Sec/User Mgmt: Role Permissions

Document created by RSA Information Design and Development on Aug 29, 2018•Last modified by RSA Information Design and Development on Mar 23, 2020

Version 12Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

InNetWitness Platform, user can access each module, dashlet, and view is restricted based on the assigned permissions. You can locate these role permissions in the Add or Edit Roles dialogs accessible from the Admin > Security > Roles tab.

In the Add or Edit Role dialogs, the tabs in the Permission section represent different areas of NetWitness Platform and show the available permissions for those areas. For example, the Administration tab shows the permissions available in the Admin view.

Note: There is no Configure tab in the Add/Edit Role dialogs that corresponds to the Configure view. To assign permissions in the Configure view, assign permissions to the views contained within the Configure view: Live Content (Live), Incident Rules (Incidents), Respond Notifications (Incidents, Respond-server, Integration server), ESA Rules (Alerting), Subscriptions (Live), and Custom Feeds (Live).

Note: To the left of the Administration tab is a tab marked with an asterisk (*). This tab indicates access to management of backend services only.

The tables that follow show the default permissions assigned to each NetWitness Platform user role:

Administrators
Respond Administrators (RAs)
Data Privacy Officers (DPOs)
SOC Managers (SOC Mgrs)
Operators
Malware Analysts (MAs)
Analysts
UEBA Analysts

Since the Administrators role has all of the permissions by default, it is not included in the tables.

Service Permissions Format for New Services

The service permissions for some new NetWitness Platform services contain three parts in the following format:

<service name>.<resource>.<action>

For example, for the investigate-server.metrics.read permission:

service name = investigate-server
resource = metrics
action = read

Users assigned this permission can read any metrics that the investigate-server service exposes.

Administration

The following table describes the list of permissions in Administration tab.

Permission	Description
Access Administration Module	Permission to access all the administration modules
Access Health & Wellness	Permission to access the health and wellness module
Apply System Updates	Permission to update the system
Can Opt In to Live Intelligence Sharing	Permission to opt for Live Intelligence sharing
Manage Advanced Settings	Permission to modify the advanced settings
Manage ATD Settings	Permission to modify the ATD settings
Manage Auditing	Permission to modify the auditing
Manage Email	Permission to change the email settings
Manage Global Auditing	Permission to modify global auditing
Manage Health & Wellness Policy	Permission to update the health & wellness policy
Manage Jobs	Permission to change the job settings
Manage LLS	Permission to modify LLS
Manage Logs	Permission to modify log related configurations
Manage Notifications	Permission to change notification settings
Manage Plugins	Permission to modify the plugins
Manage Predicates	Permission to modify the predicates
Manage Reconstruction	Permission to change the reconstruction
Manage Security	Permission to update the security settings
Manage Services	Permission to start and stop the services
Manage System Settings	Permission to the modify the system settings
Modify ESA Settings	Permission to modify the ESA settings
Modify Event Sources	Permission to modify the ESA sources
Modify Hosts	Permission to modify the hosts
Modify Services	Permission to modify the services
View Event Sources	Permission to view the event sources
View Health & Wellness Policy	Permission to view the health & wellness policy
View Health & Wellness Stats Browser	Permission to view the health and wellness status in the browser
View Hosts	Permission to view the hosts
View Services	Permission to view the services
View Unified Sources	Permission to view the unified sources

The following table lists the permissions in the Administration tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	Operators	MAs	Analysts
Access Administration Module		Yes	Yes	Yes	Yes	Yes
Access Health & Wellness		Yes	Yes	Yes	Yes	Yes
Apply System Updates				Yes
Can Opt In to Live Intelligence Sharing				Yes
Manage Advanced Settings				Yes
Manage ATD Settings	Yes	Yes	Yes	Yes
Manage Auditing		Yes		Yes
Manage Email				Yes
Manage Global Auditing		Yes		Yes
Manage Health & Wellness Policy				Yes
Manage Jobs		Yes	Yes	Yes
Manage LLS				Yes
Manage Logs		Yes		Yes
Manage Notifications				Yes
Manage Plugins		Yes	Yes	Yes		Yes
Manage Predicates				Yes
Manage Reconstruction				Yes
Manage Security		Yes		Yes
Manage Services		Yes		Yes
Manage System Settings		Yes	Yes	Yes		Yes
Modify ESA Settings				Yes
Modify Event Sources				Yes
Modify Hosts				Yes
Modify Services		Yes		Yes
View Event Sources			Yes	Yes
View Health & Wellness Policy			Yes	Yes		Yes
View Health & Wellness Stats Browser		Yes	Yes	Yes		Yes
View Hosts		Yes		Yes
View Services		Yes		Yes
View Unified Sources		Yes	Yes	Yes		Yes

Admin-server

The following table describes the permissions in the Admin-server tab.

