NetWitness Community

Yes

Role Permissions

In NetWitness, user can access each module, dashlet, and view is restricted based on the assigned permissions. You can locate these role permissions in the Add or Edit Roles dialogs accessible from the (Admin) > Security > Roles tab.

In the Add or Edit Role dialogs, the tabs in the Permission section represent different areas of NetWitness and show the available permissions for those areas. For example, the Administration tab shows the permissions available in the Admin view.

Note: There is no Configure tab in the Add/Edit Role dialogs that corresponds to the Configure view. To assign permissions in the Configure view, assign permissions to the views contained within the Configure view: Live Content (Live), Incident Rules (Incidents), Respond Notifications (Incidents, Respond-server, Integration server), ESA Rules (Alerting), Subscriptions (Live), and Custom Feeds (Live).

Note: To the left of the Administration tab is a tab marked with an asterisk (*). This tab indicates access to management of backend services only.

The tables that follow show the default permissions assigned to each NetWitness user role:

Administrators
Respond Administrators (RAs)
Reporting Engine Content Administrators (RE CAs)
Data Privacy Officers (DPOs)
SOC Managers (SOC Mgrs)
Operators
Malware Analysts (MAs)
Analysts
UEBA Analysts

Since the Administrators role has all of the permissions by default, it is not included in the tables.

Service Permissions Format for New Services

The service permissions for some new NetWitness services contain three parts in the following format:

<service name>.<resource>.<action>

For example, for the investigate-server.metrics.read permission:

service name = investigate-server
resource = metrics
action = read

Users assigned this permission can read any metrics that the investigate-server service exposes.

Admin-server

The following table describes the permissions in the Admin-server tab.

Permission	Description
admin-server.configuration.manage	Permission to modify all service configuration parameters
admin-server.health.read	Permission to view any health notifications that the service exposes
admin-server.logs.manage	Permission to change log-related configuration
admin-server.metrics.read	Permission to view any metrics that the service exposes
admin-server.process.manage	Permission to start and stop the service
admin-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
admin-server.security.read	Permission to view security-related resources

Administration

The following table describes the list of permissions in Administration tab.

Permission	Description
Access Administration Module	Permission to access all the administration modules
Access Health & Wellness	Permission to access the health and wellness module
Apply System Updates	Permission to update the system
Can Opt In to Live Intelligence Sharing	Permission to opt for Live Intelligence sharing
Manage Advanced Settings	Permission to modify the advanced settings
Manage ATD Settings	Permission to modify the ATD settings
Manage Auditing	Permission to modify the auditing
Manage Email	Permission to change the email settings
Manage Global Auditing	Permission to modify global auditing
Manage Health & Wellness Policy	Permission to update the health & wellness policy
Manage Jobs	Permission to change the job settings
Manage LLS	Permission to modify LLS
Manage Logs	Permission to modify log related configurations
Manage Notifications	Permission to change notification settings
Manage Plugins	Permission to modify the plugins
Manage Predicates	Permission to modify the predicates
Manage Reconstruction	Permission to change the reconstruction
Manage Security	Permission to update the security settings
Manage Services	Permission to start and stop the services
Manage SSL Security	Permission to manage PKI setting
Manage System Settings	Permission to the modify the system settings
Modify ESA Settings	Permission to modify the ESA settings
Modify Event Sources	Permission to modify the ESA sources
Modify Hosts	Permission to modify the hosts
Modify Services	Permission to modify the services
View Event Sources	Permission to view the event sources
View Health & Wellness Policy	Permission to view the health & wellness policy
View Health & Wellness Stats Browser	Permission to view the health and wellness status in the browser
View Hosts	Permission to view the hosts
View Services	Permission to view the services
View Unified Sources	Permission to view the unified sources

The following table lists the permissions in the Administration tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	Operators	MAs	Analysts
Access Administration Module		Yes	Yes	Yes	Yes	Yes
Access Health & Wellness		Yes	Yes	Yes	Yes	Yes
Apply System Updates				Yes
Can Opt In to Live Intelligence Sharing				Yes
Manage Advanced Settings				Yes
Manage ATD Settings	Yes	Yes	Yes	Yes
Manage Auditing		Yes		Yes
Manage Email				Yes
Manage Global Auditing		Yes		Yes
Manage Health & Wellness Policy				Yes
Manage Jobs		Yes	Yes	Yes
Manage LLS				Yes
Manage Logs		Yes		Yes
Manage Notifications				Yes
Manage Plugins		Yes	Yes	Yes		Yes
Manage Predicates				Yes
Manage Reconstruction				Yes
Manage Security		Yes		Yes
Manage Services		Yes		Yes
Manage SSL Security
Manage System Settings		Yes	Yes	Yes		Yes
Modify ESA Settings				Yes
Modify Event Sources				Yes
Modify Hosts				Yes
Modify Services		Yes		Yes
View Event Sources			Yes	Yes
View Health & Wellness Policy			Yes	Yes		Yes
View Health & Wellness Stats Browser		Yes	Yes	Yes		Yes
View Hosts		Yes		Yes
View Services		Yes		Yes
View Unified Sources		Yes	Yes	Yes		Yes

Alerting

The following table describes the permissions in the Alerting tab.

Permission	Description
Access Alerting Module	Permission to access the alerting module
Manage Rules	Permission to update the rules
View Alerts	Permission to view the alerts
View Rules	Permission to view the rules

The following table lists the permissions in the Alerting tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	Operators	Analysts
Access Alerting Module	Yes	Yes	Yes	Yes	Yes
Manage Rules	Yes	Yes	Yes	Yes
View Alerts	Yes	Yes	Yes		Yes
View Rules		Yes	Yes	Yes

Cloud-connector-server

The following table describes the permissions in the Cloud-connector-server tab. The Administrators role has all of the permissions and is the only role granted permissions by default.

