Role Permissions

In NetWitness, user can access each module, dashlet, and view is restricted based on the assigned permissions. You can locate these role permissions in the Add or Edit Roles dialogs accessible from the netwitness_adminicon_25x22.png (Admin) > Security > Roles tab.

In the Add or Edit Role dialogs, the tabs in the Permission section represent different areas of NetWitness and show the available permissions for those areas. For example, the Administration tab shows the permissions available in the Admin view.

Note: There is no Configure tab in the Add/Edit Role dialogs that corresponds to the Configure view. To assign permissions in the Configure view, assign permissions to the views contained within the Configure view: Live Content (Live), Incident Rules (Incidents), Respond Notifications (Incidents, Respond-server, Integration server), ESA Rules (Alerting), Subscriptions (Live), and Custom Feeds (Live).

Note: To the left of the Administration tab is a tab marked with an asterisk (*). This tab indicates access to management of backend services only.

The tables that follow show the default permissions assigned to each NetWitness user role:

  • Administrators
  • Respond Administrators (RAs)

  • Reporting Engine Content Administrators (RE CAs)
  • Data Privacy Officers (DPOs)
  • SOC Managers (SOC Mgrs)
  • Operators
  • Malware Analysts (MAs)
  • Analysts
  • UEBA Analysts

Since the Administrators role has all of the permissions by default, it is not included in the tables.

Service Permissions Format for New Services

The service permissions for some new NetWitness services contain three parts in the following format:

<service name>.<resource>.<action>

For example, for the investigate-server.metrics.read permission:

  • service name = investigate-server
  • resource = metrics
  • action = read

Users assigned this permission can read any metrics that the investigate-server service exposes.

Admin-server

The following table describes the permissions in the Admin-server tab.

Permission Description
admin-server.configuration.manage Permission to modify all service configuration parameters
admin-server.health.read Permission to view any health notifications that the service exposes
admin-server.logs.manage Permission to change log-related configuration
admin-server.metrics.read Permission to view any metrics that the service exposes
admin-server.process.manage Permission to start and stop the service
admin-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
admin-server.security.read Permission to view security-related resources

Administration

The following table describes the list of permissions in Administration tab.

Permission Description
Access Administration Module

Permission to access all the administration modules

Access Health & Wellness Permission to access the health and wellness module
Apply System Updates

Permission to update the system

Can Opt In to Live Intelligence Sharing Permission to opt for Live Intelligence sharing
Manage Advanced Settings

Permission to modify the advanced settings

Manage ATD Settings Permission to modify the ATD settings
Manage Auditing

Permission to modify the auditing

Manage Email Permission to change the email settings
Manage Global Auditing

Permission to modify global auditing

Manage Health & Wellness Policy Permission to update the health & wellness policy

Manage Jobs

Permission to change the job settings

Manage LLS

Permission to modify LLS

Manage Logs Permission to modify log related configurations
Manage Notifications

Permission to change notification settings

Manage Plugins Permission to modify the plugins
Manage Predicates

Permission to modify the predicates

Manage Reconstruction Permission to change the reconstruction
Manage Security

Permission to update the security settings

Manage Services Permission to start and stop the services
Manage SSL Security Permission to manage PKI setting
Manage System Settings

Permission to the modify the system settings

Modify ESA Settings Permission to modify the ESA settings
Modify Event Sources

Permission to modify the ESA sources

Modify Hosts Permission to modify the hosts
Modify Services

Permission to modify the services

View Event Sources Permission to view the event sources
View Health & Wellness Policy

Permission to view the health & wellness policy

View Health & Wellness Stats Browser Permission to view the health and wellness status in the browser
View Hosts

Permission to view the hosts

View Services Permission to view the services
View Unified Sources

Permission to view the unified sources

The following table lists the permissions in the Administration tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts UEBA Analysts
Access Administration Module

 

Yes Yes Yes Yes Yes

 

Access Health & Wellness   Yes Yes Yes Yes Yes  
Apply System Updates

 

    Yes    

 

Can Opt In to Live Intelligence Sharing       Yes      
Manage Advanced Settings

 

    Yes    

 

Manage ATD Settings Yes Yes Yes Yes      
Manage Auditing

 

Yes   Yes    

 

Manage Email       Yes      
Manage Global Auditing

 

Yes   Yes    

 

Manage Health & Wellness Policy       Yes      

Manage Jobs

 

Yes

Yes

Yes

 

 

 

Manage LLS

 

    Yes      
Manage Logs   Yes   Yes    

 

Manage Notifications

 

    Yes      
Manage Plugins   Yes Yes Yes   Yes

 

Manage Predicates

 

    Yes      
Manage Reconstruction       Yes    

 

Manage Security

 

Yes   Yes      
Manage Services   Yes   Yes    

 

Manage SSL Security

 

 

 

 

 

 

 

Manage System Settings

 

Yes Yes Yes   Yes  
Modify ESA Settings       Yes    

 

Modify Event Sources

 

    Yes      
Modify Hosts       Yes    

 

Modify Services

 

Yes   Yes      
View Event Sources     Yes Yes    

 

View Health & Wellness Policy

 

  Yes Yes   Yes  
View Health & Wellness Stats Browser   Yes Yes Yes   Yes

 

View Hosts

 

Yes   Yes      
View Services   Yes   Yes    

 

View Unified Sources

 

Yes Yes Yes   Yes  

Alerting

The following table describes the permissions in the Alerting tab.

Permission Description
Access Alerting Module Permission to access the alerting module
Manage Rules Permission to update the rules
View Alerts Permission to view the alerts
View Rules Permission to view the rules

The following table lists the permissions in the Alerting tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
Access Alerting Module Yes

Yes

Yes

Yes

 

Yes

Manage Rules Yes Yes Yes Yes    
View Alerts Yes

Yes

Yes

 

 

Yes

View Rules   Yes Yes Yes    

Cloud-connector-server

The following table describes the permissions in the Cloud-connector-server tab. The Administrators role has all of the permissions and is the only role granted permissions by default.

