Changing the password for Linux accounts Shutting down and restarting the appliance Configuring Symantec Security Information Manager About configuring Symantec Security Information Manager Adding a policy Specifying networks Identifying critical systems Forwarding events to an Information Manager appliance About forwarding events to an Information Manager appliance About registering with a security directory Registering security products

11 Contents 11 Registering with a security domain Forwarding events Forwarding events from a SESA Event Logger Chapter 16 Chapter 17 Chapter 18 Managing Global Intelligence Network content About managing Global Intelligence Network content Registering a Global Intelligence Network license Viewing Global Intelligence Network content status Receiving Global Intelligence Network content updates Exporting Global Intelligence Network content Importing Global Intelligence Network content Running LiveUpdate About running LiveUpdate Running LiveUpdate from the Information Manager Web configuration interface Running LiveUpdate from the Information Manager console Working with Symantec Security Information Manager Configurations Introducing the Symantec Security Information Manager configurations Manager configurations Increasing the minimum free disk space requirement in high logging volume situations Manager Components Configurations Modifying administrative settings Manager connection configurations Configuring Information Manager Directories Agent Connection Configurations Configuring Agent to Manager failover Agent configurations Managing the Manager Setting up blacklisting for logon failures

12 12 Contents Section 5 Chapter 19 Chapter 20 Chapter 21 Managing appliance data Managing the directory service About LDAP backup and restore Backing up the security directory Restoring the security directory Managing event archives About event archives Event archive viewer Specifying event archive settings Creating local event archives Viewing event archives About the event archive viewer right pane Manipulating the event data histogram Viewing event details Filtering event data Querying event archives Creating query groups Using the search templates Creating custom queries Editing queries Importing queries Exporting queries Publishing queries Deleting queries Maintaining the Symantec Security Information Manager database About data maintenance Checking database status About the health monitor service Backing up and restoring the database Enabling and scheduling automated backups Initiating a backup Restoring the database from a backup image Specifying a third-party backup solution About purging event summary and incident data Adjusting parameters for daily automated purges Adjusting the thresholds for size-based purges Initiating a purge

13 Contents 13 Reviewing maintenance history Section 6 Appendix A Appendix B Appendix C Appendix D Appendix E Appendix F Appendices Ports used by Information Manager Ports used by Information Manager Installing and configuring a Symantec Direct Attached Storage D10 device About the Symantec Direct Attached Storage D About using third-party DAS devices with Information Manager Installation overview Installation prerequisites Installing the DAS Rack mounting the Symantec Direct Attached Storage D10 device Installing the PERC 5/E adapter Configuring Information Manager to use the DAS Managing security certificates About managing security certificates Managing security certificate information for the appliance Antivirus Rules About the antivirus rules Additional antivirus rules examples Policy Compliance rules About the Policy Compliance rules Vulnerability Assessment rules About the Vulnerability Assessment rules Additional Vulnerability Assessment rules examples

14 14 Contents Appendix G Appendix H Appendix I Appendix J Appendix K Appendix L Firewall rules About the Firewall rules Network IDS (NIDS) rules About the Network IDS (NIDS) rules Host IDS (HIDS) rules About the Host IDS (HIDS) rules System Monitor rules About the System Monitor rules Windows event rules About the Windows event rules Event filters About the event filters Custom event filters example IIS RealSecure Smurf Attack false positive filter example Index

15 Section 1 Product overview Introducing Symantec Security Information Manager

16 16

17 Chapter 1 Introducing Symantec Security Information Manager This chapter includes the following topics: About Symantec Security Information Manager How Symantec Security Information Manager works About events, conclusions, and incidents Example: Information Manager automates incident management during a Blaster worm attack Where to find more information about Information Manager About Symantec Security Information Manager Symantec Security Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data. Information Manager collects, analyzes, and archives information from security devices, critical applications, and services, such as the following: Firewalls Routers, switches, and VPNs Enterprise Antivirus Intrusion detection and intrusion prevention

