Role PermissionsRole Permissions
InNetWitness, user can access each module, dashlet, and view is restricted based on the assigned permissions. You can locate these role permissions in the Add or Edit Roles dialogs accessible from the 
In the Add or Edit Role dialogs, the tabs in the Permission section represent different areas of NetWitness and show the available permissions for those areas. For example, the Administration tab shows the permissions available in the Admin view.
Note: There is no Configure tab in the Add/Edit Role dialogs that corresponds to the Configure view. To assign permissions in the Configure view, assign permissions to the views contained within the Configure view: Live Content (Live), Incident Rules (Incidents), Respond Notifications (Incidents, Respond-server, Integration server), ESA Rules (Alerting), Subscriptions (Live), and Custom Feeds (Live).
Note: To the left of the Administration tab is a tab marked with an asterisk (*). This tab indicates access to management of backend services only.
The tables that follow show the default permissions assigned to each NetWitness user role:
- Administrators
-
Respond Administrators (RAs)
- Reporting Engine Content Administrators (RE CAs)
- Data Privacy Officers (DPOs)
- SOC Managers (SOC Mgrs)
- Operators
- Malware Analysts (MAs)
- Analysts
- UEBA Analysts
Since the Administrators role has all of the permissions by default, it is not included in the tables.
Service Permissions Format for New ServicesService Permissions Format for New Services
The service permissions for some new NetWitness services contain three parts in the following format:
<service name>.<resource>.<action>
For example, for the investigate-server.metrics.read permission:
- service name = investigate-server
- resource = metrics
- action = read
Users assigned this permission can read any metrics that the investigate-server service exposes.
Admin-serverAdmin-server
The following table describes the permissions in the Admin-server tab.
| Permission | Description |
|---|---|
| admin-server.configuration.manage | Permission to modify all service configuration parameters |
| admin-server.health.read | Permission to view any health notifications that the service exposes |
| admin-server.logs.manage | Permission to change log-related configuration |
| admin-server.metrics.read | Permission to view any metrics that the service exposes |
| admin-server.process.manage | Permission to start and stop the service |
| admin-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| admin-server.security.read | Permission to view security-related resources |
AdministrationAdministration
The following table describes the list of permissions in Administration tab.
| Permission | Description |
|---|---|
| Access Administration Module |
Permission to access all the administration modules |
| Access Health & Wellness | Permission to access the health and wellness module |
| Apply System Updates |
Permission to update the system |
| Can Opt In to Live Intelligence Sharing | Permission to opt for Live Intelligence sharing |
| Manage Advanced Settings |
Permission to modify the advanced settings |
| Manage ATD Settings | Permission to modify the ATD settings |
| Manage Auditing |
Permission to modify the auditing |
| Manage Email | Permission to change the email settings |
| Manage Global Auditing |
Permission to modify global auditing |
| Manage Health & Wellness Policy | Permission to update the health & wellness policy |
|
Manage Jobs |
Permission to change the job settings |
| Manage LLS |
Permission to modify LLS |
| Manage Logs | Permission to modify log related configurations |
| Manage Notifications |
Permission to change notification settings |
| Manage Plugins | Permission to modify the plugins |
| Manage Predicates |
Permission to modify the predicates |
| Manage Reconstruction | Permission to change the reconstruction |
| Manage Security |
Permission to update the security settings |
| Manage Services | Permission to start and stop the services |
| Manage SSL Security | Permission to manage PKI setting |
| Manage System Settings |
Permission to the modify the system settings |
| Modify ESA Settings | Permission to modify the ESA settings |
| Modify Event Sources |
Permission to modify the ESA sources |
| Modify Hosts | Permission to modify the hosts |
| Modify Services |
Permission to modify the services |
| View Event Sources | Permission to view the event sources |
| View Health & Wellness Policy |
Permission to view the health & wellness policy |
| View Health & Wellness Stats Browser | Permission to view the health and wellness status in the browser |
| View Hosts |
Permission to view the hosts |
| View Services | Permission to view the services |
| View Unified Sources |
Permission to view the unified sources |
The following table lists the permissions in the Administration tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts | UEBA Analysts |
|---|---|---|---|---|---|---|---|
| Access Administration Module |
|
Yes | Yes | Yes | Yes | Yes |
|
| Access Health & Wellness | Yes | Yes | Yes | Yes | Yes | ||
| Apply System Updates |
|
Yes |
|
||||
| Can Opt In to Live Intelligence Sharing | Yes | ||||||
| Manage Advanced Settings |
|
Yes |
|
||||
| Manage ATD Settings | Yes | Yes | Yes | Yes | |||
| Manage Auditing |
|
Yes | Yes |
|
|||
| Manage Email | Yes | ||||||
| Manage Global Auditing |
|
Yes | Yes |
|
|||
| Manage Health & Wellness Policy | Yes | ||||||
|
Manage Jobs |
|
Yes |
Yes |
Yes |
|
|
|
| Manage LLS |
|
Yes | |||||
| Manage Logs | Yes | Yes |
|
||||
| Manage Notifications |
|
Yes | |||||
| Manage Plugins | Yes | Yes | Yes | Yes |
|
||
| Manage Predicates |
|
Yes | |||||
| Manage Reconstruction | Yes |
|
|||||
| Manage Security |
|
Yes | Yes | ||||
| Manage Services | Yes | Yes |
|
||||
|
Manage SSL Security |
|
|
|
|
|
|
|
| Manage System Settings |
|
Yes | Yes | Yes | Yes | ||
| Modify ESA Settings | Yes |
|
|||||
| Modify Event Sources |
|
Yes | |||||
| Modify Hosts | Yes |
|
|||||
| Modify Services |
|
Yes | Yes | ||||
| View Event Sources | Yes | Yes |
|
||||
| View Health & Wellness Policy |
|
Yes | Yes | Yes | |||
| View Health & Wellness Stats Browser | Yes | Yes | Yes | Yes |
|
||
| View Hosts |
|
Yes | Yes | ||||
| View Services | Yes | Yes |
|
||||
| View Unified Sources |
|
Yes | Yes | Yes | Yes |
AlertingAlerting
The following table describes the permissions in the Alerting tab.
