Sec/User Mgmt: Role Permissions

Document created by RSA Information Design and Development

on Aug 29, 2018•Last modified by RSA Information Design and Development

on Jan 27, 2021

Version 39Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

InNetWitness Platform, user can access each module, dashlet, and view is restricted based on the assigned permissions. You can locate these role permissions in the Add or Edit Roles dialogs accessible from the (Admin) > Security > Roles tab.

In the Add or Edit Role dialogs, the tabs in the Permission section represent different areas of NetWitness Platform and show the available permissions for those areas. For example, the Administration tab shows the permissions available in the Admin view.

Note: There is no Configure tab in the Add/Edit Role dialogs that corresponds to the Configure view. To assign permissions in the Configure view, assign permissions to the views contained within the Configure view: Live Content (Live), Incident Rules (Incidents), Respond Notifications (Incidents, Respond-server, Integration server), ESA Rules (Alerting), Subscriptions (Live), and Custom Feeds (Live).

Note: To the left of the Administration tab is a tab marked with an asterisk (*). This tab indicates access to management of backend services only.

The tables that follow show the default permissions assigned to each NetWitness Platform user role:

Administrators
Respond Administrators (RAs)
Reporting Engine Content Administrators (RE CAs)
Data Privacy Officers (DPOs)
SOC Managers (SOC Mgrs)
Operators
Malware Analysts (MAs)
Analysts
UEBA Analysts

Since the Administrators role has all of the permissions by default, it is not included in the tables.

Service Permissions Format for New Services

The service permissions for some new NetWitness Platform services contain three parts in the following format:

<service name>.<resource>.<action>

For example, for the investigate-server.metrics.read permission:

service name = investigate-server
resource = metrics
action = read

Users assigned this permission can read any metrics that the investigate-server service exposes.

Admin-server

The following table describes the permissions in the Admin-server tab.

Permission	Description
admin-server.configuration.manage	Permission to modify all service configuration parameters
admin-server.health.read	Permission to view any health notifications that the service exposes
admin-server.logs.manage	Permission to change log-related configuration
admin-server.metrics.read	Permission to view any metrics that the service exposes
admin-server.process.manage	Permission to start and stop the service
admin-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
admin-server.security.read	Permission to view security-related resources

Administration

The following table describes the list of permissions in Administration tab.

Permission	Description
Access Administration Module	Permission to access all the administration modules
Access Health & Wellness	Permission to access the health and wellness module
Apply System Updates	Permission to update the system
Can Opt In to Live Intelligence Sharing	Permission to opt for Live Intelligence sharing
Manage Advanced Settings	Permission to modify the advanced settings
Manage ATD Settings	Permission to modify the ATD settings
Manage Auditing	Permission to modify the auditing
Manage Email	Permission to change the email settings
Manage Global Auditing	Permission to modify global auditing
Manage Health & Wellness Policy	Permission to update the health & wellness policy
Manage Jobs	Permission to change the job settings
Manage LLS	Permission to modify LLS
Manage Logs	Permission to modify log related configurations
Manage Notifications	Permission to change notification settings
Manage Plugins	Permission to modify the plugins
Manage Predicates	Permission to modify the predicates
Manage Reconstruction	Permission to change the reconstruction
Manage Security	Permission to update the security settings
Manage Services	Permission to start and stop the services
Manage SSL Security	Permission to manage PKI setting
Manage System Settings	Permission to the modify the system settings
Modify ESA Settings	Permission to modify the ESA settings
Modify Event Sources	Permission to modify the ESA sources
Modify Hosts	Permission to modify the hosts
Modify Services	Permission to modify the services
View Event Sources	Permission to view the event sources
View Health & Wellness Policy	Permission to view the health & wellness policy
View Health & Wellness Stats Browser	Permission to view the health and wellness status in the browser
View Hosts	Permission to view the hosts
View Services	Permission to view the services
View Unified Sources	Permission to view the unified sources