18 18 Introducing Symantec Security Information Manager About Symantec Security Information Manager Vulnerability scanners Authentication servers Windows and UNIX system logs Information Manager provides the following features to help you recognize and respond to threats in your enterprise: Normalization and correlation of events from multiple vendors to recognize threats from all areas of the enterprise. Event archives to retain events in both their original and normalized formats. Distributed event filtering and aggregation to ensure that only relevant security events are correlated. Real-time security intelligence updates from Symantec Global Intelligence Network to keep you apprised of global threats and to let you correlate internal security activity with external threats. Customizable event correlation rules to let you fine-tune threat recognition and incident creation for your environment. Security incident creation, ticketing, tracking, and remediation for quick response to security threats. Information Manager prioritorizes incidents based upon the security policies associated with the affected assets. A powerful event archive viewer that lets you easily mine large amounts of event data and perform network operations on the machines and users that are associated with each event. A console from which you can view all security incidents and drill down to the related event details, including affected targets, associated vulnerabilities, and recommended corrective actions. Pre-defined and customizable queries to help you demonstrate compliance with the security and data retention policies in your enterprise. What's new in Information Manager 4.5 Information Manager 4.5 provides large scale event management, an updated console, and a Web Services interface to Information Manager data. Large scale event management Information Manager 4.5 now supports attached storage for event archives. Attached storage archives provide for increased event data capacity and large scale data mining. Information Manager 4.5 provides the following event management features:

19 Introducing Symantec Security Information Manager About Symantec Security Information Manager 19 Optimized event storage Event data is now stored in compressed archives rather than in a relational database. The archive format allows for increased event capacity and high performance data queries. Raw event data In addition to normalized event data, you can now archive event data in its original format. The original format event data provides a historical context for security incidents. Flexible storage options Information Manager now has a logical volume manager that provides support for direct attached storage (DAS), storage area network (SAN), and network-attached storage (NAS). Event and incident viewer The Information Manager console provides a powerful graphical viewer for intuitive data mining. You can query event, incident, summary, and state data. The viewer has built-in network operations, such as ping and whois, to help you identify the machines and users that are referenced in the events and incidents. You can also add your own custom tools to the viewer. Enhanced reporting Event and incident reports are now accessible from the Information Manager web configuration interface. You can schedule report generation and post the reports to the web interface or the reports to users. Advanced data summarization for reporting Information Manager now processes events as they enter the system and stores summary records in a database. This feature allows for optimized reporting over very large amounts of data. Console enhancements The Information Manager console has been updated with the following new features: Rules Editor You can now configure rules that trigger when an expected event does not occur, or when a slow or low volume attack takes place. You can assign notification services to rules and organize rules into logical groups.

20 20 Introducing Symantec Security Information Manager How Symantec Security Information Manager works System view Incident management Event forwarding Antivirus statistics Reporting tile Detachable console pages You can now view a graphical representation of your Information Manager deployment. The system view shows the status of each appliance and collector in your enterprise and includes event collection and event forwarding statistics. You can now merge multiple incidents to create a new incident and assign multiple incidents to the same ticket. You can selectively forward events from one appliance to another, using the same event filtering interface that you use to configure reports and archives. You can now view Antivirus statistics on the Global Intelligence Network Integration Manager Utilities page. The improved report editor allows greater report layout flexibility. You can now "tear-off" console pages to view multiple pages simultaneously. Access and notification services Information Manager now provides programmatic access to individual Information Manager appliances. Using a standards-based Web Service, developers can securely access and update the data that is stored on an appliance. You can use the Web Service to publish event, asset, incident, and ticket information to external applications, such as help desks and dashboards. You can also use the Web Service to import Information Manager asset information from external asset management and inventory applications. For more information about how to integrate Information Manager with other enterprise applications, see the Symantec Security Information Manager Developer's Guide. How Symantec Security Information Manager works Event collectors gather events from Symantec and third-party point products, such as firewalls, Intrusion Detection Services (IDS), and antivirus scanners. The events are filtered and aggregated, and the Information Manager agent forwards both the raw and the processed events to the Information Manager appliance. The agent is a Java application that provides secure communications between the event collectors and the Information Manager appliance.

