Role Permissions

InNetWitness Platform, user can access each module, dashlet, and view is restricted based on the assigned permissions. You can locate these role permissions in the Add or Edit Roles dialogs accessible from the netwitness_adminicon_25x22.png (Admin) > Security > Roles tab.

In the Add or Edit Role dialogs, the tabs in the Permission section represent different areas of NetWitness Platform and show the available permissions for those areas. For example, the Administration tab shows the permissions available in the Admin view.

Note: There is no Configure tab in the Add/Edit Role dialogs that corresponds to the Configure view. To assign permissions in the Configure view, assign permissions to the views contained within the Configure view: Live Content (Live), Incident Rules (Incidents), Respond Notifications (Incidents, Respond-server, Integration server), ESA Rules (Alerting), Subscriptions (Live), and Custom Feeds (Live).

Note: To the left of the Administration tab is a tab marked with an asterisk (*). This tab indicates access to management of backend services only.

The tables that follow show the default permissions assigned to each NetWitness Platform user role:

  • Administrators
  • Respond Administrators (RAs)

  • Reporting Engine Content Administrators (RE CAs)
  • Data Privacy Officers (DPOs)
  • SOC Managers (SOC Mgrs)
  • Operators
  • Malware Analysts (MAs)
  • Analysts
  • UEBA Analysts

Since the Administrators role has all of the permissions by default, it is not included in the tables.

Service Permissions Format for New Services

The service permissions for some new NetWitness Platform services contain three parts in the following format:

<service name>.<resource>.<action>

For example, for the investigate-server.metrics.read permission:

  • service name = investigate-server
  • resource = metrics
  • action = read

Users assigned this permission can read any metrics that the investigate-server service exposes.

Admin-server

The following table describes the permissions in the Admin-server tab.

Permission Description
admin-server.configuration.manage Permission to modify all service configuration parameters
admin-server.health.read Permission to view any health notifications that the service exposes
admin-server.logs.manage Permission to change log-related configuration
admin-server.metrics.read Permission to view any metrics that the service exposes
admin-server.process.manage Permission to start and stop the service
admin-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
admin-server.security.read Permission to view security-related resources

Administration

The following table describes the list of permissions in Administration tab.

Permission Description
Access Administration Module

Permission to access all the administration modules

Access Health & Wellness Permission to access the health and wellness module
Apply System Updates

Permission to update the system

Can Opt In to Live Intelligence Sharing Permission to opt for Live Intelligence sharing
Manage Advanced Settings

Permission to modify the advanced settings

Manage ATD Settings Permission to modify the ATD settings
Manage Auditing

Permission to modify the auditing

Manage Email Permission to change the email settings
Manage Global Auditing

Permission to modify global auditing

Manage Health & Wellness Policy Permission to update the health & wellness policy

Manage Jobs

Permission to change the job settings

Manage LLS

Permission to modify LLS

Manage Logs Permission to modify log related configurations
Manage Notifications

Permission to change notification settings

Manage Plugins Permission to modify the plugins
Manage Predicates

Permission to modify the predicates

Manage Reconstruction Permission to change the reconstruction
Manage Security

Permission to update the security settings

Manage Services Permission to start and stop the services
Manage SSL Security Permission to manage PKI setting
Manage System Settings

Permission to the modify the system settings

Modify ESA Settings Permission to modify the ESA settings
Modify Event Sources

Permission to modify the ESA sources

Modify Hosts Permission to modify the hosts
Modify Services

Permission to modify the services

View Event Sources Permission to view the event sources
View Health & Wellness Policy

Permission to view the health & wellness policy

View Health & Wellness Stats Browser Permission to view the health and wellness status in the browser
View Hosts

Permission to view the hosts

View Services Permission to view the services
View Unified Sources

Permission to view the unified sources

The following table lists the permissions in the Administration tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts UEBA Analysts
Access Administration Module

Yes Yes Yes Yes Yes

Access Health & Wellness Yes Yes Yes Yes Yes
Apply System Updates

Yes

Can Opt In to Live Intelligence Sharing Yes
Manage Advanced Settings

Yes

Manage ATD Settings Yes Yes Yes Yes
Manage Auditing

Yes Yes

Manage Email Yes
Manage Global Auditing

Yes Yes

Manage Health & Wellness Policy Yes

Manage Jobs

Yes

Yes

Yes

Manage LLS

Yes
Manage Logs Yes Yes

Manage Notifications

Yes
Manage Plugins Yes Yes Yes Yes

Manage Predicates

Yes
Manage Reconstruction Yes

Manage Security

Yes Yes
Manage Services Yes Yes

Manage SSL Security

Manage System Settings

Yes Yes Yes Yes
Modify ESA Settings Yes

Modify Event Sources

Yes
Modify Hosts Yes

Modify Services

Yes Yes
View Event Sources Yes Yes

View Health & Wellness Policy

Yes Yes Yes
View Health & Wellness Stats Browser Yes Yes Yes Yes

View Hosts

Yes Yes
View Services Yes Yes

View Unified Sources

Yes Yes Yes Yes

Alerting

The following table describes the permissions in the Alerting tab.

