This topic identifies the user roles and permissions required for a user to conduct malware analysis in Security Analytics. If you cannot perform an analysis task or see a view, the administrator may need to adjust the roles and permissions configured for you.
Required Roles and Permissions
RSA Security Analytics manages security by providing access to views and functions using both system permissions and permissions on individual services.
On the system level, the user needs to be assigned a system role, in the Administration > System view, that provides access to specific views and functions. The default Malware_Analysts role in Security Analytics 10.5 is assigned all of the permissions listed below. If necessary, an Administrator can create a custom role with some combination of the following permissions:
- Access Investigation Module (required)
- Investigation - Navigate Events
- Investigation - Navigate Values
- Access Incident Module
- View and Manage Incidents
- View Malware Events (to view events)
- File Download (to download files from the Malware Analysis service)
- Initiate Malware Scan (to initiate a one-time service scan or one-time file upload)
- Dashlet permissions for convenience: Dashlet - Investigate Top Values Dashlet, Dashlet - Investigate Service List Dashlet, Dashlet - Investigate Jobs Dashlet, Dashlet - Investage Shortcuts Dashlet.
A use case for creating a custom role would be a Junior Malware Analyst role, with limited permissions that do not include the File Download permission.
On specific services, a malware analyst needs to be a member of the Analysts group, or to a group that has the two default permissions assigned to the Analyst group: sdk.meta and sdk.content. Users who have these permissions can use specific applications, run queries, and view content for purposes of analysis on the service.