circle-info
Welcome to the new Logpoint documentation portal! Can’t find what you’re looking for?
Logpoint Documentationarrow-up-right
search

User Access Management

circle-info

Before you start, change the password.

Authentication and authorization of Logpoint SIEM users is based on user roles and the permissions granted to those roles. SOAR Automation user access management works the same, but a separate license is required.

  • Add permissions to Permission Groups.

  • Assign one or more Permission Groups to a User Group.

  • Assign Users to User Groups.

hashtag
Permission Groups

There are two default standard permission groups. You can't modify or delete them.

hashtag
Admin Permission Group

Grants comprehensive access, including read, create, and delete access rights. It is for users or administrators who require full access rights to Logpoint for comprehensive configuration and maintenance.

hashtag
Operator Permission Group

Operators can monitor and investigate by viewing dashboards and widgets, running searches, and using search templates, packages, and views to investigate events. Users in the operator permission group can create and modify their own dashboards and alerts, build and maintain searches and reports, and maintain the analytics content used by the SOC. Operators have read and create permissions for Incidents, allowing them to view incidents assigned to them or their group, investigate incidents, and create new incidents from alerts or investigations.

You can also assign the user groups Incident User Groups and Data Privacy Groups.

After a user is created, they must be authenticated based on their credentials to log in and access Logpoint. Logpoint supports multiple authentication methods, including local authentication, external Identity Providers (IdPs), and Multi-Factor Authentication (MFA).

chevron-rightViewing Permission Groupshashtag

  1. In the navigation bar, click Settings>>Users.

  2. Click Permission Groups.

  3. Sort the columns in ascending and descending order by clicking the arrow in the column name.

  4. To add or remove which columns are visible, click the More dropdown, and click Columns. Deselect the columns not to display.

hashtag
New Permission Groups

Permission groups streamline user management, and tailor permissions to align with organizational roles and responsibilities. According to your organization’s structure and the user’s responsibility, setup different permission groups. You can edit, delete, or create new groups.

When a new permission group is added, it is reflected in Logpoint SIEM and SOAR automation of the users.

SIEM Permissions:

  • Knowledge Base

  • Configuration

  • Analytics

chevron-rightAdd a New Permission Grouphashtag

  1. Go to Settings > User Accounts from the navigation bar and click Permission Groups.

  2. Click Add.

  3. Enter a Name and a Description.

  4. All permissions are selected by default. Under Knowledge Base, Configuration, and Parsers, deselect the permissions the users shouldn't have. You must deselect them one by one.

circle-info

SOAR Automation permissions are only accessible if you have a license.

  1. Click Submit.

chevron-rightEditing Permission Grouphashtag

  1. Go to Settings >> User Accounts from the navigation bar and click PermissionGroups.

  2. Click the name of the permission group.

  3. Remove permissions or change access rights.

  4. Click Submit.

chevron-rightDelete Permission Groupshashtag

Before deleting a permission group, verify it is not in use.

  1. Go to Settings > User Accounts from the navigation bar and click Permission Groups.

  2. To delete:

    • a single permission group: select it in the list and in the Actions column, click the Delete icon.

    • multiple permission groups: select the permission groups, click the MORE dropdown, and click Delete Selected.

    • all the permission groups: click the MORE dropdown and click Delete All.

  3. Click Yes.

hashtag
SOAR Playbooks Permissions

SOAR Playbooks
Read
Create
Delete

Playbook Actions

- List playbook. - Export or Enable or Monitor playbooks.

- Clone or Add or Edit playbook. - Run playbook.

Delete playbook.

Manage Playbook Triggers

List triggers.

Add or Edit triggers.

Delete triggers.

hashtag
SOAR Settings Permissions

SOAR Settings
Read
Create
Delete

Integrations

- Export or View Vendors. - Export or View Products. - Search before Export or View.

- Add or Edit Vendors and Products. - Add or Edit or Clone Actions.

Delete Vendors, Products and Actions.

API Key

View API Key.

Generate API Key.

N/A.

Licensing

View License

Upload License.

N/A.

My Products

Export or View Products.

Add or Edit Products.

Delete Products.

Lists Management

View List.

Add or Edit List.

Delete List.

Import

N/A.

Upload imported Settings.

N/A.

System Health

View System Health.

N/A.

N/A.

hashtag
SOAR Cases Permissions

SOAR Cases
Read
Create
Delete

Manage Cases

Export or View Cases.

- Add or Edit or Annotate Cases. - Tag or Comment or Edit item to Cases. - Change Case Status and Change Handling Status.

Delete Label and Comment.

hashtag
User Groups

Group users and grant them the same permissions. Admin users can also grant permissions to repositories and device groups to a user group.

There are three default, standard user groups. You can't modify or delete them.

  • Logpoint Administrator: Users have full access to all features and settings.

