on Aug 29, 2018InNetWitness Platform, user can access each module, dashlet, and view is restricted based on the assigned permissions. You can locate these role permissions in the Add or Edit Roles dialogs accessible from the Admin > Security > Roles tab.
In the Add or Edit Role dialogs, the tabs in the Permission section represent different areas of NetWitness Platform and show the available permissions for those areas. For example, the Administration tab shows the permissions available in the Admin view.
Note: There is no Configure tab in the Add/Edit Role dialogs that corresponds to the Configure view. To assign permissions in the Configure view, assign permissions to the views contained within the Configure view: Live Content (Live), Incident Rules (Incidents), Respond Notifications (Incidents, Respond-server, Integration server), ESA Rules (Alerting), Subscriptions (Live), and Custom Feeds (Live).
Note: To the left of the Administration tab is a tab marked with an asterisk (*). This tab indicates access to management of backend services only.
The tables that follow show the default permissions assigned to each NetWitness Platform user role:
- Administrators
-
Respond Administrators (RAs)
- Data Privacy Officers (DPOs)
- SOC Managers (SOC Mgrs)
- Operators
- Malware Analysts (MAs)
- Analysts
- UEBA Analysts
Since the Administrators role has all of the permissions by default, it is not included in the tables.
Service Permissions Format for New Services
The service permissions for some new NetWitness Platform services contain three parts in the following format:
<service name>.<resource>.<action>
For example, for the investigate-server.metrics.read permission:
- service name = investigate-server
- resource = metrics
- action = read
Users assigned this permission can read any metrics that the investigate-server service exposes.
Administration
The following table describes the list of permissions in Administration tab.
| Permission | Description |
|---|---|
| Access Administration Module | Permission to access all the administration modules |
| Access Health & Wellness | Permission to access the health and wellness module |
| Apply System Updates | Permission to update the system |
| Can Opt In to Live Intelligence Sharing | Permission to opt for Live Intelligence sharing |
| Manage Advanced Settings | Permission to modify the advanced settings |
| Manage ATD Settings | Permission to modify the ATD settings |
| Manage Auditing | Permission to modify the auditing |
| Manage Email | Permission to change the email settings |
| Manage Global Auditing | Permission to modify global auditing |
| Manage Health & Wellness Policy | Permission to update the health & wellness policy |
| Manage Jobs | Permission to change the job settings |
| Manage LLS | Permission to modify LLS |
| Manage Logs | Permission to modify log related configurations |
| Manage Notifications | Permission to change notification settings |
| Manage Plugins | Permission to modify the plugins |
| Manage Predicates | Permission to modify the predicates |
| Manage Reconstruction | Permission to change the reconstruction |
| Manage Security | Permission to update the security settings |
| Manage Services | Permission to start and stop the services |
| Manage System Settings | Permission to the modify the system settings |
| Modify ESA Settings | Permission to modify the ESA settings |
| Modify Event Sources | Permission to modify the ESA sources |
| Modify Hosts | Permission to modify the hosts |
| Modify Services | Permission to modify the services |
| View Event Sources | Permission to view the event sources |
| View Health & Wellness Policy | Permission to view the health & wellness policy |
| View Health & Wellness Stats Browser | Permission to view the health and wellness status in the browser |
| View Hosts | Permission to view the hosts |
| View Services | Permission to view the services |
| View Unified Sources | Permission to view the unified sources |
The following table lists the permissions in the Administration tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Access Administration Module |
| Yes | Yes | Yes | Yes | Yes |
| Access Health & Wellness | Yes | Yes | Yes | Yes | Yes | |
| Apply System Updates |
| Yes | ||||
| Can Opt In to Live Intelligence Sharing | Yes | |||||
| Manage Advanced Settings |
| Yes | ||||
| Manage ATD Settings | Yes | Yes | Yes | Yes | ||
| Manage Auditing |
| Yes | Yes | |||
| Manage Email | Yes | |||||
| Manage Global Auditing |
| Yes | Yes | |||
| Manage Health & Wellness Policy | Yes | |||||
