
Sec/User Mgmt: Role Permissions

Document created by RSA Information Design and Development Employee on Aug 29, 2018. Last modified by RSA Information Design and Development Employee on Sep 8, 2020. Version 14.

In NetWitness Platform, user access to each module, dashlet, and view is restricted based on the assigned permissions. You can locate these role permissions in the Add or Edit Roles dialogs, accessible from the (Admin) > Security > Roles tab.

In the Add or Edit Role dialogs, the tabs in the Permission section represent different areas of NetWitness Platform and show the available permissions for those areas. For example, the Administration tab shows the permissions available in the Admin view.

Note: There is no Configure tab in the Add/Edit Role dialogs that corresponds to the Configure view. To assign permissions in the Configure view, assign permissions to the views contained within the Configure view: Live Content (Live), Incident Rules (Incidents), Respond Notifications (Incidents, Respond-server, Integration server), ESA Rules (Alerting), Subscriptions (Live), and Custom Feeds (Live).

Note: To the left of the Administration tab is a tab marked with an asterisk (*). This tab indicates access to management of backend services only.

The tables that follow show the default permissions assigned to each NetWitness Platform user role:

  • Administrators
  • Respond Administrators (RAs)
  • Reporting Engine Content Administrators (RE CAs)
  • Data Privacy Officers (DPOs)
  • SOC Managers (SOC Mgrs)
  • Operators
  • Malware Analysts (MAs)
  • Analysts
  • UEBA Analysts

Since the Administrators role has all of the permissions by default, it is not included in the tables.

Service Permissions Format for New Services

The service permissions for some new NetWitness Platform services contain three parts in the following format:

<service name>.<resource>.<action>

For example, for the investigate-server.metrics.read permission:

  • service name = investigate-server
  • resource = metrics
  • action = read

Users assigned this permission can read any metrics that the investigate-server service exposes.
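
An added example, not part of the RSA documentation: a small Python parser and checker for the three-part permission format described above (including the service-wide wildcard form that the tables on this page list as "All permissions"), plus a least-privilege review of a role's grants. The role names, the sample grants, and the choice of which resource/action pairs to flag are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumption (not from the page): which resource/action pairs deserve review.
# Chosen from the page's descriptions: security.manage edits passwords and keys,
# process.manage starts and stops the service, logs.manage changes logging.
REVIEW_PAIRS = {
    ("security", "manage"): "can edit passwords and keys",
    ("process", "manage"): "can start and stop the service",
    ("logs", "manage"): "can change log-related configuration",
}


@dataclass(frozen=True)
class Permission:
    service: str
    resource: str  # "*" when the grant is the service-wide wildcard
    action: str    # "*" when the grant is the service-wide wildcard

    @property
    def is_wildcard(self):
        return self.resource == "*"


def parse_permission(text):
    """Parse '<service name>.<resource>.<action>' or the '<service>.*' wildcard."""
    text = text.strip()
    if text.endswith("*"):
        # The tables write the wildcard both as 'config-server.*' and
        # 'endpoint-server*', so the dot before '*' is optional here.
        service = text[:-1].rstrip(".")
        if not service or "." in service or "*" in service:
            raise ValueError(f"malformed wildcard permission: {text!r}")
        return Permission(service, "*", "*")
    parts = text.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected <service>.<resource>.<action>: {text!r}")
    return Permission(*parts)


def is_allowed(grants, required):
    """True if any granted permission covers the required one.

    'manage' is not treated as implying 'read'; the page does not say it does.
    """
    need = parse_permission(required)
    for grant in map(parse_permission, grants):
        if grant.service != need.service:
            continue
        if grant.is_wildcard or (grant.resource, grant.action) == (need.resource, need.action):
            return True
    return False


def audit_role(grants):
    """Return (permission, reason) pairs worth a least-privilege review."""
    findings = []
    for text in grants:
        perm = parse_permission(text)
        if perm.is_wildcard:
            findings.append((text, f"grants every {perm.service} permission"))
        elif (perm.resource, perm.action) in REVIEW_PAIRS:
            findings.append((text, REVIEW_PAIRS[(perm.resource, perm.action)]))
    return findings


# Constructed sample roles (hypothetical names, not defaults from the product).
SAMPLE_ROLES = {
    "custom-tier1": ["investigate-server.metrics.read", "content-server.rule.read"],
    "custom-content-admin": ["content-server.*", "admin-server.security.manage"],
}

if __name__ == "__main__":
    for role, grants in SAMPLE_ROLES.items():
        for perm, reason in audit_role(grants):
            print(f"{role}: {perm} -> {reason}")
```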

Admin-server

The following table describes the permissions in the Admin-server tab.

                                       
| Permission | Description |
| admin-server.configuration.manage | Permission to modify all service configuration parameters |
| admin-server.health.read | Permission to view any health notifications that the service exposes |
| admin-server.logs.manage | Permission to change log-related configuration |
| admin-server.metrics.read | Permission to view any metrics that the service exposes |
| admin-server.process.manage | Permission to start and stop the service |
| admin-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| admin-server.security.read | Permission to view security-related resources |

Administration

The following table describes the permissions in the Administration tab.

                                                                                                                                       
| Permission | Description |
| Access Administration Module | Permission to access all the administration modules |
| Access Health & Wellness | Permission to access the health and wellness module |
| Apply System Updates | Permission to update the system |
| Can Opt In to Live Intelligence Sharing | Permission to opt for Live Intelligence sharing |
| Manage Advanced Settings | Permission to modify the advanced settings |
| Manage ATD Settings | Permission to modify the ATD settings |
| Manage Auditing | Permission to modify the auditing |
| Manage Email | Permission to change the email settings |
| Manage Global Auditing | Permission to modify global auditing |
| Manage Health & Wellness Policy | Permission to update the health & wellness policy |
| Manage Jobs | Permission to change the job settings |
| Manage LLS | Permission to modify LLS |
| Manage Logs | Permission to modify log related configurations |
| Manage Notifications | Permission to change notification settings |
| Manage Plugins | Permission to modify the plugins |
| Manage Predicates | Permission to modify the predicates |
| Manage Reconstruction | Permission to change the reconstruction |
| Manage Security | Permission to update the security settings |
| Manage Services | Permission to start and stop the services |
| Manage SSL Security | Permission to manage PKI setting |
| Manage System Settings | Permission to modify the system settings |
| Modify ESA Settings | Permission to modify the ESA settings |
| Modify Event Sources | Permission to modify the ESA sources |
| Modify Hosts | Permission to modify the hosts |
| Modify Services | Permission to modify the services |
| View Event Sources | Permission to view the event sources |
| View Health & Wellness Policy | Permission to view the health & wellness policy |
| View Health & Wellness Stats Browser | Permission to view the health and wellness status in the browser |
| View Hosts | Permission to view the hosts |
| View Services | Permission to view the services |
| View Unified Sources | Permission to view the unified sources |

The following table lists the permissions in the Administration tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

                                                                                                                                                                                                                                                                                                                                             
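| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts | UEBA Analysts |
| Access Administration Module |  | Yes | Yes | Yes | Yes | Yes |  |
| Access Health & Wellness |  | Yes | Yes | Yes | Yes | Yes |  |
| Apply System Updates |  |  |  | Yes |  |  |  |
| Can Opt In to Live Intelligence Sharing |  |  |  | Yes |  |  |  |
| Manage Advanced Settings |  |  |  | Yes |  |  |  |
| Manage ATD Settings | Yes | Yes | Yes | Yes |  |  |  |
| Manage Auditing |  | Yes |  | Yes |  |  |  |
| Manage Email |  |  |  | Yes |  |  |  |
| Manage Global Auditing |  | Yes |  | Yes |  |  |  |
| Manage Health & Wellness Policy |  |  |  | Yes |  |  |  |
| Manage Jobs |  | Yes | Yes | Yes |  |  |  |
| Manage LLS |  |  |  | Yes |  |  |  |
| Manage Logs |  | Yes |  | Yes |  |  |  |
| Manage Notifications |  |  |  | Yes |  |  |  |
| Manage Plugins |  | Yes | Yes | Yes |  | Yes |  |
| Manage Predicates |  |  |  | Yes |  |  |  |
| Manage Reconstruction |  |  |  | Yes |  |  |  |
| Manage Security |  | Yes |  | Yes |  |  |  |
| Manage Services |  | Yes |  | Yes |  |  |  |
| Manage SSL Security |  |  |  |  |  |  |  |
| Manage System Settings |  | Yes | Yes | Yes |  | Yes |  |
| Modify ESA Settings |  |  |  | Yes |  |  |  |
| Modify Event Sources |  |  |  | Yes |  |  |  |
| Modify Hosts |  |  |  | Yes |  |  |  |
| Modify Services |  | Yes |  | Yes |  |  |  |
| View Event Sources |  |  | Yes | Yes |  |  |  |
| View Health & Wellness Policy |  |  | Yes | Yes |  | Yes |  |
| View Health & Wellness Stats Browser |  | Yes | Yes | Yes |  | Yes |  |
| View Hosts |  | Yes |  | Yes |  |  |  |
| View Services |  | Yes |  | Yes |  |  |  |
| View Unified Sources |  | Yes | Yes | Yes |  | Yes |  |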

Alerting

The following table describes the permissions in the Alerting tab.

                           
| Permission | Description |
| Access Alerting Module | Permission to access the alerting module |
| Manage Rules | Permission to update the rules |
| View Alerts | Permission to view the alerts |
| View Rules | Permission to view the rules |

The following table lists the permissions in the Alerting tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

                                                         
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
| Access Alerting Module | Yes | Yes | Yes | Yes |  | Yes |
| Manage Rules | Yes | Yes | Yes | Yes |  |  |
| View Alerts | Yes | Yes | Yes |  |  | Yes |
| View Rules |  | Yes | Yes | Yes |  |  |

Config-server

The following table describes the permissions in the Config-server tab. The Administrators role has all of the permissions and is the only role granted permissions by default.

                                           
| Permission | Description |
| config-server.* | All permissions (everything below) |
| config-server.configuration.manage | Permission to modify all service configuration parameters |
| config-server.health.read | Permission to view any health notifications that the service exposes |
| config-server.logs.manage | Permission to change log-related configuration |
| config-server.metrics.read | Permission to view any metrics that the service exposes |
| config-server.process.manage | Permission to start and stop the service |
| config-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| config-server.security.read | Permission to view security-related resources |

Content-server

The following table describes the permissions in the Content-server tab.

                                                                   
| Permission | Description |
| content-server.* | All permissions (everything below) |
| content-server.collection.read | Permission to read selective collection content |
| content-server.configuration.manage | Permission to modify all service configuration parameters |
| content-server.health.read | Permission to view any health notifications that the service exposes |
| content-server.logparser.manage | Permission to manage log parser configurations |
| content-server.logparser.read | Permission to view log parser configurations |
| content-server.logs.manage | Permission to change log-related configuration |
| content-server.metrics.read | Permission to view any metrics that the service exposes |
| content-server.policy.read | Permission to read policies |
| content-server.process.manage | Permission to start and stop the service |
| content-server.rule.manage | Permission to manage content rules |
| content-server.rule.read | Permission to view content rules |
| content-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| content-server.security.read | Permission to view security-related resources |

The following table lists the permissions in the Content-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

                                                                                                                                                   
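| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
| content-server.* |  | Yes |  | Yes |  |  |
| content-server.collection.read |  |  |  |  |  |  |
| content-server.configuration.manage |  |  |  |  |  |  |
| content-server.health.read |  |  |  |  |  |  |
| content-server.logparser.manage |  |  |  |  |  |  |
| content-server.logparser.read |  |  | Yes |  |  | Yes |
| content-server.logs.manage |  |  |  |  |  |  |
| content-server.metrics.read |  |  |  |  |  |  |
| content-server.policy.read |  |  |  |  |  |  |
| content-server.process.manage |  |  |  |  |  |  |
| content-server.rule.manage |  |  |  |  |  |  |
| content-server.rule.read |  |  |  |  |  |  |
| content-server.security.manage |  |  |  |  |  |  |
| content-server.security.read |  |  |  |  |  |  |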

Contexthub-server

The following table describes the permissions in the Contexthub-server tab.

                                                                                   
| Permission | Description |
| contexthub-server.* | All permissions (everything below) |
| contexthub-server.configuration.manage | Permission to modify all service configuration parameters |
| contexthub-server.connection.manage | Permission to modify all connection settings |
| contexthub-server.connection.read | Permission to view all connection settings |
| contexthub-server.connectiontypes.read | Permission to view all configured connection types |
| contexthub-server.datasource.manage | Permission to modify data source settings |
| contexthub-server.datasource.read | Permission to view data source settings |
| contexthub-server.health.read | Permission to view any health notifications that the service exposes |
| contexthub-server.listentries.manage | Permission to modify list entries |
| contexthub-server.logs.manage | Permission to change log-related configuration |
| contexthub-server.metrics.read | Permission to view any metrics that the service exposes |
| contexthub-server.process.manage | Permission to start and stop the service |
| contexthub-server.query.read | Permission to view queries |
| contexthub-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| contexthub-server.security.read | Permission to view security-related resources |
| contexthub-server.stix.read | Permission to view stix settings |
| contexthub-server.taxiidatasource.manage | Permission to modify settings for the taxii data source |
| contexthub-server.taxiidatasource.read | Permission to view settings for the taxii data source |

The following table lists the permissions in the Contexthub-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

                                                                                                                                                                                       
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
| contexthub-server.* |  | Yes |  |  |  |  |
| contexthub-server.configuration.manage |  |  |  |  |  |  |
| contexthub-server.connection.manage |  |  |  |  |  |  |
| contexthub-server.connection.read | Yes |  | Yes |  | Yes | Yes |
| contexthub-server.connectiontypes.read |  |  | Yes |  |  |  |
| contexthub-server.datasource.manage | Yes |  | Yes |  | Yes | Yes |
| contexthub-server.datasource.read | Yes |  | Yes |  | Yes | Yes |
| contexthub-server.health.read |  |  |  |  |  |  |
| contexthub-server.listentries.manage | Yes |  | Yes |  | Yes | Yes |
| contexthub-server.logs.manage |  |  |  |  |  |  |
| contexthub-server.metrics.read |  |  |  |  |  |  |
| contexthub-server.process.manage |  |  |  |  |  |  |
| contexthub-server.query.read | Yes |  | Yes |  | Yes | Yes |
| contexthub-server.security.manage |  |  |  |  |  |  |
| contexthub-server.security.read |  |  |  |  |  |  |
| contexthub-server.stix.read |  |  | Yes |  | Yes | Yes |
| contexthub-server.taxiidatasource.manage |  |  | Yes |  | Yes | Yes |
| contexthub-server.taxiidatasource.read |  |  | Yes |  | Yes | Yes |

Correlation-server

The following table describes the permissions in the Correlation-server tab. These permissions pertain to ESA Correlation.

                                                                                               
| Permission | Description |
| correlation-server.* | All permissions (everything below) |
| correlation-server.configuration.manage | Permission to modify all service configuration parameters |
| correlation-server.endpoint.manage | Permission to modify all endpoint configuration parameters |
| correlation-server.endpoint.read | Permission to view all endpoint configuration parameters |
| correlation-server.engine.manage | Permission to modify all engine configuration parameters |
| correlation-server.engine.read | Permission to view all engine configuration parameters |
| correlation-server.esperrule.manage | Permission to modify all esperrule configuration parameters |
| correlation-server.esperrule.read | Permission to view all esperrule configuration parameters |
| correlation-server.health.read | Permission to view any health notifications that the service exposes |
| correlation-server.keyvaluerule.manage | Permission to modify all keyvaluerule configuration parameters |
| correlation-server.keyvaluerule.read | Permission to view all keyvaluerule configuration parameters |
| correlation-server.logs.manage | Permission to change log-related configuration |
| correlation-server.metrics.read | Permission to view any metrics that the service exposes |
| correlation-server.module.manage | Permission to modify each module |
| correlation-server.module.read | Permission to view each module |
| correlation-server.process.manage | Permission to start and stop the service |
| correlation-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| correlation-server.security.read | Permission to view security-related resources |
| correlation-server.stream.manage | Permission to edit stream configuration settings |
| correlation-server.stream.read | Permission to view stream configuration settings |
| correlation-server.telemetry.read | Permission to view telemetry configuration settings |

The following table lists the permissions in the Correlation-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

                                                                                                                                                                                                                  
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
| correlation-server.* |  | Yes |  |  |  |  |
| correlation-server.configuration.manage |  |  |  |  |  |  |
| correlation-server.endpoint.manage |  |  |  |  |  |  |
| correlation-server.endpoint.read |  |  |  |  |  |  |
| correlation-server.engine.manage | Yes |  | Yes | Yes |  |  |
| correlation-server.engine.read | Yes |  | Yes | Yes |  |  |
| correlation-server.esperrule.manage |  |  |  |  |  |  |
| correlation-server.esperrule.read |  |  |  |  |  |  |
| correlation-server.health.read |  |  |  |  |  |  |
| correlation-server.keyvaluerule.manage |  |  |  |  |  |  |
| correlation-server.keyvaluerule.read |  |  |  |  |  |  |
| correlation-server.logs.manage |  |  |  |  |  |  |
| correlation-server.metrics.read |  |  |  |  |  |  |
| correlation-server.module.manage | Yes |  | Yes | Yes |  |  |
| correlation-server.module.read | Yes |  | Yes | Yes |  |  |
| correlation-server.process.manage |  |  |  |  |  |  |
| correlation-server.security.manage |  |  |  |  |  |  |
| correlation-server.security.read |  |  |  |  |  |  |
| correlation-server.stream.manage | Yes |  | Yes | Yes |  |  |
| correlation-server.stream.read | Yes |  | Yes | Yes |  |  |
| correlation-server.telemetry.read |  |  |  |  |  |  |

Dashboard

The following table describes the permissions in the Dashboard tab.

                                                                               
| Permission | Description |
| Dashlet Access - Admin Device List Dashlet | Permission to access Admin Device List Dashlet |
| Dashlet Access - Admin Device Monitor Dashlet | Permission to access Admin Device Monitor Dashlet |
| Dashlet Access - Admin News Dashlet | Permission to access Admin News Dashlet |
| Dashlet Access - Alert Variance Dashlet | Permission to access Alert Variance Dashlet |
| Dashlet Access - Alerting Recent Alerts Dashlet | Permission to access Alerting Recent Alerts Dashlet |
| Dashlet Access - Investigation Jobs Dashlet | Permission to access Investigation Jobs Dashlet |
| Dashlet Access - Investigation Top Values Dashlet | Permission to access Investigation Top Values Dashlet |
| Dashlet Access - Live Featured Resources Dashlet | Permission to access Live Featured Resources Dashlet |
| Dashlet Access - Live New Resources Dashlet | Permission to access Live New Resources Dashlet |
| Dashlet Access - Live Subscriptions Dashlet | Permission to access Live Subscriptions Dashlet |
| Dashlet Access - Live Updated Resources Dashlet | Permission to access Live Updated Resources Dashlet |
| Dashlet Access - Malware Jobs Dashlet | Permission to access Malware Jobs Dashlet |
| Dashlet Access - Reporting Recent Report Dashlet | Permission to access Reporting Recent Report Dashlet |
| Dashlet Access - Reporting Charts Dashlet | Permission to access Reporting Charts Dashlet |
| Dashlet Access - Top Alerts Dashlet | Permission to access Top Alerts Dashlet |
| Dashlet Access - Unified RSA First Watch Dashlet | Permission to access Unified RSA First Watch Dashlet |
| Dashlet Access - Unified Shortcuts Dashlet | Permission to access Unified Shortcuts Dashlet |

The following table lists the permissions in the Dashboard tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

                                                                                                                                                                              
| Permission | RA | DPOs | SOC Mgrs | Operators | MAs | Analysts |
| Dashlet Access - Admin Device List Dashlet | Yes | Yes | Yes | Yes |  | Yes |
| Dashlet Access - Admin Device Monitor Dashlet |  | Yes |  |  |  |  |
| Dashlet Access - Admin News Dashlet | Yes | Yes | Yes | Yes |  | Yes |
| Dashlet Access - Alert Variance Dashlet | Yes | Yes | Yes |  |  | Yes |
| Dashlet Access - Alerting Recent Alerts Dashlet | Yes | Yes | Yes |  |  | Yes |
| Dashlet Access - Investigation Jobs Dashlet | Yes | Yes | Yes |  |  | Yes |
| Dashlet Access - Investigation Top Values Dashlet | Yes | Yes | Yes |  |  | Yes |
| Dashlet Access - Live Featured Resources Dashlet | Yes | Yes | Yes | Yes |  | Yes |
| Dashlet Access - Live New Resources Dashlet | Yes | Yes | Yes | Yes |  | Yes |
| Dashlet Access - Live Subscriptions Dashlet | Yes | Yes | Yes | Yes |  | Yes |
| Dashlet Access - Live Updated Resources Dashlet | Yes | Yes | Yes | Yes |  | Yes |
| Dashlet Access - Malware Jobs Dashlet | Yes | Yes | Yes |  |  | Yes |
| Dashlet Access - Reporting Recent Report Dashlet | Yes | Yes | Yes |  |  | Yes |
| Dashlet Access - Reporting Charts Dashlet | Yes | Yes | Yes |  |  | Yes |
| Dashlet Access - Top Alerts Dashlet | Yes | Yes | Yes |  |  | Yes |
| Dashlet Access - Unified RSA First Watch Dashlet | Yes | Yes | Yes | Yes |  | Yes |
| Dashlet Access - Unified Shortcuts Dashlet | Yes | Yes | Yes | Yes |  | Yes |

Endpoint-broker-server

The following table describes the permissions in the Endpoint Broker server tab.

                                                       
| Permission | Description |
| endpoint-broker-server* | All permissions (everything below) |
| endpoint-broker-server.agent.manage | Permission to manage the agent, that is start or stop scan, downloading file from host, delete agent data from the Endpoint Log Hybrid and so on. |
| endpoint-broker-server.agent.read | Permission to view the endpoint data received from the agent such as host, file, certificate, events and so on. |
| endpoint-broker-server.configuration.manage | Permission to modify all endpoint broker configuration parameters |
| endpoint-broker-server.health.read | Permission to view any health notifications that the service exposes |
| endpoint-broker-server.logs.manage | Permission to change log-related configuration |
| endpoint-broker-server.metrics.read | Permission to view any metrics that the service exposes |
| endpoint-broker-server.policy.read | Permission to view existing policy details |
| endpoint-broker-server.process.manage | Permission to start and stop the service |
| endpoint-broker-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| endpoint-broker-server.security.read | Permission to view security-related resources |

The following table lists the permissions in the Endpoint-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

                                                                                                                        
| Permission | RA | DPOs | SOC Mgrs | Operators | MAs | Analysts |
| endpoint-broker-server* |  |  |  |  |  |  |
| endpoint-broker-server.agent.manage |  |  |  | Yes |  | Yes |
| endpoint-broker-server.agent.read |  |  |  | Yes |  | Yes |
| endpoint-broker-server.configuration.manage |  |  |  |  |  |  |
| endpoint-broker-server.health.read |  |  |  |  |  |  |
| endpoint-broker-server.logs.manage |  |  |  |  |  |  |
| endpoint-broker-server.metrics.read |  |  |  |  |  |  |
| endpoint-broker-server.policy.read |  |  |  |  |  | Yes |
| endpoint-broker-server.process.manage |  |  |  |  |  |  |
| endpoint-broker-server.security.manage |  |  |  |  |  |  |
| endpoint-broker-server.security.read |  |  |  |  |  |  |

Endpoint-server

The following table describes the permissions in the Endpoint-server tab.

                                                                               
| Permission | Description |
| endpoint-server* | All permissions (everything below) |
| endpoint-server.agent.manage | Permission to generate and download the agent packager. Permission to manage the agent, that is start or stop scan, downloading files, master file table (MFT), memory dumps from host, isolate host from network, delete agent data from the Endpoint Log Hybrid and so on. |
| endpoint-server.agent.read | Permission to view the agent packager configuration. Permission to view the endpoint data received from the agent such as host, file, certificate, events, and so on. |
| endpoint-server.ca.manage | Permission to generate and download the agent packager. |
| endpoint-server.ca.read | Permission to generate and download the agent packager |
| endpoint-server.configuration.manage | Permission to modify all endpoint configuration parameters |
| endpoint-server.filter.manage | Permission to save, modify, and delete filters |
| endpoint-server.filter.read | Permission to view filters |
| endpoint-server.health.read | Permission to view any health notifications that the service exposes |
| endpoint-server.logs.manage | Permission to change log-related configuration |
| endpoint-server.metrics.read | Permission to view any metrics that the service exposes |
| endpoint-server.policy.read | Permission to view existing policy details |
| endpoint-server.process.manage | Permission to start and stop the service |
| endpoint-server.relay.manage | Permission to modify Relay Server Configuration |
| endpoint-server.relay.read | Permissions to view Relay Server details |
| endpoint-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| endpoint-server.security.read | Permission to view security-related resources |

The following table lists the permissions in the Endpoint-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

                                                                                                                                                                                                
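| Permission | RA | DPOs | SOC Mgrs | Operators | MAs | Analysts |
| endpoint-server* |  |  |  |  |  |  |
| endpoint-server.agent.manage |  |  |  | Yes |  | Yes |
| endpoint-server.agent.read |  |  |  | Yes |  | Yes |
| endpoint-server.ca.manage |  |  |  | Yes |  |  |
| endpoint-server.ca.read |  |  |  | Yes |  |  |
| endpoint-server.configuration.manage |  |  |  |  |  |  |
| endpoint-server.filter.manage |  |  |  |  |  | Yes |
| endpoint-server.filter.read |  |  |  |  |  | Yes |
| endpoint-server.health.read |  |  |  |  |  |  |
| endpoint-server.logs.manage |  |  |  |  |  |  |
| endpoint-server.metrics.read |  |  |  |  |  |  |
| endpoint-server.policy.read |  |  |  |  |  | Yes |
| endpoint-server.process.manage |  |  |  |  |  |  |
| endpoint-server.rar.manage |  |  |  |  |  |  |
| endpoint-server.rar.read |  |  |  |  |  |  |
| endpoint-server.relay.manage |  |  |  | Yes |  |  |
| endpoint-server.relay.read |  |  |  | Yes |  |  |
| endpoint-server.security.manage |  |  |  |  |  |  |
| endpoint-server.security.read |  |  |  |  |  |  |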

Incidents

The following table describes the permissions in the Incidents tab.

                               
| Permission | Description |
| Access Incident Module | Permission to access the Incident module |
| Configure Incident Management Integration | Permission to configure incident management integration |
| Delete Alerts and incidents | Permission to delete alerts and incidents |
| Manage Alert Handling Rules | Permission to modify the alert handling rules |
| View and Manage Incidents | Permission to modify the incidents |

The following table lists the permissions in the Incidents tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

                                                                  
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
| Access Incident Module | Yes | Yes | Yes |  | Yes | Yes |
| Configure Incident Management Integration | Yes | Yes | Yes |  |  |  |
| Delete Alerts and incidents | Yes | Yes |  |  |  |  |
| Manage Alert Handling Rules | Yes | Yes | Yes |  |  |  |
| View and Manage Incidents | Yes | Yes | Yes |  | Yes | Yes |

Integration-server

(The Integration-server permissions are available in NetWitness Platform version 11.1 and later.)

The following table describes the permissions in the Integration-server tab.

                                                                     
| Permission | Description |
| integration-server.* | All permissions (everything below) |
| integration-server.api.access | Permission to authorize external requests from 3rd party applications |
| integration-server.configuration.manage | Permission to view and modify all service integration configuration parameters |
| integration-server.health.read | Permission to read any health notifications that the service exposes |
| integration-server.logs.manage | Permission to change log-related integration configurations |
| integration-server.metrics.read | Permission to read any metrics that the service exposes |
| integration-server.notification.manage | Permission to change global notification configurations (for example, SMTP server) |
| integration-server.notification.read | Permission to read global notification configurations (for example, SMTP server) |
| integration-server.notification.send | Permission to send notifications (for example, Email) |
| integration-server.process.manage | Permission to start and stop the service |
| integration-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| integration-server.security.read | Permission to read security-related resources |
| integration-server.template.manage | Permission to change notification template |
| integration-server.template.read | Permission to read notification template |

 

The following table lists the permissions in the Integration-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

                                                                                                                                                          
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
| integration-server.* |  | Yes |  |  |  |  |
| integration-server.api.access |  |  |  |  |  |  |
| integration-server.configuration.manage |  |  |  |  |  |  |
| integration-server.health.read |  |  |  |  |  |  |
integration-server.logs.manage </