What about this approach:
- Login as admin. Create user 'Eng' with Administrator Role.
- Login as 'Eng', delete all filters, create filter only for 'Eng' related events.
- Login as admin, change permissions of 'Eng' to Monitor only.
- Login as admin. Create user 'IT' with Administrator Role.
- Login as 'IT', delete all filters, create filter only for 'IT' related events.
- Login as admin, change permissions of 'IT' to Monitor only.
- 'Eng' and 'IT' users can login and see only events related to them. They can't change/mess up anything.
Multiple appliances would work, but the licensing might not be worth it, and you lose out on correlations: What if "Bad Thing" is only indicated by Event A and Event B, but Event A is getting reported to Engineering and Event B is going to IT? LEM appliances don't chat to compare correlation notes (as of version 6.2).
matej's solution could work: create filters and dashboards (OpsCenter) for each team and set them as "Monitor" accounts. Downside here is it means that you also get to create all the rules and alerts, since your Engineering and IT guys won't be able to modify the rules engine to setup their own notifications and alerts.
Also, the "Manage --> Nodes" screen is universal, so if they have access to that, they can see all the devices logging to the LEM. If they have access to "Explore --> nDepth" they'll see events from any/all devices that match their search criteria. There isn't a way to lock a user out of search results if they have access to nDepth in LEM.
Just trying to give some more info for consideration.
Well I don't think we are wanting correlations between the engineering nodes and the IT/IS nodes. We essentially want to be able to run two separate LEM accounts under the same license.
Also, with multiple appliances, I'm thinking about creating an Appliance A for engineering and Appliance B for IT/IS, would appliance A be able to see any of the information from appliance B and vice versa?
You can't run two appliances on the same license, so you'd be looking at two separate licenses for two appliances. The appliances don't share data at all, so they would be completely separate.