| Manage Jobs |
| Yes | Yes | Yes |
|
|
| Manage LLS |
| Yes | ||||
| Manage Logs | Yes | Yes | ||||
| Manage Notifications |
| Yes | ||||
| Manage Plugins | Yes | Yes | Yes | Yes | ||
| Manage Predicates |
| Yes | ||||
| Manage Reconstruction | Yes | |||||
| Manage Security |
| Yes | Yes | |||
| Manage Services | Yes | Yes | ||||
| Manage System Settings |
| Yes | Yes | Yes | Yes | |
| Modify ESA Settings | Yes | |||||
| Modify Event Sources |
| Yes | ||||
| Modify Hosts | Yes | |||||
| Modify Services |
| Yes | Yes | |||
| View Event Sources | Yes | Yes | ||||
| View Health & Wellness Policy |
| Yes | Yes | Yes | ||
| View Health & Wellness Stats Browser | Yes | Yes | Yes | Yes | ||
| View Hosts |
| Yes | Yes | |||
| View Services | Yes | Yes | ||||
| View Unified Sources |
| Yes | Yes | Yes | Yes |
Admin-server
The following table describes the permissions in the Admin-server tab.
| Permission | Description |
|---|---|
| admin-server.configuration.manage | Permission to modify all service configuration parameters |
| admin-server.health.read | Permission to view any health notifications that the service exposes |
| admin-server.logs.manage | Permission to change log-related configuration |
| admin-server.metrics.read | Permission to view any metrics that the service exposes |
| admin-server.process.manage | Permission to start and stop the service |
| admin-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| admin-server.security.read | Permission to view security-related resources |
Alerting
The following table describes the permissions in the Alerting tab.
| Permission | Description |
|---|---|
| Access Alerting Module | Permission to access the alerting module |
| Manage Rules | Permission to update the rules |
| View Alerts | Permission to view the alerts |
| View Rules | Permission to view the rules |
The following table lists the permissions in the Alerting tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Access Alerting Module | Yes | Yes | Yes | Yes |
| Yes |
| Manage Rules | Yes | Yes | Yes | Yes | ||
| View Alerts | Yes | Yes | Yes |
|
| Yes |
| View Rules | Yes | Yes | Yes |
Config-server
The following table describes the permissions in the Config-server tab. The Administrators role has all of the permissions and is the only role granted permissions by default.
| Permission | Description |
|---|---|
| config-server.* | All permissions (everything below) |
| config-server.configuration.manage | Permission to modify all service configuration parameters |
| config-server.health.read | Permission to view any health notifications that the service exposes |
| config-server.logs.manage | Permission to change log-related configuration |
| config-server.metrics.read | Permission to view any metrics that the service exposes |
| config-server.process.manage | Permission to start and stop the service |
| config-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| config-server.security.read | Permission to view security-related resources |
Content-server
The following table describes the permissions in the Content-server tab.
| Permission | Description |
|---|---|
| content-server.* | All permissions (everything below) |
| content-server.configuration.manage | Permission to modify all service configuration parameters |
| content-server.health.read | Permission to view any health notifications that the service exposes |
| content-server.logparser.manage | Permission to manage log parser configurations |
| content-server.logparser.read | Permission to view log parser configurations |
| content-server.logs.manage | Permission to change log-related configuration |
| content-server.metrics.read | Permission to view any metrics that the service exposes |
| content-server.process.manage | Permission to start and stop the service |
| content-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| content-server.security.read | Permission to view security-related resources |
The following table lists the permissions in the Content-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| content-server.* | Yes | Yes |
| |||
| content-server.configuration.manage | ||||||
| content-server.health.read |
| |||||
| content-server.logparser.manage | ||||||
| content-server.logparser.read | Yes | Yes | ||||
| content-server.logs.manage | ||||||
| content-server.metrics.read |
|
|
|
|
|
|
| content-server.process.manage |
|
|
|
|
| |
| content-server.security.manage |
|
|
|
|
|
|
| content-server.security.read |
|
|
|
|
|
Contexthub-server
The following table describes the permissions in the Contexthub-server tab.