Permission Description
Access Alerting Module Permission to access the alerting module
Manage Rules Permission to update the rules
View Alerts Permission to view the alerts
View Rules Permission to view the rules

The following table lists the permissions in the Alerting tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
Access Alerting Module Yes

Yes

Yes

Yes

Yes

Manage Rules Yes Yes Yes Yes
View Alerts Yes

Yes

Yes

Yes

View Rules Yes Yes Yes

Config-server

The following table describes the permissions in the Config-server tab. The Administrators role has all of the permissions and is the only role granted permissions by default.

Permission Description
config-server.* All permissions (everything below)
config-server.configuration.manage Permission to modify all service configuration parameters
config-server.health.read Permission to view any health notifications that the service exposes
config-server.logs.manage Permission to change log-related configuration
config-server.metrics.read Permission to view any metrics that the service exposes
config-server.process.manage Permission to start and stop the service
config-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
config-server.security.read Permission to view security-related resources

Content-server

The following table describes the permissions in the Content-server tab.

Permission Description

content-server.*

All permissions (everything below)

content-server.collection.read Permission to read selective collection content
content-server.configuration.manage Permission to modify all service configuration parameters

content-server.health.read

Permission to view any health notifications that the service exposes

content-server.logparser.manage Permission to manage log parser configurations

content-server.logparser.read

Permission to view log parser configurations

content-server.logs.manage Permission to change log-related configuration

content-server.metrics.read

Permission to view any metrics that the service exposes

content-server.policy.read

Permission to read policies

content-server.process.manage

Permission to start and stop the service

content-server.rule.manage

Permission to manage content rules

content-server.rule.read Permission to view content rules

content-server.security.manage

Permission to edit security-related resources (passwords, keys, and so on)

content-server.security.read

Permission to view security-related resources

The following table lists the permissions in the Content-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
content-server.* Yes Yes

content-server.collection.read
content-server.configuration.manage

content-server.health.read

content-server.logparser.manage

content-server.logparser.read

Yes

Yes

content-server.logs.manage

content-server.metrics.read

content-server.policy.read

content-server.process.manage

content-server.rule.manage

content-server.rule.read

content-server.security.manage

content-server.security.read

Contexthub-server

The following table describes the permissions in the Contexthub-server tab.

Permission Description
contexthub-server.* All permissions (everything below)
contexthub-server.configuration.manage Permission to modify all service configuration parameters

contexthub-server.connection.manage

Permission to modify all connection settings

contexthub-server.connection.read Permission to view all connection settings

contexthub-server.connectiontypes.read

Permission to view all configured connection types

contexthub-server.datasource.manage Permission to modify data source settings

contexthub-server.datasource.read

Permission to view data source settings

contexthub-server.health.read Permission to view any health notifications that the service exposes

contexthub-server.listentries.manage

Permission to modify list entries

contexthub-server.logs.manage Permission to change log-related configuration
contexthub-server.metrics.read Permission to view any metrics that the service exposes
contexthub-server.process.manage Permission to start and stop the service

contexthub-server.query.read

Permission to view queries

contexthub-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
contexthub-server.security.read Permission to view security-related resources
contexthub-server.stix.read Permission to view stix settings

contexthub-server.taxiidatasource.manage

Permission to modify settings for the taxii data source

contexthub-server.taxiidatasource.read Permission to view settings for the taxii data source

The following table lists the permissions in the Contexthub-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
contexthub-server.* Yes

contexthub-server.configuration.manage
contexthub-server.connection.manage

contexthub-server.connection.read Yes Yes Yes Yes
contexthub-server.connectiontypes.read Yes

contexthub-server.datasource.manage Yes Yes Yes Yes

contexthub-server.datasource.read

Yes Yes Yes Yes
contexthub-server.health.read
contexthub-server.listentries.manage Yes Yes Yes Yes
contexthub-server.logs.manage
contexthub-server.metrics.read

contexthub-server.process.manage
contexthub-server.query.read Yes Yes Yes Yes
contexthub-server.security.manage
contexthub-server.security.read

contexthub-server.stix.read Yes Yes Yes
contexthub-server.taxiidatasource.manage Yes Yes Yes
contexthub-server.taxiidatasource.read Yes Yes Yes

Correlation-server

The following table describes the permissions in the Correlation-server tab. These permissions pertain to ESA Correlation.