Permission	Description
admin-server.configuration.manage	Permission to modify all service configuration parameters
admin-server.health.read	Permission to view any health notifications that the service exposes
admin-server.logs.manage	Permission to change log-related configuration
admin-server.metrics.read	Permission to view any metrics that the service exposes
admin-server.process.manage	Permission to start and stop the service
admin-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
admin-server.security.read	Permission to view security-related resources

Alerting

The following table describes the permissions in the Alerting tab.

Permission	Description
Access Alerting Module	Permission to access the alerting module
Manage Rules	Permission to update the rules
View Alerts	Permission to view the alerts
View Rules	Permission to view the rules

The following table lists the permissions in the Alerting tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	Operators	Analysts
Access Alerting Module	Yes	Yes	Yes	Yes	Yes
Manage Rules	Yes	Yes	Yes	Yes
View Alerts	Yes	Yes	Yes		Yes
View Rules		Yes	Yes	Yes

Config-server

The following table describes the permissions in the Config-server tab. The Administrators role has all of the permissions and is the only role granted permissions by default.

Permission	Description
config-server.*	All permissions (everything below)
config-server.configuration.manage	Permission to modify all service configuration parameters
config-server.health.read	Permission to view any health notifications that the service exposes
config-server.logs.manage	Permission to change log-related configuration
config-server.metrics.read	Permission to view any metrics that the service exposes
config-server.process.manage	Permission to start and stop the service
config-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
config-server.security.read	Permission to view security-related resources

Content-server

The following table describes the permissions in the Content-server tab.

Permission	Description
content-server.*	All permissions (everything below)
content-server.configuration.manage	Permission to modify all service configuration parameters
content-server.health.read	Permission to view any health notifications that the service exposes
content-server.logparser.manage	Permission to manage log parser configurations
content-server.logparser.read	Permission to view log parser configurations
content-server.logs.manage	Permission to change log-related configuration
content-server.metrics.read	Permission to view any metrics that the service exposes
content-server.process.manage	Permission to start and stop the service
content-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
content-server.security.read	Permission to view security-related resources

The following table lists the permissions in the Content-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission	DPOs	SOC Mgrs	Operators	Analysts
content-server.*	Yes		Yes
content-server.configuration.manage
content-server.health.read
content-server.logparser.manage
content-server.logparser.read		Yes		Yes
content-server.logs.manage
content-server.metrics.read
content-server.process.manage
content-server.security.manage
content-server.security.read

Contexthub-server

The following table describes the permissions in the Contexthub-server tab.

Permission	Description
contexthub-server.*	All permissions (everything below)
contexthub-server.configuration.manage	Permission to modify all service configuration parameters
contexthub-server.connection.manage	Permission to modify all connection settings
contexthub-server.connection.read	Permission to view all connection settings
contexthub-server.connectiontypes.read	Permission to view all configured connection types
contexthub-server.datasource.manage	Permission to modify data source settings
contexthub-server.datasource.read	Permission to view data source settings
contexthub-server.health.read	Permission to view any health notifications that the service exposes
contexthub-server.listentries.manage	Permission to modify list entries
contexthub-server.logs.manage	Permission to change log-related configuration
contexthub-server.metrics.read	Permission to view any metrics that the service exposes
contexthub-server.process.manage	Permission to start and stop the service
contexthub-server.query.read	Permission to view queries
contexthub-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
contexthub-server.security.read	Permission to view security-related resources
contexthub-server.stix.read	Permission to view stix settings
contexthub-server.taxiidatasource.manage	Permission to modify settings for the taxii data source
contexthub-server.taxiidatasource.read	Permission to view settings for the taxii data source

