Hi All,
I tried to implement Data RBAC in Chronicle based on the latest documentation shared by Google and tested it for 2 different scopes.
Scenario 1 : Allow all log sources excluding few log sources
Scenario 2 : Allow only few log sources
Scenario 1 : Allow all log sources excluding few log sources
- Scope defined in settings

Scenario 2 : Allow only few log sources
- Scope defined in settings

After defining the scope in Chronicle settings, the scope was mapped to the principalset defined in GCP at project level, as defined in the documentation.
- Roles provided to principal:
  - Chronicle API Restricted Data Access (Beta)
  - Chronicle API Restricted Data Access Viewer (Beta)
- Condition added to role Chronicle API Restricted Data Access (Beta)
After the above-mentioned changes, I can see that the scope is mapped to the AD group, as it is visible under the “Group Assigned” property of Scope settings.
Issue: Users part of the group can still see all the data in log search for both scenarios, and the scope assigned property in SIEM settings → profile shows (Global scope) instead of the expected value.
Could you please help in identifying what may be the issue behind this?