Permission Description
correlation-server.* All permissions (everything below)
correlation-server.configuration.manage Permission to modify all service configuration parameters
correlation-server.endpoint.manage Permission to modify all endpoint configuration parameters
correlation-server.endpoint.read Permission to view all endpoint configuration parameters
correlation-server.engine.manage Permission to modify all engine configuration parameters
correlation-server.engine.read Permission to view all engine configuration parameters
correlation-server.esperrule.manage Permission to modify all esperrule configuration parameters
correlation-server.esperrule.read Permission to view all esperrule configuration parameters
correlation-server.health.read Permission to view any health notifications that the service exposes
correlation-server.keyvaluerule.manage Permission to modify all keyvaluerule configuration parameters
correlation-server.keyvaluerule.read Permission to view all keyvaluerule configuration parameters
correlation-server.logs.manage Permission to change log-related configuration
correlation-server.metrics.read Permission to view any metrics that the service exposes
correlation-server.module.manage Permission to modify each module
correlation-server.module.read Permission to view each module
correlation-server.process.manage Permission to start and stop the service
correlation-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
correlation-server.security.read Permission to view security-related resources
correlation-server.stream.manage Permission to edit stream configuration settings
correlation-server.stream.read Permission to view stream configuration settings
correlation-server.telemetry.read Permission to view telemetry configuration settings

The following table lists the permissions in the Correlation-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
correlation-server.*

Yes

correlation-server.configuration.manage
correlation-server.endpoint.manage

correlation-server.endpoint.read

correlation-server.engine.manage Yes

Yes

Yes

correlation-server.engine.read Yes Yes Yes
correlation-server.esperrule.manage

correlation-server.esperrule.read

correlation-server.health.read

correlation-server.keyvaluerule.manage
correlation-server.keyvaluerule.read
correlation-server.logs.manage
correlation-server.metrics.read

correlation-server.module.manage Yes Yes Yes
correlation-server.module.read Yes

Yes

Yes

correlation-server.process.manage
correlation-server.security.manage

correlation-server.security.read
correlation-server.stream.manage Yes

Yes

Yes

correlation-server.stream.read Yes Yes Yes
correlation-server.telemetry.read

Dashboard

The following table describes the permissions in the Dashboard tab.

Permission Description
Dashlet Access - Admin Device List Dashlet Permission to access Admin Device List Dashlet
Dashlet Access - Admin Device Monitor Dashlet Permission to access Admin Device Monitor Dashlet
Dashlet Access - Admin News Dashlet Permission to access Admin News Dashlet
Dashlet Access - Alert Variance Dashlet Permission to access Alert Variance Dashlet
Dashlet Access - Alerting Recent Alerts Dashlet Permission to access Alerting Recent Alerts Dashlet
Dashlet Access - Investigation Jobs Dashlet Permission to access Investigation Jobs Dashlet
Dashlet Access - Investigation Top Values Dashlet Permission to access Investigation Top Values Dashlet
Dashlet Access - Live Featured Resources Dashlet Permission to access Live Featured Resources Dashlet
Dashlet Access - Live New Resources Dashlet Permission to access Live New Resources Dashlet
Dashlet Access - Live Subscriptions Dashlet Permission to access Live Subscriptions Dashlet
Dashlet Access - Live Updated Resources Dashlet Permission to access Live Updated Resources Dashlet
Dashlet Access - Malware Jobs Dashlet Permission to access Malware Jobs Dashlet
Dashlet Access - Reporting Recent Report Dashlet Permission to access Reporting Recent Report Dashlet
Dashlet Access - Reporting Charts Dashlet Permission to access Reporting Charts Dashlet
Dashlet Access - Top Alerts Dashlet Permission to access Top Alerts Dashlet
Dashlet Access - Unified RSA First Watch Dashlet Permission to access Unified RSA First Watch Dashlet
Dashlet Access - Unified Shortcuts Dashlet Permission to access Unified Shortcuts Dashlet

The following table lists the permissions in the Dashboard tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RA DPOs SOC Mgrs Operators MAs Analysts
Dashlet Access - Admin Device List Dashlet

Yes

Yes Yes Yes Yes
Dashlet Access - Admin Device Monitor Dashlet Yes
Dashlet Access - Admin News Dashlet

Yes

Yes Yes Yes Yes
Dashlet Access - Alert Variance Dashlet Yes Yes Yes Yes
Dashlet Access - Alerting Recent Alerts Dashlet Yes Yes Yes Yes
Dashlet Access - Investigation Jobs Dashlet Yes Yes Yes Yes
Dashlet Access - Investigation Top Values Dashlet Yes Yes Yes Yes
Dashlet Access - Live Featured Resources Dashlet Yes Yes Yes Yes Yes
Dashlet Access - Live New Resources Dashlet Yes Yes Yes Yes Yes
Dashlet Access - Live Subscriptions Dashlet Yes Yes Yes Yes Yes
Dashlet Access - Live Updated Resources Dashlet Yes Yes Yes Yes Yes
Dashlet Access - Malware Jobs Dashlet Yes Yes Yes Yes
Dashlet Access - Reporting Recent Report Dashlet Yes Yes Yes Yes
Dashlet Access - Reporting Charts Dashlet Yes Yes Yes Yes
Dashlet Access - Top Alerts Dashlet Yes Yes Yes Yes
Dashlet Access - Unified RSA First Watch Dashlet Yes Yes Yes Yes Yes
Dashlet Access - Unified Shortcuts Dashlet Yes Yes Yes Yes Yes

Endpoint-broker-server

The following table describes the permissions in the Endpoint Broker server tab.

