UBA user roles for multitenancy

The User Behavior Analytics (UBA) app 3.6.0 and later supports multitenant environments in QRadar® 7.4.3 Fix Pack 6 and later.

In a multitenant deployment, you ensure that customers see only their data by creating domains that are based on their QRadar input sources. By creating security profiles and user roles, you can manage privileges for large groups of users within the domain. User roles ensure that users have access to only the information that they are authorized to see.

Note: UBA 3.6.0 (and later) does not support multiple domains under one security profile. A security profile can only have one domain assigned to it in order for UBA to work as expected.

For UBA to work with QRadar, the QRadar Admin can create user roles that designate a "UBA tenant admin" and any non-admin users or "UBA tenant". Each role has distinct responsibilities and associated activities.

QRadar admin/MSSP admin

The QRadar Admin/MSSP admin owns and manages the first or "admin" instance of UBA. The QRadar admin is responsible for completing the following tasks:
  • Setting up the first "admin" instance and the other non-admin UBA instances.
  • Configuring non-admin instances with the appropriate tenant_admin token and instance identifiers
  • Determining the size and installing Machine Learning for any instance that requires it. Note: The size of the Machine Learning instance must be the same for every instance. For example: If instance A uses a 5 GB Machine Learning instance, instances B and C must either use no Machine Learning or also 5 GB.
  • Upgrading all apps or systems.
  • Managing all system settings and rule configurations. Note: Rules are shared for every instance.

UBA tenant admin

The UBA tenant admin is responsible for the following tasks:
  • Configuring UBA Settings (specifically Application Settings)
  • Configuring Machine Learning settings.
  • Adding users to the trusted user list and deleting users.
  • Setting the Machine Learning priority.
  • Investigating users with QRadar Advisor with Watson™.
  • Configuring user imports.
  • Creating domain filters.
  • Creating and enabling custom machine learning models.
  • Creating GDPR reports.
Complete the following procedure to create a role for the tenant admin user.
  1. On the navigation menu ( Navigation menu icon ), click Admin.
  2. In the System Configuration section, click User Management, and then click the User Roles icon.
  3. Create a new role for the tenant admin user. For example, tenant_admin.
  4. Select the checkboxes as indicated in the following screen shot to add the permissions to the role.
  5. Click Save.
User role permissions for tenant admin

UBA tenant user

The UBA tenant user has limited ability to manage the UBA instance but can do the following:
  • View and analyze user data in UBA.
  • Add notes.
  • Create custom alerts.
  • Create watchlists.
  • Internally investigate users.
Complete the following procedure to create a role for the UBA tenant user.
  1. On the navigation menu ( Navigation menu icon ), click Admin.
  2. In the System Configuration section, click User Management, and then click the User Roles icon.
  3. Create a new role for a tenant user. For example, tenant_user.
  4. Select the checkboxes as indicated in the following screen shot to add the permissions to the role.
  5. Click Save.
User role permissions for tenant user