User permissions

Permissions on the Intelligence Center are granular controls on user access
to features and data. They're predefined,
and assigned to users through roles.

Permissions are usually named with the convention <verb> <object>, where:

  • <verb> describes the action allowed, and
  • <object> describes the object being acted on.

To see a full list of permissions:

  • make a GET /permissions request,
  • or sign in on the Intelligence Center and
    go to Settings > User management > Permissions

The table of permissions below
covers permissions as they are applied in the Intelligence Center.

Control access through groups, roles, and permissions

What a user is allowed to access is determined by a combination of:

  • Groups

    Groups organize users and
    define the resources that their members are allowed to access.

  • Roles

    Roles are sets of permissions that determine the tasks a user assigned that role can perform.

The following flow chart is an example of
how to decide what to assign to your user
to give a certain level of access:

Permissions flow chart

Groups

Groups allow you to name the resources
their members are allowed to access.

You can set for a group:

Allowed sources

Allowed sources are sources that
members of the group can access data from.

An allowed source has two properties:

  • the source
  • a TLP color

Sources can be:

  • Groups. By default, a group has itself as an allowed source. You can add other groups as allowed sources to give group members access to intelligence created by members of that group.
  • Incoming feeds. Entities and observables that are ingested through an incoming feed have their source automatically set to the name of the incoming feed.
  • Enrichers. When an observable or entity is enriched, the resulting entities and observables have their source set to the name of the enricher used.

The TLP color set for an allowed source determines the most restrictive TLP (inclusive) that members of this group can access from that source. By default, this is set to RED. This means that group members can access objects with TLP colors WHITE, GREEN, AMBER, and RED.

Setting an allowed source to a less restrictive TLP color prevents group members from accessing objects with more restrictive TLP colors from that source. For example, setting the TLP color for an allowed source to GREEN means that group members can access objects with TLP WHITE and GREEN, but not objects with TLP AMBER or RED.

Allowed roles

Groups must specify a set of roles that group members can be assigned to.

Setting allowed roles for a group does not actually assign the role to group members. You must first add roles to the allowed roles of a group, then explicitly assign those roles to the user.
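As an added illustration (not the Intelligence Center's own code), the following Python models the two group properties described above so that the access rules can be checked mechanically. It assumes exactly what this page states: an allowed source is a (source, TLP ceiling) pair whose ceiling defaults to RED, a group is its own allowed source by default, the TLP ordering is WHITE < GREEN < AMBER < RED, and a role can only be assigned to a user when some group the user belongs to lists it under Allowed roles. The class and function names, and the group, feed, enricher and role names in the demo, are hypothetical.

```python
"""Model of Intelligence Center group-level data access.

Added example, not code from the Intelligence Center. Names and object
shapes are hypothetical; the rules encoded are the ones stated on this page.
"""
from dataclasses import dataclass, field

# RED is the most restrictive color; a ceiling of X admits everything at or
# below X in this ordering.
TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}


@dataclass
class Group:
    name: str
    allowed_sources: dict = field(default_factory=dict)  # source -> TLP ceiling
    allowed_roles: set = field(default_factory=set)

    def __post_init__(self):
        # A group has itself as an allowed source by default, ceiling RED.
        self.allowed_sources.setdefault(self.name, "RED")

    def allow_source(self, source, tlp="RED"):
        """Add a group, incoming feed or enricher name as an allowed source."""
        if tlp not in TLP_RANK:
            raise ValueError(f"unknown TLP color {tlp!r}")
        self.allowed_sources[source] = tlp


@dataclass
class User:
    name: str
    groups: list = field(default_factory=list)
    roles: set = field(default_factory=set)


def can_access(user, source, tlp):
    """True if any group the user belongs to allows `source` at a ceiling >= `tlp`."""
    if tlp not in TLP_RANK:
        raise ValueError(f"unknown TLP color {tlp!r}")
    for group in user.groups:
        ceiling = group.allowed_sources.get(source)
        if ceiling is not None and TLP_RANK[tlp] <= TLP_RANK[ceiling]:
            return True
    return False


def assign_role(user, role):
    """Assign a role only if it is in the Allowed roles of one of the user's groups.

    Listing a role under Allowed roles does not assign it; this is the
    explicit assignment step that must follow.
    """
    if not any(role in g.allowed_roles for g in user.groups):
        raise PermissionError(
            f"{role!r} is not an allowed role of any group {user.name} belongs to")
    user.roles.add(role)


def demo():
    """Constructed sample data: one group, one member, three allowed sources."""
    soc = Group("SOC")                            # itself at RED by default
    soc.allow_source("Threat Feed A", "GREEN")    # an incoming feed, capped at GREEN
    soc.allow_source("Enricher X")                # an enricher, default ceiling RED
    soc.allowed_roles.add("Analyst")
    alice = User("alice", groups=[soc])
    assign_role(alice, "Analyst")
    return alice, soc


if __name__ == "__main__":
    alice, _ = demo()
    for src, tlp in [("SOC", "RED"), ("Threat Feed A", "GREEN"),
                     ("Threat Feed A", "AMBER"), ("Other Feed", "WHITE")]:
        print(f"{src:14s} {tlp:5s} -> {can_access(alice, src, tlp)}")
```

Run it as a script to see the four decisions; note that an object from a source that is not listed at all is denied regardless of its TLP, and that the ceiling is evaluated per source, so the same user can see RED data from the group's own members while being limited to GREEN from a feed.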

Roles

Roles are sets of permissions that grant read
or modify access to a given resource.

Modify permissions grant both read and modify access
to a resource.

A role can contain any number of permissions. Users inherit their permissions from the roles that they are assigned.

Table of permissions

The following table describes permissions as
they are applied in the Intelligence Center.

Permissions required for each endpoint is documented in the API reference.

All modify permissions already
include the corresponding read permission.

For example, modify users
includes read users,
so you can assign a user modify users
without also assigning read users.

Permission dependencies

Some permissions depend on other permissions.

For example, a user must first have read tickets in order to be able to read task comments with read ticket-comments.
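The two rules just stated (modify implies read; some permissions depend on others) are easy to get wrong when building a least-privilege role by hand. The following Python is an added example, not the product's own code: it expands a role's permission set with the implied read permissions and reports prerequisites the role is missing. The DEPENDENCIES table is transcribed from the permission table on this page (including the UI-only prerequisites it mentions); any permission not listed there is simply unknown to this checker, so its output is a starting point rather than a complete audit. The function names are hypothetical.

```python
"""Role linter for Intelligence Center permission sets.

Added example, not code from the Intelligence Center. The dependency table
is copied from this page's permission table; everything else is assumed.
"""

# Permission -> permissions it needs, as documented on this page.
DEPENDENCIES = {
    "lock/unlock users": {"modify users"},
    "reset password": {"modify users"},
    "modify user-groups": {"modify users", "read groups"},
    "modify user-roles": {"modify users", "read roles"},
    "modify collaborators": {"read workspaces"},
    "modify roles": {"read permissions"},
    "install knowledge-packs": {"read knowledge-packs"},
    "read ticket-comments": {"read tickets"},
    "read enrichment-rules": {"read enrichers"},
    "read discovery-rules": {"read rules"},
    "read groups": {"read users"},
    "read permissions": {"read users"},
}


def parse_permission(name):
    """Split '<verb> <object>' into its parts; a verb may contain a slash."""
    verb, _, obj = name.strip().partition(" ")
    if not verb or not obj:
        raise ValueError(f"permission {name!r} is not in '<verb> <object>' form")
    return verb, obj


def expand(permissions):
    """Add the read permission implied by every modify permission."""
    effective = set(permissions)
    for name in permissions:
        verb, obj = parse_permission(name)
        if verb == "modify":
            effective.add(f"read {obj}")
    return effective


def missing_dependencies(permissions):
    """Return {permission: prerequisites absent from the role} for a permission set."""
    effective = expand(permissions)
    problems = {}
    for name in sorted(effective):
        gap = DEPENDENCIES.get(name, set()) - effective
        if gap:
            problems[name] = gap
    return problems


def with_dependencies(permissions):
    """Close a permission set over DEPENDENCIES and the modify -> read rule.

    This is the smallest set to put in a role so that every permission in
    the input actually works, according to the table above.
    """
    effective = expand(permissions)
    while True:
        extra = set()
        for name in effective:
            extra |= DEPENDENCIES.get(name, set()) - effective
        if not extra:
            return effective
        effective = expand(effective | extra)


if __name__ == "__main__":
    # Constructed sample role: a "user administrator" drafted without prerequisites.
    draft = {"modify user-roles", "modify user-groups", "reset password"}
    for perm, gap in missing_dependencies(draft).items():
        print(f"{perm}: missing {sorted(gap)}")
    print("complete role:", sorted(with_dependencies(draft)))
```

The closure step matters because prerequisites chain: modify user-groups needs read groups, which in turn needs read users to be visible in the UI, so a single pass over the table would still leave the role broken.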

Permission

Description

install knowledge-packs

Install knowledge packs.

To install knowledge packs in the UI, the user also needs read knowledge-packs.

lock/unlock users

Unlock or deactivate user accounts.

Also requires modify users.

modify blob-uploads

Manually upload files in the UI through + > Upload.

Different from files permissions.

modify collaborators

Add and remove users in workspaces.

Also requires read workspaces.

modify configurations

Modify the following settings in the Intelligence Center UI:

  • Settings > System settings

  • Settings > STIX and TAXII > STIX

modify knowledge-packs

View, create, and modify knowledge packs.

modify discovery-rules

View, create, modify, enable/disable, and run discovery rules.

Requires additional permissions to access some fields:

Field name              Min. permissions
Search query            read entities (needed for autocomplete in the UI)
Correlated workspaces   read workspaces

modify draft-entities

View, create, and modify draft entities.

modify enrichers

Edit, enable, and disable enrichers.

modify enrichment-rules

View, create, modify, enable/disable, and run enrichment rules.

Requires additional permissions to access some fields:

Field name   Min. permissions
Source       read sources
Enrichers    read enrichers

modify entities

View, create, and modify entities.

Requires additional permissions to see all fields and options.

The following is a non-exhaustive list of min. permissions:

  • read extracts to see related observables

  • read attack to see MITRE ATT&CK classifications

  • read sources to see sources

modify extracts

View, create, and modify observables.

modify files

Users can:

  • attach files to, and remove files from, a workspace

  • pin and unpin attached files to the front page of a workspace.

To perform these tasks on files attached to a workspace, users must:

  • be an owner or collaborator on a workspace

  • have at least these permissions:

    • read workspaces

    • read graphs

modify graphs

View, create, and modify graphs.

To save a graph, users must:

  • have at least read workspaces

  • be at least a collaborator on a workspace

modify groups

View, create, and modify user groups.

To be able to see and modify groups on the UI, users must either:

  • be Group Admin for at least one group

  • or have at least read configurations

To manage additional group properties, users require at least:

  • read users to manage a group’s user list

  • read sources to manage a group’s Allowed sources

  • modify roles to manage a group’s Allowed roles

modify incoming-feeds

View, create, modify, and run incoming feeds.

To create a new incoming feed in the UI, users must also have at least:

  • read transports

  • read content-types

modify intel-sets

View, create, and modify datasets.

To view a dataset, users also require at least:

  • read entities

To create datasets, users also require at least:

  • read entities

  • read workspaces

modify outgoing-feeds

View, create, modify, and run outgoing feeds

To create a new outgoing feed, users must also have at least:

  • read transports

  • read content-types

  • read intel-sets

For feeds that create packages (e.g. feeds that use the HTTP download transport type), users must also have at least read content-blocks to see available package endpoints.

modify retention-policies

View, create, modify, and run data retention policies.

To create policies, users must also have at least:

  • read entities

  • read extracts

  • read sources

  • read taxonomies

modify roles

View, create, and modify roles.

To create and modify roles, users must also have at least:

  • read permissions

To be able to see and modify roles on the UI, users must either:

  • be Group Admin for at least one group

  • or have at least read configurations

modify rules

View, create, modify, enable/disable, and run observable and entity rules.

To create and modify rules, users may need corresponding permissions to configure certain rule properties:

Field name                     Min. permissions
Criteria > Source              read sources
Criteria > Observable types    read extracts
Criteria > Link name filter    read extracts
Actions > Add tags             read taxonomies
Actions > Add to dataset       read intel-sets
Actions > Merge similar        read entities, plus membership of group(s) with the corresponding Allowed sources

modify tasks

View and terminate system jobs.

To interact with system jobs in the UI through Settings > System jobs, users must have at least read configurations.

modify taxii-services

View, create, and modify TAXII services.

To interact with TAXII service configuration in the UI through Settings > STIX and TAXII > TAXII, users must also have at least read configurations.

modify taxonomies

View, create, and modify taxonomies.

modify ticket-comments

View, create, and modify comments on Tasks (“tickets”).

To be able to add comments on Tasks in the UI, users must also:

  • have at least read tickets

  • be a stakeholder or an assignee on that ticket

modify tickets

View, create, and modify Tasks (“tickets”).

To be able to see a task in the UI, users must either:

  • be a stakeholder or an assignee on that ticket

  • or, be at least a collaborator on the workspace the task is attached to

Users need additional permissions to access some UI fields in tasks:

Field name            Min. permissions
Assigned to           read users
Workspaces            read workspaces
Stakeholders          read users
Referenced entities   read entities
Comments              read ticket-comments

modify users

View and deactivate users.

To be able to create and modify users, you must:

  • be a Group Admin in a group where you are creating or modifying users

  • or have both modify user-groups and modify user-roles

modify user-groups

Add or remove existing users from a group.

Requires at least:

  • modify users

  • read groups

modify user-roles

Add or remove roles from a user.

Requires at least:

  • modify users

  • read roles

modify workspace-comments

View, create, and modify comments in workspaces.

To interact with comments in workspaces, users must at least:

  • have read workspaces

  • be a collaborator on that workspace

modify workspaces

View, create, and modify workspaces.

Requires additional permissions to access some features:

Feature      Min. permissions
Dashboard    read graphs
Browse > *   read entities, read intel-sets, read files, read graphs
Exposure     read entities

read audit-trail

View the audit trail in the Audit view under System settings.

To see Settings > System settings > Audit in the UI, users need at least read configurations.

read attack

View MITRE ATT&CK classifications.

Users must have this permission together with modify entities to be able to assign ATT&CK classifications to an entity.

read blob-uploads

View manually uploaded files.

Different from files permissions.

To see manually uploaded files at Search > Go to search and browse > Files in the UI, users must at least have read entities.

read collaborators

View collaborators of a workspace.

read configurations

View settings in Settings > System settings.

read knowledge-packs

View knowledge packs.

Requires additional permissions to see the contents of a knowledge pack.

read content-blocks

View packed outgoing feed packages.

read content-types

View available content types when creating feeds.

read destinations

View the list of outgoing feeds where an entity or observable is published.

Destinations are displayed in the UI as a section in the Overview tab when you open an entity or observable.

To see an entity’s or observable’s destinations in the UI, users must have at least read entities (for entities) or read extracts (for observables).

read discovery-rules

View discovery rules.

To see discovery rules in the UI, users must have at least read rules.

read draft-entities

View draft entities in the Draft tab under Production.

read enrichers

View enrichers.

read enrichment-rules

View enrichment rules.

To see enrichment rules in the UI, users must have at least read enrichers.

read entities

View entities.

Requires additional permissions to see all fields and options.

read extracts

View observables.

Requires additional permissions to see all fields and options.

read files

View files uploaded to a workspace.

Users must be at least a collaborator on a workspace to view files attached to it.

read graphs

View graphs.

Users must be at least a collaborator on a workspace to view graphs saved to it.

read groups

View groups.

To see groups in the UI, users must have at least read users.

read incoming-feeds

View incoming feeds.

Requires additional permissions to see all fields and options.

read intel-sets

View datasets.

To see the contents of a dataset, users must have at least read entities.

read notifications

View notifications.

read outgoing-feeds

View outgoing feeds.

Requires additional permissions to see all fields and options.

read permissions

View the list of available permissions.

To see the list of permissions in Settings > User management > Permissions, users must have at least read users.

read retention-policies

View data retention policies.

read roles

View roles.

To see the permissions that a role includes, users must have read permissions.

read rules

View observable and entity rules.

Requires additional permissions to see all fields and options.

read sources

View the list of sources.

read tasks

View system jobs.

read taxii-services

View TAXII services.

read taxonomies

View the taxonomy list.

read ticket-comments

View comments on Tasks (“tickets”).

To be able to view comments on Tasks in the UI, users must also:

  • have at least read tickets

  • be a stakeholder or an assignee on that ticket

read tickets

View Tasks (“tickets”).

To be able to see a task in the UI, users must either:

  • be a stakeholder or an assignee on that ticket

  • or, be at least a collaborator on the workspace the task is attached to

Users need additional permissions to access some UI fields in tasks; the fields and their minimum permissions are listed under modify tickets above.

read traceback-logs

View traceback logs displayed in the UI when an error occurs.

read transports

View available transport types for feeds.

read users

View the list of users.

read workspace-comments

View comments in workspaces.

To interact with comments in workspaces, users must at least:

  • have read workspaces

  • be a collaborator on that workspace

read workspaces

View workspaces.

Requires additional permissions to access some features.

reset password

Allows a user to force a reset of another user’s password.

Also requires at least modify users.