Permission Description

endpoint-broker-server*

All permissions (everything below)

endpoint-broker-server.agent.manage Permission to manage the agent, that is start or stop scan, downloading file from host, delete agent data from the Endpoint Log Hybrid and so on.
endpoint-broker-server.agent.read Permission to view the endpoint data received from the agent such as host, file, certificate, events and so on.
endpoint-broker-server.configuration.manage Permission to modify all endpoint broker configuration parameters
endpoint-broker-server.health.read Permission to view any health notifications that the service exposes
endpoint-broker-server.logs.manage Permission to change log-related configuration
endpoint-broker-server.metrics.read Permission to view any metrics that the service exposes
endpoint-broker-server.policy.read Permission to view existing policy details
endpoint-broker-server.process.manage Permission to start and stop the service
endpoint-broker-server.security.manage

Permission to edit security-related resources (passwords, keys, and so on)

endpoint-broker-server.security.read

Permission to view security-related resources

The following table lists the permissions in the Endpoint-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission RA DPOs SOC Mgrs Operators MAs Analysts
endpoint-broker-server*

endpoint-broker-server.agent.manage Yes Yes
endpoint-broker-server.agent.read

Yes

Yes
endpoint-broker-server.configuration.manage
endpoint-broker-server.health.read

endpoint-broker-server.logs.manage
endpoint-broker-server.metrics.read

endpoint-broker-server.policy.read

Yes
endpoint-broker-server.process.manage
endpoint-broker-server.security.manage

endpoint-broker-server.security.read

Endpoint-server

The following table describes the permissions in the Endpoint-server tab.

Permission Description

endpoint-server*

All permissions (everything below)

endpoint-server.agent.manage

Permission to generate and download the agent packager.

Permission to manage the agent, that is start or stop scan, downloading files, master file table (MFT), memory dumps from host, isolate host from network, delete agent data from the Endpoint Log Hybrid and so on.

endpoint-server.agent.read

Permission to view the agent packager configuration.

Permission to view the endpoint data received from the agent such as host, file, certificate, events, and so on.

endpoint-server.agentupdate.manage Permission to upgrade agent and uninstall agent.
endpoint-server.ca.manage

Permission to generate and download the agent packager.

Permission to upgrade agent.

endpoint-server.ca.read

Permission to generate and download the agent packager

endpoint-server.configuration.manage Permission to modify all endpoint configuration parameters
endpoint-server.filter.manage Permission to save, modify, and delete filters
endpoint-server.filter.read Permission to view filters
endpoint-server.health.read Permission to view any health notifications that the service exposes
endpoint-server.logs.manage Permission to change log-related configuration
endpoint-server.metrics.read Permission to view any metrics that the service exposes
endpoint-server.policy.read Permission to view existing policy details

endpoint-server.process.manage

Permission to start and stop the service

endpoint-server.relay.manage Permission to modify Relay Server Configuration

endpoint-server.relay.read

Permissions to view Relay Server details

endpoint-server.security.manage

Permission to edit security-related resources (passwords, keys, and so on)

endpoint-server.security.read

Permission to view security-related resources

The following table lists the permissions in the Endpoint-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission RA DPOs SOC Mgrs Operators MAs Analysts

endpoint-server*

endpoint-server.agent.manage Yes Yes
endpoint-server.agent.read Yes Yes
endpoint-server.agentupdate.manage
endpoint-server.ca.manage Yes

endpoint-server.ca.read

Yes

endpoint-server.configuration.manage
endpoint-server.filter.manage Yes
endpoint-server.filter.read Yes
endpoint-server.health.read

endpoint-server.logs.manage
endpoint-server.metrics.read

endpoint-server.policy.read

Yes

endpoint-server.process.manage

endpoint-server.rar.manage

endpoint-server.rar.read

endpoint-server.relay.manage Yes

endpoint-server.relay.read

Yes

endpoint-server.security.manage

endpoint-server.security.read

Incidents

The following table describes the permissions in the Incidents tab.

Permission Description
Access Incident Module Permission to access the Incident module
Configure Incident Management Integration Permission to configure incident management integration
Delete Alerts and incidents Permission o delete alerts and incidents
Manage Alert Handling Rules Permission to modify the alert handling rules
View and Manage Incidents Permission to modify the incidents

The following table lists the permissions in the Incidents tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
Access Incident Module Yes Yes Yes Yes

Yes

Configure Incident Management Integration Yes Yes Yes
Delete Alerts and incidents Yes Yes

Manage Alert Handling Rules Yes Yes Yes
View and Manage Incidents Yes Yes Yes Yes

Yes

Integration-server

(The Integration-server permissions are available in NetWitness Platform version 11.1 and later.)

The following table describes the permissions in the Integration-server tab.

