Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

User Accounts

The user account defines the unique user name that is used to log in to JSA, and specifies which user role, security profile, and tenant assignments the user is assigned to.

When you initially configure your system, you must create user accounts for each user who requires access to JSA.

Viewing and editing Information About the Current User

You can view and edit account information for the current user through the main product interface.

  1. Click the user icon in the upper right of the main product interface.

  2. Click User Preferences.

  3. Update the configurable user details.

    Parameter

    Description

    Email

    Enter an email address to be associated with this user. The address cannot contain more than 255 characters, and cannot contain spaces.

    Current Password

    Enter your current password.

    New Password

    Enter a new password for the user to gain access. The password must meet the minimum length and complexity requirements that are enforced by the password policy

    Confirm New Password

    Enter the new password again.

    Locale

    Select a preferred language from the list.

    Enable Popup Notifications

    When enabled, system notification messages are displayed. To disable system notifications, set to off.

  4. Click Save.

Viewing User Login History

You can view the login history of users to determine if there has been unauthorized access to their account. You can enable and disable the tracking of login attempts, and specify the retention period for tracking login attempts.

If you enable the login history display, a Login History window displays the date, time and IP address of the last successful login, and the number of unsuccessful login attempts of a user since the last successful login.

If you specify a retention period for tracking login attempts, JSA retains login history for the selected number of days.

When you change the login retention period, it takes effect for a user the next time they log in. For example if you change the login retention from 14 days to 7 days, any administrator continues to see 14 days of login history for any user that has not logged in since the change was made.

  1. On the Admin tab, click Authentication.

  2. Click General Authentication Settings.

  3. Enable Display Login History.

  4. Set the Login History Retention (in days) field to the number of days to retain the history of login attempts of a user.

    Note:

    The default is no value, which retains all login history.

  5. Click Save Settings.

  6. Close the Authentication window.

Creating a User Account

When you create a new user account, you must assign access credentials, a user role, and a security profile to the user. User roles define what actions the user has permission to perform. Security profiles define what data the user has permission to access.

Before you can create a user account, you must ensure that the required user role and security profile are created.

You can create multiple user accounts that include administrative privileges; however, any user role with Administrator Manager privileges can create other administrative user accounts.

  1. On the Admin tab, click Users.

    The User Management window opens.

  2. Click Add.

  3. Enter values for the following parameters:

    Parameter

    Description

    User Name

    Enter a unique username for the new user. The username must contain 1 - 60 characters.

    User Description

    Enter a description for the user. The description cannot contain more than 2048 characters.

    Email

    Enter an email address to be associated with this user. The address cannot contain more than 255 characters, and cannot contain spaces.

    New Password

    Enter a new password for the user to gain access. The password must meet the minimum length and complexity requirements that are enforced by the password policy

    Confirm New Password

    Enter the new password again.

    User Role

    Select a role for this user from the list.

    Security Profile

    Select a security profile for this user from the list.

    Override System Inactivity Timeout

    Enable this setting to configure the inactivity timeout threshold for the user account.

  4. Click Save.

  5. Close the User Details window.

  6. On the Admin tab, click Deploy Changes.

Editing a User Account

You can edit account information for the current user through the main product interface. To quickly locate the user account you want to edit on the User Management window, type the user name in the Search User text box on the toolbar.

  1. On the Admin tab, click Users.

  2. In the User Management window, select the user that you want to edit.

    You can use the Advanced Filter to search by User Role or Security Profile.

  3. In the User Details window, click Edit.

  4. Edit the account information for the user.

  5. Click Save.

  6. Close the User Management window.

  7. On the Admin tab, click Deploy Changes.

Disabling a User Account

You can disable a user account to restrict a user from accessing JSA. The option to disable a user account temporarily revokes a user's access without deleting the account.

If the user with the disabled account attempts to log in, a message is displayed to inform the user that the user name and password are no longer valid. Items that the user created, such as saved searches and reports, remain associated with the user.

  1. On the Admin tab, click Users.

  2. In the User Management window , click the user account that you want to disable.

    You can use the Advanced Filter to search by User Role or Security Profile.

  3. Click Edit.

  4. From the User Details window, select Disabled from the User Role list.

  5. Click Save.

  6. Close the User Management window.

  7. On the Admin tab menu, click Deploy Changes.

Deleting a User Account

If a user account is no longer necessary, you can delete the user account. After you delete a user, the user no longer has access to the user interface. If the user attempts to log in, a message is displayed to inform the user that the username and password is no longer valid.

To quickly locate the user account you want to delete on the User Management window, type the username in the Search User text box.

  1. On the Admin tab, click Users.

  2. In the User Management window, click the user account that you want to delete.

    You can use the Advanced Filter to search by User Role or Security Profile.

  3. In the User Details window, click Delete. A search for dependents begins.

  4. In the Found Dependents window, click Delete or Re-Assign dependents.

  5. When the user has no dependents, click Delete User.

  6. In the Confirm Delete window, click Delete > OK.

  7. Click Delete.

  8. Close the User Management window.

  9. On the Admin tab, click Deploy Changes.

Deleting Saved Searches of a Deleted User

If the saved searches of a deleted user are no longer necessary, you can delete the searches.

Saved searches that were created by a deleted user remain associated with the user until you delete the searches.

  1. On the Log Activity or Network Activity tab, click Search > Manage Search Results.

  2. Click the Status column to sort the saved searches.

  3. Select the saved searches with a status of "ERROR!", then click Delete.

Unlocking Locked User Accounts

New in 7.4.1 A user with root access can unlock user accounts that are locked out of JSA.

A user account can be locked out of JSA if there are too many failed login attempts for that account.

  1. Using SSH, log in to your system as the root user.

  2. Unlock specific user accounts or all user accounts.

    • Unlock specific user accounts by typing the following command:

      /opt/qradar/bin/runjava.sh com.ibm.si.security_model.authentication.AuthenticationLockoutCommandLineTool --removeaccount <user_account1> <user_account2> <user_account3>

    • Unlock all user accounts by typing the following command:

      /opt/qradar/bin/runjava.sh com.ibm.si.security_model.authentication.AuthenticationLockoutCommandLineTool --removeall- accounts

Unlocking Locked Hosts

New in 7.4.1 A user with root access can unlock hosts that are locked out of JSA.

A host can be locked out of JSA if there are too many failed login attempts from that host.

  1. Using SSH, log in to your system as the root user.

  2. Unlock specific hosts or all user hosts.

    • Unlock specific hosts by typing the following command:

      /opt/qradar/bin/runjava.sh com.ibm.si.security_model.authentication.AuthenticationLockoutCommandLineTool --remove-ip <host_IP_address1> <host_IP_address2> <host_IP_address3>

    • Unlock all hosts by typing the following command:

      /opt/qradar/bin/runjava.sh com.ibm.si.security_model.authentication.AuthenticationLockoutCommandLineTool --removeall- ips

Related Documentation