21 Introducing Symantec Security Information Manager About events, conclusions, and incidents 21 The Information Manager appliance stores the event data in event archives and correlates the events with threat and asset information. If a security event triggers a correlation rule, Information Manager creates a security incident. The Information Manager appliance also contains the following components: A downloadable installation program for the Information Manager console. A relational database to store incidents, conclusions, and related events. Event archives to store raw and normalized event data. An LDAP directory to store Information Manager deployment and configuration settings. About events, conclusions, and incidents Security products and operating systems generate many kinds of events. Some events are informational, such as a user logging on, and others may indicate a security threat, such as antivirus software being disabled. A conclusion occurs when one or more events match a correlation rule pattern. Information Manager normalizes events from multiple security products and looks for patterns that indicate potential threats. An incident is the result of one or more conclusions that are identified as a type of an attack. There can be many conclusions mapped to a single incident. For example, if a single attacker causes a number of different patterns to be matched, those are grouped into a single incident. Similarly, if a vulnerability scan uncovers a machine that suffers from a number of different vulnerabilities, these are all grouped into a single incident. Or, if a number of different machines report the same virus, Information Manager creates a single outbreak incident. Example: Information Manager automates incident management during a Blaster worm attack Symantec Security Information Manager tracks the entire incident response cycle through the following phases: Incident identification Threat containment, eradication, and recovery Follow-up

22 22 Introducing Symantec Security Information Manager Example: Information Manager automates incident management during a Blaster worm attack Incident identification The Blaster worm attack begins with a series of sweeps to ports 135, 445, and Using the default rules, Information Manager detects each of these sweeps as suspicious, and creates a conclusion for each. At the same time, events from intrusion detection software such as Symantec IDS, lead to other conclusions that are related to the source IP address. Information Manager may also create further conclusions if the source IP address for the attack is on the IP watch list. This list is updated automatically to provide up-to-date protection from computers that are known to be used in attacks. Based upon all of these conclusions that are related to the same IP address, Information Manager generates a security incident. A security analyst would find out about the new incident by alert, or while monitoring the Incidents tab in the Information Manager console. The incident contains all the information that the analyst needs to determine the source and target of the attack. Threat containment, eradication, and recovery When Information Manager alerts the security analyst about the incident, the analyst can use Information Manager to better understand the scope of the problem and to investigate eradication options. Information Manager facilitates the containment phase by providing the event data with the incident declaration. Rather than wading through countless log files, the analyst knows which events triggered the security incident, and which systems are affected. The incident also includes recommended corrective action from Symantec Global Intelligence Network Threat Management System. This enables the security analyst to quickly identify the corrective actions. The analyst can now create a ticket that describes the tasks necessary to eradicate the threat. The ticket includes the incident information, the event details and the recommended corrective actions. Ticket information can be made accessible to an external help desk via the Information Manager Web Service. Follow-up Once the threat has passed, the analyst can further analyze the impact of the incident. The analyst can fine-tune the correlation rules, event filters, and firewall rules to prevent the threat from occurring again. The analysts can also mine the event archive data if necessary and create reports that document the scope of the incident and the security team's efforts to resolve it.

23 Introducing Symantec Security Information Manager Where to find more information about Information Manager 23 Where to find more information about Information Manager For more information about Information Manager, visit the knowledge base that is available on the Symantec Technical Support Web site at: In the Security Management section of the Downloads page, you can obtain updated versions of the documentation, including the following: Accessing Help for the console Symantec Security Information Manager Administrator's Guide Symantec Security Information Manager Installation Guide Information Manager provides context-sensitive help for the console and for each of the views that are available in the View menu. To access Help for the console In any window, press F1.

24 24 Introducing Symantec Security Information Manager Where to find more information about Information Manager

25 Section 2 Managing roles, permissions, users, and organizational units Managing roles and permissions Managing users and user groups Managing organizational units and computers

26 26

27 Chapter 2 Managing roles and permissions This chapter includes the following topics: Creating and managing roles Working with permissions Creating and managing roles A role is a group of access rights for a product in a domain. Users who are members of a role have access to the event viewing and management capabilities that are defined for that role. A user can be a member of more than one role. You create new roles in the Symantec Security Information Manager console. When you click Roles on the System page of the console, you can perform the following tasks: Creating a role Editing role properties Deleting a role Note: Only members of the SES Administrator role and the Domain Administrator role can add or modify roles. See About the administrator roles on page 27. About the administrator roles When you install Information Manager, the following default roles are created:

28 28 Managing roles and permissions Creating and managing roles SES Administrator Domain Administrator This role has full authority over all of the domains in the environment. This role has full authority over one specific domain in the environment. How to plan for role creation If you have only one domain, the rights of the SES Administrator role and the Domain Administrator role are the same. If you have multiple domains, for example, one for each geographic region of your company, each domain has a Domain Administrator. Members of this role can perform functions such as creating users and additional roles within that domain. The SES Administrator role can perform these functions for all of the domains that you configure. The default user, administrator, is also created when Information Manager is installed. The administrator is automatically a member of the SES Administrator and Domain Administrator roles. To access Information Manager for the first time, you must log on as this default user. You can add users to the administrator roles, but you cannot change any other characteristics of these roles. If a user is a member of the SES Administrator role, that user does not need to be assigned to any other roles. Because roles control user access, before you create roles you should plan carefully. You need to identify the tasks that are done in your security environment, and who performs them. The tasks determine the kinds of roles that you must create. The users who perform these tasks determine which users should be members of each role. Ask yourself the following questions: Who allocates responsibilities within your security environment? If these users need to create roles, they must be members of the Domain Administrator role. Who administers your security network by creating management objects such as users and organizational units? These users must be members of roles that provide management access and the ability to access the System view. What products are installed, and who is responsible for configuring them? These users must be members of management roles for the products for which they are responsible. They may need access to the System page only. Who is responsible for monitoring events and incidents?

29 Managing roles and permissions Creating and managing roles 29 These users must be members of event viewing roles for the products for which they are responsible. Users who will monitor events must have access to the Events page. Users who will monitor incidents must have access to the Events page and the Incidents page. Who responds to problems and threats? These users must have access to the Events page and the Incidents page. Users who will create and manage help desk tickets must also have access to the Tickets page. Table 2-1 lists common roles in a security environment and the responsibilities that belong to each role. Table 2-1 Role name Typical roles and responsibilities Responsibilities Domain Administrator System Administrator Defines user roles and role authority. Manages Information Manager. Verifies that events are flowing into the system and that the system is functioning normally. User Administrator Creates correlation rules and collection filters. Performs user and device administration. Incident Manager Views all incidents, events, reports, and actions. Report Writer Views incidents, events, and reports for assigned devices. Reviews and validates incident response. Provides attestation of incident review and response by administrators to GAO and others. Report User Rule Editor Views events and reports for assigned devices. Creates, edits, and deploys roles. For information about the access requirements of each role, see Table 2-2. Creating a role You create all roles using the Role Wizard in the Information Manager console. Only a user who is a member of the Domain Administrator role or the SES Administrator role can create roles. See How to plan for role creation on page 28.

30 30 Managing roles and permissions Creating and managing roles To create a role 1 In the Information Manager console, click System. 2 On the Administration tab, in the left pane, navigate to the relevant domain, and then click Roles. 3 On the toolbar, click + (the plus icon). 4 In the first panel of the Role Wizard, click Next. 5 In the General panel, do the following, and then click Next: In the Role name text box, type a name for the role. In the Description text box, type a description of the role (optional). 6 In the Products panel, do one of the following actions: To give the role members access to all of the listed products, click Role members will have access to all products, and then click Next. To limit the role members' access to certain products, click Role members will have access to only the selected products. From the Products list, enable (check) at least one product, and then click Next. Consider the tasks that role members will perform as you select products from the list. 7 In the SIM Permissions panel, do one of the following actions: To give role members all permissions that apply to Information Manager, click Enable all Permissions, and then click Next. To give role members a limited set of permissions, click Enable specific Permissions. From the permissions list, enable at least one permission, and then click Next. 8 In the Console Access Rights panel, do one of the following actions: To give role members the ability to see all parts of the Information Manager console, click Role members will have all console access rights, and then click Next. To limit what role members can see when they display the console, click Role members will have only the selected console access rights. From the list, enable at least one console access right, and then click Next. See Modifying console access rights on page In the Organizational Units panel, do one of the following actions: To give role members access to all organizational units, click Role members will have access to all organizational units, and then click Next.