The following table lists the permissions in the Contexthub-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	MAs	Analysts
contexthub-server.*		Yes
contexthub-server.configuration.manage
contexthub-server.connection.manage
contexthub-server.connection.read	Yes		Yes	Yes	Yes
contexthub-server.connectiontypes.read			Yes
contexthub-server.datasource.manage	Yes		Yes	Yes	Yes
contexthub-server.datasource.read	Yes		Yes	Yes	Yes
contexthub-server.health.read
contexthub-server.listentries.manage	Yes			Yes	Yes
contexthub-server.logs.manage
contexthub-server.metrics.read
contexthub-server.process.manage
contexthub-server.query.read	Yes		Yes	Yes	Yes
contexthub-server.security.manage
contexthub-server.security.read
contexthub-server.stix.read			Yes	Yes	Yes
contexthub-server.taxiidatasource.manage			Yes	Yes	Yes
contexthub-server.taxiidatasource.read			Yes	Yes	Yes

Correlation-server

The following table describes the permissions in the Correlation-server tab.

Permission	Description
correlation-server.*	All permissions (everything below)
correlation-server.configuration.manage	Permission to modify all service configuration parameters
correlation-server.endpoint.manage	Permission to modify all endpoint configuration parameters
correlation-server.endpoint.read	Permission to view all endpoint configuration parameters
correlation-server.engine.manage	Permission to modify all engine configuration parameters
correlation-server.engine.read	Permission to view all engine configuration parameters
correlation-server.esperrule.manage	Permission to modify all esperrule configuration parameters
correlation-server.esperrule.read	Permission to view all esperrule configuration parameters
correlation-server.health.read	Permission to view any health notifications that the service exposes
correlation-server.keyvaluerule.manage	Permission to modify all keyvaluerule configuration parameters
correlation-server.keyvaluerule.read	Permission to view all keyvaluerule configuration parameters
correlation-server.logs.manage	Permission to change log-related configuration
correlation-server.metrics.read	Permission to view any metrics that the service exposes
correlation-server.module.manage	Permission to modify each module
correlation-server.module.read	Permission to view each module
correlation-server.process.manage	Permission to start and stop the service
correlation-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
correlation-server.security.read	Permission to view security-related resources
correlation-server.stream.manage	Permission to edit stream configuration settings
correlation-server.stream.read	Permission to view stream configuration settings
correlation-server.telemetry.read	Permission to view telemetry configuration settings

The following table lists the permissions in the Correlation-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	Operators
correlation-server.*		Yes
correlation-server.configuration.manage
correlation-server.endpoint.manage
correlation-server.endpoint.read
correlation-server.engine.manage	Yes		Yes	Yes
correlation-server.engine.read	Yes		Yes	Yes
correlation-server.esperrule.manage
correlation-server.esperrule.read
correlation-server.health.read
correlation-server.keyvaluerule.manage
correlation-server.keyvaluerule.read
correlation-server.logs.manage
correlation-server.metrics.read
correlation-server.module.manage	Yes		Yes	Yes
correlation-server.module.read	Yes		Yes	Yes
correlation-server.process.manage
correlation-server.security.manage
correlation-server.security.read
correlation-server.stream.manage	Yes		Yes	Yes
correlation-server.stream.read	Yes		Yes	Yes
correlation-server.telemetry.read

Dashboard

The following table describes the permissions in the Dashboard tab.

Permission	Description
Dashlet Access - Admin Device List Dashlet	Permission to access Admin Device List Dashlet
Dashlet Access - Admin Device Monitor Dashlet	Permission to access Admin Device Monitor Dashlet
Dashlet Access - Admin News Dashlet	Permission to access Admin News Dashlet
Dashlet Access - Alert Variance Dashlet	Permission to access Alert Variance Dashlet
Dashlet Access - Alerting Recent Alerts Dashlet	Permission to access Alerting Recent Alerts Dashlet
Dashlet Access - Investigation Jobs Dashlet	Permission to access Investigation Jobs Dashlet
Dashlet Access - Investigation Top Values Dashlet	Permission to access Investigation Top Values Dashlet
Dashlet Access - Live Featured Resources Dashlet	Permission to access Live Featured Resources Dashlet
Dashlet Access - Live New Resources Dashlet	Permission to access Live New Resources Dashlet
Dashlet Access - Live Subscriptions Dashlet	Permission to access Live Subscriptions Dashlet
Dashlet Access - Live Updated Resources Dashlet	Permission to access Live Updated Resources Dashlet
Dashlet Access - Malware Jobs Dashlet	Permission to access Malware Jobs Dashlet
Dashlet Access - Reporting Recent Report Dashlet	Permission to access Reporting Recent Report Dashlet
Dashlet Access - Reporting Charts Dashlet	Permission to access Reporting Charts Dashlet
Dashlet Access - Top Alerts Dashlet	Permission to access Top Alerts Dashlet
Dashlet Access - Unified RSA First Watch Dashlet	Permission to access Unified RSA First Watch Dashlet
Dashlet Access - Unified Shortcuts Dashlet	Permission to access Unified Shortcuts Dashlet