Permission	Description
Cloud-connector-server.*	All permissions (everything below)
cloud-connector-server.networkasset.read	Permission to view all the network assets data on the Assets page
cloud-connector-server.query.read	Permission to view the queries of the assets
cloud-connector-server.filter.read	Permission to save, modify, and delete filters

The following table lists the permissions in the Cloud-connector-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed

Permission	RA	DPOs	SOC Mgrs	Operators	MAs	Analysts
Cloud-connector-server*
cloud-connector-server.networkasset.read						Yes
cloud-connector-server.query.read						Yes
cloud-connector-server.filter.read						Yes

Config-server

The following table describes the permissions in the Config-server tab. The Administrators role has all of the permissions and is the only role granted permissions by default.

Permission	Description
config-server.*	All permissions (everything below)
config-server.configuration.manage	Permission to modify all service configuration parameters
config-server.health.read	Permission to view any health notifications that the service exposes
config-server.logs.manage	Permission to change log-related configuration
config-server.metrics.read	Permission to view any metrics that the service exposes
config-server.process.manage	Permission to start and stop the service
config-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
config-server.security.read	Permission to view security-related resources

Content-server

The following table describes the permissions in the Content-server tab.

Permission	Description
content-server.*	All permissions (everything below)
content-server.collection.read	Permission to read selective collection content
content-server.configuration.manage	Permission to modify all service configuration parameters
content-server.health.read	Permission to view any health notifications that the service exposes
content-server.logparser.manage	Permission to manage log parser configurations
content-server.logparser.read	Permission to view log parser configurations
content-server.logs.manage	Permission to change log-related configuration
content-server.metrics.read	Permission to view any metrics that the service exposes
content-server.policy.read	Permission to read policies
content-server.process.manage	Permission to start and stop the service
content-server.rule.manage	Permission to manage content rules
content-server.rule.read	Permission to view content rules
content-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
content-server.security.read	Permission to view security-related resources

The following table lists the permissions in the Content-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission	DPOs	SOC Mgrs	Operators	Analysts
content-server.*	Yes		Yes
content-server.collection.read
content-server.configuration.manage
content-server.health.read
content-server.logparser.manage
content-server.logparser.read		Yes		Yes
content-server.logs.manage
content-server.metrics.read
content-server.policy.read
content-server.process.manage
content-server.rule.manage
content-server.rule.read
content-server.security.manage
content-server.security.read

Contexthub-server

The following table describes the permissions in the Contexthub-server tab.

Permission	Description
contexthub-server.*	All permissions (everything below)
contexthub-server.configuration.manage	Permission to modify all service configuration parameters
contexthub-server.connection.manage	Permission to modify all connection settings
contexthub-server.connection.read	Permission to view all connection settings
contexthub-server.connectiontypes.read	Permission to view all configured connection types
contexthub-server.datasource.manage	Permission to modify data source settings
contexthub-server.datasource.read	Permission to view data source settings
contexthub-server.health.read	Permission to view any health notifications that the service exposes
contexthub-server.listentries.manage	Permission to modify list entries
contexthub-server.logs.manage	Permission to change log-related configuration
contexthub-server.metrics.read	Permission to view any metrics that the service exposes
contexthub-server.process.manage	Permission to start and stop the service
contexthub-server.query.read	Permission to view queries
contexthub-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
contexthub-server.security.read	Permission to view security-related resources
contexthub-server.stix.read	Permission to view stix settings
contexthub-server.taxiidatasource.manage	Permission to modify settings for the taxii data source
contexthub-server.taxiidatasource.read	Permission to view settings for the taxii data source
contexthub-server.contextlookup.read	Permission to enable or disable the context lookup and perform Add/Remove from List actions on the Users, Hosts, Files, Respond, and Investigate Events view.

The following table lists the permissions in the Contexthub-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	MAs	Analysts
contexthub-server.*		Yes
contexthub-server.configuration.manage
contexthub-server.connection.manage
contexthub-server.connection.read	Yes		Yes	Yes	Yes
contexthub-server.connectiontypes.read			Yes
contexthub-server.datasource.manage	Yes		Yes	Yes	Yes
contexthub-server.datasource.read	Yes		Yes	Yes	Yes
contexthub-server.health.read
contexthub-server.listentries.manage	Yes		Yes	Yes	Yes
contexthub-server.logs.manage
contexthub-server.metrics.read
contexthub-server.process.manage
contexthub-server.query.read	Yes		Yes	Yes	Yes
contexthub-server.security.manage
contexthub-server.security.read
contexthub-server.stix.read			Yes	Yes	Yes
contexthub-server.taxiidatasource.manage			Yes	Yes	Yes
contexthub-server.taxiidatasource.read			Yes	Yes	Yes
contexthub-server.contextlookup.read	Yes		Yes	Yes	Yes

Correlation-server

The following table describes the permissions in the Correlation-server tab. These permissions pertain to ESA Correlation.