Permission Description

integration-server.*

All permissions (everything below)

integration-server.api.access Permission to authorize external requests from 3rd party applications
integration-server.configuration.manage Permission to view and modify all service integration configuration parameters
integration-server.health.read Permission to read any health notifications that the service exposes
integration-server.logs.manage Permission to change log-related integration configurations
integration-server.metrics.read Permission to read any metrics that the service exposes
integration-server.notification.manage Permission to change global notification configurations (for example, SMTP server)
integration-server.notification.read Permission to read global notification configurations (for example, SMTP server)
integration-server.notification.send Permission to send notifications (for example, Email)
integration-server.process.manage Permission to start and stop the service
integration-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
integration-server.security.read Permission to read security-related resources
integration-server.template.manage Permission to change notification template
integration-server.template.read Permission to read notification template

The following table lists the permissions in the Integration-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts

integration-server.*

Yes
integration-server.api.access
integration-server.configuration.manage
integration-server.health.read
integration-server.logs.manage
integration-server.metrics.read
integration-server.notification.manage Yes Yes Yes
integration-server.notification.read Yes Yes Yes
integration-server.notification.send Yes Yes Yes
integration-server.process.manage
integration-server.security.manage
integration-server.security.read
integration-server.template.manage Yes Yes Yes
integration-server.template.read Yes Yes Yes

Investigate

The following table describes the permissions in the Investigate tab.

Permission Description
Access Investigation Module Permission to access investigation module
Context Lookup Permission to access context lookup
Create Incidents from Investigation Permission to create incidents from investigation
Manage List from Investigation Permission to modify the list of investigation
Navigate Events Permission to navigate the events
Navigate Values Permission to navigate the values

The following table lists the permissions in the Investigate tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
Access Investigation Module Yes Yes Yes Yes Yes
Context Lookup Yes Yes Yes Yes
Create Incidents from Investigation Yes Yes Yes Yes
Manage List from Investigation Yes Yes Yes Yes
Navigate Events Yes Yes Yes Yes Yes
Navigate Values Yes Yes Yes Yes Yes

Investigate-server

The following table describes the permissions in the Investigate-server tab.

Permission Description
investigate-server.* All permissions (everything below) for 11.4 and above Events view, and 11.3 and earlier Event Analysis view.

investigate-server.column group.read

Permission to access column groups

investigate-server.configuration.manage Permission to change any configuration properties for the service
investigate-server.content.export Permission to export content from the service

investigate-server-content.manage

Permission to clear all per service or per user reconstruction cache

investigate-server.content.reconstruct Permission to view the summary view, the packet, packet map, text, log, and file reconstructions, as well as the packet count

investigate-server.event.filter

Permission to view the Filter Events panel in the Events view

investigate-server.event.read

Permission to view events that the service exposes

investigate-server.health.read Permission to view any health notifications that the service exposes
investigate-server.incident.manage Create or update an incident in Respond
investigate-server.logs.manage Permission to change log-related configuration
investigate-server.metagroup.manage Permission to manage meta groups

investigate-server.metagroup.read

Permission to view and use meta groups

investigate-server.metrics.read Permission to view any metrics that the service exposes
investigate-server.predicate.manage

Permission to edit or remove one or more predicates

investigate-server.predicate.read

Permission to filter events in the Navigate view, Legacy EventsEvents view, and Events view. Note: This permission is required with investigate-server.event.read permission to provide access to the and Events view.

investigate-server.process.manage Permission to start and stop the service
investigate-server.profile.read Permission to access profiles.
investigate-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
investigate-server.security.read Permission to view security-related resources

The following table lists the permissions in the Investigate-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed. The UEBA Analysts and Content Administrators roles have none of these permissions by default and are not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
investigate-server.* Yes

Yes

investigate-server.columngroup.read Yes Yes Yes
investigate-server.configuration.manage
investigate-server.content.export

Yes

Yes

Yes

investigate-server.content.manage

investigate-server.content.reconstruct Yes Yes Yes

investigate-server.event.filter

Yes

Yes

Yes

Yes

Yes

investigate-server.event.read

Yes

Yes

Yes

investigate-server.health.read

investigate-server.incident.manage

Yes

investigate-server.logs.manage

investigate-server.metagroup.manage

investigate-server.metagroup.read

Yes

Yes

Yes

investigate-server.metrics.read

investigate-server.predicate.manage

investigate-server.predicate.read

Yes

Yes

Yes

investigate-server.process.manage

investigate-server.profile.read Yes Yes Yes
investigate-server.security.manage
investigate-server.security.read

License-server

The following table describes the permissions in the License-server tab. The Administrator and Operator have all of the permissions and are the only roles granted permissions by default.

Permission Description
license-server.* All permissions (everything below)
license-server.configuration.manage Permission to modify all service configuration parameters
license-server.health.read Permission to view any health notifications that the service exposes
license-server.license.manage Permission to manage license related configurations
license-server.license.read Permission to view license related configurations
license-server.logs.manage Permission to change log-related configuration
license-server.metrics.read Permission to view any metrics that the service exposes
license-server.process.manage Permission to start and stop the service
license-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
license-server.security.read Permission to view security-related resources

Live

The following table describes the permissions in the Live tab.