31 Managing roles and permissions Creating and managing roles 31 To give role members access to specific organizational units, click Role members will have access to only the selected organizational units. In the organizational units tree, select at least one organizational unit to associate with this role, and then click Next. When you select an organizational unit that has additional organizational units below it, users of the role are given access to those organizational units as well. If you add an organizational unit to a role, users who are role members and who have event viewing access can see events generated by security products that are installed on the computers that belong to that organizational unit. Role members can see events only from computers in organizational units that have been added to their roles. 10 In the Appliances panel, do one of the following actions: To give role members access to all of the Information Manager appliances in your security environment, click Role members will have access to all appliances, and then click Next. To limit role members' access to certain appliances, click Role members will have access to only the selected appliances. In the appliances tree, select at least one appliance to associate with this role, and then click Next. Members of the role will be able to modify configurations on the selected appliances. The role members will also be able to view event archives that reside on the selected appliances. 11 In the Members panel, do one of the following actions: To add users to the role now, click Add. In the Find Users dialog box, add one or more users, and then click OK. In the Members panel, click Next. To continue without adding users to the role, click Next. You can add users to the role later by editing the role s properties. See Making a user a member of a role on page 32. You can assign users to a role only if you have already created those users. See Creating a new user on page In the Role Summary panel, review the information that you have specified, and then click Finish. The list at the bottom of the panel shows the role properties that are created. A green check mark next to a task indicates that it was successfully accomplished. 13 Click Close.

32 32 Managing roles and permissions Creating and managing roles Editing role properties After you create a role, you can modify it by editing its properties. For example, as you create new organizational units or users, you can add them to existing roles. You can edit the properties of a role by selecting the role in the right pane or from any dialog box that lets you display the role s properties. To edit role properties 1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles. 2 In the right pane, right-click the role that you want to edit, and select Properties. 3 Use the tabs of the Editing Role Properties dialog box to make changes to the role. 4 To save changes and close the dialog box, click OK. For information about editing specific role properties, see any of the following sections: Making a user a member of a role Modifying console access rights Modifying product access Modifying SIM permissions Modifying access permissions in roles Making a user a member of a role When a user logs on to Information Manager, the user s role membership determines his or her access to the various products and event data. There are the following ways to assign a user to a role: Assign each user individually to one or more roles. Assign users to groups, and then assign user groups to roles. Note: Before you assign users and user groups to roles, you must create users and user groups in the database. See Creating a new user on page 49.

33 Managing roles and permissions Creating and managing roles 33 To make a user a member of a role 1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles. 2 In the right pane, right-click the role that you want to edit, and then select Properties. 3 In the Editing Role Properties dialog box, on the Members tab, click Add Members. 4 In the Find Users dialog box, in the list of available users, click a user name (or Ctrl + click multiple user names), and then click Add. The user name appears in the Selected users list. You can also search for a particular user by entering the logon name, last name, or first name on the left side of the dialog box. Then click Start Search. All of the users who meet the criteria you entered will appear in the available users list. 5 To view or edit the properties of a user, click the user name, and then click Properties. 6 In the User Properties dialog box, view or make changes to the properties, and then click OK. 7 In the Find Users dialog box, click OK. 8 In the Editing Role Properties dialog box, click OK. To make a user group a member of a role 1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles. 2 In the right pane, right-click the role that you want to edit, and then select Properties. 3 In the Editing Role Properties dialog box, on the Members tab, click Add Members From Groups. 4 In the Find User Groups dialog box, in the list of available user groups, click a user group name (or Ctrl + click multiple user names), and then click Add. The user group name appears in the Selected user groups list. 5 To view or edit the properties of a user group, click the user group name, and then click Properties. 6 In the User Group Properties dialog box, view or make changes to the properties, and then click OK.

34 34 Managing roles and permissions Creating and managing roles 7 In the Find User Groups dialog box, click OK. 8 In the Editing Role Properties dialog box, click OK. When you assign a user group to a role, all of the users who are currently in the group are assigned to that role. However, if you later add more users to the user group, those users are not automatically added to the role. You must assign each user to the role individually. Modifying console access rights Console access rights control what users who are members of a role can see when they log on to the Information Manager console. You can modify the console access rights you assigned when you created a role. Console access rights make the various features of the console visible to role members when they log on. To modify console access rights 1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles. 2 In the right pane, right-click the role that you want to edit, and select Properties. 3 On the Console Access Rights tab, do one of the following actions: To give members of the role the ability to see all components of the Information Manager console, click Role members will have all console access rights. To limit what members of the role can see when they display the Information Manager console, click Role members will have only the selected console access rights. From the list that appears, enable or disable console access rights as desired. The following table describes the tiles (that is, pages in the Information Manager console) that are available. Show Assets Tile Show Dashboard Tile Show Events Tile Show Incidents Tile Show Intelligence Tile Lets members view the Assets page in the console. Lets members view the Dashboard page in the console. Lets members view the Events page in the console. Lets members view the Incidents page in the console. Lets members view the Intelligence page in the console.