| Permission | Description |
|---|---|
| Access Alerting Module | Permission to access the alerting module |
| Manage Rules | Permission to update the rules |
| View Alerts | Permission to view the alerts |
| View Rules | Permission to view the rules |
The following table lists the permissions in the Alerting tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Access Alerting Module | Yes |
Yes |
Yes |
Yes |
|
Yes |
| Manage Rules | Yes | Yes | Yes | Yes | ||
| View Alerts | Yes |
Yes |
Yes |
|
|
Yes |
| View Rules | Yes | Yes | Yes |
Config-serverConfig-server
The following table describes the permissions in the Config-server tab. The Administrators role has all of the permissions and is the only role granted permissions by default.
| Permission | Description |
|---|---|
| config-server.* | All permissions (everything below) |
| config-server.configuration.manage | Permission to modify all service configuration parameters |
| config-server.health.read | Permission to view any health notifications that the service exposes |
| config-server.logs.manage | Permission to change log-related configuration |
| config-server.metrics.read | Permission to view any metrics that the service exposes |
| config-server.process.manage | Permission to start and stop the service |
| config-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| config-server.security.read | Permission to view security-related resources |
Content-serverContent-server
The following table describes the permissions in the Content-server tab.
| Permission | Description |
|---|---|
|
content-server.* |
All permissions (everything below) |
| content-server.collection.read | Permission to read selective collection content |
| content-server.configuration.manage | Permission to modify all service configuration parameters |
|
content-server.health.read |
Permission to view any health notifications that the service exposes |
| content-server.logparser.manage | Permission to manage log parser configurations |
|
content-server.logparser.read |
Permission to view log parser configurations |
| content-server.logs.manage | Permission to change log-related configuration |
|
content-server.metrics.read |
Permission to view any metrics that the service exposes |
|
content-server.policy.read |
Permission to read policies |
|
content-server.process.manage |
Permission to start and stop the service |
|
content-server.rule.manage |
Permission to manage content rules |
| content-server.rule.read | Permission to view content rules |
|
content-server.security.manage |
Permission to edit security-related resources (passwords, keys, and so on) |
|
content-server.security.read |
Permission to view security-related resources |
The following table lists the permissions in the Content-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| content-server.* | Yes | Yes |
|
|||
| content-server.collection.read | ||||||
| content-server.configuration.manage | ||||||
|
content-server.health.read |
|
|||||
| content-server.logparser.manage | ||||||
|
content-server.logparser.read |
Yes |
Yes |
||||
| content-server.logs.manage | ||||||
|
content-server.metrics.read |
|
|
|
|
|
|
|
content-server.policy.read |
|
|
|
|
|
|
|
content-server.process.manage |
|
|
|
|
|
|
|
content-server.rule.manage |
|
|
|
|
|
|
| content-server.rule.read | ||||||
|
content-server.security.manage |
|
|
|
|
|
|
|
content-server.security.read |
|
|
|
|
|
Contexthub-serverContexthub-server
The following table describes the permissions in the Contexthub-server tab.
| Permission | Description |
|---|---|
| contexthub-server.* | All permissions (everything below) |
| contexthub-server.configuration.manage | Permission to modify all service configuration parameters |
|
contexthub-server.connection.manage |
Permission to modify all connection settings |
| contexthub-server.connection.read | Permission to view all connection settings |
|
contexthub-server.connectiontypes.read |
Permission to view all configured connection types |
| contexthub-server.datasource.manage | Permission to modify data source settings |
|
contexthub-server.datasource.read |
Permission to view data source settings |
| contexthub-server.health.read | Permission to view any health notifications that the service exposes |
|
contexthub-server.listentries.manage |
Permission to modify list entries |
| contexthub-server.logs.manage | Permission to change log-related configuration |
| contexthub-server.metrics.read | Permission to view any metrics that the service exposes |
| contexthub-server.process.manage | Permission to start and stop the service |
|
contexthub-server.query.read |
Permission to view queries |
| contexthub-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| contexthub-server.security.read | Permission to view security-related resources |
| contexthub-server.stix.read | Permission to view stix settings |
|
contexthub-server.taxiidatasource.manage |
Permission to modify settings for the taxii data source |
| contexthub-server.taxiidatasource.read | Permission to view settings for the taxii data source |
The following table lists the permissions in the Contexthub-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| contexthub-server.* | Yes |
|
||||
| contexthub-server.configuration.manage | ||||||
| contexthub-server.connection.manage |
|
|||||
| contexthub-server.connection.read | Yes | Yes | Yes | Yes | ||
| contexthub-server.connectiontypes.read | Yes |
|
||||
| contexthub-server.datasource.manage | Yes | Yes | Yes | Yes | ||
|
contexthub-server.datasource.read |
Yes | Yes | Yes | Yes | ||
| contexthub-server.health.read | ||||||
| contexthub-server.listentries.manage | Yes | Yes | Yes | Yes | ||
| contexthub-server.logs.manage | ||||||
| contexthub-server.metrics.read |
|
|||||
| contexthub-server.process.manage | ||||||
| contexthub-server.query.read | Yes | Yes | Yes | Yes | ||
| contexthub-server.security.manage | ||||||
| contexthub-server.security.read |
|
|||||
| contexthub-server.stix.read | Yes | Yes | Yes | |||
| contexthub-server.taxiidatasource.manage | Yes | Yes | Yes | |||
| contexthub-server.taxiidatasource.read | Yes | Yes | Yes |
Correlation-serverCorrelation-server
The following table describes the permissions in the Correlation-server tab. These permissions pertain to ESA Correlation.