  • User Account Administrator: All permissions except for System Settings. This User Group cannot view the Logpoint Administrator group.

  • Incident User Groups: Manage incidents, including alert ownership and access to incident details. All Logpoint users can view incidents, but they can't resolve or close them. Only users who are part of the Logpoint Administrator group and the User Account Administrator group can grant access or add users to Incident User Groups.

hashtag
Data Privacy User Groups

Users who are linked to a Data Privacy User Group can administer access to encrypted user data. Data Privacy encrypts specific clear-text fields so they are hidden from non-admin Logpoint users. Encrypted data can only be viewed by non-admin users by request, and then a user who is part of a Data Privacy user group can grant access to the data.

chevron-rightViewing User Groupshashtag

  1. In the navigation bar, click Settings >> Users.

  2. Click User Groups.

  3. Sort the columns in ascending and descending order by clicking the arrow in the column name.

  4. To add or remove which columns are visible, click the More dropdown, and click Columns. Deselect the columns not to display.

hashtag
New User Groups

When you create a new user group, you grant the group which permissions they have. In addition, if you are an admin user, you also grant repo and device access to a user group in addition to a universal query. User groups can access all repos and devices or specific repos and devices, depending on what they are granted access to. Device groups include all devices, log sources, and IP addresses within the group.

You use a universal query to differentiate searches between user groups. For example, if a universal query is set to col_type=syslog, then only logs corresponding to col_type=syslog are in the search results for the user group assigned to that universal query.

You must set up different user groups, other than the two default ones, according to your own organization's structure, and which users should have the same access as other users. You can edit the groups you add, delete them, or create new ones. Add User Groups, then assign an Incident User Group to manage incidents.

chevron-rightAdding a New User Grouphashtag

  1. Go to Settings > User Accounts from the navigation bar and click User Groups.

  2. Click Add.

  3. Enter a Name and a Description.

  4. Enter a Universal Query. You use a universal query to differentiate searches between user groups. For example, if a universal query is set to col_type=syslog, then only logs corresponding to col_type=syslog are in the search results for the user group that is assigned that universal query.

  5. Select a Permission Group.

    User Groups can be granted access to all Repos and Devices, or you can select specific Repos and Devices. Device Groups include all the devices, log sources, and IP addresses part of the group.

  6. Click Object Permissions. To grant access to:

    1. repos, device groups, devices, log sources and IP addresses in all of the Logpoint in your environment, select Full Permission.

    2. Select All Repos for only Repo access.

    3. Select All Devices for only Device access.

    4. To grant access to specific Devices and Repos, click Advanced selection. Devices and Log Sources not assigned to any device group are listed under Ungrouped.

  7. Click Confirm.

  8. Click Save.

  9. Click Submit.

chevron-rightEditing a User Grouphashtag

  1. Go to Settings > User Accounts from the navigation bar and click User Groups.

  2. Select the user group to edit.

  3. Change the name, query, permission group and/or the repos or devices the group has access to.

  4. Click Submit.

chevron-rightDeleting User Groupshashtag

To delete a User Group, verify it is not in use.

  1. Go to Settings > User Accounts from the navigation bar and click User Groups.

  2. To delete:

    1. a single user group: select it in the list and click the Delete icon from Actions.

    2. multiple user groups: select the user groups, click the MORE dropdown, and select Delete Selected.

    3. all the user groups: click the MORE dropdown and select Delete All.

  3. Click Yes to confirm.

hashtag
Incident User Groups

Incident management, including assigning alert ownership, is controlled by users whose user group is also linked to an Incident User Group. Only users who are part of an Incident User Group can own or manage an Alert Rule. Only users in the Logpoint Administrator and User Account Administrator user groups can grant access or add users to Incident User Groups.

chevron-rightAdding User Groups to an Incident User Grouphashtag

  1. Go to Settings > User Accounts from the navigation bar and click Incident User Groups.

  2. Click Add.

  3. Double-click or drag and drop the user groups to select.

  4. Click Submit.

    Assign User Groups to an Incident User Group so they can manage incidentsarrow-up-right

hashtag
Data Privacy

Data Privacy encrypts specific clear-text fields, hiding them from non-admin Logpoint users. Encrypted data can be viewed only by non-admin users upon request, and only a user in a Data Privacy user group can grant access.

Only admin users and user account administrators can set up Data Privacy User Groups. There are two group types:

  • Can Request Access — users who can send a request to view encrypted data.

  • Can Grant Access — users other than admin users who can grant viewing access to encrypted data.

