Administration Guide › Custom Roles and Policies › Configuring Custom User Roles and Access Policies

Configuring Custom User Roles and Access Policies

A user role can be a predefined application user group or a user-defined application group. Custom user roles are needed when the predefined application groups (Administrator, Analyst, and Auditor) are not sufficiently fine-grained to reflect work assignments. Custom user roles require custom access policies and modification of predefined policies to include the new role.

Administrators can create user roles and corresponding policies as follows:

1. For each role assumed by users of CA User Activity Reporting Module:
   • Identify the resources to which access must be granted.
   • Identify the actions you want to permit on each resource.
   • Identify the identities, or individuals, to whom this role applies.

     Note: Identities can be other application groups designed to make up a super group.

2. If a predefined application group is too broad for your needs, create a new application group and assign this application group to the individuals you identified. It is good practice to name a user-defined application group with a term that describes the role the assigned users are to perform.
3. Add the new application group to the CALM Application Access policy, which is an Access Control List type.
4. If the new role needs to be able to take an action on one or more resources, such as create, do the following:
   1. Configure a CALM policy that allows the new application group to create or take other valid actions the identified CA User Activity Reporting Module resources.
   2. Configure a scoping policy that grants the new application group read and write access to the AppObject resource and specify a filter that states where the identified resource is stored in the EEM folders. For each filter, enter the named attribute, pozFolder, CONTAINS and a value, where the value is the EEM Folder path beginning with /CALM_Configuration.
5. If the new role only needs to view a specific CA User Activity Reporting Module resource, configure a scoping policy that permits read access to AppObject and specify a filter where the named attribute, pozFolder, CONTAINS a value, where the value is the EEM Folder path beginning with /CALM_Configuration where that resource is stored.
6. Test the policies.
7. Assign the new role to user accounts.

Administrators can also create restrict user access with access filters. If a particular kind of restricted access applies to only one individual, you can omit assigning that person an application group, or role. To limit the access of a user:

1. Create a user but assign no role.
2. Give the user access to the CA User Activity Reporting Module application by adding the user to the CALM access policy.
3. Create a scoping policy that grants read or write access to the SafeObject, AppObject and specify a filter where the named attribute pozFolder is equal to the value of the EEM folder for the resource. For example, if the resource is reports, set the named attribute calmTag equal to the value of a report tag.
4. Create a custom access filter.

Administrators can customize user access to the CA User Activity Reporting Module resources. Consider the following examples:

• Create roles to assign specific administration responsibilities to different groups of administrators. For example, create a role such as UserAccountAdministrator. Create a policy that grants users with this role access to only the functionality needed to maintain users and groups. Such a policy must define read and write access to the GlobalUser resource as well as to the User and UserGroup resources.
• Create roles to distribute responsibilities of analysts to the various types of reports and queries based on tags. For example, create roles such as SystemAccessAnalyst and PCIAnalyst and assign analysts to just one of the restricted analyst roles. Then create policies that grant access to a subset of these resources based on tag. For example, create a policy that grants the SystemAccessAnalyst role access to reports and queries that have the System Access tag and another that grants the PCIAnalyst role access to reports and queries that have the PCI tag. Create other roles and policies based on other tags. Policies that restrict access in this way do so with access filters.

Administrators can create server-based policies using either of the following approaches:

• Restrict data

  You can restrict access to specific logs by creating a data access filter, setting the filter for receiver_name field, and specifying a value such as systemstatus or syslog.

• Restrict configuration

  You can restrict access to a particular CA User Activity Reporting Module server by creating a policy on the SafeObject resource class with AppObject as the selected resource. That is, to restrict access just to the report server configuration on a particular host, define a filter such as the following:

  pozFolder contains /CALM_Configuration/Modules/calmReporter/LogServer01
  

More information:

Sample Policies for Custom Integrations

Sample Policies for Suppression and Summarization Rules

Create an Access Filter

Restricting Data Access for a User: Win-Admin Scenario

Restricting Access for a Role: PCI-Analyst Scenario