Add users with the required permissions to investigate incidents and alerts in NetWitness Respond. Users with access to the Respond view need both Incidents and Respond-server permissions. Users with access to configure Respond notification settings need additional Integration-server permissions.
The following pre-configured roles have permissions in the Respond view:
- Analysts: The Security Operations Center (SOC) Analysts have access to Alerting, NetWitness Respond, Investigation, and Reporting, but not system configurations.
- Malware Analysts: Malware Analysts have access to investigations and malware events.
- Operators: Operators have access to configurations, but not Investigation, ESA, Alerting, Reporting and NetWitness Respond.
- SOC_Managers: The SOC Managers have the same access as Analysts plus additional permissions to handle incidents and configure NetWitness Respond.
- Data_Privacy_Officers: Data Privacy Officers (DPOs) are like Administrators with additional focus on configuration options that manage obfuscation and viewing of sensitive data within the system. See Data Privacy Management for additional information.
- Respond_Administrator: The Respond Administrator has full access to NetWitness Respond.
- Administrators: the Administrator has full system access to NetWitness Suite and has all permissions by default.
The NetWitness Respond default permissions are shown in the following tables. You need to assign user permissions from both the Incidents and Respond-server tabs, which are the Permissions tab names in the ADMIN > Security view Add or Edit Roles dialogs. You may want to add additional user permissions for Alerting, Context Hub, Investigate, Investigate-server, and Reports.
Users who configure Respond notification settings also need permissions in the Integration-server tab.
* Data Privacy Officers and Respond Administrators have the respond-server.* permission, which gives them all of the Respond-server permissions.
The Respond Administrator has all of the Respond-server and Incidents permissions.
(The Integration-server permissions are available in NetWitness Suite version 11.1 and later.)
Users who configure Respond Notifications also need Integration-server permissions. The following table lists the Respond Notification setting permissions in the Integration-server tab assigned to each role.
Respond Notification Settings Permissions
(The Respond notification setting permissions are available in NetWitness Suite version 11.1 and later.)
The following permissions are required for Respond Administrators, Data Privacy Officers, and SOC Managers to access Respond Notification Settings (CONFIGURE > Respond Notifications).
- Configure Incident Management Integration
Respond Role Permission Examples
The following figure shows Respond-server permissions for the default Respond Administrator role. The Respond Administrator role contains all of the NetWitness Respond permissions.
The following figure shows the Incidents permissions for the default Analysts role:
For more information, see "Role Permissions" and "Manage Users with Roles and Permissions" in the System Security and User Management guide.