| Permission | Description |
|---|---|
| contexthub-server.* | All permissions (everything below) |
| contexthub-server.configuration.manage | Permission to modify all service configuration parameters |
| contexthub-server.connection.manage | Permission to modify all connection settings |
| contexthub-server.connection.read | Permission to view all connection settings |
| contexthub-server.connectiontypes.read | Permission to view all configured connection types |
| contexthub-server.datasource.manage | Permission to modify data source settings |
| contexthub-server.datasource.read | Permission to view data source settings |
| contexthub-server.health.read | Permission to view any health notifications that the service exposes |
| contexthub-server.listentries.manage | Permission to modify list entries |
| contexthub-server.logs.manage | Permission to change log-related configuration |
| contexthub-server.metrics.read | Permission to view any metrics that the service exposes |
| contexthub-server.process.manage | Permission to start and stop the service |
| contexthub-server.query.read | Permission to view queries |
| contexthub-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| contexthub-server.security.read | Permission to view security-related resources |
| contexthub-server.stix.read | Permission to view stix settings |
| contexthub-server.taxiidatasource.manage | Permission to modify settings for the taxii data source |
| contexthub-server.taxiidatasource.read | Permission to view settings for the taxii data source |
The following table lists the permissions in the Contexthub-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| contexthub-server.* | Yes |
| ||||
| contexthub-server.configuration.manage | ||||||
| contexthub-server.connection.manage |
| |||||
| contexthub-server.connection.read | Yes | Yes | Yes | Yes | ||
| contexthub-server.connectiontypes.read | Yes |
| ||||
| contexthub-server.datasource.manage | Yes | Yes | Yes | Yes | ||
| contexthub-server.datasource.read | Yes | Yes | Yes | Yes | ||
| contexthub-server.health.read | ||||||
| contexthub-server.listentries.manage | Yes | Yes | Yes | |||
| contexthub-server.logs.manage | ||||||
| contexthub-server.metrics.read |
| |||||
| contexthub-server.process.manage | ||||||
| contexthub-server.query.read | Yes | Yes | Yes | Yes | ||
| contexthub-server.security.manage | ||||||
| contexthub-server.security.read |
| |||||
| contexthub-server.stix.read | Yes | Yes | Yes | |||
| contexthub-server.taxiidatasource.manage | Yes | Yes | Yes | |||
| contexthub-server.taxiidatasource.read | Yes | Yes | Yes |
Correlation-server
The following table describes the permissions in the Correlation-server tab.