Permission	Description
correlation-server.*	All permissions (everything below)
correlation-server.configuration.manage	Permission to modify all service configuration parameters
correlation-server.endpoint.manage	Permission to modify all endpoint configuration parameters
correlation-server.endpoint.read	Permission to view all endpoint configuration parameters
correlation-server.engine.manage	Permission to modify all engine configuration parameters
correlation-server.engine.read	Permission to view all engine configuration parameters
correlation-server.esperrule.manage	Permission to modify all esperrule configuration parameters
correlation-server.esperrule.read	Permission to view all esperrule configuration parameters
correlation-server.health.read	Permission to view any health notifications that the service exposes
correlation-server.keyvaluerule.manage	Permission to modify all keyvaluerule configuration parameters
correlation-server.keyvaluerule.read	Permission to view all keyvaluerule configuration parameters
correlation-server.logs.manage	Permission to change log-related configuration
correlation-server.metrics.read	Permission to view any metrics that the service exposes
correlation-server.module.manage	Permission to modify each module
correlation-server.module.read	Permission to view each module
correlation-server.process.manage	Permission to start and stop the service
correlation-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
correlation-server.security.read	Permission to view security-related resources
correlation-server.stream.manage	Permission to edit stream configuration settings
correlation-server.stream.read	Permission to view stream configuration settings
correlation-server.telemetry.read	Permission to view telemetry configuration settings

The following table lists the permissions in the Correlation-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	Operators
correlation-server.*		Yes
correlation-server.configuration.manage
correlation-server.endpoint.manage
correlation-server.endpoint.read
correlation-server.engine.manage	Yes		Yes	Yes
correlation-server.engine.read	Yes		Yes	Yes
correlation-server.esperrule.manage
correlation-server.esperrule.read
correlation-server.health.read
correlation-server.keyvaluerule.manage
correlation-server.keyvaluerule.read
correlation-server.logs.manage
correlation-server.metrics.read
correlation-server.module.manage	Yes		Yes	Yes
correlation-server.module.read	Yes		Yes	Yes
correlation-server.process.manage
correlation-server.security.manage
correlation-server.security.read
correlation-server.stream.manage	Yes		Yes	Yes
correlation-server.stream.read	Yes		Yes	Yes
correlation-server.telemetry.read

Dashboard

The following table describes the permissions in the Dashboard tab.

Permission	Description
Dashlet Access - Admin Device List Dashlet	Permission to access Admin Device List Dashlet
Dashlet Access - Admin Device Monitor Dashlet	Permission to access Admin Device Monitor Dashlet
Dashlet Access - Admin News Dashlet	Permission to access Admin News Dashlet
Dashlet Access - Alert Variance Dashlet	Permission to access Alert Variance Dashlet
Dashlet Access - Alerting Recent Alerts Dashlet	Permission to access Alerting Recent Alerts Dashlet
Dashlet Access - Investigation Jobs Dashlet	Permission to access Investigation Jobs Dashlet
Dashlet Access - Investigation Top Values Dashlet	Permission to access Investigation Top Values Dashlet
Dashlet Access - Live Featured Resources Dashlet	Permission to access Live Featured Resources Dashlet
Dashlet Access - Live New Resources Dashlet	Permission to access Live New Resources Dashlet
Dashlet Access - Live Subscriptions Dashlet	Permission to access Live Subscriptions Dashlet
Dashlet Access - Live Updated Resources Dashlet	Permission to access Live Updated Resources Dashlet
Dashlet Access - Malware Jobs Dashlet	Permission to access Malware Jobs Dashlet
Dashlet Access - Reporting Recent Report Dashlet	Permission to access Reporting Recent Report Dashlet
Dashlet Access - Reporting Charts Dashlet	Permission to access Reporting Charts Dashlet
Dashlet Access - Top Alerts Dashlet	Permission to access Top Alerts Dashlet
Dashlet Access - Unified First Watch Dashlet	Permission to access Unified First Watch Dashlet
Dashlet Access - Unified Shortcuts Dashlet	Permission to access Unified Shortcuts Dashlet

The following table lists the permissions in the Dashboard tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	RA	DPOs	SOC Mgrs	Operators	Analysts
Dashlet Access - Admin Device List Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Admin Device Monitor Dashlet		Yes
Dashlet Access - Admin News Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Alert Variance Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Alerting Recent Alerts Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Investigation Jobs Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Investigation Top Values Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Live Featured Resources Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Live New Resources Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Live Subscriptions Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Live Updated Resources Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Malware Jobs Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Reporting Recent Report Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Reporting Charts Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Top Alerts Dashlet	Yes	Yes	Yes		Yes
Dashlet Access - Unified First Watch Dashlet	Yes	Yes	Yes	Yes	Yes
Dashlet Access - Unified Shortcuts Dashlet	Yes	Yes	Yes	Yes	Yes

Endpoint-broker-server

The following table describes the permissions in the Endpoint Broker server tab.

Permission	Description
endpoint-broker-server*	All permissions (everything below)
endpoint-broker-server.agent.manage	Permission to manage the agent, that is start or stop scan, downloading file from host, delete agent data from the Endpoint Log Hybrid and so on.
endpoint-broker-server.agent.read	Permission to view the endpoint data received from the agent such as host, file, certificate, events and so on.
endpoint-broker-server.configuration.manage	Permission to modify all endpoint broker configuration parameters
endpoint-broker-server.health.read	Permission to view any health notifications that the service exposes
endpoint-broker-server.logs.manage	Permission to change log-related configuration
endpoint-broker-server.metrics.read	Permission to view any metrics that the service exposes
endpoint-broker-server.policy.read	Permission to view existing policy details
endpoint-broker-server.process.manage	Permission to start and stop the service
endpoint-broker-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
endpoint-broker-server.security.read	Permission to view security-related resources

The following table lists the permissions in the Endpoint-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission	Operators	Analysts
endpoint-broker-server*
endpoint-broker-server.agent.manage	Yes	Yes
endpoint-broker-server.agent.read	Yes	Yes
endpoint-broker-server.configuration.manage
endpoint-broker-server.health.read
endpoint-broker-server.logs.manage
endpoint-broker-server.metrics.read
endpoint-broker-server.policy.read		Yes
endpoint-broker-server.process.manage
endpoint-broker-server.security.manage
endpoint-broker-server.security.read

Endpoint-serverEndpoint-server

The following table describes the permissions in the Endpoint-server tab.