35 Managing roles and permissions Creating and managing roles 35 Show Reports Tile Show Rules Tile Show Statistics Tile Show System Tile Show Tickets Tile Lets members view the Reports page in the console. Lets members view the Rules page in the console. Lets members view the Statistics page in the console. Lets members view the System page in the console. Lets members view the Tickets page in the console. Table 2-2 lists the console access rights that are needed by users who perform specific functions. 4 Click OK. Modifying product access The Products tab lets you select the products to which role members have access. To modify product access 1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles. 2 In the right pane, right-click the role that you want to edit, and then select Properties. 3 On the Products tab, do one of the following actions: 4 Click OK. To give the role members access to all of the listed products, click Role members will have access to all products. To limit the role members' access to specified products, click Role members will have access to only the selected products. Enable (check) or disable (uncheck) access to individual products in the list. Consider the tasks that role members will perform as you select products from the list. Table 2-2 lists the product access that is needed by users who perform specific functions. Modifying SIM permissions Use the SIM Permissions tab to enable or disable several types of Information Manager permissions that are assigned to a role.

36 36 Managing roles and permissions Creating and managing roles To modify SIM permissions 1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles. 2 In the right pane, right-click the role that you want to edit, and select Properties. 3 On the SIM Permissions tab, do one of the following actions: 4 Click OK. To assign all SIM permissions to the role, click Enable all Permissions. To limit the permissions assigned to the role, click Enable specific Permissions. Then click the check boxes as needed to enable or disable permissions for the role. Table 2-2 lists the permissions that are needed by users who perform specific functions. Modifying appliance access The Appliances tab lets you select the appliances to which role members have access. The selections on this tab determine the appliances that the role members can see in the following console locations: The Testing tab on the Rules page, for use when testing a particular rule. The left pane of the Events page. The Appliance Configurations tab on the System page. To modify appliance access 1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles. 2 In the right pane, right-click the role that you want to edit, and select Properties. 3 On the Appliances tab, do one of the following actions: To give role members access to all Information Manager appliances in the network configuration, click Role members will have access to all appliances. To limit role members' access to certain appliances, click Role members will have access to only the selected appliances. In the appliances tree, select at least one appliance to associate with this role, and then click Next.

37 Managing roles and permissions Creating and managing roles 37 Modifying access permissions in roles Roles include permissions that determine the types of access (for example, Read and Delete) that role members have to objects that appear in the console. Role-specific permissions are assigned to the objects when you create each role. You can change the access permissions for the following types of objects: Container objects that were created when you installed Information Manager, such as organizational units. New objects that you create within the container objects. When you view the properties of a role, you can see and modify the permissions for the role by selecting tabs in the Editing Role Properties dialog box. Warning: Modifying permissions is an advanced feature. You should customize permissions only if you have a clear understanding of how access control works. See Working with permissions on page 42. Table 2-2 describes the access requirements of typical enterprise security roles. Table 2-2 Access requirements for roles Role Products SIM permissions Console access Access permissions SES Administrator and Domain Administrator All All All None required System Administrator Information Manager Allow Asset Edits Move Computers Show Dashboard Tile Show Intelligence Tile Show Statistics Tile Read and Search on Public/System Query groups Show System Tile User Administrator All Allow Dashboard Auto Refresh Move Computers Allow Asset Edits Manage Networks Manage Policies Manage Services Show Assets Tile Show Dashboard Tile Show Intelligence Tile Show Rules Tile Show System Tile Read and Search on Public/System Query groups Read and Write on Users and User Groups Read and Write on Rules and Roles

38 38 Managing roles and permissions Creating and managing roles Table 2-2 Access requirements for roles (continued) Role Products SIM permissions Console access Access permissions Incident Manager Information Manager Create Incidents Write My Incidents Write All Incidents Change Assignee and Team on My Incidents Change Assignee and Team on All Incidents Change Assignee/Team to self or own team on unassigned incidents Change Status My Incidents Change Status All Incidents Read My Incidents Show Assets Tile Show Dashboard Tile Show Events Tile Show Incidents Tile Show Intelligence Tile Show Reports Tile Show Tickets Tile Read All Incidents Read Unassigned Incidents Create new queries Create new reports Publish queries Publish reports Allow Dashboard Auto Refresh Move Computers Allow Asset Edits Manage Networks Manage Policies Manage Services