Users in a Can Grant Access user group do not automatically have access to encrypted data. They also need to be part of a Can Request Access user group and send a request. A user cannot view decrypted data without another user's consent.

chevron-rightGrant access to Data Privacy User Grouphashtag

  1. Create a user group.

  2. Add the users.

  3. Map the user group to a Data Privacy user Group.

chevron-rightMapping a User Group to Data Privacyhashtag

  1. Go to Settings > User Accounts from the navigation bar and click Data Privacy Groups.

  2. Click Add.

  3. Enter a Name.

  4. Select a User Group.

  5. Select:

    1. Can Request Access so users can ask to view encrypted data.

    2. Can Grant Access so users other than admin or user account administrator users can grant access to encrypted data.

  6. Click Submit.

chevron-rightViewing Data Privacy User Groupshashtag

  1. Go to Settings >> User Accounts from the navigation bar and click Data Privacy Groups.

    1. To sort the columns in ascending or descending order, move your cursor to the column to sort. You will see a down arrow; click it and select Sort Ascending or Sort Descending.

    2. To filter the columns in the UI, click the MORE dropdown, then select Columns, and select the columns to filter.

  2. Click the Details icon in the Actions column to view user groups and their permissions, then either grant or request access.

chevron-rightEditing a Data Privacy User Grouphashtag

  1. Go to Settings > User Accounts from the navigation bar and click Data Privacy Groups.

  2. Click the user group to edit.

  3. Make your changes and click Submit.

chevron-rightDeleting Data Privacy User Groupshashtag

  1. Go to Settings > User Accounts from the navigation bar and click Data Privacy Groups.

  2. To delete:

    1. A single user group: select them in the list and click the Delete icon in the Actions column.

    2. Multiple user groups, select the user groups, click the More drop-down, and select Delete Selected.

    3. All the user groups, click the More drop-down and select Delete All.

  3. Click Yes.

hashtag
Users

Users refer to individual accounts that are authorized to access Logpoint and SOAR. Each user is assigned a user group and permission group that determine their level of access, actions they can perform, and data they can view within Logpoint and SOAR. This ensures secure, role-based access control (RBAC), allowing administrators to add, edit, or deactivate user accounts to maintain compliance and operational security.

chevron-rightAdding a New Userhashtag

  1. Go to Settings >> User Accounts from the navigation bar and click Users.

  2. Click Add.

  3. Enter a Username for the user.

  4. Enter a Password for the username.

  5. Select a User Group. You can associate a user with multiple user groups.

  6. Enter the user's Name and Email.

  7. Select the user's Time Zone. Users view logs according to their time zone. For example, if a user in Denmark views logs collected in England, the logs are displayed in the Danish time zone (UTC +1). The default timezone is UTC.

  8. Click Submit.

chevron-rightEditing a Userhashtag

  1. Go to Settings >> User Accounts from the navigation bar and click Users.

  2. Click the Username of the user.

  3. Edit their user group, email, or timezone.

  4. Click Submit.

chevron-rightDeactivating Usershashtag

A deactivated user is listed in the user list, but they can't access Logpoint.

  1. Go to Settings >> User Accounts from the navigation bar and click Users.

  2. In PLUGIN USERS at the top left, select authentication. If you are using Logpoint, don't select anything.

  3. To deactivate:

    1. A single user: click the De-Activate User icon from Actions.

    2. Multiple users: select the users, click the MORE dropdown, and click Deactivate Selected.

    3. All users: click the MORE dropdown, then select Deactivate all.

  4. Click Yes.

  5. Enter your credentials and click Ok.

chevron-rightActivating Deactivated Usershashtag

  1. Go to Settings >> User Accounts from the navigation bar and click Users.

  2. In PLUGIN USERS at the top left, select which authentication you use. If you are using Logpoint, don't select anything.

  3. To activate:

    1. A single user: click the Activate User icon from Actions.

    2. Multiple users: select the users, click the MORE dropdown, and click Deactivate Selected.

    3. All users: click the MORE dropdown, then click Deactivate all.

  4. Click Yes.

  5. Enter your credentials and click Ok.

chevron-rightDeleting Usershashtag

You must deactivate a user before deleting them. Also check whether they own a shared dashboard, alert rule, report template, or search template. If they do, either:

  • Delete the dashboard, alert rule, report template or search template

  • Transfer ownership to another user. After you delete a user, use Transfer Ownership for each entity they own.

  1. Go to Settings > User Accounts from the navigation bar and click Users.

  2. In PLUGIN USERS at the top left, select your authentication. If you are using Logpoint, don't select anything.

  3. Click Manage De-Activated Users.

  4. To delete:

    1. A single user, select them in the list, and click the Delete icon in the Actions column.

    2. Multiple users, select the users, click the More drop-down, and select Delete Selected.

    3. All users, click the More drop-down and select Delete All.

  5. Click Yes.

chevron-rightChanging a User Passwordhashtag

  1. Go to Settings > User Accounts from the navigation bar and click Users.

  2. Click the Change Password icon from Actions.

  3. Enter the New Password and re-enter it.

  4. Click Submit.

Last updated

Was this helpful?