UEBA user roles for multitenancy
The User Entity Behavior Analytics (UEBA) app 3.6.0 and later supports multitenant environments in QRadar® 7.4.3 Fix Pack 6 and later.
In a multitenant deployment, you ensure that customers see only their data by creating domains that are based on their QRadar input sources. By creating security profiles and user roles, you can manage privileges for large groups of users within the domain. User roles ensure that users have access to only the information that they are authorized to see.
Note: UEBA 3.6.0 (and later) does not support multiple domains under one security profile. A security profile can only have one domain assigned to it in order for UEBA to work as expected.
For UEBA to work with QRadar, the QRadar admin can create user roles that designate a "UEBA tenant admin" and any non-admin "UEBA tenant" users. Each role has distinct responsibilities and associated activities.
QRadar admin/MSSP admin
- Setting up the first "admin" instance and the other non-admin UEBA instances.
- Configuring non-admin instances with the appropriate tenant_admin token and instance identifiers.
- Determining the size and installing Machine Learning for any instance that requires it. Note: The size of the Machine Learning instance must be the same for every instance. For example: If instance A uses a 5 GB Machine Learning instance, instances B and C must either use no Machine Learning or also 5 GB.
- Upgrading all apps or systems.
- Managing all system settings and rule configurations. Note: Rules are shared for every instance.
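The two constraints noted above (one domain per security profile, and a single Machine Learning size across instances) can be checked before tenants are onboarded. The following is an added example, not IBM code: the inventory format and all names in it are constructed for illustration and do not come from a QRadar API.

```python
from collections import defaultdict

# Constructed inventory (hypothetical format): security profile -> assigned domains.
SECURITY_PROFILES = {
    "tenant_a_profile": ["tenant_a"],
    "tenant_b_profile": ["tenant_b", "tenant_c"],  # breaks the one-domain rule
}

# Constructed inventory: UEBA instance -> Machine Learning size in GB
# (None means the instance runs without Machine Learning).
UEBA_INSTANCES = {"A": 5, "B": None, "C": 10}


def check_security_profiles(profiles):
    """Flag security profiles that have more than one domain assigned."""
    findings = []
    for name, domains in sorted(profiles.items()):
        unique = sorted(set(domains))
        if len(unique) > 1:
            findings.append(f"{name}: {len(unique)} domains {unique}")
    return findings


def check_ml_sizes(instances):
    """Flag Machine Learning sizes when instances that use ML disagree."""
    by_size = defaultdict(list)
    for name, size_gb in instances.items():
        if size_gb is not None:  # instances without ML are always allowed
            by_size[size_gb].append(name)
    if len(by_size) <= 1:
        return []
    return [f"{size} GB: instances {sorted(names)}"
            for size, names in sorted(by_size.items())]


def audit(profiles, instances):
    """Run both checks and return the findings per section."""
    return {
        "security_profiles": check_security_profiles(profiles),
        "ml_sizes": check_ml_sizes(instances),
    }


if __name__ == "__main__":
    for section, findings in audit(SECURITY_PROFILES, UEBA_INSTANCES).items():
        print(section, "OK" if not findings else "FAIL")
        for finding in findings:
            print("  ", finding)
```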
UEBA tenant admin
- Configuring UEBA Settings (specifically Application Settings).
- Configuring Machine Learning settings.
- Adding users to the trusted user list and deleting users.
- Setting the Machine Learning priority.
- Investigating users with QRadar Advisor with Watson.
- Configuring user imports.
- Creating domain filters.
- Creating and enabling custom machine learning models.
- Creating GDPR reports.
To create the tenant admin role:
- On the navigation menu, click Admin.
- In the System Configuration section, click User Management, and then click the User Roles icon.
- Create a new role for the tenant admin user. For example, tenant_admin.
- Select the checkboxes as indicated in the following screen shot to add the permissions to the role.
- Click Save.

UEBA tenant user
- View and analyze user data in UEBA.
- Internally investigate users.
To create the tenant user role:
- On the navigation menu, click Admin.
- In the System Configuration section, click User Management, and then click the User Roles icon.
- Create a new role for a tenant user. For example, tenant_user.
- Select the checkboxes as indicated in the following screen shot to add the permissions to the role.
- Click Save.