Permission Permission
Live
Access Live Module Permission to access live module
Manage Live System Settings Permission to modify the live system settings
Resources
Deploy Live Resources Permission to deploy live resources
Manage Live Feeds Permission to modify live feeds
Manage Live Resources Permission to modify live resources
Search Live Resources Permission to search live resources
View Live Resource Details Permission to view live resource details

The following table lists the permissions in the Live tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
Live

Access Live Module Yes Yes Yes Yes
Manage Live System Settings Yes

Resources
Deploy Live Resources Yes Yes

Manage Live Feeds Yes Yes
Manage Live Resources Yes Yes

Search Live Resources Yes Yes Yes Yes
View Live Resource Details Yes Yes Yes

Malware

The following table describes the permissions in the Malware tab.

Permission Operators
Download Malware File(s) Permission to donwnload the malware files for investigation
Initiate Malware Analysis Scan Permission to start the malware analysis scan
View Malware Analysis Events Permission to view the malware analysis events

The following table lists the permissions in the Malware tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
Download Malware File(s) Yes Yes Yes Yes
Initiate Malware Analysis Scan Yes Yes Yes Yes
View Malware Analysis Events Yes Yes Yes Yes

Metrics-server

The following table describes the permissions in the Metrics-server tab. The Administrators role have all of the permissions and are the only roles granted permissions by default.

Permission Description

metrics-server .*

All permissions (everything below)

metrics-server.configuration.manage Permission to modify all service configuration parameters

metrics-server-content.manage

Permission to modify configuration parameters in the service

metrics-server-content.read Permission to view configuration parameters of the service
metrics-server.health.read Permission to view any health notifications that the service exposes
metrics-server.logs.manage Permission to change log-related configuration
metrics-server.metric.manage Permission to modify all the configuration parameters
metrics-server.metric.read Permission to view configuration of New Health and Wellness
metrics-server.metrics.read Permission to view any metrics that the service exposes
metrics-server.process.manage Permission to start and stop the service
metrics-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
metrics-server.security.read Permission to view security-related resources

The following table lists the permissions in the Metrics-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RA DPOs SOC Mgrs Operator MAs Analysts UEBA Analysts

metrics-server .*

metrics-server.configuration.manage

metrics-server-content.manage

metrics-server-content.read
metrics-server.health.read
metrics-server.logs.manage
metrics-server.metric.manage
metrics-server.metric.read Yes Yes Yes Yes Yes
metrics-server.metrics.read
metrics-server.process.manage
metrics-server.security.manage
metrics-server.security.read

Orchestration-server

The following table describes the permissions in the Orchestration-server tab. The Administrators, Operators, and Data Privacy Officers roles have all of the permissions and are the only roles granted permissions by default.

Permission Description
orchestration-server.* All permissions (everything below)
orchestration-server.configuration.manage Permission to modify all service configuration parameters

orchestration-server.file.read

Permission to view files

orchestration-server.health.read Permission to view any health notifications that the service exposes
orchestration-server.logs.manage Permission to change log-related configuration
orchestration-server.metrics.read Permission to view any metrics that the service exposes
orchestration-server.process.manage Permission to start and stop the service
orchestration-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
orchestration-server.security.read Permission to view security-related resources

Reports

The following table describes the permissions in the Reports tab.

Permission Description
Alert
Define RE Alert Permission to define the RE alerts
Export RE Alert Definition Permission to export the RE alert definistions
Manage RE Alerts Permission to to modify the RE alerts
View RE Alerts Permission to view the RE alerts
View Scheduled RE Alerts Permission to view the scheduled RE alerts
Chart
Define Chart Permission to define the charts
Delete Chart Permission to delete the charts
Export Chart Definition Permission to export the chart definistions
Manage Charts Permission to modify the charts
View Charts Permission to view the charts
List
Define Lists Permission to define the lists
Delete List Permission to delete the lists
Export List Permission to export the lists
Manage Lists Permission to modify the lists
Report
Define Report Permission to define the reports
Delete Report Permission to delete the reports
Export Report Permission to export the reports
Manage Reports Permission to modify the reports
View Reports Permission to view the reports
Reports
Access Configure Permission to access Configure module
Access Reporter Module Permission to access Reporter module
Access Reporter search Permission to access Reporter search
Access View Permission to access Reports view
Rule
Add RE Alert Definition from Rule Permission to add RE alert definition from the rules
Define Rule Permission to define the rules
Delete Rule Permission to delete the rules
Export Rule Permission to export the rules
Manage Rules Permission to modify the rules
View Rule Usage Permission to view the rules usage
Schedules
Define Schedule Permission to define the schedules
Delete Schedule Permission to delete the schedules
View Schedules Permission to view the schedules
Warehouse Analytics
Define Jobs Permission to define the warehouse analytics jobs
Delete Jobs Permission to delete the warehouse analytics jobs
Manage Jobs Permission to modify the warehouse analytics jobs
View Jobs Permission to view the warehouse analytics jobs