Permission Description
Cloud-connector-server.* All permissions (everything below)
cloud-connector-server.networkasset.read Permission to view all the network assets data on the Assets page
cloud-connector-server.query.read Permission to view the queries of the assets
cloud-connector-server.filter.read Permission to save, modify, and delete filters

The following table lists the permissions in the Cloud-connector-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed

Permission RA DPOs SOC Mgrs Operators MAs Analysts
Cloud-connector-server*  

 

 

 

 

 

cloud-connector-server.networkasset.read           Yes
cloud-connector-server.query.read  

 

 

 

 

Yes
cloud-connector-server.filter.read           Yes

Config-server

The following table describes the permissions in the Config-server tab. The Administrators role has all of the permissions and is the only role granted permissions by default.

Permission Description
config-server.* All permissions (everything below)
config-server.configuration.manage Permission to modify all service configuration parameters
config-server.health.read Permission to view any health notifications that the service exposes
config-server.logs.manage Permission to change log-related configuration
config-server.metrics.read Permission to view any metrics that the service exposes
config-server.process.manage Permission to start and stop the service
config-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
config-server.security.read Permission to view security-related resources

Content-server

The following table describes the permissions in the Content-server tab.

Permission Description

content-server.*

All permissions (everything below)

content-server.collection.read Permission to read selective collection content
content-server.configuration.manage Permission to modify all service configuration parameters

content-server.health.read

Permission to view any health notifications that the service exposes

content-server.logparser.manage Permission to manage log parser configurations

content-server.logparser.read

Permission to view log parser configurations

content-server.logs.manage Permission to change log-related configuration

content-server.metrics.read

Permission to view any metrics that the service exposes

content-server.policy.read

Permission to read policies

content-server.process.manage

Permission to start and stop the service

content-server.rule.manage

Permission to manage content rules

content-server.rule.read Permission to view content rules

content-server.security.manage

Permission to edit security-related resources (passwords, keys, and so on)

content-server.security.read

Permission to view security-related resources

The following table lists the permissions in the Content-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
content-server.*   Yes   Yes  

 

content-server.collection.read            
content-server.configuration.manage            

content-server.health.read

         

 

content-server.logparser.manage            

content-server.logparser.read

    Yes    

Yes

content-server.logs.manage            

content-server.metrics.read

 

 

 

 

 

 

content-server.policy.read

 

 

 

 

 

 

content-server.process.manage

 

 

 

 

 

 

content-server.rule.manage

 

 

 

 

 

 

content-server.rule.read            

content-server.security.manage

 

 

 

 

 

 

content-server.security.read

 

 

 

 

 

 

Contexthub-server

The following table describes the permissions in the Contexthub-server tab.

Permission Description
contexthub-server.* All permissions (everything below)
contexthub-server.configuration.manage Permission to modify all service configuration parameters

contexthub-server.connection.manage

Permission to modify all connection settings

contexthub-server.connection.read Permission to view all connection settings

contexthub-server.connectiontypes.read

Permission to view all configured connection types

contexthub-server.datasource.manage Permission to modify data source settings

contexthub-server.datasource.read

Permission to view data source settings

contexthub-server.health.read Permission to view any health notifications that the service exposes

contexthub-server.listentries.manage

Permission to modify list entries

contexthub-server.logs.manage Permission to change log-related configuration
contexthub-server.metrics.read Permission to view any metrics that the service exposes
contexthub-server.process.manage Permission to start and stop the service

contexthub-server.query.read

Permission to view queries

contexthub-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
contexthub-server.security.read Permission to view security-related resources
contexthub-server.stix.read Permission to view stix settings

contexthub-server.taxiidatasource.manage

Permission to modify settings for the taxii data source

contexthub-server.taxiidatasource.read Permission to view settings for the taxii data source
contexthub-server.contextlookup.read Permission to enable or disable the context lookup and perform Add/Remove from List actions on the Users, Hosts, Files, Respond, and Investigate Events view.

The following table lists the permissions in the Contexthub-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
contexthub-server.*   Yes      

 

contexthub-server.configuration.manage            
contexthub-server.connection.manage          

 

contexthub-server.connection.read Yes   Yes   Yes Yes
contexthub-server.connectiontypes.read     Yes    

 

contexthub-server.datasource.manage Yes   Yes   Yes Yes

contexthub-server.datasource.read

Yes   Yes   Yes Yes
contexthub-server.health.read            
contexthub-server.listentries.manage Yes   Yes   Yes Yes
contexthub-server.logs.manage            
contexthub-server.metrics.read          

 

contexthub-server.process.manage            
contexthub-server.query.read Yes   Yes   Yes Yes
contexthub-server.security.manage            
contexthub-server.security.read          

 

contexthub-server.stix.read     Yes   Yes Yes
contexthub-server.taxiidatasource.manage     Yes   Yes Yes
contexthub-server.taxiidatasource.read     Yes   Yes Yes
contexthub-server.contextlookup.read Yes   Yes   Yes Yes

Correlation-server

The following table describes the permissions in the Correlation-server tab. These permissions pertain to ESA Correlation.

