Configure User Accounts for Use in Data Privacy
This topic provides the procedures for configuring user accounts that work with data obfuscation in NetWitness. In order for data obfuscation to work, accounts and permissions for several types of users must be configured.
- Customize the default Administrators system role in NetWitness to remove permissions that should be available only to the Data Privacy Officer.
- Add two new user accounts at the system level to depict a data privacy officer and a typical analyst.
- Add a user account at the service level with the aggregation role so that Decoders and Log Decoders can aggregate data to a Concentrator or Broker.
- On the Reporting Engine, configure two separate service accounts: one for general-purpose reporting that does not include any sensitive data, and one for privileged users with access to all data, including sensitive data. This procedure is described in "Configure Data Source Permissions" in the Reporting Engine Configuration Guide.
Customize the Default Administrators User Role at the Service Level
To separate the data privacy officer and administrator functions on each Decoder and Log Decoder, you need to remove the dpo.manage permission from a clone of the Administrators role.
- Go to (Admin) > Services, select a Decoder or Log Decoder, then select > View > Security.
- In the Services Security view, click the Roles tab, select Administrators and click .
- In the Enter Role Name dialog, enter a new role name such as Non_DPO_Administrators and click Save.
- Select the new role.
  The Role Information is displayed for editing.
- Clear the box next to dpo.manage so that it is no longer checked and click Apply.
  The permission to manage data privacy configuration is removed for the new role.
- In the Users tab, select each user who has the Administrators role, and change their role to the cloned role.
- Validate that the users with the modified Administrators role can log in with admin privileges.
- Validate that the users with the modified Administrators role cannot configure metadata and content restrictions in the Settings tab.
Add a User Account with the Aggregation User Role at the Service Level
To ensure that Decoders and Log Decoders can aggregate data to a Concentrator or Broker:
- Go to (Admin) > Services, select a Decoder or Log Decoder, then select > View > Security.
- In the Users tab, add a user with the Aggregation role and click Apply.

Note: "Aggregation Role" in the Hosts and Services Getting Started Guide provides details about the application of this user role.
Add Data Privacy Officer and Analyst Accounts on the NetWitness Server
You need to add two new user accounts in NetWitness at the system level to depict a privileged data privacy officer and a typical analyst. If the environment is configured using the default trusted connections, you do not need to create the new user accounts on the Core services (Brokers, Concentrators, and Decoders). When a user is created in the NetWitness Server, that user can log on to the services.
Note: The role name is required to exist on both the server and the services, and the role name for all places must be identical. If you create a new custom role on the NetWitness Server, make sure to add it to all Core services as well.
- Create a new user account for the data privacy officer:
  - Go to (Admin) > Security, select the Users tab and click .
    The Add User dialog is displayed.
  - Create the new account with the following credentials.
    Username = <new user name for logon, for example, DPOadmin>
    Email = <new user's email, for example, DPOadmin@rsa.com>
    Password = <new user's password for logging on, for example, RSAprivacy!@>
    Full Name = <new user's full name, for example, DPO Administrator>
  - Click the Roles tab, , and select the Data_Privacy_Officers role for the new user.
  - Select Save.
- Create a new user account for the analyst with limited privileges:
  - In the (Admin) > Security view, click the Users tab. In the Users tab toolbar, click .
    The Add User dialog is displayed.
  - Create the new account with the following credentials:
    Username = <new user name for logon, for example, NonprivAnalyst>
    Email = <new user's email, for example, NonprivAnalyst@rsa.com>
    Password = <new user's password for logging on, for example, RSAprivacy!@>
    Full Name = <new user's full name, for example, Nonprivileged Analyst>
  - Click the Roles tab, , and select the Analysts role for the new user.
  - Select Save.
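
The role separation configured in this topic (no dpo.manage outside the Data Privacy Officer role, identical role names on the server and the services, an Aggregation account on each Decoder and Log Decoder) can be checked offline against a snapshot of roles and users. The following is an added example, not NetWitness code: the snapshot layout, the `audit` function, the service and user names, and `placeholder.perm` are constructed assumptions, and producing such a snapshot from a deployment is outside what this topic covers.

```python
"""Added example: offline audit of the role separation set up on this page.
The snapshot layout and account names are constructed assumptions."""

DPO_PERMISSION = "dpo.manage"       # permission named on this page
DPO_ROLE = "Data_Privacy_Officers"  # role named on this page

def audit(snapshot):
    """Return findings for a snapshot of server and service security settings."""
    findings = []
    server_roles = set(snapshot["server"]["roles"])
    for name, svc in snapshot["services"].items():
        roles, users = svc["roles"], svc["users"]
        # Role names must be identical on the server and on every Core service.
        for missing in sorted(server_roles - set(roles)):
            findings.append(f"{name}: role '{missing}' exists on server but not on service")
        if svc["type"] not in ("Decoder", "Log Decoder"):
            continue
        # No assigned role other than the DPO role may still carry dpo.manage.
        for user, role in sorted(users.items()):
            if role != DPO_ROLE and DPO_PERMISSION in roles.get(role, []):
                findings.append(f"{name}: user '{user}' holds {DPO_PERMISSION} via role '{role}'")
        # Decoders and Log Decoders need an Aggregation-role account.
        if "Aggregation" not in users.values():
            findings.append(f"{name}: no user with the Aggregation role")
    return findings

# Constructed sample; "placeholder.perm" stands in for any other permission.
ADMIN = [DPO_PERMISSION, "placeholder.perm"]
SAMPLE = {
    "server": {"roles": ["Administrators", "Analysts", DPO_ROLE, "Non_DPO_Administrators"]},
    "services": {
        "decoder1": {
            "type": "Decoder",
            "roles": {"Administrators": ADMIN, "Analysts": [], DPO_ROLE: [DPO_PERMISSION],
                      "Non_DPO_Administrators": ["placeholder.perm"],
                      "Aggregation": ["placeholder.perm"]},
            "users": {"ops1": "Non_DPO_Administrators", "ops2": "Administrators",
                      "agg": "Aggregation"},
        },
        "logdecoder1": {
            "type": "Log Decoder",
            "roles": {"Administrators": ADMIN, "Analysts": [], DPO_ROLE: [DPO_PERMISSION]},
            "users": {"ops1": "Administrators"},
        },
    },
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

In the constructed sample, decoder1 has one user left on the original Administrators role, and logdecoder1 has not been through the procedure at all, so it is reported for the missing cloned role, the unchanged administrator and the missing Aggregation account.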