| Permission | Description |
|---|---|
| correlation-server.* | All permissions (everything below) |
| correlation-server.configuration.manage | Permission to modify all service configuration parameters |
| correlation-server.endpoint.manage | Permission to modify all endpoint configuration parameters |
| correlation-server.endpoint.read | Permission to view all endpoint configuration parameters |
| correlation-server.engine.manage | Permission to modify all engine configuration parameters |
| correlation-server.engine.read | Permission to view all engine configuration parameters |
| correlation-server.esperrule.manage | Permission to modify all esperrule configuration parameters |
| correlation-server.esperrule.read | Permission to view all esperrule configuration parameters |
| correlation-server.health.read | Permission to view any health notifications that the service exposes |
| correlation-server.keyvaluerule.manage | Permission to modify all keyvaluerule configuration parameters |
| correlation-server.keyvaluerule.read | Permission to view all keyvaluerule configuration parameters |
| correlation-server.logs.manage | Permission to change log-related configuration |
| correlation-server.metrics.read | Permission to view any metrics that the service exposes |
| correlation-server.module.manage | Permission to modify each module |
| correlation-server.module.read | Permission to view each module |
| correlation-server.process.manage | Permission to start and stop the service |
| correlation-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| correlation-server.security.read | Permission to view security-related resources |
| correlation-server.stream.manage | Permission to edit stream configuration settings |
| correlation-server.stream.read | Permission to view stream configuration settings |
| correlation-server.telemetry.read | Permission to view telemetry configuration settings |
The following table lists the permissions in the Correlation-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| correlation-server.* | Yes |
|
|
|
| |
| correlation-server.configuration.manage | ||||||
| correlation-server.endpoint.manage |
|
|
|
|
|
|
| correlation-server.endpoint.read |
|
|
|
|
|
|
| correlation-server.engine.manage | Yes |
| Yes | Yes |
|
|
| correlation-server.engine.read | Yes | Yes | Yes | |||
| correlation-server.esperrule.manage |
|
|
|
|
|
|
| correlation-server.esperrule.read |
|
|
|
|
|
|
| correlation-server.health.read |
|
|
|
|
| |
| correlation-server.keyvaluerule.manage | ||||||
| correlation-server.keyvaluerule.read | ||||||
| correlation-server.logs.manage | ||||||
| correlation-server.metrics.read |
|
|
|
|
| |
| correlation-server.module.manage | Yes | Yes | Yes | |||
| correlation-server.module.read | Yes |
| Yes | Yes |
|
|
| correlation-server.process.manage | ||||||
| correlation-server.security.manage |
|
|
|
|
| |
| correlation-server.security.read | ||||||
| correlation-server.stream.manage | Yes |
| Yes | Yes |
|
|
| correlation-server.stream.read | Yes | Yes | Yes | |||
| correlation-server.telemetry.read |
|
|
|
|
|
Dashboard
The following table describes the permissions in the Dashboard tab.
| Permission | Description |
|---|---|
| Dashlet Access - Admin Device List Dashlet | Permission to access Admin Device List Dashlet |
| Dashlet Access - Admin Device Monitor Dashlet | Permission to access Admin Device Monitor Dashlet |
| Dashlet Access - Admin News Dashlet | Permission to access Admin News Dashlet |
| Dashlet Access - Alert Variance Dashlet | Permission to access Alert Variance Dashlet |
| Dashlet Access - Alerting Recent Alerts Dashlet | Permission to access Alerting Recent Alerts Dashlet |
| Dashlet Access - Investigation Jobs Dashlet | Permission to access Investigation Jobs Dashlet |
| Dashlet Access - Investigation Top Values Dashlet | Permission to access Investigation Top Values Dashlet |
| Dashlet Access - Live Featured Resources Dashlet | Permission to access Live Featured Resources Dashlet |
| Dashlet Access - Live New Resources Dashlet | Permission to access Live New Resources Dashlet |
| Dashlet Access - Live Subscriptions Dashlet | Permission to access Live Subscriptions Dashlet |
| Dashlet Access - Live Updated Resources Dashlet | Permission to access Live Updated Resources Dashlet |
| Dashlet Access - Malware Jobs Dashlet | Permission to access Malware Jobs Dashlet |
| Dashlet Access - Reporting Recent Report Dashlet | Permission to access Reporting Recent Report Dashlet |
| Dashlet Access - Reporting Charts Dashlet | Permission to access Reporting Charts Dashlet |
| Dashlet Access - Top Alerts Dashlet | Permission to access Top Alerts Dashlet |
| Dashlet Access - Unified RSA First Watch Dashlet | Permission to access Unified RSA First Watch Dashlet |
| Dashlet Access - Unified Shortcuts Dashlet | Permission to access Unified Shortcuts Dashlet |
The following table lists the permissions in the Dashboard tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.