The following table lists the permissions in the Reports tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
Alert

Define RE Alert Yes Yes Yes
Export RE Alert Definition

Yes Yes Yes
Manage RE Alerts Yes Yes Yes
View RE Alerts

Yes

Yes Yes Yes
View Scheduled RE Alerts Yes Yes Yes
Chart

Define Chart Yes Yes Yes
Delete Chart

Yes Yes Yes
Export Chart Definition Yes Yes Yes
Manage Charts

Yes Yes Yes
View Charts Yes Yes Yes
List

Define Lists Yes Yes Yes
Delete List

Yes Yes Yes
Export List Yes Yes Yes
Manage Lists

Yes Yes Yes
Report
Define Report

Yes Yes Yes
Delete Report Yes Yes Yes
Export Report

Yes Yes Yes
Manage Reports Yes Yes Yes
View Reports

Yes Yes Yes
Reports
Access Configure

Yes Yes Yes
Access Reporter Module Yes Yes Yes
Access Reporter search

Yes Yes Yes
Access View Yes Yes Yes
Rule

Add RE Alert Definition from Rule Yes Yes Yes
Define Rule

Yes Yes Yes
Delete Rule Yes Yes Yes
Export Rule

Yes Yes Yes
Manage Rules Yes Yes Yes
View Rule Usage

Yes Yes Yes
Schedules
Define Schedule

Yes Yes Yes
Delete Schedule Yes Yes Yes
View Schedules

Yes Yes Yes
Warehouse Analytics
Define Jobs

Yes Yes Yes
Delete Jobs Yes Yes Yes
Manage Jobs

Yes Yes Yes
View Jobs Yes Yes Yes

Respond-server

The following table describes the permissions in the Respond-server tab.

Note: For viewing and managing the Risk Score feature, users who have installed NetWitness Platform 11.3 or upgraded from NetWitness 10.6.x to 11.3, risk score permissions will be already present for Analysts. For users updating from NetWitness 11.x to NetWitness Platform 11.3, the Administrator has to provide Analysts' permissions to manage and view risk score.

Permission Description
respond-server.* All permissions (everything below)
respond-server.alert.delete Permission to delete alerts
respond-server.alert.manage Permission to create, update, or delete alerts and alert filters
respond-server.alert.read Permission to view alerts and alert filters
respond-server.alertrule.manage Permission to create, update, or delete alert aggregation rules
respond-server.alertrule.read Permission to view alert aggregation rules
respond-server.configuration.manage Permission to change any configuration properties for the service
respond-server.health.read Permission to view any health notifications that the service exposes
respond-server.incident.delete Permission to delete incidents
respond-server.incident.manage Permission to create, update, or delete incidents and incident filters including permission to view the Create Incident and Add to Incident options in the Investigate > Events view
respond-server.incident.read Permission to view incidents and incident filters
respond-server.journal.manage Permission to create, update, or delete journal entries for an incident
respond-server.journal.read Permission to view journal entries for an incident
respond-server.logs.manage Permission to change log-related configuration
respond-server.metrics.read Permission to view any metrics that the service exposes
respond-server.notification.manage (This permission is available in NetWitness Platform version 11.1 and later.)
Permission to configure incident email notification settings such as the selected email server, SOC Managers, and who will be sent the notifications (Assignee and SOC Managers)
respond-server.notification.read (This permission is available in NetWitness Platform version 11.1 and later.)
Permission to view incident email notification settings
respond-server.process.manage Permission to start and stop the service
respond-server.remediation.manage Permission to create, update, or delete remediation tasks
respond-server.remediation.read Permission to view remediation tasks

respond-server.risk.manage

Permission to manage risk score

respond-server.risk.read Permission to view risk score
respond-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
respond-server.security.read Permission to view security-related resources

The following table lists the permissions in the Respond-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator has all of the permissions by default and are not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
respond-server.*

Yes

Yes
respond-server.alert.delete
respond-server.alert.manage

Yes Yes Yes
respond-server.alert.read Yes Yes Yes
respond-server.alertrule.manage

Yes
respond-server.alertrule.read Yes
respond-server.configuration.manage

respond-server.health.read
respond-server.incident.delete

respond-server.incident.manage Yes Yes Yes
respond-server.incident.read

Yes Yes Yes
respond-server.journal.manage Yes Yes Yes
respond-server.journal.read

Yes Yes Yes
respond-server.logs.manage
respond-server.metrics.read

respond-server.notification.manage Yes
respond-server.notification.read

Yes
respond-server.process.manage
respond-server.remediation.manage

Yes Yes Yes
respond-server.remediation.read Yes Yes Yes

respond-server.risk.manage

Yes
respond-server.risk.read Yes
respond-server.security.manage

respond-server.security.read

Incident Email Notification Settings Permissions

Note: Incident email notification setting permissions are available in NetWitness Platform version 11.1 and later.
If you are updating from NetWitness Platform version 11.0 to 11.1 or later, you will need to add additional permissions to your existing built-in NetWitness Platform user roles. For all upgrades to 11.1 or later, you will need to add additional permissions to custom roles.