Permission	Description
endpoint-server*	All permissions (everything below)
endpoint-server.agent.manage	Permission to generate and download the agent packager. Permission to manage the agent, that is start or stop scan, downloading files, master file table (MFT), memory dumps from host, isolate host from network, delete agent data from the Endpoint Log Hybrid and so on Note: Analyze file, Scan With OPSWAT, Save Local Copy have been moved to endpoint-server.file.analyze (from version 11.7)
endpoint-server.agent.read	Permission to view the agent packager configuration Permission to view the endpoint data received from the agent such as host, file, certificate, events, and so on
endpoint-server.agentupdate.manage	Permission to upgrade agent and uninstall agent
endpoint-server.ca.manage	Permission to generate and download the agent packager Permission to upgrade agent
endpoint-server.ca.read	Permission to generate and download the agent packager
endpoint-server.configuration.manage	Permission to modify all endpoint configuration parameters
endpoint-server.file.analyze	Permission to analyze file, save local copy, and initiate OPSWAT scans
endpoint-server.filter.manage	Permission to save, modify, and delete filters
endpoint-server.filter.read	Permission to view filters
endpoint-server.health.read	Permission to view any health notifications that the service exposes
endpoint-server.logs.manage	Permission to change log-related configuration
endpoint-server.metrics.read	Permission to view any metrics that the service exposes
endpoint-server.policy.read	Permission to view existing policy details
endpoint-server.process.manage	Permission to start and stop the service
endpoint-server.relay.manage	Permission to modify Relay Server Configuration
endpoint-server.relay.read	Permissions to view Relay Server details
endpoint-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
endpoint-server.security.read	Permission to view security-related resources
endpoint-server.tag.manage	Permission to manage Tags (Create and Delete)

The following table lists the permissions in the Endpoint-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission	Operators	Analysts
endpoint-server*
endpoint-server.agent.manage	Yes	Yes
endpoint-server.agent.read	Yes	Yes
endpoint-server.agentupdate.manage
endpoint-server.ca.manage	Yes
endpoint-server.ca.read	Yes
endpoint-server.configuration.manage
endpoint-server.filter.manage		Yes
endpoint-server.filter.read		Yes
endpoint-server.health.read
endpoint-server.logs.manage
endpoint-server.metrics.read
endpoint-server.policy.read		Yes
endpoint-server.process.manage
endpoint-server.rar.manage
endpoint-server.rar.read
endpoint-server.relay.manage	Yes
endpoint-server.relay.read	Yes
endpoint-server.security.manage
endpoint-server.security.read

Incidents

The following table describes the permissions in the Incidents tab.

Permission	Description
Access Incident Module	Permission to access the Incident module
Configure Incident Management Integration	Permission to configure incident management integration
Delete Alerts and incidents	Permission o delete alerts and incidents
Manage Alert Handling Rules	Permission to modify the alert handling rules
View and Manage Incidents	Permission to modify the incidents

The following table lists the permissions in the Incidents tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	MAs	Analysts
Access Incident Module	Yes	Yes	Yes	Yes	Yes
Configure Incident Management Integration	Yes	Yes	Yes
Delete Alerts and incidents	Yes	Yes
Manage Alert Handling Rules	Yes	Yes	Yes
View and Manage Incidents	Yes	Yes	Yes	Yes	Yes

Integration-server

(The Integration-server permissions are available in NetWitness version 11.1 and later.)

The following table describes the permissions in the Integration-server tab.

Permission	Description
integration-server.*	All permissions (everything below)
integration-server.api.access	Permission to authorize external requests from 3rd party applications
integration-server.configuration.manage	Permission to view and modify all service integration configuration parameters
integration-server.health.read	Permission to read any health notifications that the service exposes
integration-server.logs.manage	Permission to change log-related integration configurations
integration-server.metrics.read	Permission to read any metrics that the service exposes
integration-server.notification.manage	Permission to change global notification configurations (for example, SMTP server)
integration-server.notification.read	Permission to read global notification configurations (for example, SMTP server)
integration-server.notification.send	Permission to send notifications (for example, Email)
integration-server.process.manage	Permission to start and stop the service
integration-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
integration-server.security.read	Permission to read security-related resources
integration-server.template.manage	Permission to change notification template
integration-server.template.read	Permission to read notification template

The following table lists the permissions in the Integration-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	Operators
integration-server.*		Yes
integration-server.api.access
integration-server.configuration.manage
integration-server.health.read
integration-server.logs.manage
integration-server.metrics.read
integration-server.notification.manage	Yes		Yes	Yes
integration-server.notification.read	Yes		Yes	Yes
integration-server.notification.send	Yes		Yes	Yes
integration-server.process.manage
integration-server.security.manage
integration-server.security.read
integration-server.template.manage	Yes		Yes	Yes
integration-server.template.read	Yes		Yes	Yes

Investigate

The following table describes the permissions in the Investigate tab.

