User access, roles, and permissions

To access IBM Security QRadar Log Insights and complete tasks in it, users require specific roles and permissions. Review the available roles and permissions, and the associated tasks that users can complete with them. These roles help you to set up users so that they can begin day-to-day operations.

Add users in your organization such as:

  • IT or system administrators
  • Security business leaders
  • Security analysts

The differences between users' job functions are represented by the different roles and permissions that they are assigned when they are added to an account.

New users are added to a QRadar Log Insights account by a system administrator or an account administrator and are assigned the appropriate role for each application or service.

Administrators with user management permissions can remove user access for some applications or services if needed. This access removal prevents users from seeing or accessing components that they are not entitled to.

Administration

The following administration roles are supported.

Table 1. Administration roles and permissions
Administration role | Permission

Account configuration

In a Standard account, the Admin can change the account settings (name, description, or identity provider) for the account or set an organization profile. A User can only view the account's settings.

User management

The Admin can add, view, or remove access for all other users in an account. The Admin can edit roles for all other users, except for the account management role. You must be a System Administration account admin to edit the account management role.

Data sources

An administrator can view, connect, and configure data sources for an account. They can also create, update, and remove Connected Assets and Risk data sources.

A user can use only the Universal Data Insights data sources that they are granted access to. They can also view Connected Assets and Risk data sources, but to view Connected Assets and Risk data, a user must also have the necessary Asset Management permissions. For more information, see Asset Management.

Application and services

Application and services roles are defined and enforced at the application or service level, so the associated permissions vary by application or service.

The following standard user roles are supported.

Admin

This role is typically assigned to someone in the security operations job function, to users who are in charge of setting up integrations between systems and other configurations, or to users who have an oversight role.

User

This role is typically assigned to a security analyst, worker, or responder who uses an application or solution to protect your enterprise.

Viewer

This role is typically assigned to someone in an auditor job function. These users have read access to all data, but cannot create, edit, or delete anything.

A user can be assigned to different roles in different applications where the user is entitled. For example, John is entitled to applications App 1 and App 2. You can assign John as an Admin in App 1 and as a User in App 2.

The following table summarizes the application roles and permissions.

Table 2. Application roles and permissions
Application or service | Permission

Asset Management

An administrator can create, update, and remove Connected Assets and Risk data.

A user can view Connected Assets and Risk data from all Connected Assets and Risk data sources.

Case Management

By default, all users are assigned the User role for IBM® Security Case Management. For users who need to manage cases, select the Admin role. The Admin role allows you to edit and delete all cases. You can review the onscreen tooltip to see a full list of the permissions associated with the Admin role.

Data Explorer

Select the User role to access IBM Security Data Explorer.

Detection and Response Center

Select the User role to access IBM Detection and Response Center.

Edge Gateway

Select an option if you want to assign permissions for IBM Security Edge Gateway. The tooltips for Admin and User provide information about the permissions that are associated with each role.

Log Insights

Select an option to assign permissions for Ingestion data sources.
  • The Admin role can create, edit, and delete ingestion data sources.
  • The User role can create and edit ingestion data sources.
  • The Viewer role can view ingestion data sources.

For more information, see Adding ingestion data sources.

Data Collector

Select the Admin role to create, register, edit, and delete IBM Data Collectors. On the User management page, go to the Ingestion data sources section and select the Admin option so that users can access the Data Collector.

QRadar Proxy

Administrators use QRadar Proxy to enter connection settings, including a background service token that enables communication between QRadar Proxy and QRadar®. Then, all users can enter their own credentials so that they can proxy the IBM QRadar User Behavior Analytics app or access QRadar content from the QRadar SIEM dashboard widgets and IBM Detection and Response Center. The proxying of QRadar apps is not supported when you connect to QRadar on Cloud.

Threat Intelligence Insights

Select the Admin role to assign permissions to manage user accounts and access additional reports from IBM X-Force® Exchange. Both User and Admin roles can access the IBM Security Threat Intelligence Insights application, view threat reports, create and share threats, and run an Am I Affected scan.

The Account Configuration permission that is described in the Administration roles and permissions table is required to set up the organization's profile to customize the account's threat intelligence feed.

The Data Source permission that is described in the Administration roles and permissions table is required to Configure Threat Intelligence Insights external data sources or Connect one or more data sources. To run an Am I Affected scan in the Threat Intelligence Insights application, you must connect one or more data sources.

Threat Investigator

For more information about IBM Security Threat Investigator, see Roles and permissions for Threat Investigator.
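
A least-privilege review built from the rules in Table 2 (the Log Insights, Data Collector, Asset Management, and Case Management rows), as an added example that is not IBM code. The task names, the dict layout, and the sample users are constructed, and treating Viewer < User < Admin as an ordering is an assumption.

```python
# Added example, not IBM code. Task names, the dict layout and the sample
# users are constructed for illustration.
RANK = {None: 0, "Viewer": 1, "User": 2, "Admin": 3}  # ordering is an assumption

# Every user is assigned the Case Management User role by default (Table 2).
DEFAULTS = {"Case Management": "User"}

# Lowest role that Table 2 lists for each task (hypothetical task names).
REQUIRES = {
    "view_ingestion_source": ("Log Insights", "Viewer"),
    "edit_ingestion_source": ("Log Insights", "User"),
    "delete_ingestion_source": ("Log Insights", "Admin"),
    "manage_data_collector": ("Log Insights", "Admin"),  # needs ingestion Admin
    "view_asset_risk_data": ("Asset Management", "User"),
    "update_asset_risk_data": ("Asset Management", "Admin"),
    "edit_any_case": ("Case Management", "Admin"),
}

def review(roles, tasks):
    """Return sorted (user, area, finding) tuples: missing or excess roles."""
    findings = []
    for user in sorted(set(roles) | set(tasks)):
        needed = dict(DEFAULTS)  # area -> highest role the user's tasks require
        for task in tasks.get(user, ()):
            area, role = REQUIRES[task]
            if RANK[role] > RANK[needed.get(area)]:
                needed[area] = role
        held = {**DEFAULTS, **roles.get(user, {})}
        for area in sorted(set(needed) | set(held)):
            have, need = held.get(area), needed.get(area)
            if RANK[have] < RANK[need]:
                findings.append((user, area, f"missing: has {have}, needs {need}"))
            elif RANK[have] > RANK[need]:
                findings.append((user, area, f"excess: has {have}, needs {need}"))
    return findings

# Constructed sample: assigned roles per area, and the tasks each user performs.
SAMPLE_ROLES = {
    "alice": {"Log Insights": "Admin", "Asset Management": "Admin"},
    "bob": {"Log Insights": "User"},
    "carol": {"Log Insights": "Viewer", "Case Management": "Admin"},
}
SAMPLE_TASKS = {
    "alice": ["manage_data_collector", "view_asset_risk_data"],
    "bob": ["edit_ingestion_source", "manage_data_collector", "view_asset_risk_data"],
    "carol": ["view_ingestion_source"],
}

if __name__ == "__main__":
    for finding in review(SAMPLE_ROLES, SAMPLE_TASKS):
        print(*finding, sep=" | ")
```

Viewing Connected Assets and Risk data also depends on access to the data sources themselves, which this sketch does not model.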