| Permission | Description |
|---|---|
| correlation-server.* | All permissions (everything below) |
| correlation-server.configuration.manage | Permission to modify all service configuration parameters |
| correlation-server.endpoint.manage | Permission to modify all endpoint configuration parameters |
| correlation-server.endpoint.read | Permission to view all endpoint configuration parameters |
| correlation-server.engine.manage | Permission to modify all engine configuration parameters |
| correlation-server.engine.read | Permission to view all engine configuration parameters |
| correlation-server.esperrule.manage | Permission to modify all esperrule configuration parameters |
| correlation-server.esperrule.read | Permission to view all esperrule configuration parameters |
| correlation-server.health.read | Permission to view any health notifications that the service exposes |
| correlation-server.keyvaluerule.manage | Permission to modify all keyvaluerule configuration parameters |
| correlation-server.keyvaluerule.read | Permission to view all keyvaluerule configuration parameters |
| correlation-server.logs.manage | Permission to change log-related configuration |
| correlation-server.metrics.read | Permission to view any metrics that the service exposes |
| correlation-server.module.manage | Permission to modify each module |
| correlation-server.module.read | Permission to view each module |
| correlation-server.process.manage | Permission to start and stop the service |
| correlation-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| correlation-server.security.read | Permission to view security-related resources |
| correlation-server.stream.manage | Permission to edit stream configuration settings |
| correlation-server.stream.read | Permission to view stream configuration settings |
| correlation-server.telemetry.read | Permission to view telemetry configuration settings |
The following table lists the permissions in the Correlation-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| correlation-server.* |
Yes |
|
|
|
|
|
| correlation-server.configuration.manage | ||||||
| correlation-server.endpoint.manage |
|
|
|
|
|
|
| correlation-server.endpoint.read |
|
|
|
|
|
|
| correlation-server.engine.manage | Yes |
|
Yes |
Yes |
|
|
| correlation-server.engine.read | Yes | Yes | Yes | |||
| correlation-server.esperrule.manage |
|
|
|
|
|
|
| correlation-server.esperrule.read |
|
|
|
|
|
|
| correlation-server.health.read |
|
|
|
|
|
|
| correlation-server.keyvaluerule.manage | ||||||
| correlation-server.keyvaluerule.read | ||||||
| correlation-server.logs.manage | ||||||
| correlation-server.metrics.read |
|
|
|
|
|
|
| correlation-server.module.manage | Yes | Yes | Yes | |||
| correlation-server.module.read | Yes |
|
Yes |
Yes |
|
|
| correlation-server.process.manage | ||||||
| correlation-server.security.manage |
|
|
|
|
|
|
| correlation-server.security.read | ||||||
| correlation-server.stream.manage | Yes |
|
Yes |
Yes |
|
|
| correlation-server.stream.read | Yes | Yes | Yes | |||
| correlation-server.telemetry.read |
|
|
|
|
|
DashboardDashboard
The following table describes the permissions in the Dashboard tab.
| Permission | Description |
|---|---|
| Dashlet Access - Admin Device List Dashlet | Permission to access Admin Device List Dashlet |
| Dashlet Access - Admin Device Monitor Dashlet | Permission to access Admin Device Monitor Dashlet |
| Dashlet Access - Admin News Dashlet | Permission to access Admin News Dashlet |
| Dashlet Access - Alert Variance Dashlet | Permission to access Alert Variance Dashlet |
| Dashlet Access - Alerting Recent Alerts Dashlet | Permission to access Alerting Recent Alerts Dashlet |
| Dashlet Access - Investigation Jobs Dashlet | Permission to access Investigation Jobs Dashlet |
| Dashlet Access - Investigation Top Values Dashlet | Permission to access Investigation Top Values Dashlet |
| Dashlet Access - Live Featured Resources Dashlet | Permission to access Live Featured Resources Dashlet |
| Dashlet Access - Live New Resources Dashlet | Permission to access Live New Resources Dashlet |
| Dashlet Access - Live Subscriptions Dashlet | Permission to access Live Subscriptions Dashlet |
| Dashlet Access - Live Updated Resources Dashlet | Permission to access Live Updated Resources Dashlet |
| Dashlet Access - Malware Jobs Dashlet | Permission to access Malware Jobs Dashlet |
| Dashlet Access - Reporting Recent Report Dashlet | Permission to access Reporting Recent Report Dashlet |
| Dashlet Access - Reporting Charts Dashlet | Permission to access Reporting Charts Dashlet |
| Dashlet Access - Top Alerts Dashlet | Permission to access Top Alerts Dashlet |
| Dashlet Access - Unified First Watch Dashlet | Permission to access Unified First Watch Dashlet |
| Dashlet Access - Unified Shortcuts Dashlet | Permission to access Unified Shortcuts Dashlet |
The following table lists the permissions in the Dashboard tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.
| Permission | RA | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Dashlet Access - Admin Device List Dashlet |
Yes |
Yes | Yes | Yes | Yes | |
| Dashlet Access - Admin Device Monitor Dashlet | Yes | |||||
| Dashlet Access - Admin News Dashlet |
Yes |
Yes | Yes | Yes | Yes | |
| Dashlet Access - Alert Variance Dashlet | Yes | Yes | Yes | Yes | ||
| Dashlet Access - Alerting Recent Alerts Dashlet | Yes | Yes | Yes | Yes | ||
| Dashlet Access - Investigation Jobs Dashlet | Yes | Yes | Yes | Yes | ||
| Dashlet Access - Investigation Top Values Dashlet | Yes | Yes | Yes | Yes | ||
| Dashlet Access - Live Featured Resources Dashlet | Yes | Yes | Yes | Yes | Yes | |
| Dashlet Access - Live New Resources Dashlet | Yes | Yes | Yes | Yes | Yes | |
| Dashlet Access - Live Subscriptions Dashlet | Yes | Yes | Yes | Yes | Yes | |
| Dashlet Access - Live Updated Resources Dashlet | Yes | Yes | Yes | Yes | Yes | |
| Dashlet Access - Malware Jobs Dashlet | Yes | Yes | Yes | Yes | ||
| Dashlet Access - Reporting Recent Report Dashlet | Yes | Yes | Yes | Yes | ||
| Dashlet Access - Reporting Charts Dashlet | Yes | Yes | Yes | Yes | ||
| Dashlet Access - Top Alerts Dashlet | Yes | Yes | Yes | Yes | ||
| Dashlet Access - Unified First Watch Dashlet | Yes | Yes | Yes | Yes | Yes | |
| Dashlet Access - Unified Shortcuts Dashlet | Yes | Yes | Yes | Yes | Yes |
Endpoint-broker-server Endpoint-broker-server
The following table describes the permissions in the Endpoint Broker server tab.
