Manage User Roles and Permissions
You can customize a specific user’s permissions by assigning one or more roles, or you can choose a predefined role. The roles define what tasks a user can perform in the Cybereason platform.
In this topic:
Managing user roles video
User roles
You use user roles to customize permissions for each user.
You have the option to assign custom roles or predefined roles for each user.
The custom roles include the following:
Role |
Description |
|---|---|
Analyst (L1, L2, and L3) |
Assign this role to your security analysts who will be responsible for investigation and remediation. You can assign roles specific to analyst level:
|
Analyst L1 Viewer |
Assign this role to users to enable them to view MalOp information, but not edit the MalOps (such as changing the MalOp status, adding MalOp comments, or adding MalOp labels). Note In environments without the new Data Platform infrastructure, users with this role do not have access to the Malop Inbox and Malware Alerts screens. |
Local analyst (L1, L2, and L3) |
Assign this role to analysts who will be responsible for managing incidents on sensors in specific sensor groups. Use the Permissions section of the Create User screen, which appears after selecting a Local analyst role, to assign the user to one or more sensor groups. Note This role is available on Cloud deployments only (not on On-Prem). Note This role is only available if you have enabled sensor grouping in your environment.
All local analysts can view and search for reputations from the Security profile > Reputation screen. You cannot have this role if you already have an Analyst L1/L2/L3 role or a Responder L1/L2 role assigned. Note This role is disabled by default. Open a Technical Support case to make this role available. |
Local L1 Analyst Viewer |
Assign this role to users to enable them to view MalOp information for their assigned groups, but not edit the MalOps (such as changing the MalOp status, adding MalOp comments, or adding MalOp labels). Use the Permissions section of the Create User screen, which appears after selecting a Local analyst role, to assign the user to one or more sensor groups. Note This role is available on Cloud deployments only (not on On-Prem). Note This role is only available if you have enabled sensor grouping in your environment. You cannot have this role if you already have the L1 Analyst Viewer role assigned. Note In environments without the new Data Platform infrastructure, users with this role do not have access to the Malop Inbox and Malware Alerts screens. |
Responder L1 |
Assign this role to users who will run interactive commands directly on the machine with the Remote Shell utility. You must enable two-factor authentication (TFA) or SSO for users with the Responder L1 role if you want them to use the Remote Shell utility in Unrestricted mode. |
Responder L2 |
Assign this role to users who will manage incident response management tasks, including tool deployment and execution, and results collection. You must enable two-factor authentication (TFA) or SSO for users with the Responder L2 role. |
Local Responder |
Assign this role to users who will run interactive commands directly on the machine with the Remote Shell utility, in environments where sensor grouping is enabled. You need to also add the Local Analyst role for this user and assign the sensor groups to access. Note This role is available on Cloud deployments only (not on On-Prem). Note This role is only available if you have enabled sensor grouping in your environment. You cannot have this role if you already have an Analyst L1/L2/L3 role or a Responder L1/L2 role assigned. Note This role is disabled by default. Open a Technical Support case to make this role available. |
HDL Analyst |
HDL Analysts have access to the Historical Data Lake user interface, and can run queries on historical data. See Historical Data Lake for more information. Note This role is available on Cloud deployments only (not on On-Prem). Note This role is disabled by default. Open a Technical Support case to make this role available. |
System admin |
Assign this role to users who will be responsible for the Cybereason platform system and sensor settings. |
System viewer |
Assign this role to users who should be able to view the Cybereason platform system and sensor settings. Users with this role cannot change any settings. Note Users with the System viewer role have read-only permissions for screens that the System admin users have access to. |
User admin |
Assign this role to users who will be responsible for creating and managing Cybereason users. |
Executive |
Assign this role to executive users who should be able to view high-level MalOp and investigation information. |
Policy admin |
Assign this role to users who should be able to upgrade sensors and create and assign sensor security policies. |
Sensor admin L1 |
Assign this role to users who will be responsible for managing certain groups of sensors. Use the Permissions section of the Create User screen, which appears after selecting the Sensor admin L1 role, to assign the user to one or more sensor groups. Note This role is only available if you have enabled sensor grouping in your environment. You cannot have this role if you already have the Responder L2 role assigned. Note This role is disabled by default. Open a Technical Support case to make this role available. |
Sensor viewer |
Assign this role to users who should have read access to sensors in certain groups. Use the Permissions section of the Create User screen, which appears after selecting the Sensor viewer role, to allow the user to read information about sensors in those groups. Note This role is disabled by default. Open a Technical Support case to request this feature. Note If you grant a user the Sensor viewer role along with a role that can access all groups, the user will have read access to sensors in all groups. |
In addition, the Cybereason platform has predefined roles that represent common positions within an organization, such as SOC lead. These predefined roles combine certain custom roles. You can select only one predefined role for a user.
Role |
Description |
|---|---|
SOC lead |
The SOC Lead predefined role combines the permissions of a L3 Analyst and a User Admin, enabling SOC Leads to have full visibility and response abilities, along with the permissions necessary to manage the user accounts for their teams. |
Super user |
The Super User predefined role gives full access to perform the actions of all roles. This role is used for SOC leads who also need system management abilities, as well as for Cybereason’s own Incident Response and Customer Success teams, so that they can provide the highest level of support. |
API user |
The API user role has permission to execute a subset of API commands mainly for retrieving data as part of SOC automations. This role cannot run many API requests, such performing response actions on a MalOp, due to the permissions required for these API endpoints. For additional details on API permissions per API request, see the Permissions per API request topic. If you need to use the Cybereason platform’s API to perform tasks, Cybereason recommends creating a dedicated user for API purposes and assigning the relevant roles. In addition, API user cannot log in to the Cybereason platform UI, and therefore cannot change their password. |
Note
If you select a predefined role for a user, the Cybereason platform automatically selects the corresponding custom roles for the pre-defined role. If you clear a selected custom role after you select the pre-defined role, the Cybereason platform clears the pre-defined role you previously selected.