The following table lists the permissions in the Administration tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	Operators	MAs	Analysts
Access Administration Module		Yes	Yes	Yes	Yes	Yes
Access Health & Wellness		Yes	Yes	Yes	Yes	Yes
Apply System Updates				Yes
Can Opt In to Live Intelligence Sharing				Yes
Manage Advanced Settings				Yes
Manage ATD Settings	Yes	Yes	Yes	Yes
Manage Auditing		Yes		Yes
Manage Email				Yes
Manage Global Auditing		Yes		Yes
Manage Health & Wellness Policy				Yes
Manage Jobs		Yes	Yes	Yes
Manage LLS				Yes
Manage Logs		Yes		Yes
Manage Notifications				Yes
Manage Plugins		Yes	Yes	Yes		Yes
Manage Predicates				Yes
Manage Reconstruction				Yes
Manage Security		Yes		Yes
Manage Services		Yes		Yes
Manage SSL Security
Manage System Settings		Yes	Yes	Yes		Yes
Modify ESA Settings				Yes
Modify Event Sources				Yes
Modify Hosts				Yes
Modify Services		Yes		Yes
View Event Sources			Yes	Yes
View Health & Wellness Policy			Yes	Yes		Yes
View Health & Wellness Stats Browser		Yes	Yes	Yes		Yes
View Hosts		Yes		Yes
View Services		Yes		Yes
View Unified Sources		Yes	Yes	Yes		Yes

Alerting

The following table describes the permissions in the Alerting tab.

Permission	Description
Access Alerting Module	Permission to access the alerting module
Manage Rules	Permission to update the rules
View Alerts	Permission to view the alerts
View Rules	Permission to view the rules

The following table lists the permissions in the Alerting tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	Operators	Analysts
Access Alerting Module	Yes	Yes	Yes	Yes	Yes
Manage Rules	Yes	Yes	Yes	Yes
View Alerts	Yes	Yes	Yes		Yes
View Rules		Yes	Yes	Yes

Config-server

The following table describes the permissions in the Config-server tab. The Administrators role has all of the permissions and is the only role granted permissions by default.

Permission	Description
config-server.*	All permissions (everything below)
config-server.configuration.manage	Permission to modify all service configuration parameters
config-server.health.read	Permission to view any health notifications that the service exposes
config-server.logs.manage	Permission to change log-related configuration
config-server.metrics.read	Permission to view any metrics that the service exposes
config-server.process.manage	Permission to start and stop the service
config-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
config-server.security.read	Permission to view security-related resources

Content-server

The following table describes the permissions in the Content-server tab.

Permission	Description
content-server.*	All permissions (everything below)
content-server.collection.read	Permission to read selective collection content
content-server.configuration.manage	Permission to modify all service configuration parameters
content-server.health.read	Permission to view any health notifications that the service exposes
content-server.logparser.manage	Permission to manage log parser configurations
content-server.logparser.read	Permission to view log parser configurations
content-server.logs.manage	Permission to change log-related configuration
content-server.metrics.read	Permission to view any metrics that the service exposes
content-server.policy.read	Permission to read policies
content-server.process.manage	Permission to start and stop the service
content-server.rule.manage	Permission to manage content rules
content-server.rule.read	Permission to view content rules
content-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
content-server.security.read	Permission to view security-related resources

The following table lists the permissions in the Content-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission	DPOs	SOC Mgrs	Operators	Analysts
content-server.*	Yes		Yes
content-server.collection.read
content-server.configuration.manage
content-server.health.read
content-server.logparser.manage
content-server.logparser.read		Yes		Yes
content-server.logs.manage
content-server.metrics.read
content-server.policy.read
content-server.process.manage
content-server.rule.manage
content-server.rule.read
content-server.security.manage
content-server.security.read

Contexthub-server

The following table describes the permissions in the Contexthub-server tab.

