Rules Management in Multitenant Deployments
In a multitenant environment, you must customize rules to make them tenant-aware. Tenant-aware rules use the "when the domain is one of the following" rule test, but the domain modifier determines the scope of the rule.
The following table shows how you can use the domain modifier to change the scope of rules in a multitenant deployment.
Table 1: Scope Of Rules in a Multitenant Environment

| Rule scope | Description | Rule test example |
|---|---|---|
| Single domain rules | These rules include only 1 domain modifier. | and when the domain is one of the following: manufacturing |
| Single tenant rules | These rules include all the domains that are assigned to the tenant. Use single tenant rules to correlate events across multiple domains within a single tenant. | and when the domain is one of the following: manufacturing, finance, legal |
| Global rules | These rules use the Any domain modifier and run across all tenants. | and when the domain is one of the following: Any domain |

By being domain-aware, the custom rules engine (CRE) automatically isolates event correlations from different tenants by using their respective domains. For more information about working with rules in a domain-segmented network, see Domains and Log Sources in Multitenant Environments.
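The following added example (not part of the product or its documentation) shows one way to audit a rule inventory against the three scopes in the table. The tenant names, the second tenant's domains, the rule names, and the dictionary layout are constructed for illustration and do not represent a product export format.

```python
# Added example: the data layout is constructed, not a product export format.
ANY_DOMAIN = "Any domain"

# Constructed tenant-to-domain assignments. The first tenant uses the domain
# names from the table; the second tenant is hypothetical.
TENANT_DOMAINS = {
    "tenant_a": {"manufacturing", "finance", "legal"},
    "tenant_b": {"retail", "logistics"},
}

# Constructed rule inventory: rule name -> domains listed in its domain test.
RULES = {
    "Mfg brute force": ["manufacturing"],
    "Tenant A lateral movement": ["manufacturing", "finance", "legal"],
    "Provider-wide beaconing": ["Any domain"],
    "Mixed scope": ["finance", "retail"],
    "No domain test": [],
}

def classify_rule_scope(rule_domains, tenant_domains=TENANT_DOMAINS):
    """Return (scope, owning_tenants) for the domains in a rule's domain test."""
    domains = {d.strip() for d in rule_domains}
    if not domains:
        return ("not tenant-aware", set())      # rule has no domain test
    if ANY_DOMAIN in domains:
        return ("global", set(tenant_domains))  # runs across all tenants
    known = set().union(*tenant_domains.values())
    owners = {t for t, owned in tenant_domains.items() if domains & owned}
    if domains - known:
        return ("unknown domain", owners)       # domain not assigned to a tenant
    if len(owners) > 1:
        return ("cross-tenant", owners)         # mixes domains of several tenants
    if len(domains) == 1:
        return ("single domain", owners)
    (tenant,) = owners
    if domains == tenant_domains[tenant]:
        return ("single tenant", owners)        # every domain of one tenant
    return ("partial tenant", owners)           # some, not all, of one tenant

def audit(rules, tenant_domains=TENANT_DOMAINS):
    """Return sorted names of rules that match none of the three table scopes."""
    expected = {"single domain", "single tenant", "global"}
    return sorted(name for name, doms in rules.items()
                  if classify_rule_scope(doms, tenant_domains)[0] not in expected)

if __name__ == "__main__":
    for name, doms in RULES.items():
        print(f"{name}: {classify_rule_scope(doms)[0]}")
    print("Review:", audit(RULES))
```

Rules reported by `audit` either lack a domain test or list domains that do not line up with a single tenant, so they are the ones to review for tenant isolation.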
Restricting Log Activity Capabilities for Tenant Users
To ensure that the tenant administrator and users can view the log data for only their tenant, you must restrict the permissions for the Log Activity capability.
When you add the Log Activity capability to a user role, the Maintain Custom Rules and View Custom Rules permissions are automatically granted. Users who have these permissions have access to all log data for all domains. They can edit rules in all domains, even if their security profile settings have domain-level restrictions.
To prevent users from being able to access log data and modify rules in other domains or tenants, edit the user role and remove the Maintain Custom Rules and View Custom Rules permissions. Without these permissions, the tenant administrator and users cannot change rules, including those rules in their own domain.
- On the navigation menu, click Admin to open the admin tab.
- In the System Configuration section, click User Roles and select the user role that you want to edit.
- Under Log Activity, clear the Maintain Custom Rules and View Custom Rules check boxes.
- Click Save.