| Permission | Description |
|---|---|
|
endpoint-broker-server* |
All permissions (everything below) |
| endpoint-broker-server.agent.manage | Permission to manage the agent, that is start or stop scan, downloading file from host, delete agent data from the Endpoint Log Hybrid and so on. |
| endpoint-broker-server.agent.read | Permission to view the endpoint data received from the agent such as host, file, certificate, events and so on. |
| endpoint-broker-server.configuration.manage | Permission to modify all endpoint broker configuration parameters |
| endpoint-broker-server.health.read | Permission to view any health notifications that the service exposes |
| endpoint-broker-server.logs.manage | Permission to change log-related configuration |
| endpoint-broker-server.metrics.read | Permission to view any metrics that the service exposes |
| endpoint-broker-server.policy.read | Permission to view existing policy details |
| endpoint-broker-server.process.manage | Permission to start and stop the service |
| endpoint-broker-server.security.manage |
Permission to edit security-related resources (passwords, keys, and so on) |
|
endpoint-broker-server.security.read |
Permission to view security-related resources |
The following table lists the permissions in the Endpoint-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.
| Permission | RA | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| endpoint-broker-server* |
|
|
|
|
|
|
| endpoint-broker-server.agent.manage | Yes | Yes | ||||
| endpoint-broker-server.agent.read |
|
|
Yes |
|
Yes | |
| endpoint-broker-server.configuration.manage | ||||||
| endpoint-broker-server.health.read |
|
|
|
|
|
|
| endpoint-broker-server.logs.manage | ||||||
| endpoint-broker-server.metrics.read |
|
|
|
|
|
|
| endpoint-broker-server.policy.read |
|
|
|
|
Yes | |
| endpoint-broker-server.process.manage | ||||||
| endpoint-broker-server.security.manage |
|
|
|
|
|
|
| endpoint-broker-server.security.read |
Endpoint-serverEndpoint-server
The following table describes the permissions in the Endpoint-server tab.
| Permission | Description |
|---|---|
|
endpoint-server* |
All permissions (everything below) |
| endpoint-server.agent.manage |
Permission to generate and download the agent packager. Permission to manage the agent, that is start or stop scan, downloading files, master file table (MFT), memory dumps from host, isolate host from network, delete agent data from the Endpoint Log Hybrid and so on |
| endpoint-server.agent.read |
Permission to view the agent packager configuration Permission to view the endpoint data received from the agent such as host, file, certificate, events, and so on |
| endpoint-server.agentupdate.manage | Permission to upgrade agent and uninstall agent |
| endpoint-server.ca.manage |
Permission to generate and download the agent packager Permission to upgrade agent |
|
endpoint-server.ca.read |
Permission to generate and download the agent packager |
| endpoint-server.configuration.manage | Permission to modify all endpoint configuration parameters |
| endpoint-server.file.analyze | Permission to analyze file, save local copy, and initiate OPSWAT scans |
| endpoint-server.filter.manage | Permission to save, modify, and delete filters |
| endpoint-server.filter.read | Permission to view filters |
| endpoint-server.health.read | Permission to view any health notifications that the service exposes |
| endpoint-server.logs.manage | Permission to change log-related configuration |
| endpoint-server.metrics.read | Permission to view any metrics that the service exposes |
| endpoint-server.policy.read | Permission to view existing policy details |
|
endpoint-server.process.manage |
Permission to start and stop the service |
| endpoint-server.relay.manage | Permission to modify Relay Server Configuration |
|
endpoint-server.relay.read |
Permissions to view Relay Server details |
| endpoint-server.security.manage |
Permission to edit security-related resources (passwords, keys, and so on) |
|
endpoint-server.security.read |
Permission to view security-related resources |
| endpoint-server.tag.manage | Permission to manage Tags (Create and Delete) |
The following table lists the permissions in the Endpoint-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.
| Permission | RA | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
|
endpoint-server* |
|
|||||
| endpoint-server.agent.manage | Yes | Yes | ||||
| endpoint-server.agent.read | Yes | Yes | ||||
| endpoint-server.agentupdate.manage | ||||||
| endpoint-server.ca.manage | Yes | |||||
|
endpoint-server.ca.read |
Yes |
|
||||
| endpoint-server.configuration.manage | ||||||
| endpoint-server.filter.manage | Yes | |||||
| endpoint-server.filter.read | Yes | |||||
| endpoint-server.health.read |
|
|||||
| endpoint-server.logs.manage | ||||||
| endpoint-server.metrics.read |
|
|||||
| endpoint-server.policy.read |
Yes |
|||||
|
endpoint-server.process.manage |
||||||
| endpoint-server.rar.manage | ||||||
|
endpoint-server.rar.read |
|
|
|
|
|
|
| endpoint-server.relay.manage | Yes | |||||
|
endpoint-server.relay.read |
|
|
|
Yes |
|
|
| endpoint-server.security.manage |
|
|||||
|
endpoint-server.security.read |
IncidentsIncidents
The following table describes the permissions in the Incidents tab.
| Permission | Description |
|---|---|
| Access Incident Module | Permission to access the Incident module |
| Configure Incident Management Integration | Permission to configure incident management integration |
| Delete Alerts and incidents | Permission o delete alerts and incidents |
| Manage Alert Handling Rules | Permission to modify the alert handling rules |
| View and Manage Incidents | Permission to modify the incidents |
The following table lists the permissions in the Incidents tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Access Incident Module | Yes | Yes | Yes | Yes |
Yes |
|
| Configure Incident Management Integration | Yes | Yes | Yes | |||
| Delete Alerts and incidents | Yes | Yes |
|
|||
| Manage Alert Handling Rules | Yes | Yes | Yes | |||
| View and Manage Incidents | Yes | Yes | Yes | Yes |
Yes |
Integration-serverIntegration-server
(The Integration-server permissions are available in NetWitness version 11.1 and later.)