Permission	Description
contexthub-server.*	All permissions (everything below)
contexthub-server.configuration.manage	Permission to modify all service configuration parameters
contexthub-server.connection.manage	Permission to modify all connection settings
contexthub-server.connection.read	Permission to view all connection settings
contexthub-server.connectiontypes.read	Permission to view all configured connection types
contexthub-server.datasource.manage	Permission to modify data source settings
contexthub-server.datasource.read	Permission to view data source settings
contexthub-server.health.read	Permission to view any health notifications that the service exposes
contexthub-server.listentries.manage	Permission to modify list entries
contexthub-server.logs.manage	Permission to change log-related configuration
contexthub-server.metrics.read	Permission to view any metrics that the service exposes
contexthub-server.process.manage	Permission to start and stop the service
contexthub-server.query.read	Permission to view queries
contexthub-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
contexthub-server.security.read	Permission to view security-related resources
contexthub-server.stix.read	Permission to view stix settings
contexthub-server.taxiidatasource.manage	Permission to modify settings for the taxii data source
contexthub-server.taxiidatasource.read	Permission to view settings for the taxii data source

The following table lists the permissions in the Contexthub-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	MAs	Analysts
contexthub-server.*		Yes
contexthub-server.configuration.manage
contexthub-server.connection.manage
contexthub-server.connection.read	Yes		Yes	Yes	Yes
contexthub-server.connectiontypes.read			Yes
contexthub-server.datasource.manage	Yes		Yes	Yes	Yes
contexthub-server.datasource.read	Yes		Yes	Yes	Yes
contexthub-server.health.read
contexthub-server.listentries.manage	Yes		Yes	Yes	Yes
contexthub-server.logs.manage
contexthub-server.metrics.read
contexthub-server.process.manage
contexthub-server.query.read	Yes		Yes	Yes	Yes
contexthub-server.security.manage
contexthub-server.security.read
contexthub-server.stix.read			Yes	Yes	Yes
contexthub-server.taxiidatasource.manage			Yes	Yes	Yes
contexthub-server.taxiidatasource.read			Yes	Yes	Yes

Correlation-server

The following table describes the permissions in the Correlation-server tab. These permissions pertain to ESA Correlation.

Permission	Description
correlation-server.*	All permissions (everything below)
correlation-server.configuration.manage	Permission to modify all service configuration parameters
correlation-server.endpoint.manage	Permission to modify all endpoint configuration parameters
correlation-server.endpoint.read	Permission to view all endpoint configuration parameters
correlation-server.engine.manage	Permission to modify all engine configuration parameters
correlation-server.engine.read	Permission to view all engine configuration parameters
correlation-server.esperrule.manage	Permission to modify all esperrule configuration parameters
correlation-server.esperrule.read	Permission to view all esperrule configuration parameters
correlation-server.health.read	Permission to view any health notifications that the service exposes
correlation-server.keyvaluerule.manage	Permission to modify all keyvaluerule configuration parameters
correlation-server.keyvaluerule.read	Permission to view all keyvaluerule configuration parameters
correlation-server.logs.manage	Permission to change log-related configuration
correlation-server.metrics.read	Permission to view any metrics that the service exposes
correlation-server.module.manage	Permission to modify each module
correlation-server.module.read	Permission to view each module
correlation-server.process.manage	Permission to start and stop the service
correlation-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
correlation-server.security.read	Permission to view security-related resources
correlation-server.stream.manage	Permission to edit stream configuration settings
correlation-server.stream.read	Permission to view stream configuration settings
correlation-server.telemetry.read	Permission to view telemetry configuration settings

The following table lists the permissions in the Correlation-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	Operators
correlation-server.*		Yes
correlation-server.configuration.manage
correlation-server.endpoint.manage
correlation-server.endpoint.read
correlation-server.engine.manage	Yes		Yes	Yes
correlation-server.engine.read	Yes		Yes	Yes
correlation-server.esperrule.manage
correlation-server.esperrule.read
correlation-server.health.read
correlation-server.keyvaluerule.manage
correlation-server.keyvaluerule.read
correlation-server.logs.manage
correlation-server.metrics.read
correlation-server.module.manage	Yes		Yes	Yes
correlation-server.module.read	Yes		Yes	Yes
correlation-server.process.manage
correlation-server.security.manage
correlation-server.security.read
correlation-server.stream.manage	Yes		Yes	Yes
correlation-server.stream.read	Yes		Yes	Yes
correlation-server.telemetry.read

Dashboard

The following table describes the permissions in the Dashboard tab.

