Access and permissions for Orchestration & Automation

Access granted to IBM Security Orchestration & Automation from the platform automatically assigns predefined roles, and these roles confer particular permissions. Where a user is granted access to Orchestration & Automation, the Orchestration & Automation access supersedes access for IBM Security Case Management.

The access options for Orchestration & Automation from the platform are Admin, User, and No access. Of the two options that grant access, one is designed for administrators and one for non-administrative users. You select the option from the menu on the Assign Access page. For example, a user who is assigned Admin access for Orchestration & Automation also gains administrative access to Case Management, because Case Management is a subset of Orchestration & Automation.


The access options for Orchestration & Automation confer the following permissions:

Orchestration & Automation Admin access
A user granted Admin access for Orchestration & Automation from the platform has access to all of the Orchestration & Automation settings from Application Settings > Case Management > Permissions and access. They also have access to the Analytics Dashboard. To grant playbook designers access to the security orchestration, automation and response capabilities from Application Settings > Case Management > Customization, you must grant the user a role that includes the Ability to view and modify permissions from the Administration and Customization Permissions section.
Users granted Admin access for Orchestration & Automation are assigned the Default role and the CP4S Admin role. The CP4S Admin role is the predefined administrator role for Orchestration & Automation. You cannot change or remove this role, and it is hidden on the interface.
The Default role is assigned to all users granted access to Orchestration & Automation. You can change the permissions associated with this role, but you cannot delete the role and you cannot remove it from a user.
If the user previously had access to Case Management, they maintain the role provided by that access. For example, if the user had Admin access to Case Management, they keep the Administrator role.

Orchestration & Automation User access
A user granted User access for Orchestration & Automation can access Case Management and the Analytics Dashboard from My applications > Case Management > Analytics. They do not have access to the user management settings from Application Settings > Case Management > Permissions and access or the playbook settings from Application Settings > Case Management > Customization.
A user granted User access for Orchestration & Automation is assigned the Default role, which provides permissions to create cases. They can also access the Analytics Dashboard. They cannot manage cases unless they are also granted either Orchestration & Automation Admin or Case Management Admin access, or are assigned another role that includes the View Incidents and Edit Incident permissions.
If the user was previously granted access to Case Management, they maintain the role provided by that access. For example, if the user had User access to Case Management, they keep the Incident Creator role.

No Access
The user has no access to Orchestration & Automation, but can still access Case Management, as controlled by the access granted to Case Management.

The predefined role definitions are as follows:
  • Default role: this role for Orchestration & Automation provides permissions to create cases. From the Roles tab, you can change permissions that are associated with this role, but you cannot delete the role and you cannot remove it from a user who has been granted access to Orchestration & Automation.
  • CP4S Admin: this is a hidden role for users granted Orchestration & Automation Admin access and provides permissions to manage Orchestration & Automation settings from Application Settings > Case Management > Permissions and access. You cannot change or delete this role or remove it from a user who has Orchestration & Automation Admin access.
Note: Assigning an administrative role to a user from within the Orchestration & Automation application does not provide access to user management. To access the administration settings for the Orchestration & Automation application, a user must be assigned Admin access for Orchestration & Automation from the platform.
Note: When you make changes to user access, and therefore the roles automatically assigned by that access, you do not see the changes to roles on the Administrator Settings > Users page until the user has interacted with the REST API and you refresh the Users page.