Permission Description
correlation-server.* All permissions (everything below)
correlation-server.configuration.manage Permission to modify all service configuration parameters
correlation-server.endpoint.manage Permission to modify all endpoint configuration parameters
correlation-server.endpoint.read Permission to view all endpoint configuration parameters
correlation-server.engine.manage Permission to modify all engine configuration parameters
correlation-server.engine.read Permission to view all engine configuration parameters
correlation-server.esperrule.manage Permission to modify all esperrule configuration parameters
correlation-server.esperrule.read Permission to view all esperrule configuration parameters
correlation-server.health.read Permission to view any health notifications that the service exposes
correlation-server.keyvaluerule.manage Permission to modify all keyvaluerule configuration parameters
correlation-server.keyvaluerule.read Permission to view all keyvaluerule configuration parameters
correlation-server.logs.manage Permission to change log-related configuration
correlation-server.metrics.read Permission to view any metrics that the service exposes
correlation-server.module.manage Permission to modify each module
correlation-server.module.read Permission to view each module
correlation-server.process.manage Permission to start and stop the service
correlation-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
correlation-server.security.read Permission to view security-related resources
correlation-server.stream.manage Permission to edit stream configuration settings
correlation-server.stream.read Permission to view stream configuration settings
correlation-server.telemetry.read Permission to view telemetry configuration settings

The following table lists the permissions in the Correlation-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
correlation-server.*  

Yes

 

 

 

 

correlation-server.configuration.manage            
correlation-server.endpoint.manage

 

 

 

 

 

 

correlation-server.endpoint.read

 

 

 

 

 

 

correlation-server.engine.manage Yes

 

Yes

Yes

 

 

correlation-server.engine.read Yes   Yes Yes    
correlation-server.esperrule.manage

 

 

 

 

 

 

correlation-server.esperrule.read

 

 

 

 

 

 

correlation-server.health.read  

 

 

 

 

 

correlation-server.keyvaluerule.manage            
correlation-server.keyvaluerule.read            
correlation-server.logs.manage            
correlation-server.metrics.read  

 

 

 

 

 

correlation-server.module.manage Yes   Yes Yes    
correlation-server.module.read Yes

 

Yes

Yes

 

 

correlation-server.process.manage            
correlation-server.security.manage  

 

 

 

 

 

correlation-server.security.read            
correlation-server.stream.manage Yes

 

Yes

Yes

 

 

correlation-server.stream.read Yes   Yes Yes    
correlation-server.telemetry.read  

 

 

 

 

 

Dashboard

The following table describes the permissions in the Dashboard tab.

Permission Description
Dashlet Access - Admin Device List Dashlet Permission to access Admin Device List Dashlet
Dashlet Access - Admin Device Monitor Dashlet Permission to access Admin Device Monitor Dashlet
Dashlet Access - Admin News Dashlet Permission to access Admin News Dashlet
Dashlet Access - Alert Variance Dashlet Permission to access Alert Variance Dashlet
Dashlet Access - Alerting Recent Alerts Dashlet Permission to access Alerting Recent Alerts Dashlet
Dashlet Access - Investigation Jobs Dashlet Permission to access Investigation Jobs Dashlet
Dashlet Access - Investigation Top Values Dashlet Permission to access Investigation Top Values Dashlet
Dashlet Access - Live Featured Resources Dashlet Permission to access Live Featured Resources Dashlet
Dashlet Access - Live New Resources Dashlet Permission to access Live New Resources Dashlet
Dashlet Access - Live Subscriptions Dashlet Permission to access Live Subscriptions Dashlet
Dashlet Access - Live Updated Resources Dashlet Permission to access Live Updated Resources Dashlet
Dashlet Access - Malware Jobs Dashlet Permission to access Malware Jobs Dashlet
Dashlet Access - Reporting Recent Report Dashlet Permission to access Reporting Recent Report Dashlet
Dashlet Access - Reporting Charts Dashlet Permission to access Reporting Charts Dashlet
Dashlet Access - Top Alerts Dashlet Permission to access Top Alerts Dashlet
Dashlet Access - Unified First Watch Dashlet Permission to access Unified First Watch Dashlet
Dashlet Access - Unified Shortcuts Dashlet Permission to access Unified Shortcuts Dashlet

The following table lists the permissions in the Dashboard tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RA DPOs SOC Mgrs Operators MAs Analysts
Dashlet Access - Admin Device List Dashlet

Yes

Yes Yes Yes   Yes
Dashlet Access - Admin Device Monitor Dashlet   Yes        
Dashlet Access - Admin News Dashlet

Yes

Yes Yes Yes   Yes
Dashlet Access - Alert Variance Dashlet Yes Yes Yes     Yes
Dashlet Access - Alerting Recent Alerts Dashlet Yes Yes Yes     Yes
Dashlet Access - Investigation Jobs Dashlet Yes Yes Yes     Yes
Dashlet Access - Investigation Top Values Dashlet Yes Yes Yes     Yes
Dashlet Access - Live Featured Resources Dashlet Yes Yes Yes Yes   Yes
Dashlet Access - Live New Resources Dashlet Yes Yes Yes Yes   Yes
Dashlet Access - Live Subscriptions Dashlet Yes Yes Yes Yes   Yes
Dashlet Access - Live Updated Resources Dashlet Yes Yes Yes Yes   Yes
Dashlet Access - Malware Jobs Dashlet Yes Yes Yes     Yes
Dashlet Access - Reporting Recent Report Dashlet Yes Yes Yes     Yes
Dashlet Access - Reporting Charts Dashlet Yes Yes Yes     Yes
Dashlet Access - Top Alerts Dashlet Yes Yes Yes     Yes
Dashlet Access - Unified First Watch Dashlet Yes Yes Yes Yes   Yes
Dashlet Access - Unified Shortcuts Dashlet Yes Yes Yes Yes   Yes

Endpoint-broker-server

The following table describes the permissions in the Endpoint Broker server tab.