Permission	Description
Dashlet Access - Admin Device List Dashlet	Permission to access Admin Device List Dashlet
Dashlet Access - Admin Device Monitor Dashlet	Permission to access Admin Device Monitor Dashlet
Dashlet Access - Admin News Dashlet	Permission to access Admin News Dashlet
Dashlet Access - Alert Variance Dashlet	Permission to access Alert Variance Dashlet
Dashlet Access - Alerting Recent Alerts Dashlet	Permission to access Alerting Recent Alerts Dashlet
Dashlet Access - Investigation Jobs Dashlet	Permission to access Investigation Jobs Dashlet
Dashlet Access - Investigation Top Values Dashlet	Permission to access Investigation Top Values Dashlet
Dashlet Access - Live Featured Resources Dashlet	Permission to access Live Featured Resources Dashlet
Dashlet Access - Live New Resources Dashlet	Permission to access Live New Resources Dashlet
Dashlet Access - Live Subscriptions Dashlet	Permission to access Live Subscriptions Dashlet
Dashlet Access - Live Updated Resources Dashlet	Permission to access Live Updated Resources Dashlet
Dashlet Access - Malware Jobs Dashlet	Permission to access Malware Jobs Dashlet
Dashlet Access - Reporting Recent Report Dashlet	Permission to access Reporting Recent Report Dashlet
Dashlet Access - Reporting Charts Dashlet	Permission to access Reporting Charts Dashlet
Dashlet Access - Top Alerts Dashlet	Permission to access Top Alerts Dashlet
Dashlet Access - Unified RSA First Watch Dashlet	Permission to access Unified RSA First Watch Dashlet
Dashlet Access - Unified Shortcuts Dashlet	Permission to access Unified Shortcuts Dashlet

The following table lists the permissions in the Dashboard tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	RA	DPOs	SOC Mgrs	Operators	Analysts
Dashlet Access - Admin Device List Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Admin Device Monitor Dashlet		Yes
Dashlet Access - Admin News Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Alert Variance Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Alerting Recent Alerts Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Investigation Jobs Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Investigation Top Values Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Live Featured Resources Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Live New Resources Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Live Subscriptions Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Live Updated Resources Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Malware Jobs Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Reporting Recent Report Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Reporting Charts Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Top Alerts Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Unified RSA First Watch Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Unified Shortcuts Dashlet	Yes	Yes	Yes	Yes	Yes

Endpoint-broker-server

The following table describes the permissions in the Endpoint Broker server tab.

Permission	Description
endpoint-broker-server*	All permissions (everything below)
endpoint-broker-server.agent.manage	Permission to manage the agent, that is start or stop scan, downloading file from host, delete agent data from the Endpoint Log Hybrid and so on.
endpoint-broker-server.agent.read	Permission to view the endpoint data received from the agent such as host, file, certificate, events and so on.
endpoint-broker-server.configuration.manage	Permission to modify all endpoint broker configuration parameters
endpoint-broker-server.health.read	Permission to view any health notifications that the service exposes
endpoint-broker-server.logs.manage	Permission to change log-related configuration
endpoint-broker-server.metrics.read	Permission to view any metrics that the service exposes
endpoint-broker-server.policy.read	Permission to view existing policy details
endpoint-broker-server.process.manage	Permission to start and stop the service
endpoint-broker-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
endpoint-broker-server.security.read	Permission to view security-related resources

The following table lists the permissions in the Endpoint-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission	Operators	Analysts
endpoint-broker-server*
endpoint-broker-server.agent.manage	Yes	Yes
endpoint-broker-server.agent.read	Yes	Yes
endpoint-broker-server.configuration.manage
endpoint-broker-server.health.read
endpoint-broker-server.logs.manage
endpoint-broker-server.metrics.read
endpoint-broker-server.policy.read		Yes
endpoint-broker-server.process.manage
endpoint-broker-server.security.manage
endpoint-broker-server.security.read

Endpoint-server

The following table describes the permissions in the Endpoint-server tab.

