User access, roles, and permissions

To access and complete tasks with IBM Security QRadar® Suite Software, users require specific roles and permissions. Review the available roles and permissions and the tasks that users can complete with them. These roles help you to set up users so that they can begin day-to-day operations.

Add users in your organization such as:

  • IT or system administrators
  • Managed Security Service Providers (MSSP)
  • Security business leaders
  • Security analysts

In QRadar Suite Software, the differences between users' job functions are represented by the different roles and permissions they are assigned when they are added to an account.

During installation, the initial user is set as the system administrator with Admin permission for all roles in the System Administration account. This user then adds other administrators, accounts, and users to QRadar Suite Software.

Important: The System Administration account cannot be deleted. QRadar Suite Software ensures that the System Administration account always has at least one administrator with accounts management access. If none of the assigned system administrators are available for administrative tasks, the cluster administrator can add a system administrator. For more information, see Adding an Admin to the System Administration account.

New users are added to a QRadar Suite Software account by a system administrator, a Provider account administrator, or a Standard account administrator and are assigned the appropriate role for each application or service.

Administrators with user management permissions can remove user access for some applications or services if needed. This access removal prevents users from seeing or accessing components that they are not entitled to.

Administration

The following QRadar Suite Software administration roles are supported.

Table 1. Administration roles and permissions
Administration Permission

Accounts management

The account management role is available only in the System Administration account, which contains account management, account configuration, and user management roles.

The Admin automatically has permission for account configuration and user management in the System Administration account. From the System Administration account, the Admin can view and manage multiple accounts for multiple users.

Restriction:

The Admin is restricted from:

• Editing their own permission in the accounts management role.

• Seeing usernames or email details in another account if they are not a member of that account.

• Editing account settings in another account if they are not a member of that account.

Account configuration

In a Standard account, the Admin can change the account settings (name, description, or identity provider) for the account, select a threat intelligence plan, or set an organization profile. A User can only view the account's settings.

In a Provider account, the Admin can also create or delete Standard accounts for clients. The Standard accounts that are created by an Admin within a Provider account cannot be managed by an Admin from another Provider account. The Admin automatically has permission for user management in the Provider account. From the Provider account, the Admin can view and manage multiple client accounts for multiple users.

Restriction:

When, as the Provider account Admin, you go to Account management, select Standard account(s), and click Manage users, you cannot assign permissions for applications or services for any user other than the user you are logged in as.

The workaround is to go to individual Standard accounts and assign the users permissions within those accounts.

User management

The Admin can add, view, or remove access for all other users in an account. The Admin can edit roles for all other users, except for the account management role. You must be a System Administration account admin to edit the account management role.

Integration data sources

An administrator can view, connect, and configure data sources for an account. They can also create, update, and remove connected assets and risk data.

A user can use data sources that are connected, configured, and to which they are granted access by a data sources administrator. They can read connected assets and risk data.

Licensing & usage

The Admin can view license information and enable or disable applications for an account. The Viewer can only view license information.
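
The role-editing restrictions in the table above, modelled as a check that can be run over an exported list of role assignments during an access review. This is an added example, not IBM code or a QRadar Suite API; the data model, role keys, and user names are constructed, and denying self-edits for every role is a conservative reading of "all other users".

```python
from dataclasses import dataclass, field

SYSTEM_ACCOUNT = "System Administration"  # account name as given on the page
ACCOUNTS_MGMT = "accounts_management"     # role keys are assumed identifiers
USER_MGMT = "user_management"

@dataclass
class Directory:
    # Constructed model: account -> user -> {role: "Admin" | "User" | "Viewer"}
    grants: dict = field(default_factory=dict)

    def is_admin(self, account, user, role):
        return self.grants.get(account, {}).get(user, {}).get(role) == "Admin"

    def system_admins(self):
        users = self.grants.get(SYSTEM_ACCOUNT, {})
        return {u for u, r in users.items() if r.get(ACCOUNTS_MGMT) == "Admin"}

def can_edit_role(d, actor, target, account, role):
    """Return (allowed, reason) for actor editing target's role in account."""
    if actor == target:
        # Page: admins edit roles for *other* users, never their own
        # accounts management permission. Applied here to every role.
        return False, "self-edit"
    if role == ACCOUNTS_MGMT:
        if account != SYSTEM_ACCOUNT:
            return False, "role exists only in the System Administration account"
        if actor not in d.system_admins():
            return False, "needs a System Administration account admin"
        return True, "ok"
    # In the System Administration account the accounts management Admin
    # automatically holds user management; elsewhere it must be granted.
    if d.is_admin(account, actor, USER_MGMT) or (
            account == SYSTEM_ACCOUNT and actor in d.system_admins()):
        return True, "ok"
    return False, "needs user management Admin in this account"

def removal_keeps_admin(d, target):
    """True if the System Administration account keeps an admin without target."""
    return bool(d.system_admins() - {target})

def sample_directory():
    # Constructed sample assignments, not taken from a real deployment.
    return Directory({
        SYSTEM_ACCOUNT: {"alice": {ACCOUNTS_MGMT: "Admin"}},
        "Client A": {"carol": {USER_MGMT: "Admin"},
                     "dave": {"data_explorer": "User"}},
    })
```

In a review, a False result from removal_keeps_admin flags a System Administration account that depends on a single administrator.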

Application and services

Application and services roles are defined and enforced at the QRadar Suite Software application or service level; the associated permissions vary by application or service.

The following IBM Cloud Pak® foundational services standard user roles are supported in QRadar Suite Software.

Admin

This role is typically assigned to someone in the security operations job function, to users who are in charge of setting up integrations between systems and other configurations, or to users who have an oversight role.

User

This role is typically assigned to a security analyst, worker, or responder who uses an application or solution to protect your enterprise.

A user can be assigned to different roles in different applications where the user is entitled. For example, John is entitled to applications App 1 and App 2. You can assign John as an Admin in App 1 and as a User in App 2.

The following table summarizes the application roles and permissions in QRadar Suite Software.
Table 2. Application roles and permissions
Application or service Permission

IBM® Security Case Management

For more information, see Access and permissions for Case Management.

IBM Security Data Explorer

  • Select the User role to access Data Explorer.

  • Select the Admin role to access Threat Hunt for Data Explorer.

IBM Detection and Response Center

Select the User role to access Detection and Response Center.

IBM Security Orchestration & Automation

For more information, see Access and permissions for Orchestration and Automation.

IBM QRadar Proxy

Administrators use QRadar Proxy to enter connection settings, including a background service token, that enable communication between QRadar Proxy and QRadar. Then, all users can enter their own credentials so that they can proxy the IBM QRadar User Behavior Analytics app or access QRadar content from the QRadar SIEM dashboard widgets and IBM Detection and Response Center. The proxying of QRadar apps is not supported when you connect to QRadar on Cloud.

Users need either User or Admin access for QRadar Proxy to view the QRadar SIEM Analytics and QRadar SIEM Monitoring dashboards.

IBM Security Risk Manager

Select the Admin role to access Risk Manager and Risk Manager Advanced.

Users need either User or Admin access for IBM Security Risk Manager to view the Risk Manager Insights dashboard.

IBM Security Threat Intelligence Insights

Select the Admin role to assign permissions to manage user accounts and access additional reports from IBM X-Force® Exchange. Both User and Admin roles can access the Threat Intelligence Insights application, view threat reports, create and share threats, and run an Am I Affected scan.

The Account Configuration permission that is described in the Administration roles and permissions table is required to select a Threat Intelligence Insights plan and set up the organization's profile to customize the account's threat intelligence feed.

The Data Source permission that is described in the Administration roles and permissions table is required to Configure Threat Intelligence Insights external data sources or Connect one or more data sources. To run an Am I Affected scan in the Threat Intelligence Insights application, you must Connect one or more data sources.

Users need either User or Admin access for Threat Intelligence Insights to view the Threat Intelligence Insights dashboard.

IBM Security Threat Investigator

For more information, see Roles and permissions for Threat Investigator.

IBM QRadar User Behavior Analytics

Select the User role to access User Behavior Analytics.

Roles and permissions for User Behavior Analytics are managed in the QRadar system and persist to QRadar Suite Software for the user.

Users need either User or Admin access for QRadar Proxy and User access for User Behavior Analytics to view the User Behavior Analytics dashboard.