| Permission | RA | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Dashlet Access - Admin Device List Dashlet | Yes | Yes | Yes | Yes | Yes | |
| Dashlet Access - Admin Device Monitor Dashlet | Yes | |||||
| Dashlet Access - Admin News Dashlet | Yes | Yes | Yes | Yes | Yes | |
| Dashlet Access - Alert Variance Dashlet | Yes | Yes | Yes | Yes | ||
| Dashlet Access - Alerting Recent Alerts Dashlet | Yes | Yes | Yes | Yes | ||
| Dashlet Access - Investigation Jobs Dashlet | Yes | Yes | Yes | Yes | ||
| Dashlet Access - Investigation Top Values Dashlet | Yes | Yes | Yes | Yes | ||
| Dashlet Access - Live Featured Resources Dashlet | Yes | Yes | Yes | Yes | Yes | |
| Dashlet Access - Live New Resources Dashlet | Yes | Yes | Yes | Yes | Yes | |
| Dashlet Access - Live Subscriptions Dashlet | Yes | Yes | Yes | Yes | Yes | |
| Dashlet Access - Live Updated Resources Dashlet | Yes | Yes | Yes | Yes | Yes | |
| Dashlet Access - Malware Jobs Dashlet | Yes | Yes | Yes | Yes | ||
| Dashlet Access - Reporting Recent Report Dashlet | Yes | Yes | Yes | Yes | ||
| Dashlet Access - Reporting Charts Dashlet | Yes | Yes | Yes | Yes | ||
| Dashlet Access - Top Alerts Dashlet | Yes | Yes | Yes | Yes | ||
| Dashlet Access - Unified RSA First Watch Dashlet | Yes | Yes | Yes | Yes | Yes | |
| Dashlet Access - Unified Shortcuts Dashlet | Yes | Yes | Yes | Yes | Yes |
Endpoint-broker-server
The following table describes the permissions in the Endpoint Broker server tab.
| Permission | Description |
|---|---|
| endpoint-broker-server* | All permissions (everything below) |
| endpoint-broker-server.agent.manage | Permission to manage the agent, that is start or stop scan, downloading file from host, delete agent data from the Endpoint Log Hybrid and so on. |
| endpoint-broker-server.agent.read | Permission to view the endpoint data received from the agent such as host, file, certificate, events and so on. |
| endpoint-broker-server.configuration.manage | Permission to modify all endpoint broker configuration parameters |
| endpoint-broker-server.health.read | Permission to view any health notifications that the service exposes |
| endpoint-broker-server.logs.manage | Permission to change log-related configuration |
| endpoint-broker-server.metrics.read | Permission to view any metrics that the service exposes |
| endpoint-broker-server.policy.read | Permission to view existing policy details |
| endpoint-broker-server.process.manage | Permission to start and stop the service |
| endpoint-broker-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| endpoint-broker-server.security.read | Permission to view security-related resources |
The following table lists the permissions in the Endpoint-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.
| Permission | RA | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| endpoint-broker-server* |
|
|
|
|
| |
| endpoint-broker-server.agent.manage | Yes | Yes | ||||
| endpoint-broker-server.agent.read |
|
| Yes |
| Yes | |
| endpoint-broker-server.configuration.manage | ||||||
| endpoint-broker-server.health.read |
|
|
|
|
| |
| endpoint-broker-server.logs.manage | ||||||
| endpoint-broker-server.metrics.read |
|
|
|
|
| |
| endpoint-broker-server.policy.read |
|
|
|
| Yes | |
| endpoint-broker-server.process.manage | ||||||
| endpoint-broker-server.security.manage |
|
|
|
|
| |
| endpoint-broker-server.security.read |
Endpoint-server
The following table describes the permissions in the Endpoint-server tab.