Permission	Description
Access Investigation Module	Permission to access investigation module
Context Lookup	Permission to access context lookup
Create Incidents from Investigation	Permission to create incidents from investigation
Manage List from Investigation	Permission to modify the list of investigation
Navigate Events	Permission to navigate the events
Navigate Values	Permission to navigate the values

The following table lists the permissions in the Investigate tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	MAs	Analysts
Access Investigation Module	Yes	Yes	Yes	Yes	Yes
Context Lookup	Yes		Yes	Yes	Yes
Create Incidents from Investigation	Yes		Yes	Yes	Yes
Manage List from Investigation	Yes		Yes	Yes	Yes
Navigate Events	Yes	Yes	Yes	Yes	Yes
Navigate Values	Yes	Yes	Yes	Yes	Yes

Investigate-server

The following table describes the permissions in the Investigate-server tab.

Permission	Description
investigate-server.*	All permissions (everything below) for 11.4 and above Events view, and 11.3 and earlier Event Analysis view.
investigate-server.column group.read	Permission to access column groups
investigate-server.configuration.manage	Permission to change any configuration properties for the service
investigate-server.content.export	Permission to export content from the service
investigate-server-content.manage	Permission to clear all per service or per user reconstruction cache
investigate-server.content.reconstruct	Permission to view the summary view, the packet, packet map, text, log, and file reconstructions, as well as the packet count
investigate-server.event.filter	Permission to view the Filter Events panel in the Events view
investigate-server.event.read	Permission to view events that the service exposes
investigate-server.health.read	Permission to view any health notifications that the service exposes
investigate-server.incident.manage	Create or update an incident in Respond
investigate-server.logs.manage	Permission to change log-related configuration
investigate-server.metagroup.manage	Permission to manage meta groups
investigate-server.metagroup.read	Permission to view and use meta groups
investigate-server.metrics.read	Permission to view any metrics that the service exposes
investigate-server.predicate.manage	Permission to edit or remove one or more predicates
investigate-server.predicate.read	Permission to filter events in the Navigate view, Legacy EventsEvents view, and Events view. Note: This permission is required with investigate-server.event.read permission to provide access to the and Events view.
investigate-server.process.manage	Permission to start and stop the service
investigate-server.profile.read	Permission to access profiles.
investigate-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
investigate-server.security.read	Permission to view security-related resources
investigate-server.alert.manage	Permission to create alert from Investigate Events view.
investigate-server.searchpatternrule.manage	Permission to create search pattern from Investigate Events view.

The following table lists the permissions in the Investigate-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed. The UEBA Analysts and Content Administrators roles have none of these permissions by default and are not listed.

Permission	RAs	DPOs	SOC Mgrs	MAs	Analysts
investigate-server.*	Yes	Yes
investigate-server.columngroup.read			Yes	Yes	Yes
investigate-server.configuration.manage
investigate-server.content.export			Yes	Yes	Yes
investigate-server.content.manage
investigate-server.content.reconstruct			Yes	Yes	Yes
investigate-server.event.filter	Yes	Yes	Yes	Yes	Yes
investigate-server.event.read			Yes	Yes	Yes
investigate-server.health.read
investigate-server.incident.manage					Yes
investigate-server.logs.manage
investigate-server.metagroup.manage
investigate-server.metagroup.read			Yes	Yes	Yes
investigate-server.metrics.read
investigate-server.predicate.manage
investigate-server.predicate.read			Yes	Yes	Yes
investigate-server.process.manage
investigate-server.profile.read			Yes	Yes	Yes
investigate-server.security.manage
investigate-server.security.read
investigate-server.alert.manage
investigate-server.searchpatternrule.manage

License-server

The following table describes the permissions in the License-server tab. The Administrator and Operator have all of the permissions and are the only roles granted permissions by default.

Permission	Description
license-server.*	All permissions (everything below)
license-server.configuration.manage	Permission to modify all service configuration parameters
license-server.health.read	Permission to view any health notifications that the service exposes
license-server.license.manage	Permission to manage license related configurations
license-server.license.read	Permission to view license related configurations
license-server.logs.manage	Permission to change log-related configuration
license-server.metrics.read	Permission to view any metrics that the service exposes
license-server.process.manage	Permission to start and stop the service
license-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
license-server.security.read	Permission to view security-related resources

Live

The following table describes the permissions in the Live tab.

Permission	Permission
Live
Access Live Module	Permission to access live module
Manage Live System Settings	Permission to modify the live system settings
Resources
Deploy Live Resources	Permission to deploy live resources
Manage Live Feeds	Permission to modify live feeds
Manage Live Resources	Permission to modify live resources
Search Live Resources	Permission to search live resources
View Live Resource Details	Permission to view live resource details

The following table lists the permissions in the Live tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	DPOs	SOC Mgrs	Operators	Analysts
Live
Access Live Module	Yes	Yes	Yes	Yes
Manage Live System Settings			Yes
Resources
Deploy Live Resources	Yes		Yes
Manage Live Feeds	Yes		Yes
Manage Live Resources	Yes		Yes
Search Live Resources	Yes	Yes	Yes	Yes
View Live Resource Details	Yes	Yes	Yes

Malware

The following table describes the permissions in the Malware tab.

Permission	Operators
Download Malware File(s)	Permission to download the malware files for investigation
Initiate Malware Analysis Scan	Permission to start the malware analysis scan
View Malware Analysis Events	Permission to view the malware analysis events

The following table lists the permissions in the Malware tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	DPOs	SOC Mgrs	MAs	Analysts
Download Malware File(s)	Yes	Yes	Yes	Yes
Initiate Malware Analysis Scan	Yes	Yes	Yes	Yes
View Malware Analysis Events	Yes	Yes	Yes	Yes

Metrics-server

The following table describes the permissions in the Metrics-server tab. The Administrators role have all of the permissions and are the only roles granted permissions by default.