The following table describes the permissions in the Integration-server tab.
| Permission | Description |
|---|---|
|
integration-server.* |
All permissions (everything below) |
| integration-server.api.access | Permission to authorize external requests from 3rd party applications |
| integration-server.configuration.manage | Permission to view and modify all service integration configuration parameters |
| integration-server.health.read | Permission to read any health notifications that the service exposes |
| integration-server.logs.manage | Permission to change log-related integration configurations |
| integration-server.metrics.read | Permission to read any metrics that the service exposes |
| integration-server.notification.manage | Permission to change global notification configurations (for example, SMTP server) |
| integration-server.notification.read | Permission to read global notification configurations (for example, SMTP server) |
| integration-server.notification.send | Permission to send notifications (for example, Email) |
| integration-server.process.manage | Permission to start and stop the service |
| integration-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| integration-server.security.read | Permission to read security-related resources |
| integration-server.template.manage | Permission to change notification template |
| integration-server.template.read | Permission to read notification template |
The following table lists the permissions in the Integration-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
|
integration-server.* |
Yes | |||||
| integration-server.api.access | ||||||
| integration-server.configuration.manage | ||||||
| integration-server.health.read | ||||||
| integration-server.logs.manage | ||||||
| integration-server.metrics.read | ||||||
| integration-server.notification.manage | Yes | Yes | Yes | |||
| integration-server.notification.read | Yes | Yes | Yes | |||
| integration-server.notification.send | Yes | Yes | Yes | |||
| integration-server.process.manage | ||||||
| integration-server.security.manage | ||||||
| integration-server.security.read | ||||||
| integration-server.template.manage | Yes | Yes | Yes | |||
| integration-server.template.read | Yes | Yes | Yes |
InvestigateInvestigate
The following table describes the permissions in the Investigate tab.
| Permission | Description |
|---|---|
| Access Investigation Module | Permission to access investigation module |
| Context Lookup | Permission to access context lookup |
| Create Incidents from Investigation | Permission to create incidents from investigation |
| Manage List from Investigation | Permission to modify the list of investigation |
| Navigate Events | Permission to navigate the events |
| Navigate Values | Permission to navigate the values |
The following table lists the permissions in the Investigate tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Access Investigation Module | Yes | Yes | Yes | Yes | Yes | |
| Context Lookup | Yes | Yes | Yes | Yes | ||
| Create Incidents from Investigation | Yes | Yes | Yes | Yes | ||
| Manage List from Investigation | Yes | Yes | Yes | Yes | ||
| Navigate Events | Yes | Yes | Yes | Yes | Yes | |
| Navigate Values | Yes | Yes | Yes | Yes | Yes |
Investigate-serverInvestigate-server
The following table describes the permissions in the Investigate-server tab.
| Permission | Description |
|---|---|
| investigate-server.* | All permissions (everything below) for 11.4 and above Events view, and 11.3 and earlier Event Analysis view. |
|
investigate-server.column group.read |
Permission to access column groups |
| investigate-server.configuration.manage | Permission to change any configuration properties for the service |
| investigate-server.content.export | Permission to export content from the service |
|
investigate-server-content.manage |
Permission to clear all per service or per user reconstruction cache |
| investigate-server.content.reconstruct | Permission to view the summary view, the packet, packet map, text, log, and file reconstructions, as well as the packet count |
|
investigate-server.event.filter |
Permission to view the Filter Events panel in the Events view |
|
investigate-server.event.read |
Permission to view events that the service exposes |
| investigate-server.health.read | Permission to view any health notifications that the service exposes |
| investigate-server.incident.manage | Create or update an incident in Respond |
| investigate-server.logs.manage | Permission to change log-related configuration |
| investigate-server.metagroup.manage | Permission to manage meta groups |
|
investigate-server.metagroup.read |
Permission to view and use meta groups |
| investigate-server.metrics.read | Permission to view any metrics that the service exposes |
| investigate-server.predicate.manage |
Permission to edit or remove one or more predicates |
| investigate-server.predicate.read |
Permission to filter events in the Navigate view, Legacy EventsEvents view, and Events view. Note: This permission is required with investigate-server.event.read permission to provide access to the and Events view. |
| investigate-server.process.manage | Permission to start and stop the service |
| investigate-server.profile.read | Permission to access profiles. |
| investigate-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| investigate-server.security.read | Permission to view security-related resources |
The following table lists the permissions in the Investigate-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed. The UEBA Analysts and Content Administrators roles have none of these permissions by default and are not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| investigate-server.* | Yes |
Yes |
|
|
|
|
| investigate-server.columngroup.read | Yes | Yes | Yes | |||
| investigate-server.configuration.manage | ||||||
| investigate-server.content.export |
|
Yes |
Yes |
Yes |
||
|
investigate-server.content.manage |
|
|
|
|
|
|
| investigate-server.content.reconstruct | Yes | Yes | Yes | |||
|
investigate-server.event.filter |
Yes |
Yes |
Yes |
|
Yes |
Yes |
|
investigate-server.event.read |
|
Yes |
Yes |
Yes |
||
| investigate-server.health.read | ||||||
|
investigate-server.incident.manage |
|
|
|
|
|
Yes |
| investigate-server.logs.manage |
|
|
|
|
|
|
| investigate-server.metagroup.manage | ||||||
|
investigate-server.metagroup.read |
|
Yes |
Yes |
Yes |
||
| investigate-server.metrics.read | ||||||
|
investigate-server.predicate.manage |
|
|
|
|
|
|
|
investigate-server.predicate.read |
|
|
Yes |
Yes |
Yes |
|
| investigate-server.process.manage |
|
|
|
|
|
|
| investigate-server.profile.read | Yes | Yes | Yes | |||
| investigate-server.security.manage | ||||||
| investigate-server.security.read |
|
|
|
|
|
License-serverLicense-server
The following table describes the permissions in the License-server tab. The Administrator and Operator have all of the permissions and are the only roles granted permissions by default.
| Permission | Description |
|---|---|
| license-server.* | All permissions (everything below) |
| license-server.configuration.manage | Permission to modify all service configuration parameters |
| license-server.health.read | Permission to view any health notifications that the service exposes |
| license-server.license.manage | Permission to manage license related configurations |
| license-server.license.read | Permission to view license related configurations |
| license-server.logs.manage | Permission to change log-related configuration |
| license-server.metrics.read | Permission to view any metrics that the service exposes |
| license-server.process.manage | Permission to start and stop the service |
| license-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| license-server.security.read | Permission to view security-related resources |
LiveLive
The following table describes the permissions in the Live tab.