The following table lists the permissions in the Dashboard tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	RA	DPOs	SOC Mgrs	Operators	Analysts
Dashlet Access - Admin Device List Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Admin Device Monitor Dashlet		Yes
Dashlet Access - Admin News Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Alert Variance Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Alerting Recent Alerts Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Investigation Jobs Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Investigation Top Values Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Live Featured Resources Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Live New Resources Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Live Subscriptions Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Live Updated Resources Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Malware Jobs Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Reporting Recent Report Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Reporting Charts Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Top Alerts Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Unified RSA First Watch Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Unified Shortcuts Dashlet	Yes	Yes	Yes	Yes	Yes

Endpoint-broker-server

The following table describes the permissions in the Endpoint Broker server tab.

Permission	Description
endpoint-broker-server*	All permissions (everything below)
endpoint-broker-server.agent.manage	Permission to manage the agent, that is start or stop scan, downloading file from host, delete agent data from the Endpoint Log Hybrid and so on.
endpoint-broker-server.agent.read	Permission to view the endpoint data received from the agent such as host, file, certificate, events and so on.
endpoint-broker-server.configuration.manage	Permission to modify all endpoint broker configuration parameters
endpoint-broker-server.health.read	Permission to view any health notifications that the service exposes
endpoint-broker-server.logs.manage	Permission to change log-related configuration
endpoint-broker-server.metrics.read	Permission to view any metrics that the service exposes
endpoint-broker-server.policy.read	Permission to view existing policy details
endpoint-broker-server.process.manage	Permission to start and stop the service
endpoint-broker-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
endpoint-broker-server.security.read	Permission to view security-related resources

The following table lists the permissions in the Endpoint-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission	Operators	Analysts
endpoint-broker-server*
endpoint-broker-server.agent.manage	Yes	Yes
endpoint-broker-server.agent.read	Yes	Yes
endpoint-broker-server.configuration.manage
endpoint-broker-server.health.read
endpoint-broker-server.logs.manage
endpoint-broker-server.metrics.read
endpoint-broker-server.policy.read		Yes
endpoint-broker-server.process.manage
endpoint-broker-server.security.manage
endpoint-broker-server.security.read

Endpoint-server

The following table describes the permissions in the Endpoint-server tab.

Permission	Description
endpoint-server*	All permissions (everything below)
endpoint-server.agent.manage	Permission to generate and download the agent packager. Permission to manage the agent, that is start or stop scan, downloading files, master file table (MFT), memory dumps from host, isolate host from network, delete agent data from the Endpoint Log Hybrid and so on.
endpoint-server.agent.read	Permission to view the agent packager configuration. Permission to view the endpoint data received from the agent such as host, file, certificate, events, and so on.
endpoint-server.ca.manage	Permission to generate and download the agent packager.
endpoint-server.ca.read	Permission to generate and download the agent packager
endpoint-server.configuration.manage	Permission to modify all endpoint configuration parameters
endpoint-server.filter.manage	Permission to save, modify, and delete filters
endpoint-server.filter.read	Permission to view filters
endpoint-server.health.read	Permission to view any health notifications that the service exposes
endpoint-server.logs.manage	Permission to change log-related configuration
endpoint-server.metrics.read	Permission to view any metrics that the service exposes
endpoint-server.policy.read	Permission to view existing policy details
endpoint-server.process.manage	Permission to start and stop the service
endpoint-server.relay.manage	Permission to modify Relay Server Configuration
endpoint-server.relay.read	Permissions to view Relay Server details
endpoint-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
endpoint-server.security.read	Permission to view security-related resources