| Permission | Description |
|---|---|
| endpoint-server* | All permissions (everything below) |
| endpoint-server.agent.manage | Permission to generate and download the agent packager. Permission to manage the agent, that is start or stop scan, downloading files, master file table (MFT), memory dumps from host, isolate host from network, delete agent data from the Endpoint Log Hybrid and so on. |
| endpoint-server.agent.read | Permission to view the agent packager configuration. Permission to view the endpoint data received from the agent such as host, file, certificate, events, and so on. |
| endpoint-server.ca.manage | Permission to generate and download the agent packager. |
| endpoint-server.ca.read | Permission to generate and download the agent packager |
| endpoint-server.configuration.manage | Permission to modify all endpoint configuration parameters |
| endpoint-server.filter.manage | Permission to save, modify, and delete filters |
| endpoint-server.filter.read | Permission to view filters |
| endpoint-server.health.read | Permission to view any health notifications that the service exposes |
| endpoint-server.logs.manage | Permission to change log-related configuration |
| endpoint-server.metrics.read | Permission to view any metrics that the service exposes |
| endpoint-server.policy.read | Permission to view existing policy details |
| endpoint-server.process.manage | Permission to start and stop the service |
| endpoint-server.relay.manage | Permission to modify Relay Server Configuration |
| endpoint-server.relay.read | Permissions to view Relay Server details |
| endpoint-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| endpoint-server.security.read | Permission to view security-related resources |
The following table lists the permissions in the Endpoint-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.
| Permission | RA | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| endpoint-server* |
| |||||
| endpoint-server.agent.manage | Yes | Yes | ||||
| endpoint-server.agent.read | Yes | Yes | ||||
| endpoint-server.ca.manage | Yes | |||||
| endpoint-server.ca.read | Yes |
| ||||
| endpoint-server.configuration.manage | ||||||
| endpoint-server.filter.manage | Yes | |||||
| endpoint-server.filter.read | Yes | |||||
| endpoint-server.health.read |
| |||||
| endpoint-server.logs.manage | ||||||
| endpoint-server.metrics.read |
| |||||
| endpoint-server.policy.read | Yes | |||||
| endpoint-server.process.manage | ||||||
| endpoint-server.relay.manage | Yes | |||||
| endpoint-server.relay.read |
|
|
| Yes |
|
|
| endpoint-server.security.manage |
| |||||
| endpoint-server.security.read |
Esa-analytics-server
The following table describes the permissions in the Esa-analytics-server tab. The Administrators and Operators roles have all of the permissions and are the only roles granted permissions by default.
| Permission | Description |
|---|---|
| esa-analytics-server.* | All permissions (everything below) |
| esa-analytics-server.analytics.manage | Permission to modify ESA analytics |
| esa-analytics-server.analytics.read | Permission to view ESA analytics |
| esa-analytics-server.configuration.manage | Permission to modify all service configuration parameters |
| esa-analytics-server.health.read | Permission to view any health notifications that the service exposes |
| esa-analytics-server.logs.manage | Permission to change log-related configuration |
| esa-analytics-server.metrics.read | Permission to view any metrics that the service exposes |
| esa-analytics-server.model.manage | Permission to modify ESA models |
| esa-analytics-server.model.read | Permission to view ESA models |
| esa-analytics-server.process.manage | Permission to start and stop the service |
| esa-analytics-server.security.manage | Permission to modify security-related resources |
| esa-analytics-server.security.read | Permission to view security-related resources |
Incidents
The following table describes the permissions in the Incidents tab.
| Permission | Description |
|---|---|
| Access Incident Module | Permission to access the Incident module |
| Configure Incident Management Integration | Permission to configure incident management integration |
| Delete Alerts and incidents | Permission o delete alerts and incidents |
| Manage Alert Handling Rules | Permission to modify the alert handling rules |
| View and Manage Incidents | Permission to modify the incidents |
The following table lists the permissions in the Incidents tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Access Incident Module | Yes | Yes | Yes | Yes | Yes | |
| Configure Incident Management Integration | Yes | Yes | Yes | |||
| Delete Alerts and incidents | Yes | Yes |
| |||
| Manage Alert Handling Rules | Yes | Yes | Yes | |||
| View and Manage Incidents | Yes | Yes | Yes | Yes | Yes |
Integration-server
(The Integration-server permissions are available in NetWitness Platform version 11.1 and later.)