Permissions by role
The following tables detail the permissions assigned to each Cybereason role.
Administrator permissions
Permission |
System Admin |
System viewer |
User Admin |
Policy Admin |
Sensor L1 |
Sensor viewer |
|---|---|---|---|---|---|---|
Add machine isolation exceptions |
✓ |
|||||
Add sensors to groups |
✓ |
✓ |
||||
Add servers |
✓ |
|||||
Add user |
✓ |
|||||
Assign policies |
✓ |
✓ |
||||
Change own password |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
Configure email notifications settings |
✓ |
|||||
Configure password policy |
✓ |
|||||
Configure sensor tags |
✓ |
✓ |
||||
Configure SMTP server |
✓ |
|||||
Create sensor groups |
✓ |
|||||
Create/Edit policies |
✓ |
✓ |
||||
Download sensors installation package |
✓ |
✓ |
||||
Download sensor logs |
✓ |
✓ |
||||
Download user action logs |
✓ |
|||||
Enable TFA for user |
✓ |
|||||
Enable TFA in Settings |
✓ |
|||||
Export sensor columns to CSV |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
Manage Security profile settings |
✓ |
|||||
Manage Sensor policy settings |
✓ |
✓ |
||||
Manage sensors through the API |
✓ |
✓ |
✓ |
|||
Manage sensors through the UI |
✓ |
✓ |
✓ |
|||
Manage sites |
✓ |
|||||
Modify user roles |
✓ |
|||||
Monitor Device Control events |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
Perform actions on sensors |
✓ |
✓ |
✓ |
|||
Print report |
✓ |
|||||
Remove sensors from groups |
✓ |
✓ |
||||
Decommission sensors |
✓ |
✓ |
✓ |
|||
Remove servers |
✓ |
|||||
Remove user |
✓ |
|||||
Reset user password |
✓ |
|||||
Search reputations |
✓ |
|||||
Send feedback |
✓ |
✓ |
✓ |
✓ |
||
Stale & archived sensor settings |
✓ |
✓ |
||||
Subscribe to email notification |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
Unlock user |
✓ |
|||||
Upgrade sensors |
✓ |
✓ |
✓ |
|||
View sensors |
✓ |
✓ |
✓ |
✓ |
✓ |
|
View servers |
✓ |
✓ |
✓ |
Note
For details on the permissions required to use API endpoints, see the Permissions per API request topic.
Analyst and Executive user permissions
Permission |
L1 |
L2 |
L3 |
L1 Viewer |
Local L1 |
Local L2 |
Local L3 |
Local L1 Viewer |
Executive |
|---|---|---|---|---|---|---|---|---|---|
Add comment |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
||
Behavioral allowlisting |
✓ |
||||||||
Add or remove items from reputation lists |
✓ |
||||||||
Change MalOp status |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|||
Change own password |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
Configure reputation source priority |
✓ |
||||||||
Create custom detection rules |
✓ |
||||||||
Define display columns |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
Download file |
✓ |
✓ |
✓ |
✓ |
|||||
File search |
✓ |
||||||||
Isolate machines |
✓ |
✓ |
✓ |
||||||
Limit query results by number |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
Limit query results by time |
✓ |
✓ |
|||||||
MalOp response/remediation actions |
✓ |
✓ |
✓ |
||||||
Manage reputations |
✓ |
||||||||
Manage reputations through the API |
✓ |
||||||||
Manage Security profile settings |
✓ |
||||||||
Monitor Device Control events |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
Print report |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Run investigation query |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
Save display columns |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
Save queries |
✓ |
✓ |
✓ |
✓ |
✓ |
||||
Search reputations |
✓ |
✓ |
✓ |
||||||
Send feedback |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
Subscribe to email notification |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
Unsuspend process |
✓ |
✓ |
✓ |
||||||
View and create Malop labels |
✓ |
✓ |
✓ |
||||||
View Discovery board |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
|||
View MalOp details |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
View Malops management screen |
✓ |
✓ |
✓ |
✓ |
✓ |
||||
View Malop inbox |
✓ |
✓ |
✓ |
✓ |
|||||
View XDR screens |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
✓ |
Note
For details on the permissions required to use API endpoints, see the Permissions per API request topic.
Responder permissions
Users who need to perform additional or in-depth response tasks should be given the Responder L1, Responder L2, or Local Responder roles:
Role |
Permission |
|---|---|
Responder L1 |
Note You cannot use the Responder L1 role with the Local Analyst L1/L2/L3 or Local Responder roles. |
Responder L2 |
Note You cannot use the Responder L2 role with the Local Analyst L1/L2/L3 or Local Responder roles. |
Local Responder |
Note Users with the Local Responder role must also have the Local Analyst L1/L2/L3 role assigned to view and manage MalOps and run investigation queries. In addition, you cannot use the Local Responder role with the Responder L1/L2 or Analyst L1/L2/L3 roles. |