Permission Description

endpoint-broker-server*

All permissions (everything below)

endpoint-broker-server.agent.manage Permission to manage the agent, that is start or stop scan, downloading file from host, delete agent data from the Endpoint Log Hybrid and so on.
endpoint-broker-server.agent.read Permission to view the endpoint data received from the agent such as host, file, certificate, events and so on.
endpoint-broker-server.configuration.manage Permission to modify all endpoint broker configuration parameters
endpoint-broker-server.health.read Permission to view any health notifications that the service exposes
endpoint-broker-server.logs.manage Permission to change log-related configuration
endpoint-broker-server.metrics.read Permission to view any metrics that the service exposes
endpoint-broker-server.policy.read Permission to view existing policy details
endpoint-broker-server.process.manage Permission to start and stop the service
endpoint-broker-server.security.manage

Permission to edit security-related resources (passwords, keys, and so on)

endpoint-broker-server.security.read

Permission to view security-related resources

The following table lists the permissions in the Endpoint-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission RA DPOs SOC Mgrs Operators MAs Analysts
endpoint-broker-server*  

 

 

 

 

 

endpoint-broker-server.agent.manage       Yes   Yes
endpoint-broker-server.agent.read  

 

 

Yes

 

Yes
endpoint-broker-server.configuration.manage            
endpoint-broker-server.health.read  

 

 

 

 

 

endpoint-broker-server.logs.manage            
endpoint-broker-server.metrics.read  

 

 

 

 

 

endpoint-broker-server.policy.read  

 

 

 

 

Yes
endpoint-broker-server.process.manage            
endpoint-broker-server.security.manage  

 

 

 

 

 

endpoint-broker-server.security.read            

Endpoint-serverEndpoint-server

The following table describes the permissions in the Endpoint-server tab.

Permission Description

endpoint-server*

All permissions (everything below)

endpoint-server.agent.manage

Permission to generate and download the agent packager.

Permission to manage the agent, that is start or stop scan, downloading files, master file table (MFT), memory dumps from host, isolate host from network, delete agent data from the Endpoint Log Hybrid and so on
Note: Analyze file, Scan With OPSWAT, Save Local Copy have been moved to endpoint-server.file.analyze (from version 11.7)

endpoint-server.agent.read

Permission to view the agent packager configuration

Permission to view the endpoint data received from the agent such as host, file, certificate, events, and so on

endpoint-server.agentupdate.manage Permission to upgrade agent and uninstall agent
endpoint-server.ca.manage

Permission to generate and download the agent packager

Permission to upgrade agent

endpoint-server.ca.read

Permission to generate and download the agent packager

endpoint-server.configuration.manage Permission to modify all endpoint configuration parameters
endpoint-server.file.analyze Permission to analyze file, save local copy, and initiate OPSWAT scans
endpoint-server.filter.manage Permission to save, modify, and delete filters
endpoint-server.filter.read Permission to view filters
endpoint-server.health.read Permission to view any health notifications that the service exposes
endpoint-server.logs.manage Permission to change log-related configuration
endpoint-server.metrics.read Permission to view any metrics that the service exposes
endpoint-server.policy.read Permission to view existing policy details

endpoint-server.process.manage

Permission to start and stop the service

endpoint-server.relay.manage Permission to modify Relay Server Configuration

endpoint-server.relay.read

Permissions to view Relay Server details

endpoint-server.security.manage

Permission to edit security-related resources (passwords, keys, and so on)

endpoint-server.security.read

Permission to view security-related resources

endpoint-server.tag.manage Permission to manage Tags (Create and Delete)

The following table lists the permissions in the Endpoint-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission RA DPOs SOC Mgrs Operators MAs Analysts

endpoint-server*

         

 

endpoint-server.agent.manage       Yes   Yes
endpoint-server.agent.read       Yes   Yes
endpoint-server.agentupdate.manage            
endpoint-server.ca.manage       Yes    

endpoint-server.ca.read

      Yes  

 

endpoint-server.configuration.manage            
endpoint-server.filter.manage           Yes
endpoint-server.filter.read           Yes
endpoint-server.health.read          

 

endpoint-server.logs.manage            
endpoint-server.metrics.read          

 

endpoint-server.policy.read          

Yes

endpoint-server.process.manage

           
endpoint-server.rar.manage            

endpoint-server.rar.read

 

 

 

 

 

 

endpoint-server.relay.manage       Yes    

endpoint-server.relay.read

 

 

 

Yes

 

 

endpoint-server.security.manage          

 

endpoint-server.security.read

           

Incidents

The following table describes the permissions in the Incidents tab.

Permission Description
Access Incident Module Permission to access the Incident module
Configure Incident Management Integration Permission to configure incident management integration
Delete Alerts and incidents Permission o delete alerts and incidents
Manage Alert Handling Rules Permission to modify the alert handling rules
View and Manage Incidents Permission to modify the incidents

The following table lists the permissions in the Incidents tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
Access Incident Module Yes Yes Yes   Yes

Yes

Configure Incident Management Integration Yes Yes Yes      
Delete Alerts and incidents Yes Yes      

 

Manage Alert Handling Rules Yes Yes Yes      
View and Manage Incidents Yes Yes Yes   Yes

Yes

Integration-server

(The Integration-server permissions are available in NetWitness version 11.1 and later.)

The following table describes the permissions in the Integration-server tab.

Permission Description

integration-server.*

All permissions (everything below)

integration-server.api.access Permission to authorize external requests from 3rd party applications
integration-server.configuration.manage Permission to view and modify all service integration configuration parameters
integration-server.health.read Permission to read any health notifications that the service exposes
integration-server.logs.manage Permission to change log-related integration configurations
integration-server.metrics.read Permission to read any metrics that the service exposes
integration-server.notification.manage Permission to change global notification configurations (for example, SMTP server)
integration-server.notification.read Permission to read global notification configurations (for example, SMTP server)
integration-server.notification.send Permission to send notifications (for example, Email)
integration-server.process.manage Permission to start and stop the service
integration-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
integration-server.security.read Permission to read security-related resources
integration-server.template.manage Permission to change notification template
integration-server.template.read Permission to read notification template

 

The following table lists the permissions in the Integration-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts

integration-server.*

  Yes        
integration-server.api.access            
integration-server.configuration.manage            
integration-server.health.read            
integration-server.logs.manage            
integration-server.metrics.read            
integration-server.notification.manage Yes   Yes Yes    
integration-server.notification.read Yes   Yes Yes    
integration-server.notification.send Yes   Yes Yes    
integration-server.process.manage            
integration-server.security.manage            
integration-server.security.read            
integration-server.template.manage Yes   Yes Yes    
integration-server.template.read Yes   Yes Yes    

Investigate

The following table describes the permissions in the Investigate tab.