Permission	Description
metrics-server .*	All permissions (everything below)
metrics-server.configuration.manage	Permission to modify all service configuration parameters
metrics-server-content.manage	Permission to modify configuration parameters in the service
metrics-server-content.read	Permission to view configuration parameters of the service
metrics-server.health.read	Permission to view any health notifications that the service exposes
metrics-server.logs.manage	Permission to change log-related configuration
metrics-server.metric.manage	Permission to modify all the configuration parameters
metrics-server.metric.read	Permission to view configuration of New Health and Wellness
metrics-server.metrics.read	Permission to view any metrics that the service exposes
metrics-server.process.manage	Permission to start and stop the service
metrics-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
metrics-server.security.read	Permission to view security-related resources

The following table lists the permissions in the Metrics-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	DPOs	SOC Mgrs	Operator	MAs	Analysts
metrics-server .*
metrics-server.configuration.manage
metrics-server-content.manage
metrics-server-content.read
metrics-server.health.read
metrics-server.logs.manage
metrics-server.metric.manage
metrics-server.metric.read	Yes	Yes	Yes	Yes	Yes
metrics-server.metrics.read
metrics-server.process.manage
metrics-server.security.manage
metrics-server.security.read

Navigation

The following table describes the permissions in the Navigation tab. The Administrators role have all of the permissions and are the only roles granted permissions by default.

Permission	Description
navigation .*	All permissions (everything below)
navigation.homepage-admin-view.manage	Permission to manage the Admin view under Home page, that is view, add, delete, and rearrange widgets, and also restore the dashboard to default configuration view.
navigation.homepage-admin-view.read	Permission to view Admin view widgets under Home page
navigation.homepage-analyst-view.manage	Permission to manage the Analyst view under Home page, that is view, add, delete, and rearrange widgets, and also restore the dashboard to default configuration view.
navigation.homepage-analyst-view.read	Permission to view Analyst view widgets under Home page
navigation.homepage-manager-view.manage	Permission to manage the Manager view under Home page, that is view, add, delete, and rearrange widgets, and also restore the dashboard to default configuration view.
navigation.homepage-manager-view.read	Permission to view Manager view widgets under Home page

The following table lists the permissions in the Navigation tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	SOC Mgrs	Analysts
navigation .*
navigation.homepage-admin-view.manage
navigation.homepage-admin-view.read
navigation.homepage-analyst-view.manage		Yes
navigation.homepage-analyst-view.read		Yes
navigation.homepage-manager-view.manage	Yes
navigation.homepage-manager-view.read	Yes

Orchestration-server

The following table describes the permissions in the Orchestration-server tab. The Administrators, Operators, and Data Privacy Officers roles have all of the permissions and are the only roles granted permissions by default.

Permission	Description
orchestration-server.*	All permissions (everything below)
orchestration-server.configuration.manage	Permission to modify all service configuration parameters
orchestration-server.file.read	Permission to view files
orchestration-server.health.read	Permission to view any health notifications that the service exposes
orchestration-server.logs.manage	Permission to change log-related configuration
orchestration-server.metrics.read	Permission to view any metrics that the service exposes
orchestration-server.process.manage	Permission to start and stop the service
orchestration-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
orchestration-server.security.read	Permission to view security-related resources

Reports

The following table describes the permissions in the Reports tab.

Permission	Description
Alert
Define RE Alert	Permission to define the RE alerts
Export RE Alert Definition	Permission to export the RE alert definistions
Manage RE Alerts	Permission to to modify the RE alerts
View RE Alerts	Permission to view the RE alerts
View Scheduled RE Alerts	Permission to view the scheduled RE alerts
Chart
Define Chart	Permission to define the charts
Delete Chart	Permission to delete the charts
Export Chart Definition	Permission to export the chart definitions
Manage Charts	Permission to modify the charts
View Charts	Permission to view the charts
List
Define Lists	Permission to define the lists
Delete List	Permission to delete the lists
Export List	Permission to export the lists
Manage Lists	Permission to modify the lists
Report
Define Report	Permission to define the reports
Delete Report	Permission to delete the reports
Export Report	Permission to export the reports
Manage Reports	Permission to modify the reports
View Reports	Permission to view the reports
Reports
Access Configure	Permission to access Configure module
Access Reporter Module	Permission to access Reporter module
Access Reporter search	Permission to access Reporter search
Access View	Permission to access Reports view
Rule
Add RE Alert Definition from Rule	Permission to add RE alert definition from the rules
Define Rule	Permission to define the rules
Delete Rule	Permission to delete the rules
Export Rule	Permission to export the rules
Manage Rules	Permission to modify the rules
View Rule Usage	Permission to view the rules usage
Schedules
Define Schedule	Permission to define the schedules
Delete Schedule	Permission to delete the schedules
View Schedules	Permission to view the schedules
Warehouse Analytics
Define Jobs	Permission to define the warehouse analytics jobs
Delete Jobs	Permission to delete the warehouse analytics jobs
Manage Jobs	Permission to modify the warehouse analytics jobs
View Jobs	Permission to view the warehouse analytics jobs