| Permission | Permission |
|---|---|
| Live | |
| Access Live Module | Permission to access live module |
| Manage Live System Settings | Permission to modify the live system settings |
| Resources | |
| Deploy Live Resources | Permission to deploy live resources |
| Manage Live Feeds | Permission to modify live feeds |
| Manage Live Resources | Permission to modify live resources |
| Search Live Resources | Permission to search live resources |
| View Live Resource Details | Permission to view live resource details |
The following table lists the permissions in the Live tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Live |
|
|||||
| Access Live Module | Yes | Yes | Yes | Yes | ||
| Manage Live System Settings | Yes |
|
||||
| Resources | ||||||
| Deploy Live Resources | Yes | Yes |
|
|||
| Manage Live Feeds | Yes | Yes | ||||
| Manage Live Resources | Yes | Yes |
|
|||
| Search Live Resources | Yes | Yes | Yes | Yes | ||
| View Live Resource Details | Yes | Yes | Yes |
MalwareMalware
The following table describes the permissions in the Malware tab.
| Permission | Operators |
|---|---|
| Download Malware File(s) | Permission to donwnload the malware files for investigation |
| Initiate Malware Analysis Scan | Permission to start the malware analysis scan |
| View Malware Analysis Events | Permission to view the malware analysis events |
The following table lists the permissions in the Malware tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Download Malware File(s) | Yes | Yes | Yes | Yes | ||
| Initiate Malware Analysis Scan | Yes | Yes | Yes | Yes | ||
| View Malware Analysis Events | Yes | Yes | Yes | Yes |
Metrics-serverMetrics-server
The following table describes the permissions in the Metrics-server tab. The Administrators role have all of the permissions and are the only roles granted permissions by default.
| Permission | Description |
|---|---|
|
metrics-server .* |
All permissions (everything below) |
| metrics-server.configuration.manage | Permission to modify all service configuration parameters |
|
metrics-server-content.manage |
Permission to modify configuration parameters in the service |
| metrics-server-content.read | Permission to view configuration parameters of the service |
| metrics-server.health.read | Permission to view any health notifications that the service exposes |
| metrics-server.logs.manage | Permission to change log-related configuration |
| metrics-server.metric.manage | Permission to modify all the configuration parameters |
| metrics-server.metric.read | Permission to view configuration of New Health and Wellness |
| metrics-server.metrics.read | Permission to view any metrics that the service exposes |
| metrics-server.process.manage | Permission to start and stop the service |
| metrics-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| metrics-server.security.read | Permission to view security-related resources |
The following table lists the permissions in the Metrics-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.
| Permission | RA | DPOs | SOC Mgrs | Operator | MAs | Analysts | UEBA Analysts |
|---|---|---|---|---|---|---|---|
|
metrics-server .* |
|
|
|
|
|
|
|
| metrics-server.configuration.manage | |||||||
|
metrics-server-content.manage |
|
|
|
|
|
|
|
| metrics-server-content.read | |||||||
| metrics-server.health.read | |||||||
| metrics-server.logs.manage | |||||||
| metrics-server.metric.manage | |||||||
| metrics-server.metric.read | Yes | Yes | Yes | Yes | Yes | ||
| metrics-server.metrics.read | |||||||
| metrics-server.process.manage | |||||||
| metrics-server.security.manage | |||||||
| metrics-server.security.read |
Orchestration-serverOrchestration-server
The following table describes the permissions in the Orchestration-server tab. The Administrators, Operators, and Data Privacy Officers roles have all of the permissions and are the only roles granted permissions by default.
| Permission | Description |
|---|---|
| orchestration-server.* | All permissions (everything below) |
| orchestration-server.configuration.manage | Permission to modify all service configuration parameters |
|
orchestration-server.file.read |
Permission to view files |
| orchestration-server.health.read | Permission to view any health notifications that the service exposes |
| orchestration-server.logs.manage | Permission to change log-related configuration |
| orchestration-server.metrics.read | Permission to view any metrics that the service exposes |
| orchestration-server.process.manage | Permission to start and stop the service |
| orchestration-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| orchestration-server.security.read | Permission to view security-related resources |
ReportsReports
The following table describes the permissions in the Reports tab.
| Permission | Description |
|---|---|
| Alert | |
| Define RE Alert | Permission to define the RE alerts |
| Export RE Alert Definition | Permission to export the RE alert definistions |
| Manage RE Alerts | Permission to to modify the RE alerts |
| View RE Alerts | Permission to view the RE alerts |
| View Scheduled RE Alerts | Permission to view the scheduled RE alerts |
| Chart | |
| Define Chart | Permission to define the charts |
| Delete Chart | Permission to delete the charts |
| Export Chart Definition | Permission to export the chart definistions |
| Manage Charts | Permission to modify the charts |
| View Charts | Permission to view the charts |
| List | |
| Define Lists | Permission to define the lists |
| Delete List | Permission to delete the lists |
| Export List | Permission to export the lists |
| Manage Lists | Permission to modify the lists |
| Report | |
| Define Report | Permission to define the reports |
| Delete Report | Permission to delete the reports |
| Export Report | Permission to export the reports |
| Manage Reports | Permission to modify the reports |
| View Reports | Permission to view the reports |
| Reports | |
| Access Configure | Permission to access Configure module |
| Access Reporter Module | Permission to access Reporter module |
| Access Reporter search | Permission to access Reporter search |
| Access View | Permission to access Reports view |
| Rule | |
| Add RE Alert Definition from Rule | Permission to add RE alert definition from the rules |
| Define Rule | Permission to define the rules |
| Delete Rule | Permission to delete the rules |
| Export Rule | Permission to export the rules |
| Manage Rules | Permission to modify the rules |
| View Rule Usage | Permission to view the rules usage |
| Schedules | |
| Define Schedule | Permission to define the schedules |