Permission Description
Access Investigation Module Permission to access investigation module
Context Lookup Permission to access context lookup
Create Incidents from Investigation Permission to create incidents from investigation
Manage List from Investigation Permission to modify the list of investigation
Navigate Events Permission to navigate the events
Navigate Values Permission to navigate the values

The following table lists the permissions in the Investigate tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
Access Investigation Module Yes Yes Yes   Yes Yes
Context Lookup Yes   Yes   Yes Yes
Create Incidents from Investigation Yes   Yes   Yes Yes
Manage List from Investigation Yes   Yes   Yes Yes
Navigate Events Yes Yes Yes   Yes Yes
Navigate Values Yes Yes Yes   Yes Yes

Investigate-server

The following table describes the permissions in the Investigate-server tab.

Permission Description
investigate-server.* All permissions (everything below) for 11.4 and above Events view, and 11.3 and earlier Event Analysis view.

investigate-server.column group.read

Permission to access column groups

investigate-server.configuration.manage Permission to change any configuration properties for the service
investigate-server.content.export Permission to export content from the service

investigate-server-content.manage

Permission to clear all per service or per user reconstruction cache

investigate-server.content.reconstruct Permission to view the summary view, the packet, packet map, text, log, and file reconstructions, as well as the packet count

investigate-server.event.filter

Permission to view the Filter Events panel in the Events view

investigate-server.event.read

Permission to view events that the service exposes

investigate-server.health.read Permission to view any health notifications that the service exposes
investigate-server.incident.manage Create or update an incident in Respond
investigate-server.logs.manage Permission to change log-related configuration
investigate-server.metagroup.manage Permission to manage meta groups

investigate-server.metagroup.read

Permission to view and use meta groups

investigate-server.metrics.read Permission to view any metrics that the service exposes
investigate-server.predicate.manage

Permission to edit or remove one or more predicates

investigate-server.predicate.read

Permission to filter events in the Navigate view, Legacy EventsEvents view, and Events view. Note: This permission is required with investigate-server.event.read permission to provide access to the and Events view.

investigate-server.process.manage Permission to start and stop the service
investigate-server.profile.read Permission to access profiles.
investigate-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
investigate-server.security.read Permission to view security-related resources
investigate-server.alert.manage Permission to create alert from Investigate Events view.
investigate-server.searchpatternrule.manage
Permission to create search pattern from Investigate Events view.

The following table lists the permissions in the Investigate-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed. The UEBA Analysts and Content Administrators roles have none of these permissions by default and are not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
investigate-server.* Yes

Yes

 

 

 

 

investigate-server.columngroup.read     Yes   Yes Yes
investigate-server.configuration.manage            
investigate-server.content.export  

 

Yes

 

Yes

Yes

investigate-server.content.manage

 

 

 

 

 

 

investigate-server.content.reconstruct     Yes   Yes Yes

investigate-server.event.filter

Yes

Yes

Yes

 

Yes

Yes

investigate-server.event.read

 

 

Yes  

Yes

Yes

investigate-server.health.read            

investigate-server.incident.manage

 

 

 

 

 

Yes

investigate-server.logs.manage  

 

 

 

 

 

investigate-server.metagroup.manage            

investigate-server.metagroup.read

 

 

Yes

 

Yes

Yes

investigate-server.metrics.read            

investigate-server.predicate.manage

 

 

 

 

 

 

investigate-server.predicate.read

 

 

Yes

 

Yes

Yes

investigate-server.process.manage  

 

 

 

 

 

investigate-server.profile.read     Yes   Yes Yes
investigate-server.security.manage            
investigate-server.security.read  

 

 

 

 

 

investigate-server.alert.manage  

 

 

 

 

 

investigate-server.searchpatternrule.manage
 

 

 

 

 

 

License-server

The following table describes the permissions in the License-server tab. The Administrator and Operator have all of the permissions and are the only roles granted permissions by default.

Permission Description
license-server.* All permissions (everything below)
license-server.configuration.manage Permission to modify all service configuration parameters
license-server.health.read Permission to view any health notifications that the service exposes
license-server.license.manage Permission to manage license related configurations
license-server.license.read Permission to view license related configurations
license-server.logs.manage Permission to change log-related configuration
license-server.metrics.read Permission to view any metrics that the service exposes
license-server.process.manage Permission to start and stop the service
license-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
license-server.security.read Permission to view security-related resources

Live

The following table describes the permissions in the Live tab.

Permission Permission
Live  
Access Live Module Permission to access live module
Manage Live System Settings Permission to modify the live system settings
Resources  
Deploy Live Resources Permission to deploy live resources
Manage Live Feeds Permission to modify live feeds
Manage Live Resources Permission to modify live resources
Search Live Resources Permission to search live resources
View Live Resource Details Permission to view live resource details

The following table lists the permissions in the Live tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
Live          

 

Access Live Module   Yes Yes Yes   Yes
Manage Live System Settings       Yes  

 

Resources            
Deploy Live Resources   Yes   Yes  

 

Manage Live Feeds   Yes   Yes    
Manage Live Resources   Yes   Yes  

 

Search Live Resources   Yes Yes Yes   Yes
View Live Resource Details   Yes Yes Yes    

Malware

The following table describes the permissions in the Malware tab.

