IBM Support

QRadar: How to view all of the available user role permissions on the Console to set an app's required_capabilities

How To


Summary

Administrators or app developers might need to view the available capabilities of user roles in QRadar. This technical note defines the existing capabilities and how to view them from the command line. Developers who need to assign permissions to an application can use the capabilities list to complete the required_capabilities field in the application manifest.json file.

Objective

To allow application developers to view existing permissions required for applications. The list in the capabilities file matches the permissions in the user interface.
image-20230814122038-2

Steps

To view the available capabilities for your current version, complete the following procedure. It is critical that administrators do not attempt to modify the capabilities file. These instructions are provided for administrators to review the latest capabilities provided for their users or review potential user roles that can be assigned to an application. For more information, see App authorization with QRadar.
Procedure
  1. Use SSH to log in to the Console as the root user.
  2. To view the list of capabilities, type: 
    less /opt/qradar/conf/capabilities.conf
    Note: Do not modify or edit the capabilities file as incorrect entries can break permissions on the Console. This procedure is provided as reference information for administrators and app developers.
  3. The command outputs the following capabilities:
    Group Authorized service token capability Description
    1 ADMIN   System Administrator - Full permissions to all user interfaces. An ADMIN cannot modify the accounts of other administrators.
    1 VIEWADMIN Remote Networks and Services Configuration - Allows users to access the Admin > Remote Networks and Services Configuration interface.
    1 ADMINMANAGER  Administrator Manager -
    1 MNGELOCALONLY Manage Local Only Authentication Setting
    0 ConfigServices  ConfigServices
    0 DISABLED        Disabled
    10 SYSTEM  Delegated Administration
    10 SYSTEM.USERADMIN Monitor User Activity
    10 SYSTEM.NETWORKHIERARCHY Define Network Hierarchy
    10 SYSTEM.LOGSOURCE        Manage Log Sources
    10 SYSTEM.MNGCENTCREDENTIAL        Manage Centralized Credentials
    10 SYSTEM.MNGREFERENCEDATA Manage Reference Data
    10 SYSTEM.WINCOLLECT       WinCollect
    20 SEM      Offense Management
    20 SEM.VIEWRULES   View Custom Rules
    20 SEM.RULECREATION    Maintain Custom Rules
    20 SEM.ASSIGNOFFENSE   Assign Offenses to Users
    20 SEM.MANAGECLOSINGREASONS   Manage Offense Closing Reasons
    25 EventViewer        Event Viewer
    25 EventViewer.VIEWRULES View Custom Rules
    25 EventViewer.RULECREATION Maintain Custom Rules
    25 EventViewer.CUSTOMARIELPROPERTY User-defined CustomEvent Properties
    25 EventViewer.MANAGETIMESERIES    Manage Time Series
    27 ASSETS     Asset Management
    27 ASSETS.VADATA   View Vulnerability Assessment (VA) Data
    27 ASSETS.VASCAN   Perform Vulnerability Assessment (VA) Scans
    27 ASSETS.SERVERDISCOVERY  Server Discovery
    27 ASSETS.REMOVEVULNS      Remove Vulnerabilities
    40 SURVEILLANCE    Network Surveillance 
    40 SURVEILLANCE.VIEWRULES  View Custom Rules
    40 SURVEILLANCE.DATAMINECONTENT    View Flow Content
    40 SURVEILLANCE.CUSTOMFLOWPROPERTY User-defined Custom Flow Properties
    40 SURVEILLANCE.MANAGETIMESERIES   Manage Time Series
    40 SURVEILLANCE.RULECREATION       Maintain Custom Rules
    50 REPORTING       Reporting
    50 REPORTING.MAINTAINTEMPLATES Maintain Templates
    50 REPORTING.DISTRIBUTE Distribute Reports through Email
    55 FORENSICS Incident Forensics
    55 FORENSICS.CASECREATION Create cases in Incident Forensics
    70 LOGAGGREGATION Log Aggregation
    100 PLATFORMCONFIGURATION Platform Configuration
    100 PLATFORMCONFIGURATION.NOTIF View System Notifications
    100 PLATFORMCONFIGURATION.NOTIFDISMISS Dismiss System Notifications
    100 PLATFORMCONFIGURATION.READONLYREFERENCEDATA View Reference Data
    130 QVM.ASSIGNASSETOWNER    Assign Asset Owner
    130 QVM.VULNERABILITY Assign Vulnerability
    130 QVM.EXCEPTION Exception Vulnerability
    N/A
    QVM.SCANPOLICY  (Deprecated)
    Scan policy permissions - Allows users to configure scan policies.
    This capability is deprecated with the release of QRadar 7.5.0 Update Package 6. Users on older version might have access to the capabilities, but the user role is obsolete for users on 7.5.0 UP6 or later. For more information, see QRadar Vulnerability Manager end of life.
    N/A QVM.SCANPROFILE (Deprecated)
    Scan profile permissions - Provides permissions to configure scan profiles.
    This capability is deprecated with the release of QRadar 7.5.0 Update Package 6. Users on older version might have access to the capabilities, but the user role is obsolete for users on 7.5.0 UP6 or later. For more information, see QRadar Vulnerability Manager end of life.
    Important: Do NOT attempt to modify the capabilities file.
  4. If you use a value that is deprecated or no longer exists, the application can fail to install properly or experience user interface issues for a permission that no longer exists.

    Results
    Select the best user role for your application. For more information, see QRadar app framework v2.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
14 August 2023

UID

ibm17026595

Page Feedback