Permission	Operators	Analysts
endpoint-server*
endpoint-server.agent.manage	Yes	Yes
endpoint-server.agent.read	Yes	Yes
endpoint-server.ca.manage	Yes
endpoint-server.ca.read	Yes
endpoint-server.configuration.manage
endpoint-server.filter.manage		Yes
endpoint-server.filter.read		Yes
endpoint-server.health.read
endpoint-server.logs.manage
endpoint-server.metrics.read
endpoint-server.policy.read		Yes
endpoint-server.process.manage
endpoint-server.relay.manage	Yes
endpoint-server.relay.read	Yes
endpoint-server.security.manage
endpoint-server.security.read

Esa-analytics-server

The following table describes the permissions in the Esa-analytics-server tab. The Administrators and Operators roles have all of the permissions and are the only roles granted permissions by default.

Permission	Description
esa-analytics-server.*	All permissions (everything below)
esa-analytics-server.analytics.manage	Permission to modify ESA analytics
esa-analytics-server.analytics.read	Permission to view ESA analytics
esa-analytics-server.configuration.manage	Permission to modify all service configuration parameters
esa-analytics-server.health.read	Permission to view any health notifications that the service exposes
esa-analytics-server.logs.manage	Permission to change log-related configuration
esa-analytics-server.metrics.read	Permission to view any metrics that the service exposes
esa-analytics-server.model.manage	Permission to modify ESA models
esa-analytics-server.model.read	Permission to view ESA models
esa-analytics-server.process.manage	Permission to start and stop the service
esa-analytics-server.security.manage	Permission to modify security-related resources
esa-analytics-server.security.read	Permission to view security-related resources

Incidents

The following table describes the permissions in the Incidents tab.

Permission	Description
Access Incident Module	Permission to access the Incident module
Configure Incident Management Integration	Permission to configure incident management integration
Delete Alerts and incidents	Permission o delete alerts and incidents
Manage Alert Handling Rules	Permission to modify the alert handling rules
View and Manage Incidents	Permission to modify the incidents

The following table lists the permissions in the Incidents tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	MAs	Analysts
Access Incident Module	Yes	Yes	Yes	Yes	Yes
Configure Incident Management Integration	Yes	Yes	Yes
Delete Alerts and incidents	Yes	Yes
Manage Alert Handling Rules	Yes	Yes	Yes
View and Manage Incidents	Yes	Yes	Yes	Yes	Yes

Integration-server

(The Integration-server permissions are available in NetWitness Platform version 11.1 and later.)

The following table describes the permissions in the Integration-server tab.

Permission	Description
integration-server.*	All permissions (everything below)
integration-server.api.access	Permission to authorize external requests from 3rd party applications
integration-server.configuration.manage	Permission to view and modify all service integration configuration parameters
integration-server.health.read	Permission to read any health notifications that the service exposes
integration-server.logs.manage	Permission to change log-related integration configurations
integration-server.metrics.read	Permission to read any metrics that the service exposes
integration-server.notification.manage	Permission to change global notification configurations (for example, SMTP server)
integration-server.notification.read	Permission to read global notification configurations (for example, SMTP server)
integration-server.notification.send	Permission to send notifications (for example, Email)
integration-server.process.manage	Permission to start and stop the service
integration-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
integration-server.security.read	Permission to read security-related resources
integration-server.template.manage	Permission to change notification template
integration-server.template.read	Permission to read notification template

The following table lists the permissions in the Integration-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	Operators
integration-server.*		Yes
integration-server.api.access
integration-server.configuration.manage
integration-server.health.read
integration-server.logs.manage
integration-server.metrics.read
integration-server.notification.manage	Yes		Yes	Yes
integration-server.notification.read	Yes		Yes	Yes
integration-server.notification.send	Yes		Yes	Yes
integration-server.process.manage
integration-server.security.manage
integration-server.security.read
integration-server.template.manage	Yes		Yes	Yes
integration-server.template.read	Yes		Yes	Yes

Investigate

The following table describes the permissions in the Investigate tab.