The following table lists the permissions in the Reports tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission	RAs	DPOs	SOC Mgrs	Analysts
Alert
Define RE Alert		Yes	Yes	Yes
Export RE Alert Definition		Yes	Yes	Yes
Manage RE Alerts		Yes	Yes	Yes
View RE Alerts	Yes	Yes	Yes	Yes
View Scheduled RE Alerts		Yes	Yes	Yes
Chart
Define Chart		Yes	Yes	Yes
Delete Chart		Yes	Yes	Yes
Export Chart Definition		Yes	Yes	Yes
Manage Charts		Yes	Yes	Yes
View Charts		Yes	Yes	Yes
List
Define Lists		Yes	Yes	Yes
Delete List		Yes	Yes	Yes
Export List		Yes	Yes	Yes
Manage Lists		Yes	Yes	Yes
Report
Define Report		Yes	Yes	Yes
Delete Report		Yes	Yes	Yes
Export Report		Yes	Yes	Yes
Manage Reports		Yes	Yes	Yes
View Reports		Yes	Yes	Yes
Reports
Access Configure		Yes	Yes	Yes
Access Reporter Module		Yes	Yes	Yes
Access Reporter search		Yes	Yes	Yes
Access View		Yes	Yes	Yes
Rule
Add RE Alert Definition from Rule		Yes	Yes	Yes
Define Rule		Yes	Yes	Yes
Delete Rule		Yes	Yes	Yes
Export Rule		Yes	Yes	Yes
Manage Rules		Yes	Yes	Yes
View Rule Usage		Yes	Yes	Yes
Schedules
Define Schedule		Yes	Yes	Yes
Delete Schedule		Yes	Yes	Yes
View Schedules		Yes	Yes	Yes
Warehouse Analytics
Define Jobs		Yes	Yes	Yes
Delete Jobs		Yes	Yes	Yes
Manage Jobs		Yes	Yes	Yes
View Jobs		Yes	Yes	Yes

Respond-serverRespond-server

The following table describes the permissions in the Respond-server tab.

Note: For viewing and managing the Risk Score feature, users who have installed NetWitness Platform 11.3 or upgraded from NetWitness 10.6.x to 11.3, risk score permissions will be already present for Analysts. For users updating from NetWitness 11.x to NetWitness Platform 11.3, the Administrator has to provide Analysts' permissions to manage and view risk score.

Permission	Description
respond-server.*	All permissions (everything below)
respond-server.alert.delete	Permission to delete alerts
respond-server.alert.manage	Permission to create, update, or delete alerts and alert filters
respond-server.alert.read	Permission to view alerts and alert filters
respond-server.alertrule.manage	Permission to create, update, or delete alert aggregation rules
respond-server.alertrule.read	Permission to view alert aggregation rules
respond-server.configuration.manage	Permission to change any configuration properties for the service
respond-server.health.read	Permission to view any health notifications that the service exposes
respond-server.incident.delete	Permission to delete incidents
respond-server.incident.manage	Permission to create, update, or delete incidents and incident filters including permission to view the Create Incident and Add to Incident options in the Investigate > Events view
respond-server.incident.read	Permission to view incidents and incident filters
respond-server.journal.manage	Permission to create, update, or delete journal entries for an incident
respond-server.journal.read	Permission to view journal entries for an incident
respond-server.logs.manage	Permission to change log-related configuration
respond-server.metrics.read	Permission to view any metrics that the service exposes
respond-server.notification.manage	(This permission is available in NetWitness version 11.1 and later.) Permission to configure incident email notification settings such as the selected email server, SOC Managers, and who will be sent the notifications (Assignee and SOC Managers)
respond-server.notification.read	(This permission is available in NetWitness version 11.1 and later.) Permission to view incident email notification settings
respond-server.process.manage	Permission to start and stop the service
respond-server.remediation.manage	Permission to create, update, or delete remediation tasks
respond-server.remediation.read	Permission to view remediation tasks
respond-server.risk.manage	Permission to manage risk score
respond-server.risk.read	Permission to view risk score
respond-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
respond-server.security.read	Permission to view security-related resources

The following table lists the permissions in the Respond-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator has all of the permissions by default and are not listed.

Permission	RAs	DPOs	SOC Mgrs	MAs	Analysts
respond-server.*	Yes	Yes
respond-server.alert.delete
respond-server.alert.manage			Yes	Yes	Yes
respond-server.alert.read			Yes	Yes	Yes
respond-server.alertrule.manage			Yes
respond-server.alertrule.read			Yes
respond-server.configuration.manage
respond-server.health.read
respond-server.incident.delete
respond-server.incident.manage			Yes	Yes	Yes
respond-server.incident.read			Yes	Yes	Yes
respond-server.journal.manage			Yes	Yes	Yes
respond-server.journal.read			Yes	Yes	Yes
respond-server.logs.manage
respond-server.metrics.read
respond-server.notification.manage			Yes
respond-server.notification.read			Yes
respond-server.process.manage
respond-server.remediation.manage			Yes	Yes	Yes
respond-server.remediation.read			Yes	Yes	Yes
respond-server.risk.manage					Yes
respond-server.risk.read					Yes
respond-server.security.manage
respond-server.security.read

Incident Email Notification Settings Permissions

Note: Incident email notification setting permissions are available in NetWitness version 11.1 and later.
If you are updating from NetWitness version 11.0 to 11.1 or later, you will need to add additional permissions to your existing built-in NetWitness user roles. For all upgrades to 11.1 or later, you will need to add additional permissions to custom roles.

The following permissions are required for Respond Administrators, Data Privacy Officers, and SOC Managers to access Incident Email Notification Settings [ (Configure) > Incident Notifications].

Incidents tab:

Configure Incident Management Integration

Respond-server tab:

respond-server.notification.manage
respond-server.notification.read

Integration-server tab:

integration-server.notification.read
integration-server.notification.manage

Respond Event Analysis Permissions

Note: The Event Analysis panel in the Respond view is available in NetWitness version 11.2 and later.

The Events panel in the Respond view, formerly known as the Event Analysis panel, shows the Events view from Investigate for specific indicator events. The following permissions are required to view the Events panel in the Respond view. These permissions are provided by default for users with the Analysts role.

