Assigning Local Only authentication

Local Only authentication is a setting that is used when external authentication is enabled on IBM® QRadar®. Setting Local Only authentication to true for a user ensures that the user authenticates to QRadar locally rather than through external authentication. Local Only authentication prevents unintended access to QRadar from the accounts that are configured in the external authentication repository.

Before you begin

Only an Administration Manager or a System Manager with the Manage Local Only authentication role can manage Local Only authentication.

About this task

When you upgrade to QRadar 7.5.0 Update Package 2 or later, the Manage Local Only Authentication role is added to manage the Local Only authentication for users. Any user or authorized service that has the Administration Manager user role inherits this new capability. To add the Manage Local Only Authentication role, see Creating a user role.

The following table shows the permissions that users and authorized services have when the Manage Local Only Authentication setting capability is enabled or not enabled.

Table 1. Managing Local Only Authentication permission

Manage Local Only Authentication Setting capability: Enabled

User
  • Create and modify users with any local only setting
  • Create or delete a user or authorized service with any user role
  • Modify a user or authenticated service role to assign or remove the Manage Local Only Authentication setting capability
  • Assign user roles to any user when their original role is deleted
  • Delete user roles with any capability

Authorized Service
  • Create users without the Local Only setting enabled
  • Create or delete users or authorized services with any user role
  • Modify a user or authenticated service role to assign or remove the Manage Local Only Authentication setting capability
  • Cannot modify a user's Local Only setting

Manage Local Only Authentication Setting capability: Not enabled

User
  • Can create new users with the same Local Only setting as their own
  • Can create or delete users or authorized services with user roles that do not contain the Manage Local Only Authentication setting capability
  • Cannot modify a user's Local Only setting
  • Cannot modify a user or authenticated service role to assign or remove the Manage Local Only Authentication setting capability
  • Cannot assign user roles with the Manage Local Only Authentication setting capability when their original role is deleted
  • Cannot delete user roles with the Manage Local Only Authentication setting capability

Authorized Service
  • Create users without the Local Only setting enabled
  • Can create or delete users or authorized services with user roles that do not contain the Manage Local Only Authentication setting capability
  • Cannot modify a user's Local Only setting
  • Cannot modify a user or authenticated service role to assign or remove the Manage Local Only Authentication setting capability

Important:
  • If users or authorized services must not inherit the Manage Local Only authentication role, then a new user role must be assigned.
  • The default administration account is automatically set to Manage Local Only authentication.
  • Only an Administration Manager or a System Manager with the Manage Local Only authentication role can create or delete a user role with Manage Local Only authentication.

Procedure

  1. On the Admin tab, click Users.
  2. Locate the user to be assigned Local Only authentication and switch the Local Only authentication to On.
    The user can use only Local Only authentication to log in.