Sec/User Mgmt: Role Permissions

Document created by RSA Information Design and Development on Aug 29, 2018. Last modified by RSA Information Design and Development on Mar 23, 2020.
Version 12
 

In NetWitness Platform, user access to each module, dashlet, and view is restricted based on the assigned permissions. You can locate these role permissions in the Add or Edit Roles dialogs accessible from the Admin > Security > Roles tab.

In the Add or Edit Role dialogs, the tabs in the Permission section represent different areas of NetWitness Platform and show the available permissions for those areas. For example, the Administration tab shows the permissions available in the Admin view.

Note: There is no Configure tab in the Add/Edit Role dialogs that corresponds to the Configure view. To assign permissions in the Configure view, assign permissions to the views contained within the Configure view: Live Content (Live), Incident Rules (Incidents), Respond Notifications (Incidents, Respond-server, Integration server), ESA Rules (Alerting), Subscriptions (Live), and Custom Feeds (Live).

Note: To the left of the Administration tab is a tab marked with an asterisk (*). This tab indicates access to management of backend services only.

The tables that follow show the default permissions assigned to each NetWitness Platform user role:

  • Administrators
  • Respond Administrators (RAs)
  • Data Privacy Officers (DPOs)
  • SOC Managers (SOC Mgrs)
  • Operators
  • Malware Analysts (MAs)
  • Analysts
  • UEBA Analysts

Since the Administrators role has all of the permissions by default, it is not included in the tables.

Service Permissions Format for New Services

The service permissions for some new NetWitness Platform services contain three parts in the following format:

<service name>.<resource>.<action>

For example, for the investigate-server.metrics.read permission:

  • service name = investigate-server
  • resource = metrics
  • action = read

Users assigned this permission can read any metrics that the investigate-server service exposes.
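The three-part format can be checked mechanically when reviewing role definitions. The following is an added example, not RSA code: it parses the `<service name>.<resource>.<action>` form and the `<service name>.*` wildcard that appears in the per-service tables, then audits a constructed role-to-permission mapping. The role names, the `SENSITIVE` set, the sample grants, and all function names are assumptions made for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# <service name>.<resource>.<action>, or <service name>.* for "all permissions".
PERMISSION_RE = re.compile(
    r"^(?P<service>[a-z][a-z0-9-]*)\."
    r"(?:\*|(?P<resource>[a-z0-9]+)\.(?P<action>[a-z]+))$"
)

# Resource/action pairs treated as high-impact in this example (an assumption,
# picked from the per-service permissions this page documents).
SENSITIVE = {("security", "manage"), ("process", "manage"), ("configuration", "manage")}


class Permission(NamedTuple):
    service: str
    resource: Optional[str]  # None when the grant is the <service>.* wildcard
    action: Optional[str]

    @property
    def is_wildcard(self) -> bool:
        return self.resource is None


def parse_permission(name: str) -> Permission:
    """Parse a service permission name; raise ValueError if it is malformed."""
    match = PERMISSION_RE.match(name.strip())
    if match is None:
        raise ValueError(f"not <service>.<resource>.<action> or <service>.*: {name!r}")
    return Permission(match["service"], match["resource"], match["action"])


def covers(held: Permission, wanted: Permission) -> bool:
    """True if holding `held` implies `wanted` (exact match or same-service wildcard)."""
    if held.service != wanted.service:
        return False
    return held.is_wildcard or held == wanted


def audit_roles(role_grants: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {role: [(kind, permission name), ...]} for grants worth a review.

    kind is "malformed" (does not match the documented format), "wildcard"
    (<service>.*) or "sensitive" (resource/action pair listed in SENSITIVE).
    """
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for role, names in role_grants.items():
        for name in names:
            try:
                perm = parse_permission(name)
            except ValueError:
                kind = "malformed"
            else:
                if perm.is_wildcard:
                    kind = "wildcard"
                elif (perm.resource, perm.action) in SENSITIVE:
                    kind = "sensitive"
                else:
                    continue
            findings.setdefault(role, []).append((kind, name))
    return findings


def effective_holders(role_grants: Dict[str, List[str]], wanted_name: str) -> List[str]:
    """List roles that hold `wanted_name` directly or through a wildcard grant."""
    wanted = parse_permission(wanted_name)
    holders = []
    for role, names in role_grants.items():
        for name in names:
            try:
                held = parse_permission(name)
            except ValueError:
                continue  # malformed grants are reported by audit_roles instead
            if covers(held, wanted):
                holders.append(role)
                break
    return holders


# Constructed sample data: custom role names and grants invented for this example.
SAMPLE_ROLES = {
    "Tier1-Analysts": ["investigate-server.event.read", "investigate-server.predicate.read"],
    "Content-Admins": ["content-server.*", "integration-server.security.manage"],
    "Imported-Role": ["endpoint-server*", "investigate-server-content.manage"],
}

if __name__ == "__main__":
    for role, items in audit_roles(SAMPLE_ROLES).items():
        for kind, name in items:
            print(f"{role}: {kind}: {name}")
    print(effective_holders(SAMPLE_ROLES, "content-server.security.manage"))
```

A wildcard grant is the case most easily missed in a manual review: `Content-Admins` never lists `content-server.security.manage`, yet `effective_holders` reports the role for it.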

Administration

The following table describes the permissions in the Administration tab.

| Permission | Description |
|---|---|
| Access Administration Module | Permission to access all the administration modules |
| Access Health & Wellness | Permission to access the health and wellness module |
| Apply System Updates | Permission to update the system |
| Can Opt In to Live Intelligence Sharing | Permission to opt for Live Intelligence sharing |
| Manage Advanced Settings | Permission to modify the advanced settings |
| Manage ATD Settings | Permission to modify the ATD settings |
| Manage Auditing | Permission to modify the auditing |
| Manage Email | Permission to change the email settings |
| Manage Global Auditing | Permission to modify global auditing |
| Manage Health & Wellness Policy | Permission to update the health & wellness policy |
| Manage Jobs | Permission to change the job settings |
| Manage LLS | Permission to modify LLS |
| Manage Logs | Permission to modify log related configurations |
| Manage Notifications | Permission to change notification settings |
| Manage Plugins | Permission to modify the plugins |
| Manage Predicates | Permission to modify the predicates |
| Manage Reconstruction | Permission to change the reconstruction |
| Manage Security | Permission to update the security settings |
| Manage Services | Permission to start and stop the services |
| Manage System Settings | Permission to modify the system settings |
| Modify ESA Settings | Permission to modify the ESA settings |
| Modify Event Sources | Permission to modify the ESA sources |
| Modify Hosts | Permission to modify the hosts |
| Modify Services | Permission to modify the services |
| View Event Sources | Permission to view the event sources |
| View Health & Wellness Policy | Permission to view the health & wellness policy |
| View Health & Wellness Stats Browser | Permission to view the health and wellness status in the browser |
| View Hosts | Permission to view the hosts |
| View Services | Permission to view the services |
| View Unified Sources | Permission to view the unified sources |

The following table lists the permissions in the Administration tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

                                                                                                                                                                                                                                                                                                   
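| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Access Administration Module | | Yes | Yes | Yes | Yes | Yes |
| Access Health & Wellness | | Yes | Yes | Yes | Yes | Yes |
| Apply System Updates | | | | Yes | | |
| Can Opt In to Live Intelligence Sharing | | | | Yes | | |
| Manage Advanced Settings | | | | Yes | | |
| Manage ATD Settings | Yes | Yes | Yes | Yes | | |
| Manage Auditing | | Yes | | Yes | | |
| Manage Email | | | | Yes | | |
| Manage Global Auditing | | Yes | | Yes | | |
| Manage Health & Wellness Policy | | | | Yes | | |
| Manage Jobs | | Yes | Yes | Yes | | |
| Manage LLS | | | | Yes | | |
| Manage Logs | | Yes | | Yes | | |
| Manage Notifications | | | | Yes | | |
| Manage Plugins | | Yes | Yes | Yes | | Yes |
| Manage Predicates | | | | Yes | | |
| Manage Reconstruction | | | | Yes | | |
| Manage Security | | Yes | | Yes | | |
| Manage Services | | Yes | | Yes | | |
| Manage System Settings | | Yes | Yes | Yes | | Yes |
| Modify ESA Settings | | | | Yes | | |
| Modify Event Sources | | | | Yes | | |
| Modify Hosts | | | | Yes | | |
| Modify Services | | Yes | | Yes | | |
| View Event Sources | | | Yes | Yes | | |
| View Health & Wellness Policy | | | Yes | Yes | | Yes |
| View Health & Wellness Stats Browser | | Yes | Yes | Yes | | Yes |
| View Hosts | | Yes | | Yes | | |
| View Services | | Yes | | Yes | | |
| View Unified Sources | | Yes | Yes | Yes | | Yes |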

Admin-server

The following table describes the permissions in the Admin-server tab.

                                       
| Permission | Description |
|---|---|
| admin-server.configuration.manage | Permission to modify all service configuration parameters |
| admin-server.health.read | Permission to view any health notifications that the service exposes |
| admin-server.logs.manage | Permission to change log-related configuration |
| admin-server.metrics.read | Permission to view any metrics that the service exposes |
| admin-server.process.manage | Permission to start and stop the service |
| admin-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| admin-server.security.read | Permission to view security-related resources |

Alerting

The following table describes the permissions in the Alerting tab.

                           
| Permission | Description |
|---|---|
| Access Alerting Module | Permission to access the alerting module |
| Manage Rules | Permission to update the rules |
| View Alerts | Permission to view the alerts |
| View Rules | Permission to view the rules |

The following table lists the permissions in the Alerting tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

                                                         
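| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Access Alerting Module | Yes | Yes | Yes | Yes | | Yes |
| Manage Rules | Yes | Yes | Yes | Yes | | |
| View Alerts | Yes | Yes | Yes | | | Yes |
| View Rules | | Yes | Yes | Yes | | |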

Config-server

The following table describes the permissions in the Config-server tab. The Administrators role has all of the permissions and is the only role granted permissions by default.

                                           
| Permission | Description |
|---|---|
| config-server.* | All permissions (everything below) |
| config-server.configuration.manage | Permission to modify all service configuration parameters |
| config-server.health.read | Permission to view any health notifications that the service exposes |
| config-server.logs.manage | Permission to change log-related configuration |
| config-server.metrics.read | Permission to view any metrics that the service exposes |
| config-server.process.manage | Permission to start and stop the service |
| config-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| config-server.security.read | Permission to view security-related resources |

Content-server

The following table describes the permissions in the Content-server tab.

                                                   
| Permission | Description |
|---|---|
| content-server.* | All permissions (everything below) |
| content-server.configuration.manage | Permission to modify all service configuration parameters |
| content-server.health.read | Permission to view any health notifications that the service exposes |
| content-server.logparser.manage | Permission to manage log parser configurations |
| content-server.logparser.read | Permission to view log parser configurations |
| content-server.logs.manage | Permission to change log-related configuration |
| content-server.metrics.read | Permission to view any metrics that the service exposes |
| content-server.process.manage | Permission to start and stop the service |
| content-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| content-server.security.read | Permission to view security-related resources |

The following table lists the permissions in the Content-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

                                                                                                               
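| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| content-server.* | | Yes | | Yes | | |
| content-server.configuration.manage | | | | | | |
| content-server.health.read | | | | | | |
| content-server.logparser.manage | | | | | | |
| content-server.logparser.read | | | Yes | | | Yes |
| content-server.logs.manage | | | | | | |
| content-server.metrics.read | | | | | | |
| content-server.process.manage | | | | | | |
| content-server.security.manage | | | | | | |
| content-server.security.read | | | | | | |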

Contexthub-server

The following table describes the permissions in the Contexthub-server tab.

                                                                                   
| Permission | Description |
|---|---|
| contexthub-server.* | All permissions (everything below) |
| contexthub-server.configuration.manage | Permission to modify all service configuration parameters |
| contexthub-server.connection.manage | Permission to modify all connection settings |
| contexthub-server.connection.read | Permission to view all connection settings |
| contexthub-server.connectiontypes.read | Permission to view all configured connection types |
| contexthub-server.datasource.manage | Permission to modify data source settings |
| contexthub-server.datasource.read | Permission to view data source settings |
| contexthub-server.health.read | Permission to view any health notifications that the service exposes |
| contexthub-server.listentries.manage | Permission to modify list entries |
| contexthub-server.logs.manage | Permission to change log-related configuration |
| contexthub-server.metrics.read | Permission to view any metrics that the service exposes |
| contexthub-server.process.manage | Permission to start and stop the service |
| contexthub-server.query.read | Permission to view queries |
| contexthub-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| contexthub-server.security.read | Permission to view security-related resources |
| contexthub-server.stix.read | Permission to view stix settings |
| contexthub-server.taxiidatasource.manage | Permission to modify settings for the taxii data source |
| contexthub-server.taxiidatasource.read | Permission to view settings for the taxii data source |

The following table lists the permissions in the Contexthub-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

                                                                                                                                                                                       
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| contexthub-server.* | | Yes | | | | |
| contexthub-server.configuration.manage | | | | | | |
| contexthub-server.connection.manage | | | | | | |
| contexthub-server.connection.read | Yes | | Yes | | Yes | Yes |
| contexthub-server.connectiontypes.read | | | Yes | | | |
| contexthub-server.datasource.manage | Yes | | Yes | | Yes | Yes |
| contexthub-server.datasource.read | Yes | | Yes | | Yes | Yes |
| contexthub-server.health.read | | | | | | |
| contexthub-server.listentries.manage | Yes | | | | Yes | Yes |
| contexthub-server.logs.manage | | | | | | |
| contexthub-server.metrics.read | | | | | | |
| contexthub-server.process.manage | | | | | | |
| contexthub-server.query.read | Yes | | Yes | | Yes | Yes |
| contexthub-server.security.manage | | | | | | |
| contexthub-server.security.read | | | | | | |
| contexthub-server.stix.read | | | Yes | | Yes | Yes |
| contexthub-server.taxiidatasource.manage | | | Yes | | Yes | Yes |
| contexthub-server.taxiidatasource.read | | | Yes | | Yes | Yes |

Correlation-server

The following table describes the permissions in the Correlation-server tab.

                                                                                               
| Permission | Description |
|---|---|
| correlation-server.* | All permissions (everything below) |
| correlation-server.configuration.manage | Permission to modify all service configuration parameters |
| correlation-server.endpoint.manage | Permission to modify all endpoint configuration parameters |
| correlation-server.endpoint.read | Permission to view all endpoint configuration parameters |
| correlation-server.engine.manage | Permission to modify all engine configuration parameters |
| correlation-server.engine.read | Permission to view all engine configuration parameters |
| correlation-server.esperrule.manage | Permission to modify all esperrule configuration parameters |
| correlation-server.esperrule.read | Permission to view all esperrule configuration parameters |
| correlation-server.health.read | Permission to view any health notifications that the service exposes |
| correlation-server.keyvaluerule.manage | Permission to modify all keyvaluerule configuration parameters |
| correlation-server.keyvaluerule.read | Permission to view all keyvaluerule configuration parameters |
| correlation-server.logs.manage | Permission to change log-related configuration |
| correlation-server.metrics.read | Permission to view any metrics that the service exposes |
| correlation-server.module.manage | Permission to modify each module |
| correlation-server.module.read | Permission to view each module |
| correlation-server.process.manage | Permission to start and stop the service |
| correlation-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| correlation-server.security.read | Permission to view security-related resources |
| correlation-server.stream.manage | Permission to edit stream configuration settings |
| correlation-server.stream.read | Permission to view stream configuration settings |
| correlation-server.telemetry.read | Permission to view telemetry configuration settings |

The following table lists the permissions in the Correlation-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

                                                                                                                                                                                                                  
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| correlation-server.* | | Yes | | | | |
| correlation-server.configuration.manage | | | | | | |
| correlation-server.endpoint.manage | | | | | | |
| correlation-server.endpoint.read | | | | | | |
| correlation-server.engine.manage | Yes | | Yes | Yes | | |
| correlation-server.engine.read | Yes | | Yes | Yes | | |
| correlation-server.esperrule.manage | | | | | | |
| correlation-server.esperrule.read | | | | | | |
| correlation-server.health.read | | | | | | |
| correlation-server.keyvaluerule.manage | | | | | | |
| correlation-server.keyvaluerule.read | | | | | | |
| correlation-server.logs.manage | | | | | | |
| correlation-server.metrics.read | | | | | | |
| correlation-server.module.manage | Yes | | Yes | Yes | | |
| correlation-server.module.read | Yes | | Yes | Yes | | |
| correlation-server.process.manage | | | | | | |
| correlation-server.security.manage | | | | | | |
| correlation-server.security.read | | | | | | |
| correlation-server.stream.manage | Yes | | Yes | Yes | | |
| correlation-server.stream.read | Yes | | Yes | Yes | | |
| correlation-server.telemetry.read | | | | | | |

Dashboard

The following table describes the permissions in the Dashboard tab.

                                                                               
| Permission | Description |
|---|---|
| Dashlet Access - Admin Device List Dashlet | Permission to access Admin Device List Dashlet |
| Dashlet Access - Admin Device Monitor Dashlet | Permission to access Admin Device Monitor Dashlet |
| Dashlet Access - Admin News Dashlet | Permission to access Admin News Dashlet |
| Dashlet Access - Alert Variance Dashlet | Permission to access Alert Variance Dashlet |
| Dashlet Access - Alerting Recent Alerts Dashlet | Permission to access Alerting Recent Alerts Dashlet |
| Dashlet Access - Investigation Jobs Dashlet | Permission to access Investigation Jobs Dashlet |
| Dashlet Access - Investigation Top Values Dashlet | Permission to access Investigation Top Values Dashlet |
| Dashlet Access - Live Featured Resources Dashlet | Permission to access Live Featured Resources Dashlet |
| Dashlet Access - Live New Resources Dashlet | Permission to access Live New Resources Dashlet |
| Dashlet Access - Live Subscriptions Dashlet | Permission to access Live Subscriptions Dashlet |
| Dashlet Access - Live Updated Resources Dashlet | Permission to access Live Updated Resources Dashlet |
| Dashlet Access - Malware Jobs Dashlet | Permission to access Malware Jobs Dashlet |
| Dashlet Access - Reporting Recent Report Dashlet | Permission to access Reporting Recent Report Dashlet |
| Dashlet Access - Reporting Charts Dashlet | Permission to access Reporting Charts Dashlet |
| Dashlet Access - Top Alerts Dashlet | Permission to access Top Alerts Dashlet |
| Dashlet Access - Unified RSA First Watch Dashlet | Permission to access Unified RSA First Watch Dashlet |
| Dashlet Access - Unified Shortcuts Dashlet | Permission to access Unified Shortcuts Dashlet |

The following table lists the permissions in the Dashboard tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

                                                                                                                                                                              
| Permission | RA | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Dashlet Access - Admin Device List Dashlet | Yes | Yes | Yes | Yes | | Yes |
| Dashlet Access - Admin Device Monitor Dashlet | | Yes | | | | |
| Dashlet Access - Admin News Dashlet | Yes | Yes | Yes | Yes | | Yes |
| Dashlet Access - Alert Variance Dashlet | Yes | Yes | Yes | | | Yes |
| Dashlet Access - Alerting Recent Alerts Dashlet | Yes | Yes | Yes | | | Yes |
| Dashlet Access - Investigation Jobs Dashlet | Yes | Yes | Yes | | | Yes |
| Dashlet Access - Investigation Top Values Dashlet | Yes | Yes | Yes | | | Yes |
| Dashlet Access - Live Featured Resources Dashlet | Yes | Yes | Yes | Yes | | Yes |
| Dashlet Access - Live New Resources Dashlet | Yes | Yes | Yes | Yes | | Yes |
| Dashlet Access - Live Subscriptions Dashlet | Yes | Yes | Yes | Yes | | Yes |
| Dashlet Access - Live Updated Resources Dashlet | Yes | Yes | Yes | Yes | | Yes |
| Dashlet Access - Malware Jobs Dashlet | Yes | Yes | Yes | | | Yes |
| Dashlet Access - Reporting Recent Report Dashlet | Yes | Yes | Yes | | | Yes |
| Dashlet Access - Reporting Charts Dashlet | Yes | Yes | Yes | | | Yes |
| Dashlet Access - Top Alerts Dashlet | Yes | Yes | Yes | | | Yes |
| Dashlet Access - Unified RSA First Watch Dashlet | Yes | Yes | Yes | Yes | | Yes |
| Dashlet Access - Unified Shortcuts Dashlet | Yes | Yes | Yes | Yes | | Yes |

Endpoint-broker-server

The following table describes the permissions in the Endpoint Broker server tab.

                                                       
| Permission | Description |
|---|---|
| endpoint-broker-server* | All permissions (everything below) |
| endpoint-broker-server.agent.manage | Permission to manage the agent, that is, start or stop a scan, download files from the host, delete agent data from the Endpoint Log Hybrid, and so on. |
| endpoint-broker-server.agent.read | Permission to view the endpoint data received from the agent, such as host, file, certificate, events, and so on. |
| endpoint-broker-server.configuration.manage | Permission to modify all endpoint broker configuration parameters |
| endpoint-broker-server.health.read | Permission to view any health notifications that the service exposes |
| endpoint-broker-server.logs.manage | Permission to change log-related configuration |
| endpoint-broker-server.metrics.read | Permission to view any metrics that the service exposes |
| endpoint-broker-server.policy.read | Permission to view existing policy details |
| endpoint-broker-server.process.manage | Permission to start and stop the service |
| endpoint-broker-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| endpoint-broker-server.security.read | Permission to view security-related resources |

The following table lists the permissions in the Endpoint-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

                                                                                                                        
| Permission | RA | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| endpoint-broker-server* | | | | | | |
| endpoint-broker-server.agent.manage | | | | Yes | | Yes |
| endpoint-broker-server.agent.read | | | | Yes | | Yes |
| endpoint-broker-server.configuration.manage | | | | | | |
| endpoint-broker-server.health.read | | | | | | |
| endpoint-broker-server.logs.manage | | | | | | |
| endpoint-broker-server.metrics.read | | | | | | |
| endpoint-broker-server.policy.read | | | | | | Yes |
| endpoint-broker-server.process.manage | | | | | | |
| endpoint-broker-server.security.manage | | | | | | |
| endpoint-broker-server.security.read | | | | | | |

Endpoint-server

The following table describes the permissions in the Endpoint-server tab.

                                                                               
| Permission | Description |
|---|---|
| endpoint-server* | All permissions (everything below) |
| endpoint-server.agent.manage | Permission to generate and download the agent packager. Permission to manage the agent, that is, start or stop a scan, download files, the master file table (MFT), and memory dumps from the host, isolate the host from the network, delete agent data from the Endpoint Log Hybrid, and so on. |
| endpoint-server.agent.read | Permission to view the agent packager configuration. Permission to view the endpoint data received from the agent, such as host, file, certificate, events, and so on. |
| endpoint-server.ca.manage | Permission to generate and download the agent packager. |
| endpoint-server.ca.read | Permission to generate and download the agent packager |
| endpoint-server.configuration.manage | Permission to modify all endpoint configuration parameters |
| endpoint-server.filter.manage | Permission to save, modify, and delete filters |
| endpoint-server.filter.read | Permission to view filters |
| endpoint-server.health.read | Permission to view any health notifications that the service exposes |
| endpoint-server.logs.manage | Permission to change log-related configuration |
| endpoint-server.metrics.read | Permission to view any metrics that the service exposes |
| endpoint-server.policy.read | Permission to view existing policy details |
| endpoint-server.process.manage | Permission to start and stop the service |
| endpoint-server.relay.manage | Permission to modify Relay Server Configuration |
| endpoint-server.relay.read | Permission to view Relay Server details |
| endpoint-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| endpoint-server.security.read | Permission to view security-related resources |

The following table lists the permissions in the Endpoint-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

                                                                                                                                                                              
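| Permission | RA | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| endpoint-server* | | | | | | |
| endpoint-server.agent.manage | | | | Yes | | Yes |
| endpoint-server.agent.read | | | | Yes | | Yes |
| endpoint-server.ca.manage | | | | Yes | | |
| endpoint-server.ca.read | | | | Yes | | |
| endpoint-server.configuration.manage | | | | | | |
| endpoint-server.filter.manage | | | | | | Yes |
| endpoint-server.filter.read | | | | | | Yes |
| endpoint-server.health.read | | | | | | |
| endpoint-server.logs.manage | | | | | | |
| endpoint-server.metrics.read | | | | | | |
| endpoint-server.policy.read | | | | | | Yes |
| endpoint-server.process.manage | | | | | | |
| endpoint-server.relay.manage | | | | Yes | | |
| endpoint-server.relay.read | | | | Yes | | |
| endpoint-server.security.manage | | | | | | |
| endpoint-server.security.read | | | | | | |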

Esa-analytics-server

The following table describes the permissions in the Esa-analytics-server tab. The Administrators and Operators roles have all of the permissions and are the only roles granted permissions by default.

                                                           
| Permission | Description |
|---|---|
| esa-analytics-server.* | All permissions (everything below) |
| esa-analytics-server.analytics.manage | Permission to modify ESA analytics |
| esa-analytics-server.analytics.read | Permission to view ESA analytics |
| esa-analytics-server.configuration.manage | Permission to modify all service configuration parameters |
| esa-analytics-server.health.read | Permission to view any health notifications that the service exposes |
| esa-analytics-server.logs.manage | Permission to change log-related configuration |
| esa-analytics-server.metrics.read | Permission to view any metrics that the service exposes |
| esa-analytics-server.model.manage | Permission to modify ESA models |
| esa-analytics-server.model.read | Permission to view ESA models |
| esa-analytics-server.process.manage | Permission to start and stop the service |
| esa-analytics-server.security.manage | Permission to modify security-related resources |
| esa-analytics-server.security.read | Permission to view security-related resources |

Incidents

The following table describes the permissions in the Incidents tab.

                               
| Permission | Description |
|---|---|
| Access Incident Module | Permission to access the Incident module |
| Configure Incident Management Integration | Permission to configure incident management integration |
| Delete Alerts and incidents | Permission to delete alerts and incidents |
| Manage Alert Handling Rules | Permission to modify the alert handling rules |
| View and Manage Incidents | Permission to modify the incidents |

The following table lists the permissions in the Incidents tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

                                                                  
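| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Access Incident Module | Yes | Yes | Yes | | Yes | Yes |
| Configure Incident Management Integration | Yes | Yes | Yes | | | |
| Delete Alerts and incidents | Yes | Yes | | | | |
| Manage Alert Handling Rules | Yes | Yes | Yes | | | |
| View and Manage Incidents | Yes | Yes | Yes | | Yes | Yes |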

Integration-server

(The Integration-server permissions are available in NetWitness Platform version 11.1 and later.)

The following table describes the permissions in the Integration-server tab.

                                                                   
| Permission | Description |
|---|---|
| integration-server.* | All permissions (everything below) |
| integration-server.api.access | Permission to authorize external requests from 3rd party applications |
| integration-server.configuration.manage | Permission to view and modify all service integration configuration parameters |
| integration-server.health.read | Permission to read any health notifications that the service exposes |
| integration-server.logs.manage | Permission to change log-related integration configurations |
| integration-server.metrics.read | Permission to read any metrics that the service exposes |
| integration-server.notification.manage | Permission to change global notification configurations (for example, SMTP server) |
| integration-server.notification.read | Permission to read global notification configurations (for example, SMTP server) |
| integration-server.notification.send | Permission to send notifications (for example, Email) |
| integration-server.process.manage | Permission to start and stop the service |
| integration-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| integration-server.security.read | Permission to read security-related resources |
| integration-server.template.manage | Permission to change notification template |
| integration-server.template.read | Permission to read notification template |

The following table lists the permissions in the Integration-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

                                                                                                                                                   
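| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| integration-server.* | | Yes | | | | |
| integration-server.api.access | | | | | | |
| integration-server.configuration.manage | | | | | | |
| integration-server.health.read | | | | | | |
| integration-server.logs.manage | | | | | | |
| integration-server.metrics.read | | | | | | |
| integration-server.notification.manage | Yes | | Yes | Yes | | |
| integration-server.notification.read | Yes | | Yes | Yes | | |
| integration-server.notification.send | Yes | | Yes | Yes | | |
| integration-server.process.manage | | | | | | |
| integration-server.security.manage | | | | | | |
| integration-server.security.read | | | | | | |
| integration-server.template.manage | Yes | | Yes | Yes | | |
| integration-server.template.read | Yes | | Yes | Yes | | |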

Investigate

The following table describes the permissions in the Investigate tab.

                                   
| Permission | Description |
|---|---|
| Access Investigation Module | Permission to access investigation module |
| Context Lookup | Permission to access context lookup |
| Create Incidents from Investigation | Permission to create incidents from investigation |
| Manage List from Investigation | Permission to modify the list of investigation |
| Navigate Events | Permission to navigate the events |
| Navigate Values | Permission to navigate the values |

The following table lists the permissions in the Investigate tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

                                                                           
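| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Access Investigation Module | Yes | Yes | Yes | | Yes | Yes |
| Context Lookup | Yes | | Yes | | Yes | Yes |
| Create Incidents from Investigation | Yes | | Yes | | Yes | Yes |
| Manage List from Investigation | Yes | | Yes | | Yes | Yes |
| Navigate Events | Yes | Yes | Yes | | Yes | Yes |
| Navigate Values | Yes | Yes | Yes | | Yes | Yes |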

Investigate-server

The following table describes the permissions in the Investigate-server tab.

                                                                                   
| Permission | Description |
|---|---|
| investigate-server.* | All permissions (everything below) for the 11.4 Events view and 11.3 and earlier Event Analysis view |
| investigate-server.columngroup.read | Permission to access column groups |
| investigate-server.configuration.manage | Permission to change any configuration properties for the service |
| investigate-server.content.export | Permission to export content from the service |
| investigate-server.content.manage | Permission to clear all per service or per user reconstruction cache |
| investigate-server.content.reconstruct | Permission to view the summary view, the packet, packet map, text, log, and file reconstructions, as well as the packet count |
| investigate-server.event.read | Permission to view events that the service exposes |
| investigate-server.health.read | Permission to view any health notifications that the service exposes |
| investigate-server.logs.manage | Permission to change log-related configuration |
| investigate-server.metagroup.manage | Permission to manage meta groups |
| investigate-server.metagroup.read | Permission to view and use meta groups |
| investigate-server.metrics.read | Permission to view any metrics that the service exposes |
| investigate-server.predicate.manage | Permission to edit or remove one or more predicates |
| investigate-server.predicate.read | Permission to filter events in the Navigate view, Legacy Events view, and Events view. Note: This permission is required with investigate-server.event.read permission to provide access to the and Events view. |
| investigate-server.process.manage | Permission to start and stop the service |
| investigate-server.profile.read | Permission to access profiles. |
| investigate-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| investigate-server.security.read | Permission to view security-related resources |

The following table lists the permissions in the Investigate-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

                                                                                                                                                                                                
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
| --- | --- | --- | --- | --- | --- | --- |
| investigate-server.* | Yes | Yes |  |  |  |  |
| investigate-server.columngroup.read |  |  | Yes |  | Yes | Yes |
| investigate-server.configuration.manage |  |  |  |  |  |  |
| investigate-server.content.export |  |  | Yes |  | Yes | Yes |
| investigate-server.content.manage |  |  |  |  |  |  |
| investigate-server.content.reconstruct |  |  | Yes |  | Yes | Yes |
| investigate-server.event.read |  |  | Yes |  | Yes | Yes |
| investigate-server.health.read |  |  |  |  |  |  |
| investigate-server.incident.manage |  |  |  |  |  | Yes |
| investigate-server.logs.manage |  |  |  |  |  |  |
| investigate-server.metagroup.manage |  |  |  |  |  |  |
| investigate-server.metagroup.read |  |  | Yes |  | Yes | Yes |
| investigate-server.metrics.read |  |  |  |  |  |  |
| investigate-server.predicate.manage |  |  |  |  |  |  |
| investigate-server.predicate.read |  |  | Yes |  | Yes | Yes |
| investigate-server.process.manage |  |  |  |  |  |  |
| investigate-server.profile.read |  |  | Yes |  | Yes | Yes |
| investigate-server.security.manage |  |  |  |  |  |  |
| investigate-server.security.read |  |  |  |  |  |  |

License-server

The following table describes the permissions in the License-server tab. The Administrators and Operators roles have all of the permissions and are the only roles granted permissions by default.

                                                   
| Permission | Description |
| --- | --- |
| license-server.* | All permissions (everything below) |
| license-server.configuration.manage | Permission to modify all service configuration parameters |
| license-server.health.read | Permission to view any health notifications that the service exposes |
| license-server.license.manage | Permission to manage license related configurations |
| license-server.license.read | Permission to view license related configurations |
| license-server.logs.manage | Permission to change log-related configuration |
| license-server.metrics.read | Permission to view any metrics that the service exposes |
| license-server.process.manage | Permission to start and stop the service |
| license-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| license-server.security.read | Permission to view security-related resources |

Live

The following table describes the permissions in the Live tab.

                                               
| Permission | Description |
| --- | --- |
| Live |  |
| Access Live Module | Permission to access live module |
| Manage Live System Settings | Permission to modify the live system settings |
| Resources |  |
| Deploy Live Resources | Permission to deploy live resources |
| Manage Live Feeds | Permission to modify live feeds |
| Manage Live Resources | Permission to modify live resources |
| Search Live Resources | Permission to search live resources |
| View Live Resource Details | Permission to view live resource details |

The following table lists the permissions in the Live tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

                                                                                                      
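| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
| --- | --- | --- | --- | --- | --- | --- |
| Live |  |  |  |  |  |  |
| Access Live Module |  | Yes | Yes | Yes |  | Yes |
| Manage Live System Settings |  |  |  | Yes |  |  |
| Resources |  |  |  |  |  |  |
| Deploy Live Resources |  | Yes |  | Yes |  |  |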

Manage Live Feeds Yes