Roles and permissions for Threat Investigator

You can control a user's access by assigning the user to a role. A role is a group that is used for assigning permissions to the members of the group. Permissions are the operations or capabilities that are defined for the role.


To view and update the IBM® Security Threat Investigator configuration, you must have admin role access. The automatic investigation runs in the background and uses the identity of the user who enabled the automatic investigation. For automatic investigations to work correctly, the user who configures the app must also have the following access and roles:
  • At least read access to all the cases that you would like to investigate.
  • At least read access to the data sources that should be queried for investigating the case.
  • Data sources user role.
  • Threat Intelligence Insights user role.
  • Threat Investigator admin role.
Tip: If you want to change the user ID that the automatic investigation runs as, the new user must toggle the Enable automatic case investigation setting on the Threat Investigator configuration page. The new user’s identity is then used for future investigations.
For more information, see Configuring Threat Investigator.


With the Threat Investigator user role, you can view only the investigation results for cases that you can access. This access is managed by Case Management.