Permission	Description
Access Investigation Module	Permission to access investigation module
Context Lookup	Permission to access context lookup
Create Incidents from Investigation	Permission to create incidents from investigation
Manage List from Investigation	Permission to modify the list of investigation
Navigate Events	Permission to navigate the events
Navigate Values	Permission to navigate the values

The following table lists the permissions in the Investigate tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	MAs	Analysts
Access Investigation Module	Yes	Yes	Yes	Yes	Yes
Context Lookup	Yes		Yes	Yes	Yes
Create Incidents from Investigation	Yes		Yes	Yes	Yes
Manage List from Investigation	Yes		Yes	Yes	Yes
Navigate Events	Yes	Yes	Yes	Yes	Yes
Navigate Values	Yes	Yes	Yes	Yes	Yes

Investigate-server

The following table describes the permissions in the Investigate-server tab.

Permission	Description
investigate-server.*	All permissions (everything below) for the 11.4 Events view and 11.3 and earlier Event Analysis view
investigate-server.column group.read	Permission to access column groups
investigate-server.configuration.manage	Permission to change any configuration properties for the service
investigate-server.content.export	Permission to export content from the service
investigate-server-content.manage	Permission to clear all per service or per user reconstruction cache
investigate-server.content.reconstruct	Permission to view the summary view, the packet, packet map, text, log, and file reconstructions, as well as the packet count
investigate-server.event.read	Permission to view events that the service exposes
investigate-server.health.read	Permission to view any health notifications that the service exposes
investigate-server.logs.manage	Permission to change log-related configuration
investigate-server.metagroup.manage	Permission to manage meta groups
investigate-server.metagroup.read	Permission to view and use meta groups
investigate-server.metrics.read	Permission to view any metrics that the service exposes
investigate-server.predicate.manage	Permission to edit or remove one or more predicates
investigate-server.predicate.read	Permission to filter events in the Navigate view, Legacy EventsEvents view, and Events view. Note: This permission is required with investigate-server.event.read permission to provide access to the and Events view.
investigate-server.process.manage	Permission to start and stop the service
investigate-server.profile.read	Permission to access profiles.
investigate-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
investigate-server.security.read	Permission to view security-related resources

The following table lists the permissions in the Investigate-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	MAs	Analysts
investigate-server.*	Yes	Yes
investigate-server.columngroup.read			Yes	Yes	Yes
investigate-server.configuration.manage
investigate-server.content.export			Yes	Yes	Yes
investigate-server.content.manage
investigate-server.content.reconstruct			Yes	Yes	Yes
investigate-server.event.read			Yes	Yes	Yes
investigate-server.health.read
investigate-server.incident.manage					Yes
investigate-server.logs.manage
investigate-server.metagroup.manage
investigate-server.metagroup.read			Yes	Yes	Yes
investigate-server.metrics.read
investigate-server.predicate.manage
investigate-server.predicate.read			Yes	Yes	Yes
investigate-server.process.manage
investigate-server.profile.read			Yes	Yes	Yes
investigate-server.security.manage
investigate-server.security.read

License-server

The following table describes the permissions in the License-server tab. The Administrator and Operator have all of the permissions and are the only roles granted permissions by default.

Permission	Description
license-server.*	All permissions (everything below)
license-server.configuration.manage	Permission to modify all service configuration parameters
license-server.health.read	Permission to view any health notifications that the service exposes
license-server.license.manage	Permission to manage license related configurations
license-server.license.read	Permission to view license related configurations
license-server.logs.manage	Permission to change log-related configuration
license-server.metrics.read	Permission to view any metrics that the service exposes
license-server.process.manage	Permission to start and stop the service
license-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
license-server.security.read	Permission to view security-related resources

Live

The following table describes the permissions in the Live tab.

Permission	Permission
Live
Access Live Module	Permission to access live module
Manage Live System Settings	Permission to modify the live system settings
Resources
Deploy Live Resources	Permission to deploy live resources
Manage Live Feeds	Permission to modify live feeds
Manage Live Resources	Permission to modify live resources
Search Live Resources	Permission to search live resources
View Live Resource Details	Permission to view live resource details

The following table lists the permissions in the Live tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	DPOs	SOC Mgrs	Operators	Analysts
Live
Access Live Module	Yes	Yes	Yes	Yes
Manage Live System Settings			Yes
Resources
Deploy Live Resources	Yes		Yes
Manage Live Feeds	Yes