I don't really use the built-in roles because I like to start off with a tight ACL and loosen it up as access to the data is needed.

I have a few roles that are in place or being put in place once the content is completed to support them:

Intel Admin - Only access to Wintel server logs

Unix Admin - Only access to Unix server logs

DBA - only access to DB servers and DB logs

Exchange Admin - Only access to email traffic and logs of email servers

Risk & Invenstigations - Only access to login/logout data, web traffic, and email traffic

Compliance & Privacy - Only access to medical record logs

Each of these roles has content I've created for them to support the bulk of their workload, but obviously they are welcome to create their own, except for trends and data monitors.  They are only able to see the content from within their role in the specific folders.

As far as creating connectors go, I'm the only person who does it .

I like to start off inexperienced customer administrators with 'Operator/Analyst'. It lets them see everything and only contribute to Public.

Once the team is defined I typically end up creating custom groups based on what they need; it ends up being different every time.

A.

Do you use filters to restrict certain users access to certain data? We function in a model similar to an MSSP and I'm having an issue with a filter applied to restrict users from one group to seeing only their data (based on customerURI set at the connector). The filter works for data they create in active channels and the like but when they view stock content like dashboards they see all the data from all the groups. When they drill down they see only the data that pertains to them but that drill down data will only be subset of the data they see in the dashboard. I don't have to create seperate dashboards for each group, do I? Thanks

Basically, yes, you do have to create different Data Monitors and Dashboards if you want to restrict the results for users.  The reason is that user event  Filters restrict results returned by the user's query, but Data Monitors run independent of that.  So when a user pulls up a Dashboard, it contains results that have been collected independent of the viewer.  Data Monitor will gather statistics even if it's never viewed. 

Thanks all,

I'll start of by creating a separate root group, define some high level groups (ArcSight defaults & like chrisb suggested.) As more granular access is needed, I'll add sub groups. I hope this will give me a proper framework for future deployments. Easily extendible by adding the (Business specific) sub groups.

Now I need to create myself a good format to document these settings. Using the 'ACLReportGen.sh' script will show about 150 rows with ACL's, expanding that a bit to include the customer. That's a lot of ACL's to put down & than even add the customer specifics.

cheers, jhs

I think the "Different every time'' comment to be very accurate. No two SOC's are the same and neither are the roles and responsibilities, contained within them, try as you might it is difficult to pigeon hole users into specific roles and constraints. Starting this way also highlighted the hard core users from the pretenders. As such a settled user base resulted.