Permission	Description
endpoint-server*	All permissions (everything below)
endpoint-server.agent.manage	Permission to generate and download the agent packager. Permission to manage the agent, that is start or stop scan, downloading files, master file table (MFT), memory dumps from host, isolate host from network, delete agent data from the Endpoint Log Hybrid and so on.
endpoint-server.agent.read	Permission to view the agent packager configuration. Permission to view the endpoint data received from the agent such as host, file, certificate, events, and so on.
endpoint-server.ca.manage	Permission to generate and download the agent packager.
endpoint-server.ca.read	Permission to generate and download the agent packager
endpoint-server.configuration.manage	Permission to modify all endpoint configuration parameters
endpoint-server.filter.manage	Permission to save, modify, and delete filters
endpoint-server.filter.read	Permission to view filters
endpoint-server.health.read	Permission to view any health notifications that the service exposes
endpoint-server.logs.manage	Permission to change log-related configuration
endpoint-server.metrics.read	Permission to view any metrics that the service exposes
endpoint-server.policy.read	Permission to view existing policy details
endpoint-server.process.manage	Permission to start and stop the service
endpoint-server.relay.manage	Permission to modify Relay Server Configuration
endpoint-server.relay.read	Permissions to view Relay Server details
endpoint-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
endpoint-server.security.read	Permission to view security-related resources

Permission	Operators	Analysts
endpoint-server*
endpoint-server.agent.manage	Yes	Yes
endpoint-server.agent.read	Yes	Yes
endpoint-server.ca.manage	Yes
endpoint-server.ca.read	Yes
endpoint-server.configuration.manage
endpoint-server.filter.manage		Yes
endpoint-server.filter.read		Yes
endpoint-server.health.read
endpoint-server.logs.manage
endpoint-server.metrics.read
endpoint-server.policy.read		Yes
endpoint-server.process.manage
endpoint-server.rar.manage
endpoint-server.rar.read
endpoint-server.relay.manage	Yes
endpoint-server.relay.read	Yes
endpoint-server.security.manage
endpoint-server.security.read

Incidents

The following table describes the permissions in the Incidents tab.

Permission	Description
Access Incident Module	Permission to access the Incident module
Configure Incident Management Integration	Permission to configure incident management integration
Delete Alerts and incidents	Permission o delete alerts and incidents
Manage Alert Handling Rules	Permission to modify the alert handling rules
View and Manage Incidents	Permission to modify the incidents

The following table lists the permissions in the Incidents tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	MAs	Analysts
Access Incident Module	Yes	Yes	Yes	Yes	Yes
Configure Incident Management Integration	Yes	Yes	Yes
Delete Alerts and incidents	Yes	Yes
Manage Alert Handling Rules	Yes	Yes	Yes
View and Manage Incidents	Yes	Yes	Yes	Yes	Yes

Integration-server

(The Integration-server permissions are available in NetWitness Platform version 11.1 and later.)

The following table describes the permissions in the Integration-server tab.

Permission	Description
integration-server.*	All permissions (everything below)
integration-server.api.access	Permission to authorize external requests from 3rd party applications
integration-server.configuration.manage	Permission to view and modify all service integration configuration parameters
integration-server.health.read	Permission to read any health notifications that the service exposes
integration-server.logs.manage	Permission to change log-related integration configurations
integration-server.metrics.read	Permission to read any metrics that the service exposes
integration-server.notification.manage	Permission to change global notification configurations (for example, SMTP server)
integration-server.notification.read	Permission to read global notification configurations (for example, SMTP server)
integration-server.notification.send	Permission to send notifications (for example, Email)
integration-server.process.manage	Permission to start and stop the service
integration-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
integration-server.security.read	Permission to read security-related resources
integration-server.template.manage	Permission to change notification template
integration-server.template.read	Permission to read notification template

The following table lists the permissions in the Integration-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	Operators	MAs	Analysts
integration-server.*		Yes
integration-server.api.access
integration-server.configuration.manage
integration-server.health.read