Investigate-server tab:

investigate-server.event.read
investigate-server.content.reconstruct
investigate-server.content.export

Administration tab:

Access Administration Module

Respond Saved Filter Permissions

Note: Saved filters for the incidents and alerts lists in Respond are available in NetWitness version 11.5 and later.

The following permissions are required for the incidents and alerts filters (Respond > Incidents and Respond > Alerts). The Analysts role has the required Respond filter permissions by default.

Respond-server tab:

respond-server.incident.manage
respond-server.incident.read
respond-server.alert.manage
respond-server.alert.read

Response Actions

The following table describes the permissions in the Response Actions tab.

Permission	Description
response-actions-server.*	All permissions (everything below)
response-actionsserver.actiondefinition.execute	Permission to execute any quick actions
response-actionsserver.actiondefinition.manage	Permission to create, edit, clone, delete, enable, and disable the Response Actions.
response-actionsserver.actiondefinition.read	Permission to view the Response Actions configured in the Response Actions view
response-actionsserver.history.read	Permission to view the Response Action history

The following table lists the permissions in the Response Actions tab assigned to each role. A blank field
indicates that the role does not have the permission. The Administrators role has all of the permissions
by default and is not listed.

Permission	RAs	SOC Mgrs	Operators	MAs	Analysts
response-actions-server.*	Yes
response-actionsserver.actiondefinition.execute	Yes	Yes	Yes	Yes	Yes
response-actionsserver.actiondefinition.manage	Yes	Yes	Yes
response-actionsserver.actiondefinition.read	Yes	Yes	Yes	Yes	Yes
response-actionsserver.history.read	Yes	Yes	Yes	Yes	Yes

IMPORTANT: You can view the Quick Actions option in the Context Highlights section in
Investigate, Respond, Users, and Hosts views only if you have Access Administration Module
(Security > Roles > Select and Edit the Role > Edit Role > Permissions > Administration)
permission.

Security-server

The following table describes the permissions in the Security-server tab. The Administrators, Operators, and Data Privacy Officers roles have all of the permissions and are the only roles granted permissions by default.

Permission	Description
security-server.*	All permissions (everything below)
security-server.account.manage	Permission to view, create, modify, or remove NetWitness local accounts
security-server.account.read	Permission to view NetWitness local accounts
security-server.ca.manage	Permission to manage NetWitness deployment PKI parameters (for example, sign certificates, and so on)
security-server.ca.read	Permission to view NetWitness deployment PKI parameters
security-server.configuration.manage	Permission to modify all service configuration parameters
security-server.connection.manage	Permission to modify all connection configuration parameters
security-server.health.read	Permission to view any health notifications that the service exposes
security-server.logs.manage	Permission to change log-related configuration
security-server.metrics.read	Permission to view any metrics that the service exposes
security-server.permission.manage	Permission to create or remove NetWitness permissions
security-server.pki.manage	Permission to modify all pki configuration parameters
security-server.process.manage	Permission to start and stop the service
security-server.role.manage	Permission to create, modify, or remove NetWitness roles (for example, add role permissions)
security-server.role.read	Permission to view NetWitness role definitions
security-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
security-server.security.read	Permission to view security-related resources
security-server.test.manage	Permission to modify all test configuration parameters
security-server.user.manage	Permission to view, create, modify, or remove NetWitness user profiles
security-server.user.read	Permission to view NetWitness user profile details (for example, roles, login times, and so on)

Source-server

The following table describes the permissions in the Source-server tab.

Permission	Description
source-server.*	All permissions (everything below)
source-server.configuration.manage	Permission to change any configuration properties for the service
source-server.group.manage	Permission to create and manage USM groups
source-server.group.manage.nopolicy	Permission to manage nopolicy
source-server.group.read	Permission to view USM groups
source-server.grouppolicy.read	Permission to view the canonical groups and policies
source-server.health.read	Permission to view any health notifications that the service exposes
source-server.logs.manage	Permission to change log-related configuration
source-server.metrics.read	Permission to view any metrics that the service exposes
source-server.policy.manage	Permission to create and manage USM policies
source-server.policy.read	Permission to view USM policies
source-server.process.manage	Permission to start and stop the service
source-server.security.manage	Permission to edit security-related resources (passwords, keys, and so on)
source-server.security.read	Permission to view security-related resources
source-server.centralgroup.read	Permission to view the Centralized Content Management groups
source-server.centralpolicy.read	Permission to view the Centralized Content Management policies
source-server.centralservice.read	Permission to view the core services and ESA services

The following table lists the permissions in the Source-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators and Operators roles have all of the permissions by default and are not listed.

Permission	DPOs	SOC Mgrs	Analysts
source-server.*
source-server.configuration.manage
source-server.group.manage
source-server.group.manage.nopolicy
source-server.group.read	Yes	Yes	Yes
source-server.grouppolicy.read
source-server.health.read
source-server.logs.manage
source-server.metrics.read
source-server.policy.manage
source-server.policy.read	Yes	Yes	Yes
source-server.process.manage
source-server.security.manage
source-server.security.read			Yes
source-server.centralgroup.read			Yes
source-server.centralpolicy.read			Yes
source-server.centralservice.read			Yes

Springboard

The following table describes the permissions in Springboard tab.

Permission	Description
springboard.*	All Permissions (everything below)
springboard.manage	Permission to manage the Springboard, that is view, add, delete, and rearrange panels, and also restore system default settings.
springboard.read	Permission to view Springboard.

The following table lists the permissions in the Springboard tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all the permissions by default and is not listed.

Permissions	RAs	SOC Mgrs	MAs	Analysts
springboard.*
springboard.manage
springboard.read	Yes	Yes	Yes	Yes