The following table describes the permissions in the Integration-server tab.
| Permission | Description |
|---|---|
| integration-server.* | All permissions (everything below) |
| integration-server.api.access | Permission to authorize external requests from 3rd party applications |
| integration-server.configuration.manage | Permission to view and modify all service integration configuration parameters |
| integration-server.health.read | Permission to read any health notifications that the service exposes |
| integration-server.logs.manage | Permission to change log-related integration configurations |
| integration-server.metrics.read | Permission to read any metrics that the service exposes |
| integration-server.notification.manage | Permission to change global notification configurations (for example, SMTP server) |
| integration-server.notification.read | Permission to read global notification configurations (for example, SMTP server) |
| integration-server.notification.send | Permission to send notifications (for example, Email) |
| integration-server.process.manage | Permission to start and stop the service |
| integration-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| integration-server.security.read | Permission to read security-related resources |
| integration-server.template.manage | Permission to change notification template |
| integration-server.template.read | Permission to read notification template |
The following table lists the permissions in the Integration-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| integration-server.* | Yes | |||||
| integration-server.api.access | ||||||
| integration-server.configuration.manage | ||||||
| integration-server.health.read | ||||||
| integration-server.logs.manage | ||||||
| integration-server.metrics.read | ||||||
| integration-server.notification.manage | Yes | Yes | Yes | |||
| integration-server.notification.read | Yes | Yes | Yes | |||
| integration-server.notification.send | Yes | Yes | Yes | |||
| integration-server.process.manage | ||||||
| integration-server.security.manage | ||||||
| integration-server.security.read | ||||||
| integration-server.template.manage | Yes | Yes | Yes | |||
| integration-server.template.read | Yes | Yes | Yes |
Investigate
The following table describes the permissions in the Investigate tab.
| Permission | Description |
|---|---|
| Access Investigation Module | Permission to access investigation module |
| Context Lookup | Permission to access context lookup |
| Create Incidents from Investigation | Permission to create incidents from investigation |
| Manage List from Investigation | Permission to modify the list of investigation |
| Navigate Events | Permission to navigate the events |
| Navigate Values | Permission to navigate the values |
The following table lists the permissions in the Investigate tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Access Investigation Module | Yes | Yes | Yes | Yes | Yes | |
| Context Lookup | Yes | Yes | Yes | Yes | ||
| Create Incidents from Investigation | Yes | Yes | Yes | Yes | ||
| Manage List from Investigation | Yes | Yes | Yes | Yes | ||
| Navigate Events | Yes | Yes | Yes | Yes | Yes | |
| Navigate Values | Yes | Yes | Yes | Yes | Yes |
Investigate-server
The following table describes the permissions in the Investigate-server tab.