Permission Operators
Download Malware File(s) Permission to download the malware files for investigation
Initiate Malware Analysis Scan Permission to start the malware analysis scan
View Malware Analysis Events Permission to view the malware analysis events

The following table lists the permissions in the Malware tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
Download Malware File(s)   Yes Yes   Yes Yes
Initiate Malware Analysis Scan   Yes Yes   Yes Yes
View Malware Analysis Events   Yes Yes   Yes Yes

Metrics-server

The following table describes the permissions in the Metrics-server tab. The Administrators role have all of the permissions and are the only roles granted permissions by default.

Permission Description

metrics-server .*

All permissions (everything below)

metrics-server.configuration.manage Permission to modify all service configuration parameters

metrics-server-content.manage

Permission to modify configuration parameters in the service

metrics-server-content.read Permission to view configuration parameters of the service
metrics-server.health.read Permission to view any health notifications that the service exposes
metrics-server.logs.manage Permission to change log-related configuration
metrics-server.metric.manage Permission to modify all the configuration parameters
metrics-server.metric.read Permission to view configuration of New Health and Wellness
metrics-server.metrics.read Permission to view any metrics that the service exposes
metrics-server.process.manage Permission to start and stop the service
metrics-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
metrics-server.security.read Permission to view security-related resources

The following table lists the permissions in the Metrics-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RA DPOs SOC Mgrs Operator MAs Analysts UEBA Analysts

metrics-server .*

 

 

 

 

 

 

 

metrics-server.configuration.manage              

metrics-server-content.manage

 

 

 

 

 

 

 

metrics-server-content.read              
metrics-server.health.read              
metrics-server.logs.manage              
metrics-server.metric.manage              
metrics-server.metric.read   Yes Yes Yes Yes Yes  
metrics-server.metrics.read              
metrics-server.process.manage              
metrics-server.security.manage              
metrics-server.security.read              

Navigation

The following table describes the permissions in the Navigation tab. The Administrators role have all of the permissions and are the only roles granted permissions by default.

Permission Description

navigation .*

All permissions (everything below)

navigation.homepage-admin-view.manage Permission to manage the Admin view under Home page, that is view, add, delete, and rearrange widgets, and also restore the dashboard to default configuration view.
navigation.homepage-admin-view.read Permission to view Admin view widgets under Home page
navigation.homepage-analyst-view.manage Permission to manage the Analyst view under Home page, that is view, add, delete, and rearrange widgets, and also restore the dashboard to default configuration view.
navigation.homepage-analyst-view.read Permission to view Analyst view widgets under Home page
navigation.homepage-manager-view.manage Permission to manage the Manager view under Home page, that is view, add, delete, and rearrange widgets, and also restore the dashboard to default configuration view.
navigation.homepage-manager-view.read Permission to view Manager view widgets under Home page

The following table lists the permissions in the Navigation tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RA DPOs SOC Mgrs Operator MAs Analysts UEBA Analysts

navigation .*

 

 

 

 

 

 

 

navigation.homepage-admin-view.manage              

navigation.homepage-admin-view.read

 

 

 

 

 

 

 

navigation.homepage-analyst-view.manage           Yes  
navigation.homepage-analyst-view.read           Yes  
navigation.homepage-manager-view.manage     Yes        
navigation.homepage-manager-view.read     Yes        

Orchestration-server

The following table describes the permissions in the Orchestration-server tab. The Administrators, Operators, and Data Privacy Officers roles have all of the permissions and are the only roles granted permissions by default.

Permission Description
orchestration-server.* All permissions (everything below)
orchestration-server.configuration.manage Permission to modify all service configuration parameters

orchestration-server.file.read

Permission to view files

orchestration-server.health.read Permission to view any health notifications that the service exposes
orchestration-server.logs.manage Permission to change log-related configuration
orchestration-server.metrics.read Permission to view any metrics that the service exposes
orchestration-server.process.manage Permission to start and stop the service
orchestration-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
orchestration-server.security.read Permission to view security-related resources

Reports

The following table describes the permissions in the Reports tab.

Permission Description
Alert  
Define RE Alert Permission to define the RE alerts
Export RE Alert Definition Permission to export the RE alert definistions
Manage RE Alerts Permission to to modify the RE alerts
View RE Alerts Permission to view the RE alerts
View Scheduled RE Alerts Permission to view the scheduled RE alerts
Chart  
Define Chart Permission to define the charts
Delete Chart Permission to delete the charts
Export Chart Definition Permission to export the chart definitions
Manage Charts Permission to modify the charts
View Charts Permission to view the charts
List  
Define Lists Permission to define the lists
Delete List Permission to delete the lists
Export List Permission to export the lists
Manage Lists Permission to modify the lists
Report  
Define Report Permission to define the reports
Delete Report Permission to delete the reports
Export Report Permission to export the reports
Manage Reports Permission to modify the reports
View Reports Permission to view the reports
Reports  
Access Configure Permission to access Configure module
Access Reporter Module Permission to access Reporter module
Access Reporter search Permission to access Reporter search
Access View Permission to access Reports view
Rule  
Add RE Alert Definition from Rule Permission to add RE alert definition from the rules
Define Rule Permission to define the rules
Delete Rule Permission to delete the rules
Export Rule Permission to export the rules
Manage Rules Permission to modify the rules
View Rule Usage Permission to view the rules usage
Schedules  
Define Schedule Permission to define the schedules
Delete Schedule Permission to delete the schedules
View Schedules Permission to view the schedules
Warehouse Analytics  
Define Jobs Permission to define the warehouse analytics jobs
Delete Jobs Permission to delete the warehouse analytics jobs
Manage Jobs Permission to modify the warehouse analytics jobs
View Jobs Permission to view the warehouse analytics jobs

The following table lists the permissions in the Reports tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all of the permissions by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
Alert

 

         
Define RE Alert   Yes Yes     Yes
Export RE Alert Definition

 

Yes Yes     Yes
Manage RE Alerts   Yes Yes     Yes
View RE Alerts

Yes

Yes Yes     Yes
View Scheduled RE Alerts   Yes Yes     Yes
Chart

 

