From 9970e54081cf06711679817408f48a0c3556ffb2 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 14 Sep 2021 14:03:22 -0400
Subject: [PATCH] Adjust custom_role examples to be more realistic
---
 salt/soc/files/soc/custom_roles | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/salt/soc/files/soc/custom_roles b/salt/soc/files/soc/custom_roles
index 80ae7b147..b95b94da4 100644
--- a/salt/soc/files/soc/custom_roles
+++ b/salt/soc/files/soc/custom_roles
@@ -9,12 +9,15 @@
 # Syntax => prebuiltRoleX: customRoleY: op
 # Explanation => roleY and roleZ are adjusted permissions of roleX, op is:
 # + add the new permissions/role mappings (default)
-# - remove existing prebuilt permissions
+# - remove existing "explicit" prebuilt permissions. This
+# does not work with implictly inherited permissions.
 #
-# In the example below, we will define a new role for junior analysts,
-# that is nearly identical to the analyst role that comes with SOC, with the
-# exception that it removes their ability to obtain details about other
-# analysts in the system.
+# In the example below, we will define two new roles for segregating
+# analysts into two regions. Then we will remove the ability for all
+# analysts to see the roles of other analysts. (Seperately we will need to
+# define these two new roles in Elasticsearch so that each analyst region
+# can only see data from their specific region's indices, but that is out
+# of scope from this file.)
 #
-# analyst: jr_analyst
-# user-monitor: jr_analyst:-
+# analyst: westcoast_analyst, eastcoast_analyst
+# roles/read: user-monitor:-
\ No newline at end of file
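Review bot: The new caveat that `-` removes only explicit permissions is not tied to the removal example on the last added line, so a reader cannot tell whether `roles/read: user-monitor:-` takes effect or is silently ignored because the permission is inherited. The prebuilt role definitions are not visible in this hunk, so I would add a neutral line next to the example, such as `# NOTE: this only takes effect if user-monitor is granted roles/read explicitly; confirm the resulting permissions after a change.` The parenthetical about Elasticsearch is easy to skim past, and it reads as if the two region roles do not restrict data access on their own. If that is right, it deserves a plain sentence of its own, for example `# These two roles do not limit which indices an analyst can query until matching Elasticsearch roles exist.` Two typos in the added comments: `implictly` should be `implicitly` and `Seperately` should be `Separately`.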