The following permissions are required for Respond Administrators, Data Privacy Officers, and SOC Managers to access Incident Email Notification Settings [ netwitness_configureicon_24x21.png (Configure) > Incident Notifications].

Incidents tab:

  • Configure Incident Management Integration

Respond-server tab:

  • respond-server.notification.manage
  • respond-server.notification.read

Integration-server tab:

  • integration-server.notification.read
  • integration-server.notification.manage

Respond Event Analysis Permissions

Note: The Event Analysis panel in the Respond view is available in NetWitness Platform version 11.2 and later.

The Events panel in the Respond view, formerly known as the Event Analysis panel, shows the Events view from Investigate for specific indicator events. The following permissions are required to view the Events panel in the Respond view. These permissions are provided by default for users with the Analysts role.

Investigate-server tab:

  • investigate-server.event.read
  • investigate-server.content.reconstruct
  • investigate-server.content.export

Administration tab:

  • Access Administration Module

Respond Saved Filter Permissions

Note: Saved filters for the incidents and alerts lists in Respond are available in NetWitness Platform version 11.5 and later.

The following permissions are required for the incidents and alerts filters (Respond > Incidents and Respond > Alerts). The Analysts role has the required Respond filter permissions by default.

Respond-server tab:

  • respond-server.incident.manage

  • respond-server.incident.read

  • respond-server.alert.manage

  • respond-server.alert.read

Security-server

The following table describes the permissions in the Security-server tab. The Administrators, Operators, and Data Privacy Officers roles have all of the permissions and are the only roles granted permissions by default.

Permission Description
security-server.* All permissions (everything below)
security-server.account.manage Permission to view, create, modify, or remove NetWitness Platform local accounts
security-server.account.read Permission to view NetWitness Platform local accounts
security-server.ca.manage Permission to manage NetWitness Platform deployment PKI parameters (for example, sign certificates, and so on)
security-server.ca.read Permission to view NetWitness Platform deployment PKI parameters
security-server.configuration.manage Permission to modify all service configuration parameters
security-server.connection.manage Permission to modify all connection configuration parameters
security-server.health.read Permission to view any health notifications that the service exposes
security-server.logs.manage Permission to change log-related configuration
security-server.metrics.read

Permission to view any metrics that the service exposes

security-server.permission.manage Permission to create or remove NetWitness Platform permissions
security-server.pki.manage Permission to modify all pki configuration parameters
security-server.process.manage Permission to start and stop the service
security-server.role.manage Permission to create, modify, or remove NetWitness Platform roles (for example, add role permissions)
security-server.role.read Permission to view NetWitness Platform role definitions
security-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
security-server.security.read Permission to view security-related resources
security-server.test.manage Permission to modify all test configuration parameters
security-server.user.manage Permission to view, create, modify, or remove NetWitness Platform user profiles
security-server.user.read Permission to view NetWitness Platform user profile details (for example, roles, login times, and so on)

Source-server

The following table describes the permissions in the Source-server tab.

Permission Description
source-server.* All permissions (everything below)
source-server.configuration.manage Permission to change any configuration properties for the service
source-server.group.manage Permission to create and manage USM groups
source-server.group.manage.nopolicy Permission to manage nopolicy
source-server.group.read Permission to view USM groups
source-server.grouppolicy.read Permission to view the canonical groups and policies
source-server.health.read Permission to view any health notifications that the service exposes
source-server.logs.manage Permission to change log-related configuration
source-server.metrics.read Permission to view any metrics that the service exposes
source-server.policy.manage Permission to create and manage USM policies
source-server.policy.read Permission to view USM policies
source-server.process.manage Permission to start and stop the service
source-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
source-server.security.read

Permission to view security-related resources

The following table lists the permissions in the Source-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators and Operators roles have all of the permissions by default and are not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
source-server.*

source-server.configuration.manage
source-server.group.manage

source-server.group.manage.nopolicy
source-server.group.read

Yes

Yes

Yes

source-server.grouppolicy.read
source-server.health.read

source-server.logs.manage
source-server.metrics.read

source-server.policy.manage
source-server.policy.read

Yes

Yes

Yes

source-server.process.manage
source-server.security.manage

source-server.security.read

Springboard

The following table describes the permissions in Springboard tab.

Permission Description
springboard.* All Permissions (everything below)
springboard.manage Permission to manage the Springboard, that is view, add, delete, and rearrange panels, and also restore system default settings.
springboard.read Permission to view Springboard.

The following table lists the permissions in the Springboard tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all the permissions by default and is not listed.

Permissions RAs DPOs SOC
Mgrs
Operators MAs Analysts
springboard.*
springboard.manage
springboard.read Yes Yes Yes Yes