Hi everyone,
I’m struggling to get the SOC Status (Legacy) dashboard to display data for a user with limited permissions. Despite extensive configuration, the dashboard shows "No data available" or "Unknown widget" for the restricted user, while it works perfectly for an API Admin.
My Current Setup:
-
Custom IAM Role: I’ve created a role with 49+ permissions, including all
chronicle.nativeDashboards.*,chronicle.dashboardCharts.*,chronicle.cases.get, andchronicle.events.udmSearch. -
Data RBAC: I have assigned the
Chronicle API Restricted Data Accessrole with an IAM condition pointing to a specific scope (dev-sec-ops). -
SOAR Mapping: Inside SecOps Settings, I have mapped my custom IAM role to the Tier 1 SOC Role and the correct environment.
-
Goal: I want this user to see the SOC Status dashboard but remain restricted by their Data Access Scope (specifically, they should not see Google Workspace logs).
The Issue: The user can see the logs allowed by their scope in UDM search, but the SOC Status dashboard is blank.
I’ve read that SOAR data sources (Cases/Alerts) might be restricted to Global Users only. Is it currently impossible for a Scoped/Restricted User to view these legacy SOAR dashboards? If so, is there a workaround to show alert/case statistics that respect a Data Access Scope?
Would appreciate any insights from the community or the product team!