         
Define Chart   Yes Yes     Yes
Delete Chart

 

Yes Yes     Yes
Export Chart Definition   Yes Yes     Yes
Manage Charts

 

Yes Yes     Yes
View Charts   Yes Yes     Yes
List

 

         
Define Lists   Yes Yes     Yes
Delete List

 

Yes Yes     Yes
Export List   Yes Yes     Yes
Manage Lists

 

Yes Yes     Yes
Report            
Define Report

 

Yes Yes     Yes
Delete Report   Yes Yes     Yes
Export Report

 

Yes Yes     Yes
Manage Reports   Yes Yes     Yes
View Reports

 

Yes Yes     Yes
Reports            
Access Configure

 

Yes Yes     Yes
Access Reporter Module   Yes Yes     Yes
Access Reporter search

 

Yes Yes     Yes
Access View   Yes Yes     Yes
Rule

 

         
Add RE Alert Definition from Rule   Yes Yes     Yes
Define Rule

 

Yes Yes     Yes
Delete Rule   Yes Yes     Yes
Export Rule

 

Yes Yes     Yes
Manage Rules   Yes Yes     Yes
View Rule Usage

 

Yes Yes     Yes
Schedules            
Define Schedule

 

Yes Yes     Yes
Delete Schedule   Yes Yes     Yes
View Schedules

 

Yes Yes     Yes
Warehouse Analytics            
Define Jobs

 

Yes Yes     Yes
Delete Jobs   Yes Yes     Yes
Manage Jobs

 

Yes Yes     Yes
View Jobs   Yes Yes     Yes

Respond-server

The following table describes the permissions in the Respond-server tab.

Note: For viewing and managing the Risk Score feature, users who have installed NetWitness Platform 11.3 or upgraded from NetWitness 10.6.x to 11.3, risk score permissions will be already present for Analysts. For users updating from NetWitness 11.x to NetWitness Platform 11.3, the Administrator has to provide Analysts' permissions to manage and view risk score.

Permission Description
respond-server.* All permissions (everything below)
respond-server.alert.delete Permission to delete alerts
respond-server.alert.manage Permission to create, update, or delete alerts and alert filters
respond-server.alert.read Permission to view alerts and alert filters
respond-server.alertrule.manage Permission to create, update, or delete alert aggregation rules
respond-server.alertrule.read Permission to view alert aggregation rules
respond-server.configuration.manage Permission to change any configuration properties for the service
respond-server.health.read Permission to view any health notifications that the service exposes
respond-server.incident.delete Permission to delete incidents
respond-server.incident.manage Permission to create, update, or delete incidents and incident filters including permission to view the Create Incident and Add to Incident options in the Investigate > Events view
respond-server.incident.read Permission to view incidents and incident filters
respond-server.journal.manage Permission to create, update, or delete journal entries for an incident
respond-server.journal.read Permission to view journal entries for an incident
respond-server.logs.manage Permission to change log-related configuration
respond-server.metrics.read Permission to view any metrics that the service exposes
respond-server.notification.manage (This permission is available in NetWitness version 11.1 and later.)
Permission to configure incident email notification settings such as the selected email server, SOC Managers, and who will be sent the notifications (Assignee and SOC Managers)
respond-server.notification.read (This permission is available in NetWitness version 11.1 and later.)
Permission to view incident email notification settings
respond-server.process.manage Permission to start and stop the service
respond-server.remediation.manage Permission to create, update, or delete remediation tasks
respond-server.remediation.read Permission to view remediation tasks

respond-server.risk.manage

Permission to manage risk score

respond-server.risk.read Permission to view risk score
respond-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
respond-server.security.read Permission to view security-related resources

 

The following table lists the permissions in the Respond-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrator has all of the permissions by default and are not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
respond-server.*

Yes

Yes        
respond-server.alert.delete            
respond-server.alert.manage

 

  Yes   Yes Yes
respond-server.alert.read     Yes   Yes Yes
respond-server.alertrule.manage

 

  Yes      
respond-server.alertrule.read     Yes      
respond-server.configuration.manage

 

         
respond-server.health.read            
respond-server.incident.delete

 

         
respond-server.incident.manage     Yes   Yes Yes
respond-server.incident.read

 

  Yes   Yes Yes
respond-server.journal.manage     Yes   Yes Yes
respond-server.journal.read

 

  Yes   Yes Yes
respond-server.logs.manage            
respond-server.metrics.read

 

         
respond-server.notification.manage     Yes      
respond-server.notification.read

 

  Yes      
respond-server.process.manage            
respond-server.remediation.manage

 

  Yes   Yes Yes
respond-server.remediation.read     Yes   Yes Yes

respond-server.risk.manage

 

 

 

 

 

Yes
respond-server.risk.read           Yes
respond-server.security.manage

 

         
respond-server.security.read            

Incident Email Notification Settings Permissions

Note: Incident email notification setting permissions are available in NetWitness version 11.1 and later.
If you are updating from NetWitness version 11.0 to 11.1 or later, you will need to add additional permissions to your existing built-in NetWitness user roles. For all upgrades to 11.1 or later, you will need to add additional permissions to custom roles.

The following permissions are required for Respond Administrators, Data Privacy Officers, and SOC Managers to access Incident Email Notification Settings [ netwitness_configureicon_24x21.png (Configure) > Incident Notifications].

Incidents tab:

  • Configure Incident Management Integration

Respond-server tab:

  • respond-server.notification.manage
  • respond-server.notification.read

Integration-server tab:

  • integration-server.notification.read
  • integration-server.notification.manage

Respond Event Analysis Permissions

Note: The Event Analysis panel in the Respond view is available in NetWitness version 11.2 and later.

The Events panel in the Respond view, formerly known as the Event Analysis panel, shows the Events view from Investigate for specific indicator events. The following permissions are required to view the Events panel in the Respond view. These permissions are provided by default for users with the Analysts role.