| Permission | Description |
|---|---|
| investigate-server.* | All permissions (everything below) for the 11.4 Events view and 11.3 and earlier Event Analysis view |
| investigate-server.column group.read | Permission to access column groups |
| investigate-server.configuration.manage | Permission to change any configuration properties for the service |
| investigate-server.content.export | Permission to export content from the service |
| investigate-server-content.manage | Permission to clear all per service or per user reconstruction cache |
| investigate-server.content.reconstruct | Permission to view the summary view, the packet, packet map, text, log, and file reconstructions, as well as the packet count |
| investigate-server.event.read | Permission to view events that the service exposes |
| investigate-server.health.read | Permission to view any health notifications that the service exposes |
| investigate-server.logs.manage | Permission to change log-related configuration |
| investigate-server.metagroup.manage | Permission to manage meta groups |
| investigate-server.metagroup.read | Permission to view and use meta groups |
| investigate-server.metrics.read | Permission to view any metrics that the service exposes |
| investigate-server.predicate.manage | Permission to edit or remove one or more predicates |
| investigate-server.predicate.read | Permission to filter events in the Navigate view, Legacy EventsEvents view, and Events view. Note: This permission is required with investigate-server.event.read permission to provide access to the and Events view. |
| investigate-server.process.manage | Permission to start and stop the service |
| investigate-server.profile.read | Permission to access profiles. |
| investigate-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| investigate-server.security.read | Permission to view security-related resources |
The following table lists the permissions in the Investigate-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| investigate-server.* | Yes | Yes |
|
|
|
|
| investigate-server.columngroup.read | Yes | Yes | Yes | |||
| investigate-server.configuration.manage | ||||||
| investigate-server.content.export |
| Yes | Yes | Yes | ||
| investigate-server.content.manage |
|
|
|
|
|
|
| investigate-server.content.reconstruct | Yes | Yes | Yes | |||
| investigate-server.event.read |
| Yes | Yes | Yes | ||
| investigate-server.health.read | ||||||
| investigate-server.incident.manage |
|
|
|
|
| Yes |
| investigate-server.logs.manage |
|
|
|
|
| |
| investigate-server.metagroup.manage | ||||||
| investigate-server.metagroup.read |
| Yes | Yes | Yes | ||
| investigate-server.metrics.read | ||||||
| investigate-server.predicate.manage |
|
|
|
|
| |
| investigate-server.predicate.read |
|
| Yes | Yes | Yes | |
| investigate-server.process.manage |
|
|
|
|
| |
| investigate-server.profile.read | Yes | Yes | Yes | |||
| investigate-server.security.manage | ||||||
| investigate-server.security.read |
|
|
|
|
|
License-server
The following table describes the permissions in the License-server tab. The Administrator and Operator have all of the permissions and are the only roles granted permissions by default.
| Permission | Description |
|---|---|
| license-server.* | All permissions (everything below) |
| license-server.configuration.manage | Permission to modify all service configuration parameters |
| license-server.health.read | Permission to view any health notifications that the service exposes |
| license-server.license.manage | Permission to manage license related configurations |
| license-server.license.read | Permission to view license related configurations |
| license-server.logs.manage | Permission to change log-related configuration |
| license-server.metrics.read | Permission to view any metrics that the service exposes |
| license-server.process.manage | Permission to start and stop the service |
| license-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| license-server.security.read | Permission to view security-related resources |
Live
The following table describes the permissions in the Live tab.
| Permission | Permission |
|---|---|
| Live | |
| Access Live Module | Permission to access live module |
| Manage Live System Settings | Permission to modify the live system settings |
| Resources | |
| Deploy Live Resources | Permission to deploy live resources |
| Manage Live Feeds | Permission to modify live feeds |
| Manage Live Resources | Permission to modify live resources |
| Search Live Resources | Permission to search live resources |
| View Live Resource Details | Permission to view live resource details |
The following table lists the permissions in the Live tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Live |
| |||||
| Access Live Module | Yes | Yes | Yes | Yes | ||
| Manage Live System Settings | Yes |
| ||||
| Resources | ||||||
| Deploy Live Resources | Yes | Yes |
| |||
| Manage Live Feeds | Yes | Yes | ||||
| Manage Live Resources | Yes | Yes |
| |||
| Search Live Resources | Yes | Yes | Yes | Yes | ||
| View Live Resource Details | Yes | Yes | Yes | Yes |
Malware
The following table describes the permissions in the Malware tab.
| Permission | Operators |
|---|---|
| Download Malware File(s) | Permission to donwnload the malware files for investigation |
| Initiate Malware Analysis Scan | Permission to start the malware analysis scan |
| View Malware Analysis Events | Permission to view the malware analysis events |
The following table lists the permissions in the Malware tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.