| Delete Schedule | Permission to delete the schedules |
| View Schedules | Permission to view the schedules |
| Warehouse Analytics | |
| Define Jobs | Permission to define the warehouse analytics jobs |
| Delete Jobs | Permission to delete the warehouse analytics jobs |
| Manage Jobs | Permission to modify the warehouse analytics jobs |
| View Jobs | Permission to view the warehouse analytics jobs |
The following table lists the permissions in the Reports tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| Alert |
|
|||||
| Define RE Alert | Yes | Yes | Yes | |||
| Export RE Alert Definition |
|
Yes | Yes | Yes | ||
| Manage RE Alerts | Yes | Yes | Yes | |||
| View RE Alerts |
Yes |
Yes | Yes | Yes | ||
| View Scheduled RE Alerts | Yes | Yes | Yes | |||
| Chart |
|
|||||
| Define Chart | Yes | Yes | Yes | |||
| Delete Chart |
|
Yes | Yes | Yes | ||
| Export Chart Definition | Yes | Yes | Yes | |||
| Manage Charts |
|
Yes | Yes | Yes | ||
| View Charts | Yes | Yes | Yes | |||
| List |
|
|||||
| Define Lists | Yes | Yes | Yes | |||
| Delete List |
|
Yes | Yes | Yes | ||
| Export List | Yes | Yes | Yes | |||
| Manage Lists |
|
Yes | Yes | Yes | ||
| Report | ||||||
| Define Report |
|
Yes | Yes | Yes | ||
| Delete Report | Yes | Yes | Yes | |||
| Export Report |
|
Yes | Yes | Yes | ||
| Manage Reports | Yes | Yes | Yes | |||
| View Reports |
|
Yes | Yes | Yes | ||
| Reports | ||||||
| Access Configure |
|
Yes | Yes | Yes | ||
| Access Reporter Module | Yes | Yes | Yes | |||
| Access Reporter search |
|
Yes | Yes | Yes | ||
| Access View | Yes | Yes | Yes | |||
| Rule |
|
|||||
| Add RE Alert Definition from Rule | Yes | Yes | Yes | |||
| Define Rule |
|
Yes | Yes | Yes | ||
| Delete Rule | Yes | Yes | Yes | |||
| Export Rule |
|
Yes | Yes | Yes | ||
| Manage Rules | Yes | Yes | Yes | |||
| View Rule Usage |
|
Yes | Yes | Yes | ||
| Schedules | ||||||
| Define Schedule |
|
Yes | Yes | Yes | ||
| Delete Schedule | Yes | Yes | Yes | |||
| View Schedules |
|
Yes | Yes | Yes | ||
| Warehouse Analytics | ||||||
| Define Jobs |
|
Yes | Yes | Yes | ||
| Delete Jobs | Yes | Yes | Yes | |||
| Manage Jobs |
|
Yes | Yes | Yes | ||
| View Jobs | Yes | Yes | Yes |
Respond-serverRespond-server
The following table describes the permissions in the Respond-server tab.
Note: For viewing and managing the Risk Score feature, users who have installed NetWitness Platform 11.3 or upgraded from NetWitness 10.6.x to 11.3, risk score permissions will be already present for Analysts. For users updating from NetWitness 11.x to NetWitness Platform 11.3, the Administrator has to provide Analysts' permissions to manage and view risk score.
| Permission | Description |
|---|---|
| respond-server.* | All permissions (everything below) |
| respond-server.alert.delete | Permission to delete alerts |
| respond-server.alert.manage | Permission to create, update, or delete alerts and alert filters |
| respond-server.alert.read | Permission to view alerts and alert filters |
| respond-server.alertrule.manage | Permission to create, update, or delete alert aggregation rules |
| respond-server.alertrule.read | Permission to view alert aggregation rules |
| respond-server.configuration.manage | Permission to change any configuration properties for the service |
| respond-server.health.read | Permission to view any health notifications that the service exposes |
| respond-server.incident.delete | Permission to delete incidents |
| respond-server.incident.manage | Permission to create, update, or delete incidents and incident filters including permission to view the Create Incident and Add to Incident options in the Investigate > Events view |
| respond-server.incident.read | Permission to view incidents and incident filters |
| respond-server.journal.manage | Permission to create, update, or delete journal entries for an incident |
| respond-server.journal.read | Permission to view journal entries for an incident |
| respond-server.logs.manage | Permission to change log-related configuration |
| respond-server.metrics.read | Permission to view any metrics that the service exposes |
| respond-server.notification.manage | (This permission is available in NetWitness version 11.1 and later.) Permission to configure incident email notification settings such as the selected email server, SOC Managers, and who will be sent the notifications (Assignee and SOC Managers) |
| respond-server.notification.read | (This permission is available in NetWitness version 11.1 and later.) Permission to view incident email notification settings |
| respond-server.process.manage | Permission to start and stop the service |
| respond-server.remediation.manage | Permission to create, update, or delete remediation tasks |
| respond-server.remediation.read | Permission to view remediation tasks |
|
respond-server.risk.manage |
Permission to manage risk score |
| respond-server.risk.read | Permission to view risk score |
| respond-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| respond-server.security.read | Permission to view security-related resources |
The following table lists the permissions in the Respond-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator has all of the permissions by default and are not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| respond-server.* |
Yes |
Yes | ||||
| respond-server.alert.delete | ||||||
| respond-server.alert.manage |
|
Yes | Yes | Yes | ||
| respond-server.alert.read | Yes | Yes | Yes | |||
| respond-server.alertrule.manage |
|
Yes | ||||
| respond-server.alertrule.read | Yes | |||||
| respond-server.configuration.manage |
|
|||||
| respond-server.health.read | ||||||
| respond-server.incident.delete |
|
|||||
| respond-server.incident.manage | Yes | Yes | Yes | |||
| respond-server.incident.read |
|
Yes | Yes | Yes | ||
| respond-server.journal.manage | Yes | Yes | Yes | |||
| respond-server.journal.read |
|
Yes | Yes | Yes | ||
| respond-server.logs.manage | ||||||
| respond-server.metrics.read |
|
|||||
| respond-server.notification.manage | Yes | |||||
| respond-server.notification.read |
|
Yes | ||||
| respond-server.process.manage | ||||||
| respond-server.remediation.manage |
|
Yes | Yes | Yes | ||
| respond-server.remediation.read | Yes | Yes | Yes | |||
|
respond-server.risk.manage |
|
|
|
|
|
Yes |
| respond-server.risk.read | Yes | |||||
| respond-server.security.manage |
|
|||||
| respond-server.security.read |
Incident Email Notification Settings PermissionsIncident Email Notification Settings Permissions
Note: Incident email notification setting permissions are available in NetWitness version 11.1 and later.