Investigate-server tab:

  • investigate-server.event.read
  • investigate-server.content.reconstruct
  • investigate-server.content.export

Administration tab:

  • Access Administration Module

Respond Saved Filter Permissions

Note: Saved filters for the incidents and alerts lists in Respond are available in NetWitness version 11.5 and later.

The following permissions are required for the incidents and alerts filters (Respond > Incidents and Respond > Alerts). The Analysts role has the required Respond filter permissions by default.

Respond-server tab:

  • respond-server.incident.manage

  • respond-server.incident.read

  • respond-server.alert.manage

  • respond-server.alert.read

Response Actions

The following table describes the permissions in the Response Actions tab.

Permission Description
response-actions-server.* All permissions (everything below)
response-actionsserver.actiondefinition.execute Permission to execute any quick actions
response-actionsserver.actiondefinition.manage Permission to create, edit, clone, delete, enable, and disable the
Response Actions.
response-actionsserver.actiondefinition.read Permission to view the Response Actions configured in the
Response Actions view
response-actionsserver.history.read Permission to view the Response Action history

The following table lists the permissions in the Response Actions tab assigned to each role. A blank field
indicates that the role does not have the permission. The Administrators role has all of the permissions
by default and is not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
response-actions-server.*

Yes

         
response-actionsserver.actiondefinition.execute Yes   Yes Yes Yes Yes
response-actionsserver.actiondefinition.manage

Yes

  Yes Yes    
response-actionsserver.actiondefinition.read Yes   Yes Yes Yes Yes
response-actionsserver.history.read

Yes

  Yes Yes Yes Yes

IMPORTANT: You can view the Quick Actions option in the Context Highlights section in
Investigate, Respond, Users, and Hosts views only if you have Access Administration Module
(Security > Roles > Select and Edit the Role > Edit Role > Permissions > Administration)
permission.

Security-server

The following table describes the permissions in the Security-server tab. The Administrators, Operators, and Data Privacy Officers roles have all of the permissions and are the only roles granted permissions by default.

Permission Description
security-server.* All permissions (everything below)
security-server.account.manage Permission to view, create, modify, or remove NetWitness local accounts
security-server.account.read Permission to view NetWitness local accounts
security-server.ca.manage Permission to manage NetWitness deployment PKI parameters (for example, sign certificates, and so on)
security-server.ca.read Permission to view NetWitness deployment PKI parameters
security-server.configuration.manage Permission to modify all service configuration parameters
security-server.connection.manage Permission to modify all connection configuration parameters
security-server.health.read Permission to view any health notifications that the service exposes
security-server.logs.manage Permission to change log-related configuration
security-server.metrics.read

Permission to view any metrics that the service exposes

security-server.permission.manage Permission to create or remove NetWitness permissions
security-server.pki.manage Permission to modify all pki configuration parameters
security-server.process.manage Permission to start and stop the service
security-server.role.manage Permission to create, modify, or remove NetWitness roles (for example, add role permissions)
security-server.role.read Permission to view NetWitness role definitions
security-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
security-server.security.read Permission to view security-related resources
security-server.test.manage Permission to modify all test configuration parameters
security-server.user.manage Permission to view, create, modify, or remove NetWitness user profiles
security-server.user.read Permission to view NetWitness user profile details (for example, roles, login times, and so on)

Source-server

The following table describes the permissions in the Source-server tab.

Permission Description
source-server.* All permissions (everything below)
source-server.configuration.manage Permission to change any configuration properties for the service
source-server.group.manage Permission to create and manage USM groups
source-server.group.manage.nopolicy Permission to manage nopolicy
source-server.group.read Permission to view USM groups
source-server.grouppolicy.read Permission to view the canonical groups and policies
source-server.health.read Permission to view any health notifications that the service exposes
source-server.logs.manage Permission to change log-related configuration
source-server.metrics.read Permission to view any metrics that the service exposes
source-server.policy.manage Permission to create and manage USM policies
source-server.policy.read Permission to view USM policies
source-server.process.manage Permission to start and stop the service
source-server.security.manage Permission to edit security-related resources (passwords, keys, and so on)
source-server.security.read

Permission to view security-related resources

source-server.centralgroup.read

Permission to view the Centralized Content Management groups

source-server.centralpolicy.read Permission to view the Centralized Content Management policies

source-server.centralservice.read

Permission to view the core services and ESA services

The following table lists the permissions in the Source-server tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators and Operators roles have all of the permissions by default and are not listed.

Permission RAs DPOs SOC Mgrs Operators MAs Analysts
source-server.*  

 

 

 

 

 

source-server.configuration.manage            
source-server.group.manage  

 

 

 

 

 

source-server.group.manage.nopolicy            
source-server.group.read  

Yes

Yes

 

 

Yes

source-server.grouppolicy.read            
source-server.health.read  

 

 

 

 

 

source-server.logs.manage            
source-server.metrics.read  

 

 

 

 

 

source-server.policy.manage            
source-server.policy.read  

Yes

Yes

 

 

Yes

source-server.process.manage            
source-server.security.manage  

 

 

 

 

 

source-server.security.read           Yes

source-server.centralgroup.read

 

 

 

 

 

Yes

source-server.centralpolicy.read           Yes

source-server.centralservice.read

 

 

 

 

 

Yes

Springboard

The following table describes the permissions in Springboard tab.

Permission Description
springboard.* All Permissions (everything below)
springboard.manage Permission to manage the Springboard, that is view, add, delete, and rearrange panels, and also restore system default settings.
springboard.read Permission to view Springboard.

The following table lists the permissions in the Springboard tab assigned to each role. A blank field indicates that the role does not have the permission. The Administrators role has all the permissions by default and is not listed.

Permissions RAs DPOs SOC
Mgrs
Operators MAs Analysts
springboard.*            
springboard.manage            
springboard.read Yes   Yes   Yes Yes