Sec/User Mgmt: Role Permissions

Document created by RSA Information Design and Development on Sep 19, 2017. Last modified by RSA Information Design and Development on Oct 2, 2017.
Version 3
  

This topic describes the default access to the user interface granted to users assigned to the built-in NetWitness Suite roles.

Within NetWitness Suite, user access to each module, dashlet, and view is restricted based on the assigned permissions described in this topic. You can locate these role permissions in the Add or Edit Roles dialogs accessible from the Admin > Security > Roles tab.

In the Add or Edit Role dialogs, the tabs in the Permission section represent different areas of the NetWitness Suite and show the available permissions for those areas. For example, the Administration tab shows the permissions available in the Admin view.

Note: There is no Configure tab in the Add/Edit Role dialogs that corresponds to the Configure view. To assign permissions in the Configure view, assign permissions to the views contained within the Configure view: Live Content (Live), Incident Rules (Incidents), ESA Rules (Alerting), Subscriptions (Live), and Custom Feeds (Live).

Note: To the left of the Administration tab is a tab marked with an asterisk (*). This tab indicates access to management of backend services only.

The tables that follow show the default permissions assigned to each NetWitness Suite user role:

  • Administrators
  • Operators
  • Analysts
  • Respond Administrator
  • SOC Managers (SOC Mgrs)
  • Malware Analysts (MAs)
  • Data Privacy Officers (DPOs)

Since the Administrators role has all of the permissions by default, it is not included in the tables.

Service Permissions Format for New Services

The service permissions for some new NetWitness Suite services contain three parts in the following format:

<service name>.<resource>.<action>

For example, for the investigate-server.metrics.read permission:

  • service name = investigate-server
  • resource = metrics
  • action = read

Users assigned this permission can read any metrics that the investigate-server service exposes.

Administration

The following table lists the permissions in the Administration tab assigned to each role. The Administrators role has all of the permissions by default and is not listed.

                                                                                                                                                                                                                                           
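| Permission | Operators | Analysts | SOC Mgrs | MAs | DPOs |
|---|---|---|---|---|---|
| Access Administration Module | Yes | Yes | Yes | Yes | Yes |
| Access Health & Wellness | Yes | Yes | Yes | Yes | Yes |
| Apply System Updates | Yes | | | | |
| Can Opt In to Live Intelligence Sharing | Yes | | | | |
| Manage Global Auditing | Yes | | | | Yes |
| Manage Health & Wellness Policy | Yes | | | | |
| Manage Advanced Settings | Yes | | | | |
| Manage Auditing | Yes | | | | Yes |
| Manage Email | Yes | | | | |
| Manage LLS | Yes | | | | |
| Manage Logs | Yes | | | | Yes |
| Manage Notifications | Yes | | | | |
| Manage Plugins | Yes | | | | |
| Manage Predicates | Yes | | | | |
| Manage Reconstruction | Yes | | | | |
| Manage Security | Yes | | | | Yes |
| Manage Services | Yes | | | | Yes |
| Manage System Settings | Yes | | | | |
| Modify ESA Settings | Yes | | | | |
| Modify Event Sources | Yes | | | | |
| Modify Hosts | Yes | | | | |
| Modify Services | Yes | | | | Yes |
| View Event Sources | Yes | | Yes | | |
| View Health & Wellness Policy | Yes | Yes | Yes | | |
| View Health & Wellness Stats Browser | Yes | Yes | Yes | | Yes |
| View Hosts | Yes | | | | Yes |
| View Services | Yes | | | | Yes |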

Admin-server

The following table describes the permissions in the Admin-server tab. The Administrators role has all of the permissions and is the only role granted permissions by default.

                                       
| Permission | Description |
|---|---|
| admin-server.configuration.manage | Permission to view and modify all service configuration parameters |
| admin-server.health.read | Permission to read any health notifications that the service exposes |
| admin-server.logs.manage | Permission to change log-related configuration |
| admin-server.metrics.read | Permission to read any metrics that the service exposes |
| admin-server.process.manage | Permission to start and stop the service |
| admin-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| admin-server.security.read | Permission to read security-related resources |

Alerting

The following table lists the permissions in the Alerting tab assigned to each role. The Administrators role has all of the permissions by default and is not listed.

                                                   
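| Permission | Operators | Analysts | SOC Mgrs | MAs | DPOs |
|---|---|---|---|---|---|
| Access Alerting Module | Yes | Yes | Yes | | Yes |
| Manage Rules | Yes | | Yes | | Yes |
| View Alerts | | Yes | Yes | | Yes |
| View Rules | Yes | | Yes | | Yes |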

Config-server

The following table describes the permissions in the Config-server tab. The Administrators role has all of the permissions and is the only role granted permissions by default.

                                           
| Permission | Description |
|---|---|
| config-server.* | All permissions (everything below) |
| config-server.configuration.manage | Permission to view and modify all service configuration parameters |
| config-server.health.read | Permission to read any health notifications that the service exposes |
| config-server.logs.manage | Permission to change log-related configuration |
| config-server.metrics.read | Permission to read any metrics that the service exposes |
| config-server.process.manage | Permission to start and stop the service |
| config-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| config-server.security.read | Permission to read security-related resources |

Dashboard

The following table lists the permissions in the Dashboard tab assigned to each role. The Administrators role has all of the permissions by default and is not listed.

                                                                                                                                                           
| Permission | Operators | Analysts | SOC Mgrs | MAs | DPOs |
|---|---|---|---|---|---|
| Dashlet Access - Admin Device List Dashlet | Yes | Yes | Yes | | Yes |
| Dashlet Access - Admin Device Monitor Dashlet | Yes | | | | Yes |
| Dashlet Access - Admin News Dashlet | Yes | Yes | Yes | | Yes |
| Dashlet Access - Alert Variance Dashlet | | Yes | Yes | | Yes |
| Dashlet Access - Alerting Recent Alerts Dashlet | | Yes | Yes | | Yes |
| Dashlet Access - Investigation Jobs Dashlet | | Yes | Yes | | Yes |
| Dashlet Access - Investigation Top Values Dashlet | | Yes | Yes | | Yes |
| Dashlet Access - Live Featured Resources Dashlet | Yes | Yes | Yes | | Yes |
| Dashlet Access - Live New Resources Dashlet | Yes | Yes | Yes | | Yes |
| Dashlet Access - Live Subscriptions Dashlet | Yes | Yes | Yes | | Yes |
| Dashlet Access - Live Updated Resources Dashlet | Yes | Yes | Yes | | Yes |
| Dashlet Access - Malware Jobs Dashlet | | Yes | Yes | | Yes |
| Dashlet Access - Reporting Recent Report Dashlet | | Yes | Yes | | Yes |
| Dashlet Access - Reporting Charts Dashlet | | Yes | Yes | | Yes |
| Dashlet Access - Top Alerts Dashlet | | Yes | Yes | | Yes |
| Dashlet Access - Unified RSA First Watch Dashlet | Yes | Yes | Yes | | Yes |
| Dashlet Access - Unified Shortcuts Dashlet | Yes | Yes | Yes | | Yes |

Esa-analytics-server

The following table describes the permissions in the Esa-Analytics-server tab. The Administrators and Operators roles have all of the permissions and are the only roles granted permissions by default.

                                                       
| Permission | Description |
|---|---|
| esa-analytics-server.* | All permissions (everything below) |
| esa-analytics-server.analytics.manage | Permission to view and modify ESA analytics |
| esa-analytics-server.analytics.read | Permission to view ESA analytics |
| esa-analytics-server.configuration.manage | Permission to view and modify all service configuration parameters |
| esa-analytics-server.health.read | Permission to read any health notifications that the service exposes |
| esa-analytics-server.logs.manage | Permission to change log-related configuration |
| esa-analytics-server.metrics.read | Permission to read any metrics that the service exposes |
| esa-analytics-server.model.manage | Permission to view and modify ESA models |
| esa-analytics-server.model.read | Permission to view ESA models |
| esa-analytics-server.process.manage | Permission to start and stop the service |
| esa-analytics-server.security.read | Permission to read security-related resources |

Incidents

The following table lists the permissions in the Incidents tab assigned to each role. The Administrators role has all of the permissions by default and is not listed.

                                                           
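| Permission | Operators | Analysts | SOC Mgrs | MAs | DPOs |
|---|---|---|---|---|---|
| Access Incident Module | | Yes | Yes | Yes | Yes |
| Configure Incident Management Integration | | | Yes | | Yes |
| Delete Alerts and incidents | | | | | Yes |
| Manage Alert Handling Rules | | | Yes | | Yes |
| View and Manage Incidents | | Yes | Yes | Yes | Yes |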

Investigate

The following table lists the permissions in the Investigate tab assigned to each role. The Administrators role has all of the permissions by default and is not listed.

                                                                   
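| Permission | Operators | Analysts | SOC Mgrs | MAs | DPOs |
|---|---|---|---|---|---|
| Access Investigation Module | | Yes | Yes | Yes | Yes |
| Context Lookup | | Yes | Yes | Yes | |
| Create Incidents from Investigation | | Yes | Yes | Yes | |
| Manage List from Investigation | | Yes | Yes | Yes | |
| Navigate Events | | Yes | Yes | Yes | Yes |
| Navigate Values | | Yes | Yes | Yes | Yes |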

Investigate-server

The following table describes the permissions in the Investigate-server tab.

                                           
| Permission | Description |
|---|---|
| investigate-server.* | All permissions (everything below) |
| investigate-server.configuration.manage | Permission to change any configuration properties for the server |
| investigate-server.health.read | Permission to read any health notifications that the service exposes |
| investigate-server.logs.manage | Permission to change log-related configuration |
| investigate-server.metrics.read | Permission to read any metrics that the service exposes |
| investigate-server.process.manage | Permission to start and stop the service |
| investigate-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| investigate-server.security.read | Permission to read security-related resources |

The following table lists the permissions in the Investigate-server tab assigned to each role. The Administrators role has all of the permissions by default and is not listed.

                                                                                   
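| Permission | Operators | Analysts | SOC Mgrs | MAs | DPOs |
|---|---|---|---|---|---|
| investigate-server.* | | Yes | Yes | Yes | Yes |
| investigate-server.configuration.manage | | | | | |
| investigate-server.health.read | | | | | |
| investigate-server.logs.manage | | | | | |
| investigate-server.metrics.read | | | | | |
| investigate-server.process.manage | | | | | |
| investigate-server.security.manage | | | | | |
| investigate-server.security.read | | | | | |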
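
The three-part permission format and the investigate-server defaults above can be audited together. The following added example (not RSA code) parses `<service name>.<resource>.<action>` strings, expands a `<service name>.*` grant into the permissions it covers, and reports which roles effectively hold a `manage` action. The function names are this example's own, and treating `manage` as the sensitive action is an assumption.

```python
# Catalogue and default grants copied from this page's Investigate-server
# tables (Administrators hold everything by default and are omitted).
INVESTIGATE_SERVER = [
    "investigate-server.configuration.manage",
    "investigate-server.health.read",
    "investigate-server.logs.manage",
    "investigate-server.metrics.read",
    "investigate-server.process.manage",
    "investigate-server.security.manage",
    "investigate-server.security.read",
]
DEFAULT_GRANTS = {"Operators": []}
for _role in ("Analysts", "SOC Mgrs", "MAs", "DPOs"):
    DEFAULT_GRANTS[_role] = ["investigate-server.*"]

def parse_permission(perm):
    """Split '<service name>.<resource>.<action>' or '<service name>.*'."""
    parts = perm.strip().split(".")
    if len(parts) == 2 and parts[0] and parts[1] == "*":
        return (parts[0], "*", "*")
    if len(parts) == 3 and all(parts) and "*" not in parts:
        return tuple(parts)
    raise ValueError(f"not a service permission: {perm!r}")

def effective(grants, catalogue):
    """Expand wildcard grants into the explicit permissions they cover."""
    covered = set()
    for grant in grants:
        service, resource, action = parse_permission(grant)
        for perm in catalogue:
            s, r, a = parse_permission(perm)
            if s == service and resource in ("*", r) and action in ("*", a):
                covered.add(perm)
    return sorted(covered)

def audit(role_grants, catalogue, sensitive=("manage",)):
    """Return {role: effective permissions whose action is sensitive}.
    Treating 'manage' as the sensitive action is this example's assumption."""
    report = {}
    for role, grants in role_grants.items():
        hits = [p for p in effective(grants, catalogue)
                if parse_permission(p)[2] in sensitive]
        if hits:
            report[role] = hits
    return report

if __name__ == "__main__":
    for role, perms in audit(DEFAULT_GRANTS, INVESTIGATE_SERVER).items():
        print(f"{role}: {', '.join(perms)}")
```

Run against the defaults, the report shows that every role holding `investigate-server.*` also holds `investigate-server.security.manage` and `investigate-server.process.manage`, which is the point to review when tightening roles toward least privilege.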

Live

The following table lists the permissions in the Live tab assigned to each role. The Administrators role has all of the permissions by default and is not listed.

                                                                                           
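| Permission | Operators | Analysts | SOC Mgrs | MAs | DPOs |
|---|---|---|---|---|---|
| Live | | | | | |
| Access Live Module | Yes | Yes | Yes | | Yes |
| Manage Live System Settings | Yes | | | | |
| Resources | | | | | |
| Deploy Live Resources | Yes | | | | Yes |
| Manage Live Feeds | Yes | | | | Yes |
| Manage Live Resources | Yes | | | | Yes |
| Search Live Resources | Yes | Yes | Yes | | Yes |
| View Live Resource Details | Yes | Yes | Yes | | Yes |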

Orchestration-server

The following table describes the permissions in the Orchestration-server tab. The Administrators, Operators, and Data Privacy Officers roles have all of the permissions and are the only roles granted permissions by default.

                                           
| Permission | Description |
|---|---|
| orchestration-server.* | All permissions (everything below) |
| orchestration-server.configuration.manage | Permission to view and modify all service configuration parameters |
| orchestration-server.health.read | Permission to read any health notifications that the service exposes |
| orchestration-server.logs.manage | Permission to change log-related configuration |
| orchestration-server.metrics.read | Permission to read any metrics that the service exposes |
| orchestration-server.process.manage | Permission to start and stop the service |
| orchestration-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| orchestration-server.security.read | Permission to read security-related resources |

Malware

The following table lists the permissions in the Malware tab assigned to each role. The Administrators role has all of the permissions by default and is not listed.

                                           
| Permission | Operators | Analysts | SOC Mgrs | MAs | DPOs |
|---|---|---|---|---|---|
| Download Malware File(s) | | Yes | Yes | Yes | Yes |
| Initiate Malware Analysis Scan | | Yes | Yes | Yes | Yes |
| View Malware Analysis Events | | Yes | Yes | Yes | Yes |

Reports

The following table lists the permissions in the Reports tab assigned to each role. The Administrators role has all of the permissions by default and is not listed.

                                                                                                                                                                                                                                                                                                                                                                                   
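| Permission | Operators | Analysts | SOC Mgrs | MAs | DPOs |
|---|---|---|---|---|---|
| Alert | | | | | |
| Define RE Alert | | Yes | Yes | | Yes |
| Export RE Alert Definition | | Yes | Yes | | Yes |
| Manage RE Alerts | | Yes | Yes | | Yes |
| View RE Alerts | | Yes | Yes | | Yes |
| View Scheduled RE Alerts | | Yes | Yes | | Yes |
| Chart | | | | | |
| Define Chart | | Yes | Yes | | Yes |
| Delete Chart | | Yes | Yes | | Yes |
| Export Chart Definition | | Yes | Yes | | Yes |
| Manage Charts | | Yes | Yes | | Yes |
| View Charts | | Yes | Yes | | Yes |
| List | | | | | |
| Define Lists | | Yes | Yes | | Yes |
| Delete List | | Yes | Yes | | Yes |
| Export List | | Yes | Yes | | Yes |
| Manage Lists | | Yes | Yes | | Yes |
| Report | | | | | |
| Define Report | | Yes | Yes | | Yes |
| Delete Report | | Yes | Yes | | Yes |
| Export Report | | Yes | Yes | | Yes |
| Manage Reports | | Yes | Yes | | Yes |
| View Reports | | Yes | Yes | | Yes |
| Reports | | | | | |
| Access Configure | | Yes | Yes | | Yes |
| Access Reporter Module | | Yes | Yes | | Yes |
| Access Reporter search | | Yes | Yes | | Yes |
| Access View | | Yes | Yes | | Yes |
| Rule | | | | | |
| Add RE Alert Definition from Rule | | Yes | Yes | | Yes |
| Define Rule | | Yes | Yes | | Yes |
| Delete Rule | | Yes | Yes | | Yes |
| Export Rule | | Yes | Yes | | Yes |
| Manage Rules | | Yes | Yes | | Yes |
| View Rule Usage | | Yes | Yes | | Yes |
| Schedules | | | | | |
| Define Schedule | | Yes | Yes | | Yes |
| Delete Schedule | | Yes | Yes | | Yes |
| View Schedules | | Yes | Yes | | Yes |
| Warehouse Analytics | | | | | |
| Define Jobs | | Yes | Yes | | Yes |
| Delete Jobs | | Yes | Yes | | Yes |
| Manage Jobs | | Yes | Yes | | Yes |
| View Jobs | | Yes | Yes | | Yes |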

Respond-server

The following table describes the permissions in the Respond-server tab.

                                                                                           
| Permission | Description |
|---|---|
| respond-server.* | All permissions (everything below) |
| respond-server.alert.delete | Permission to delete alerts |
| respond-server.alert.manage | Permission to create, update, or delete alerts |
| respond-server.alert.read | Permission to view alerts |
| respond-server.alertrule.manage | Permission to create, update, or delete alert aggregation rules |
| respond-server.alertrule.read | Permission to view alert aggregation rules |
| respond-server.configuration.manage | Permission to change any configuration properties for the service |
| respond-server.health.read | Permission to read any health notifications that the service exposes |