If you are updating from NetWitness version 11.0 to 11.1 or later, you will need to add additional permissions to your existing built-in NetWitness user roles. For all upgrades to 11.1 or later, you will need to add additional permissions to custom roles.
The following permissions are required for Respond Administrators, Data Privacy Officers, and SOC Managers to access Incident Email Notification Settings [ 
Incidents tab:
- Configure Incident Management Integration
Respond-server tab:
- respond-server.notification.manage
- respond-server.notification.read
Integration-server tab:
- integration-server.notification.read
- integration-server.notification.manage
Respond Event Analysis PermissionsRespond Event Analysis Permissions
Note: The Event Analysis panel in the Respond view is available in NetWitness version 11.2 and later.
The Events panel in the Respond view, formerly known as the Event Analysis panel, shows the Events view from Investigate for specific indicator events. The following permissions are required to view the Events panel in the Respond view. These permissions are provided by default for users with the Analysts role.
Investigate-server tab:
- investigate-server.event.read
- investigate-server.content.reconstruct
- investigate-server.content.export
Administration tab:
- Access Administration Module
Respond Saved Filter PermissionsRespond Saved Filter Permissions
Note: Saved filters for the incidents and alerts lists in Respond are available in NetWitness version 11.5 and later.
The following permissions are required for the incidents and alerts filters (Respond > Incidents and Respond > Alerts). The Analysts role has the required Respond filter permissions by default.
Respond-server tab:
-
respond-server.incident.manage
-
respond-server.incident.read
-
respond-server.alert.manage
-
respond-server.alert.read
Security-serverSecurity-server
The following table describes the permissions in the Security-server tab. The Administrators, Operators, and Data Privacy Officers roles have all of the permissions and are the only roles granted permissions by default.
| Permission | Description |
|---|---|
| security-server.* | All permissions (everything below) |
| security-server.account.manage | Permission to view, create, modify, or remove NetWitness local accounts |
| security-server.account.read | Permission to view NetWitness local accounts |
| security-server.ca.manage | Permission to manage NetWitness deployment PKI parameters (for example, sign certificates, and so on) |
| security-server.ca.read | Permission to view NetWitness deployment PKI parameters |
| security-server.configuration.manage | Permission to modify all service configuration parameters |
| security-server.connection.manage | Permission to modify all connection configuration parameters |
| security-server.health.read | Permission to view any health notifications that the service exposes |
| security-server.logs.manage | Permission to change log-related configuration |
| security-server.metrics.read |
Permission to view any metrics that the service exposes |
| security-server.permission.manage | Permission to create or remove NetWitness permissions |
| security-server.pki.manage | Permission to modify all pki configuration parameters |
| security-server.process.manage | Permission to start and stop the service |
| security-server.role.manage | Permission to create, modify, or remove NetWitness roles (for example, add role permissions) |
| security-server.role.read | Permission to view NetWitness role definitions |
| security-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| security-server.security.read | Permission to view security-related resources |
| security-server.test.manage | Permission to modify all test configuration parameters |
| security-server.user.manage | Permission to view, create, modify, or remove NetWitness user profiles |
| security-server.user.read | Permission to view NetWitness user profile details (for example, roles, login times, and so on) |
Source-serverSource-server
The following table describes the permissions in the Source-server tab.
| Permission | Description |
|---|---|
| source-server.* | All permissions (everything below) |
| source-server.configuration.manage | Permission to change any configuration properties for the service |
| source-server.group.manage | Permission to create and manage USM groups |
| source-server.group.manage.nopolicy | Permission to manage nopolicy |
| source-server.group.read | Permission to view USM groups |
| source-server.grouppolicy.read | Permission to view the canonical groups and policies |
| source-server.health.read | Permission to view any health notifications that the service exposes |
| source-server.logs.manage | Permission to change log-related configuration |
| source-server.metrics.read | Permission to view any metrics that the service exposes |
| source-server.policy.manage | Permission to create and manage USM policies |
| source-server.policy.read | Permission to view USM policies |
| source-server.process.manage | Permission to start and stop the service |
| source-server.security.manage | Permission to edit security-related resources (passwords, keys, and so on) |
| source-server.security.read |
Permission to view security-related resources |
|
source-server.centralgroup.read |
Permission to view the Centralized Content Management groups |
| source-server.centralpolicy.read | Permission to view the Centralized Content Management policies |
|
source-server.centralservice.read |
Permission to view the core services and ESA services |
The following table lists the permissions in the Source-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators and Operators roles have all of the permissions by default and are not listed.
| Permission | RAs | DPOs | SOC Mgrs | Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| source-server.* |
|
|
|
|
|
|
| source-server.configuration.manage | ||||||
| source-server.group.manage |
|
|
|
|
|
|
| source-server.group.manage.nopolicy | ||||||
| source-server.group.read |
Yes |
Yes |
|
|
Yes |
|
| source-server.grouppolicy.read | ||||||
| source-server.health.read |
|
|
|
|
|
|
| source-server.logs.manage | ||||||
| source-server.metrics.read |
|
|
|
|
|
|
| source-server.policy.manage | ||||||
| source-server.policy.read |
Yes |
Yes |
|
|
Yes |
|
| source-server.process.manage | ||||||
| source-server.security.manage |
|
|
|
|
|
|
| source-server.security.read | Yes | |||||
|
source-server.centralgroup.read |
|
|
|
|
|
Yes |
| source-server.centralpolicy.read | Yes | |||||
|
source-server.centralservice.read |
|
|
|
|
|
Yes |
SpringboardSpringboard
The following table describes the permissions in Springboard tab.
| Permission | Description |
|---|---|
| springboard.* | All Permissions (everything below) |
| springboard.manage | Permission to manage the Springboard, that is view, add, delete, and rearrange panels, and also restore system default settings. |
| springboard.read | Permission to view Springboard. |
The following table lists the permissions in the Springboard tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all the permissions by default and is not listed.
| Permissions | RAs | DPOs | SOC Mgrs |
Operators | MAs | Analysts |
|---|---|---|---|---|---|---|
| springboard.* | ||||||
| springboard.manage | ||||||
| springboard.read | Yes | Yes | Yes | Yes |
